These are thoroughly disturbing statistics that should make every ERP user shudder:
A survey of more than 400 IT professionals conducted by Onapsis Research Labs found that 64 percent of ERP software systems suffered a data breach in the past two years. Onapsis reported that 90 percent of SAP’s ERP software systems remain vulnerable to a nasty virus called 10KBLAZE discovered one year ago. Onapsis also reported that there are serious security weaknesses in Oracle’s ERP payment modules.
It seems that every week news of another data breach involving businesses, hospitals and other organizations in the healthcare field, and even government agencies, finds its way into the news media. For users of ERP software systems, there is a two-pronged risk they need to confront and address proactively:
- The loss of valuable proprietary information about their supply chain, production processes, and even trade secrets that could command a high price in the underground market from unsavory competitors and counterfeiters in unfriendly countries.
- Violating various state data breach and privacy laws, including the California Consumer Privacy Act (CCPA), if personally identifiable information of employees or customers is revealed.
In many respects, a leak of personal customer information would be as damaging as having business processes revealed to competitors. First off, there are the time, expense and opportunity costs of properly responding to a data breach and providing the applicable notices to affected individuals, state regulators and the media. Then comes the public embarrassment and possible loss of trust, along with the real possibility of penalties imposed by the state. This is all in addition to a wave of potential lawsuits that could be filed by affected individuals under state law, including the CCPA, which allows for a private right of action.
Protecting ERP from Incidents
An ERP software system is a particularly inviting target for private and state-sponsored criminals as well as run-of-the-mill mischief-makers. For most companies, so many employees need access to the software that accidental or inadvertent data incidents can easily occur.
We wrote recently on the need for all businesses to prepare to defend themselves against CCPA lawsuits or penalties. For users of ERP software systems, beyond the obvious, there are additional steps organizations should implement.
One that often gets overlooked is to promptly install patches and fixes when the vendor sends them. As attorneys who’ve spent our careers working with clients on legal issues connected to data security matters relating to ERP software systems, we are often amazed at how slowly some companies do this (or maintain and review log files). Now there is a kind of “double jeopardy” for not installing updates quickly: the software remains vulnerable to a hack or breach, and there is the added risk of CCPA penalties if a breach does occur.
Establish Cybersecurity Policies
A related necessity is to ensure that comprehensive and compliant cybersecurity procedures are established, along with a software application maintenance policy. Part of this includes an audit methodology that delves deep into the system so that vulnerabilities can be identified even if the vendor has yet to release a patch for them.
Keep in mind the law specifies that doing these things proactively can help create a safe harbor in the event of a hack, leak, or data incident, possibly preventing state investigators from knocking on your door.
Another important way of preventing data incidents is to limit the people who have access to identifiable customer data. A contractor who is part of the supply chain may very well need to know how many and when the components they provide must arrive at a manufacturer. They don’t need to be able to see which customers ordered the finished product. From both a current technological and cost perspective, there is little excuse for any company to allow access to identifiable customer data when there is no need for such access.
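The need-to-know rule described above can be enforced in code by projecting each ERP record down to the fields a given role is permitted to see, and by building the supplier-facing delivery schedule only from that projection. The following is an added example, not code from the original post or from any ERP vendor; the record fields, role names, order numbers and customer values are all constructed assumptions for illustration.

```python
# Added example (not from the original post): field-level need-to-know
# filtering of ERP order records. All fields, roles and sample values below
# are constructed assumptions, not a real ERP schema.
from collections import defaultdict
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_name: str   # personally identifiable
    customer_email: str  # personally identifiable
    component: str
    quantity: int
    due_date: str        # ISO date, e.g. "2024-06-01"


# Role -> fields that role may see. Anything not listed is denied, so a new
# field added to Order is hidden from every role until someone grants it.
ROLE_FIELDS = {
    "supplier": {"component", "quantity", "due_date"},
    "customer_service": {
        "order_id", "customer_name", "customer_email",
        "component", "quantity", "due_date",
    },
}

PII_FIELDS = {"customer_name", "customer_email"}


def project(record: Order, role: str) -> dict:
    """Return only the fields the role is allowed to see (deny by default)."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role: {role!r}")
    return {k: v for k, v in asdict(record).items() if k in allowed}


def contains_pii(view: dict) -> bool:
    """True if a projected view still carries any identifiable field."""
    return bool(PII_FIELDS & view.keys())


def supplier_schedule(orders, role: str = "supplier") -> dict:
    """Aggregate component demand per due date from the role's view only.

    The supplier learns how many of each component must arrive and when,
    but never which customer placed the order.
    """
    demand = defaultdict(int)
    for order in orders:
        view = project(order, role)
        if contains_pii(view):
            raise PermissionError(f"role {role!r} view leaks PII")
        demand[(view["component"], view["due_date"])] += view["quantity"]
    return {f"{comp}@{due}": qty for (comp, due), qty in demand.items()}


# Constructed sample orders (hypothetical customers and part numbers).
ORDERS = [
    Order("SO-1001", "Acme Corp", "po@acme.example", "bracket-7", 100, "2024-06-01"),
    Order("SO-1002", "Beta LLC", "buy@beta.example", "bracket-7", 50, "2024-06-01"),
    Order("SO-1003", "Acme Corp", "po@acme.example", "hinge-2", 20, "2024-06-03"),
]


if __name__ == "__main__":
    print(supplier_schedule(ORDERS))
    print(project(ORDERS[0], "supplier"))
```

The deny-by-default role map is the important design choice: a field that nobody has explicitly granted is invisible to every role, so adding a new identifiable column to the ERP record cannot silently widen a contractor's view. The `contains_pii` guard inside `supplier_schedule` is a second, independent check so that a misconfigured role map fails loudly rather than exporting customer identities to a supplier.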
Finally, keep reinforcing to everyone who has access to data that security is as much their responsibility as it is the responsibility of the IT department. Far more breaches result from employee carelessness inside an organization than are the result of criminal activity. Remember that the CCPA does not distinguish between a deliberate hack and a mistake; the liability for an ERP user is the same.
ERP Contract Precautions
There are other preventative measures related to the CCPA that can be taken even before the contract for a new or upgraded ERP software system is signed.
Perhaps the most important is to ensure that the contract specifies who is responsible for data security and under what circumstances: Users, vendors, or integrators. The template ERP contracts used by vendors and integrators are usually vague about this, so greater specificity needs to be negotiated and written into the document.
Another aspect deals with specifying the roles and responsibilities of third-party contractors from when a contract is signed to when the ERP software system goes live. It is common for an integrator to use outside resources, which means there could be dozens of people unknown to the customer who will have at least temporary access to identifiable data. These entities need to have a contractual obligation to be responsible if their work is the cause of an incident or breach.
By the way, all of these precautions are important steps to take to help comply with not just the CCPA but most data privacy and data breach laws as well, such as New York’s new Shield Law.
We’ve spent our careers negotiating and drafting contracts for ERP software systems and handling the disputes that arise when there is an issue. If you’re an executive or inside counsel at an organization concerned about possible liability under the CCPA due to an ERP implementation, feel free to contact us. We will be pleased to share our knowledge and experience with you.