Organizations have varied reasons for outsourcing information technology functions to third-party service providers (“Providers”). Companies that outsource (“Outsourcers”) may do so to reduce operational cost or for subject matter expertise. Unfortunately, significant risks associated with outsourcing important technology functions to Providers are being ignored. These risks include business continuity, information security and data privacy, intellectual property and un-transferred litigation risks. At the broadest level, lack of oversight and management controls create the majority of the risks associated with outsourcing. All of these risks implicate the broader topic of compliance, and when key functions are outsourced, it becomes increasingly difficult to manage risk and monitor compliance.
Regulations and Standards
Examples of regulations IT organizations are working to comply with include the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Foreign Corrupt Practices Act and the Sarbanes-Oxley Act. Rules are enacted by, among others, the FDIC, FTC, DOJ and most state legislatures. Virtually all of these regulations create broad requirements concerning technology governance, which in turn impacts an organization’s outsourcing decisions. In addition to statutory and regulatory compliance, Outsourcers face the risk of consumer class-action litigation based upon theories of negligence or unfair competition. Regulatory organizations such as the Federal Financial Institutions Examination Council (FFIEC), National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS) and the Cloud Security Alliance (CSA) generally provide standards and guidelines for handling data, security and information governance. Although these organizations and associations are not regulators imposing mandated duties, following their guidelines and “best practices” shows a deeper commitment to diligence in calculating the risks involved in a certain outsourced transaction that is being contemplated or managed. Additionally, following these guidelines (or requiring the provider by contract to comply) may go far in defending a claim by showing that the entity’s outsourcing conduct was reasonable.
While business continuity may often be viewed only as a concept for creating sustainable and reproducible business transactions, it is a key component of many compliance obligations, especially in heavily regulated industries such as health care and financial services. When outsourcing technology functions, an organization may lose needed visibility into the organization’s ability to recover from a disaster. Outsourcers are often sold on the concept that the service provider is providing a turn-key solution, so it is common for businesses to assume that the Provider is taking care of all aspects of the outsourced service, including disaster recovery. While the Provider’s liability is likely limited to damages arising out of the outsourcing agreement, the Outsourcer remains exposed to regulatory liability arising from its failure to comply with regulations, regardless of fault or knowledge. This non-delegable duty is the legal foundation for virtually all outsourcing risks.
Security and Privacy
The area of information security and data privacy is garnering significant attention, and not surprisingly, it presents a major risk when outsourcing technology functions. As an example, a financial institution regulated by the GLBA is affirmatively required to:
- Exercise appropriate due diligence in selecting its service providers
- Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines and
- Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers. See Appendix D-2 to 12 CFR Part 208, Section III.D.
When a process is outsourced, it may become more difficult to monitor and manage. Additionally, almost every state has its own data breach and identity theft protection statutes for residents residing within that particular state. If an entity does business with a resident of a particular state and there is a breach of security or unauthorized access to the resident’s non-public personally identifiable information, the entity must notify the resident as required by statute. After functions are outsourced, events giving rise to notice obligations may become more difficult to discover. With many regulated businesses, the handling of non-public personally identifiable information (PII) carries an increasingly burdensome compliance concern. PII hosted in the cloud or exported outside the United States may offend regulatory rules. Often once the Outsourcer contracts with the Provider, control of the data has been turned over and may become more difficult to track and protect.
Intellectual Property Rights
Intellectual property protection is another important risk area when outsourcing. While protecting the Outsourcer’s own intellectual property rights is important, the greater risk comes from failure to protect the intellectual property of others. Industry associations such as the Business Software Alliance or Software & Information Industry Association, which represent major software publishers, conduct audits of companies worldwide to ensure the intellectual property rights of their members are protected. Violations concerning copyright can be extremely costly, and while penalties rarely involve incarceration, prison time is possible. One example of copyright infringement risk occurs when application support is outsourced. Providers may have access to install software applications involving the copyrights of third-party software publishers. They may install software without the appropriate licenses, creating the possibility of an infringement action against the Outsourcer that may not have any knowledge of the offending activities. Because copyright infringement requires no intent to infringe, the Outsourcer can still be held liable for the infringement activities of the Provider. It is important to utilize risk mitigation strategies when outsourcing projects or functions that even tangentially involve intellectual property rights.
Un-transferred legal risk is another area of concern when outsourcing. Virtually all outsourcing transactions involve written agreements that contain risk-balancing and risk-shifting provisions. These agreements may involve difficult technical concepts, including emerging computer technologies, social networking, or complex health sciences topics. As the law changes to keep pace with these constantly changing topics, it is difficult to keep up with trends concerning the contracts that govern the relationship between the Outsourcer and Provider. The boiler plate language that one party may have used a few years ago may fail to address newer and more relevant topics. Examples of this include new contract language concerning data breach incident response, loss of electronic trade secret information or the handling of PII. Contract provisions that deal with insurance and indemnity involve the transfer of legal risk, and it is important that the Outsourcer be diligent in transferring as much legal risk as it can during the negotiation phase.
It is also risky when companies fail to adequately manage existing outsourcing contracts. Many outsourcing agreements have some type of automatic renewal unless one party informs the other party of its intent not to renew within some agreed-upon notice period. If the Outsourcer does not diligently maintain controls in the management of its vendors, it may miss an important renewal notice deadline and thus, an opportunity to renegotiate a contract when it has a better bargaining position.
Mitigation Strategies and Conclusion
Once risks are identified, many Outsourcers ask: What can be done to mitigate the risk? Broadly speaking, the greatest mitigation strategies require the implementation of stronger controls and oversight. An entity must be committed to creating a culture of compliance internally and require the same of their Providers. Additional risk mitigation strategies include the following:
- Carefully investigating prospective Providers, and when appropriate, ensuring they follow all appropriate industry standards;
- Using experienced technology attorneys for drafting and negotiating outsourcing contracts;
- Requiring Providers to comply with all applicable regulations and policies;
- Requiring Providers to carry applicable professional liability insurance, including endorsements for technology errors and omissions, network security and data privacy;
- Requiring Providers to include service level agreements and to document and test business continuity preparedness;
- Requiring Providers to include provisions for protection of intellectual property rights and related indemnification;
- Routinely auditing vendor compliance with contractual obligations and
- Upgrading terms and conditions during contract renewal periods.
Regardless of the reasons why a company may consider outsourcing technology functions, the decision presents significant risks. Outsourcing decisions should not be made lightly, and if an entity decides to move forward, a great deal of diligence is required when selecting, contracting and managing Providers.