This Bulletin is to advise authorized users of centralized information technology contracts established by the New York State Office of General Services (“OGS”) of data privacy and security concerns related to products sold by Kaspersky Lab.
On September 13, 2017, the U.S. Department of Homeland Security (“DHS”) directed federal agencies to identify, remove, and discontinue current and future use of products manufactured by Kaspersky Lab, a Russian cybersecurity and software company that DHS characterized as possibly vulnerable to Russian government influence, unless directed otherwise by DHS based on new information. This action followed a decision earlier in the summer by the General Services Administration (“GSA”) to remove Kaspersky Lab products from GSA contracts for information technology products, services, and solutions, and photographic equipment and related supplies and services, in order to “ensure the integrity and security of U.S. government systems and networks.” Kaspersky Lab refutes the allegations.
Kaspersky Lab does not currently hold an OGS centralized information technology contract, and therefore cannot sell directly to authorized users, but Kaspersky Lab products may be purchased from other vendors on OGS centralized contracts. To date, OGS is aware that Kaspersky Lab products may be sold under the following OGS centralized contracts: (i) the Comprehensive Telecommunications Equipment and Solutions (“CTES”) contract (Kaspersky Lab products are available from Washington Computer Services Inc., Layer 3 Technologies, Inc., and Vandis, Inc.); (ii) the Information Technology Umbrella Contract – Distributor Based (Kaspersky Lab products are available from SHI International Corp); and (iii) the Information Technology Umbrella Contract – Manufacturer Based (Kaspersky Lab products are available from AT&T Corporation and Dell Marketing LLP). There may be other vendors that either sell Kaspersky Lab products under an OGS centralized contract or utilize Kaspersky Lab products in a service offering under an OGS centralized contract.
In light of this information, authorized users may want to contact their IT department to commence a review of purchases and contracts for software and services to determine their exposure to Kaspersky Lab products and services. If you determine that Kaspersky Lab products are installed in your environment or that you have contracted with a vendor that is utilizing Kaspersky Lab products as part of a technology or service offering, you may want to consider whether the concerns raised by the federal government necessitate further action. In addition, when making future IT purchases, you may want to ask your vendor whether any Kaspersky Lab products or services will be utilized in the vendor’s technology or service offering.