Benefits without risk?

More and more companies are looking to outsource parts of their business, not just their IT systems, but many other core business functions. Outsourcing has led to offshoring, where business functions are relocated from the client's home country in the EU or US to other parts of the world, such as India and the Philippines. Customer support and software code development and maintenance are examples of business and IT functions that are often outsourced. Productivity and technology, combined with offshore call centres, have changed where and how customers access information and receive answers to their questions.

It is a huge trend. Everything from credit card processing, medical transcription, and benefits administration to logistics and procurement functions are outsourced today. In IT, other commonly outsourced functions are security management, managed network, managed hosting, co-location, and security testing.

In India alone, the value of the outsourcing industry swelled by 40% in 2006 over 2005, to $5.8bn, and is expected to hit $64bn and employ three million people by 2012, according to a recent KPMG study. In 2005, financial services represented 39% of outsourcing in India. TowerGroup reports that the top 15 global financial institutions will increase IT spending on vendor-direct offshore outsourcing by 34% annually, to $3.89bn in 2008.

Information is key

The heart of a company is its network and IT department. Strategic data, trade secrets, financial information, and personal information on employees and customers are held, processed and stored on servers accessible on the network and on mobile portable devices. Outsourcing vendors may have sensitive network access and confidential data.

Outsourcing arrangements present a substantial risk to the outsourcing firm, ie the client. The client will not retain the same measure of control over sensitive information, which may become exposed to theft or disclosure. In most outsourcing transactions, the client transfers the total responsibility of handling a task or managing a function to a third party. Concurrently, it makes valuable internal information available to that third party (such as source code for the application to be maintained or personal information about its customers).

At issue is not so much the security that outsourcing vendors use to protect clients' systems – such as firewalls and data backup – as the cultural differences. For instance, standards of privacy are often looser in India because it is a close-knit society where reading someone else's e-mail would not be considered a significant intrusion. Also the legal and political system may be quite different from the domicile country of the client. One such difference can be the ability under local law to obtain background checks on employees to reduce the significant risks posed by insiders who can become perpetrators or assist outside organised crime. Another is the temptation to participate in cyber crime in countries where the salaries of service employees at call centres, for example, are relatively low. There have been allegations that call centre employees working on behalf of financial services companies have stolen data entrusted to their employers.

Protect data

From a client's perspective, loss of control does not mean a shifting of risk from a legal or regulatory perspective. More than 50 countries have data protection laws, notably those in the EU, Canada, Australia, and the US. These laws place responsibility on the data owner: the party that collected the information in the first place. The data owner has responsibility for its own actions, but also for the activities and controls of its vendors.

The EU Data Directive has extensive provisions regarding collection, compilation, use, disclosure or transfer of personal data, including permitted uses of personal data, whether and to whom the data may be transferred or disclosed. In the US, attention has been focused on the security measures to protect personally identifiable medical or financial information from identity thieves.

Over 36 states in the US have passed laws requiring a business or person that has specific sensitive personal information to disclose a security breach to the potentially affected group. This has resulted in significant notification and mitigation costs (one case resulted in more than 44 million people being affected), and public notification has been followed by civil law suits from banks and affected consumers. The notification laws in the US are being studied in other countries, including those in the EU. Besides exposure to civil suits, regulators can bring actions that result in significant legal costs and potential civil fines or penalties.

Evaluate the risks

Given these extensive obligations and the potential for damage to reputation and brand, the outsourcing client should conduct appropriate due diligence to evaluate the risks and controls of potential vendor partners. Security and privacy audits by the client can uncover the state of controls, as well as reviewing audits or assessments performed by the vendor or by third parties. There are international standards of security through which vendors can prove the quality of controls by obtaining a certification, such as ISO 7799 and PCI (specific security standards for credit cards sponsored by VISA and MasterCard). An important factor is review of specific remediation steps taken to address any medium to high risk recommendations. Through the due diligence process, the client should understand what aspects of the service the vendor is in turn outsourcing to others.

