Kroger is the latest US company to report being affected by a breach at a supplier of secure file sharing services. The vendor explicitly markets its services as a consolidated and secure way to manage certain internal records and communications. Kroger has listed its HR records as being among those potentially affected.
Any company that outsources storage, communications, security, records management, or other common functions should remember that, in the event of a breach at the vendor, the customer company may owe legal notices to employees and business partners as well as to consumers. Such a breach may fall under state privacy laws (including those covering medical records), state breach-reporting requirements, and federal or international laws governing medical, financial, or other personal data.
Ensuring that your vendor agreements explicitly require prompt notice, cooperation, and some sharing or offset of compliance costs can be invaluable in these instances.