Data Breach Case Study

A QuisLex corporate client utilized a third-party auditor that was the victim of a ransomware attack. The auditor performed routine audits to recover duplicate payments for the corporate client. Approximately once per month, the corporate client sent the auditor a .txt file containing the supplier invoice number, invoice amount, etc. The auditor would then contact the corporate client’s suppliers that received a duplicate payment to recover the duplicate payments.

The QuisLex Privacy Attorney served as the proxy for the Director of Privacy and was added to the client’s incident response team to assist with the data breach resolution process, which included:

• Working with the client’s information security team and engineers to understand what client data was with the auditor at that time.
• Reviewing the relevant contract(s) between the auditor and client; preparing a summary of potential remedies available to the corporate client; and providing a recommended course of action from the legal/privacy standpoint.
• Tracking the remediation process and reporting progress/setbacks to the client’s Chief Privacy Officer and Director of Privacy.
• Participating in working meetings with the client and the auditor to remediate and provide notice to relevant parties, including but not limited to:
  • Compiling a list of the corporate client’s suppliers that the breached auditor may have contacted on behalf of the client over the past two years.
  • Cross-referencing the list of contacted suppliers with the .txt file(s) that were with the auditor during a specified time period.
  • Determining the exact data that was compromised.
  • Reviewing and analyzing the data to ascertain the level of data, i.e., company, confidential, proprietary, etc.
  • Re-assessing the auditor for global privacy compliance and making recommendations with regard to updated privacy language in the data processing addendum.

The QuisLex Privacy Attorney is listed as the point of contact for any related data subject requests.

Data and Privacy Controls

At QuisLex, we understand how important it is to protect your company’s information. That’s why we use a comprehensive set of advanced security tools to prevent data breaches and provide immediate incident response. Our operations center in Hyderabad, India is purpose-built to meet international standards for information security management systems (ISO 27001:2013). We use the following security controls to protect client privacy:

• 24/7 live CCTV monitoring
• Firewall, IPS, and IDS systems
• Biometric access control system
• HITRUST CSF certification
• Segregated project networks
• Controlled access to the internet, email, external media, and printing
• Physically separated project areas and secure private lockers
• Encrypted devices and secure infrastructure for remote work

QuisLex partners with Exterro, a leading provider of Governance, Risk, and Compliance (GRC) software, to provide comprehensive data breach response services.

Learn More About Privacy and Data Breach Services From QuisLex

Since 2004, our teams have supported global clients, across 16 time zones and various jurisdictions, from industries such as Technology, Pharma, Retail, Finance, Insurance and Banking. QuisLex is a highly acclaimed legal services provider delivering the benefits of operational excellence, process rigor, and expertise for complex legal work.

What Makes Us Unique:

• 1,000+ Permanent Employees
• Nationally Certified Minority Business Enterprise (MBE)
• 60% of Project Leaders Are Women
• Six Sigma Certified Process Management Team
• 10-Year Average Tenure for Senior Project Managers
• Technology Expertise in Over 20 Legal Related Software Tools
• Contact us to learn more.