Finally, given the growth of mobile technology such as PDA's and laptops, it is important to review the vendor's implementation of strong encryption and policies with regard to sensitive information on such mobile devices. There has been the well publicised February 2007 case in the UK regarding the Nationwide Building Society, which was fined £980,000 by the Financial Services Authority, following the theft of a laptop from a Nationwide employee's home, which contained confidential customer data of 11 million people.

“Outsourcing vendors may have sensitive network access and confidential data

Audit, check and confirm

After the vendor is appointed, periodic audits should be done to make sure the vendor still complies with the contract provisions and the regulatory and legal requirements. Companies that outsource operations overseas are advised to train local staff to adhere to the company's global privacy standards and to check the risk of government interception of sensitive confidential information.

The outsourcing contract should define how data, privacy and security issues will be addressed during the term of the contract and upon termination. It should address the ownership and disposition of databases of private information the participants might have developed or shared during the relationship. Appropriate clauses should include representations and warranties with respect to the data and the scope of use, and an indemnification of breach of confidentiality and breach of data protection laws or regulations.

Some firms already compel their offshore vendors to comply with EU laws in the handling of consumer data, and specifically name the EU as the jurisdiction and venue for dispute adjudication. However, one legal problem for clients can be the lack of a international treaty that requires judgments rendered in US or EU courts to be valid in the vendor's home country. Many clients use arbitration clauses, which require disagreements to be resolved before even entering the court system.

Finally, the customer should consider a strong insurance clause requiring the vendor to show evidence of insurance for its professional services (ie professional liability) and data protection risks (security and privacy). A common mistake is to draft strong indemnity clauses that are not backed by appropriate insurance and vendor financial assets. Another problem is that the vendor insurance clause does not address data protection risks. We have collaborated with legal counsel of our clients to improve the insurance clause relative to professional liability and data protection liability. One example of such an insurance clause reads:

‘Vendor agrees to purchase and maintain throughout the term of this agreement professional indemnity insurance and data protection liability insurance covering liabilities for financial loss resulting or arising from acts, errors, or omissions, in rendering [type of service] or from privacy violations, breach of privacy regulations, data theft, damage, destruction, or corruption, including without limitation, unauthorised access, unauthorised use, identity theft, virus transmission, and denial of service in connection with the services provided under this agreement with a minimum limit of [amount] per occurrence and annual aggregate.’

Professional liability and data protection liability are obtainable in many countries, but there are issues where the vendor is located in a country that does not have a developed insurance market for professional liability. A business decision needs to be made as to whether the benefits of working with such a vendor outweigh the potential risks.

Even with appropriate insurance in place, the prudent client understands that it must protect itself from vicarious liability from breaches of security or privacy violations committed by its vendors. This may take the form of purchasing insurance to address data protection risks on a stand-alone basis or combining it with professional indemnity insurance programmes in place. This is increasingly an approach of medium to large clients who outsource critical business functions.

A matter of necessity

The reasoning behind the seeking of data protection insurance reflects the real risk of a systemic breach of security by a key vendor, who is handling multiple companies at the same time. In the US, a third-party processor of data had a security breach in 2005, involving 40 million accounts and multiple banks and credit card associations.

The impact of all this can result in the vendor seeking the protection of bankruptcy, leaving the clients alone as the solvent defendants in the pending lawsuits. This case illustrates not only the need to have strong insurance, but also the need for the client to protect itself for vicarious liability following a large security breach committed by a vendor.

Lastly, clients in high compliance industries where there is regulatory oversight and audits are increasingly being asked to provide risk management information regarding controls on important infrastructure and IT vendors. A further recent development has been derivative shareholder actions filed after the announcement of a breach.

In summary, the proliferation of data protection laws, sophisticated threats, regulatory oversight, and investor concerns has made the outsourcing decision not just one based upon talent, expense containment and service delivery, but risk management as well. The risk management process should include initial and ongoing due diligence, client provisions in the outsourcing contract (including a strong vendor insurance requirement), and evaluation of the client's own insurance programme.