Ensuring Security in an Outsourcing Relationship
By Tara Swords
More organizations are outsourcing critical IT functions to third parties. At the same time, they are under strict mandates to maintain records, protect consumer privacy, and report data breaches -- mandates that significantly affect these outsourcing agreements.
The benefits of outsourcing are understandable. If properly managed, outsourcers can help organizations focus on their own core competencies, cut costs, and get specialized help for a problem the enterprise can't solve with in-house resources. An April 2006 report from research firm Gartner, Inc., predicted that the outsourcing market will grow at a healthy rate of 7.3% from 2004 through 2009.
As enterprises outsource more data-related functions, they are simultaneously juggling a variety of regulations that govern what they can and can't do with their data. For example, California Senate Bill 1386, aimed at curtailing identity theft, requires any company that conducts business in California or has customers in the state to notify those customers if their electronic personal information is exposed through a security breach. The European Union (EU) Data Protection Directive imposes strict rules on the way companies collect, use, and process individuals' personal data in an EU country. Health care organizations must also comply with the Health Insurance Portability and Accountability Act (HIPAA), a complex piece of legislation that requires organizations to protect personal health information.
The problem with outsourcing data-related functions is that in the end, enterprises may still be held accountable for much of what the outsourcer does.
"You can't really transfer much of your liability," says Michael Rasmussen, vice president and analyst at Forrester Research. "Nobody will accept liability A to Z in security."
To protect themselves in outsourcing arrangements, organizations need to specify exactly what the liabilities are for the outsourcer in service-level agreements (SLAs). These agreements should include provisions to ensure that service providers are in compliance -- or limit the enterprise's liability in the event of noncompliance. Here are some strategies:
- Ask for what you want. Negotiations almost never result in one party getting everything it wants. Before you begin, you need to know what points are non-negotiable and which are less critical. But don't start compromising before you sit down at the table. "Start the negotiation with what is the ideal situation for yourself. Then work with your business partner to define what's feasible," Rasmussen says.
- Choose a jurisdiction. CIOs should understand that, absent a governing-law clause, a dispute may well be decided under the service provider's home-country rules rather than their own. For that reason, Rasmussen says, some organizations are building models that take different countries' laws into account. "Organizations will set up some type of framework, such as assigning level one through five depending on the intellectual property laws in a specific jurisdiction," he says. "That will govern what type of outsourcing relationships they'll allow in those jurisdictions."
- Include an NDA. Nondisclosure agreements, or NDAs, should require the service provider and its employees to agree that they will not disclose any sensitive information or intellectual property about your company to any other party. Detail exactly what kinds of information the NDA covers, and specify that the information cannot be communicated in any way: verbally, through email, over the phone, on paper, or in video, for example. Make the NDA broad in scope but specific in its definitions.
- Reserve the right to run background checks -- then do it. It sounds like a hassle, but a company should run background checks on all service provider employees who will have access to its information. According to a November 8, 2005, report from Gartner, Inc., "The United States Sentencing Commission Organizational Sentencing Guidelines require that personnel screening be done to make sure that access to information and processes is not given to individuals who have a history of criminal behavior." In other words, an enterprise may be at least partly liable if a service provider employee has a criminal record and discloses or misuses the enterprise's data.
- Negotiate to prevent problems. It's almost impossible to put a dollar amount on brand or reputation damage. For example, if a service provider sells sensitive customer data to identity thieves posing as a legitimate business, the enterprise must work to rebuild trust with customers -- an immeasurable task. That's why it's important to structure contracts so that they reward the service provider for security results that go beyond the contracted requirements, rather than relying only on penalties applied after a breach has already occurred.
- Think carefully before signing a long-term agreement. In general, service providers want to engage enterprises with longer-term contracts that last for five or more years. If CIOs agree to long-term contracts, they should be sure to craft strong termination clauses that enable them to cancel a contract after certain numbers or types of incidents. Also, CIOs should be aware that the longer the enterprise remains with a single vendor, the more dependent on that vendor it will become. While outsourcing frees organizations to focus on their core competencies, it also tends to decrease the company's ability to handle such functions on its own.
- Reserve the right to renegotiate. As with any new partnership, problems become most apparent after the relationship gets underway. CIOs should ensure that they can renegotiate a contract after a certain period of time to adjust any elements that aren't working.
- Audit your service providers. CIOs should ensure that contracts with service providers include "right to audit" clauses. Indicate how the relationship will be monitored and how results will be measured. Rasmussen says enterprises must be "very diligent in following through on your right-to-audit clauses to make sure that your contractors are doing what they say they're going to do."
- Watch out for liability clauses. According to a March 21, 2006, Gartner report, outsourcers sometimes agree to limits of liability that add up to no more than one month's total revenue or $1 million, whichever is less. But the fine print typically reads that outsourcers will only agree to such liability if the customer can prove that the problem was entirely and solely the outsourcer's fault. That's a high burden of proof: most aspects of the relationship are cooperative between the client and the service provider, which makes it difficult to lay blame entirely on the service provider.
IT outsourcing can be helpful to organizations, but their first priority in structuring outsourcing agreements must be self-protection. By ensuring that outsourcers comply with laws and policies, enterprises can pave the way for a solid partnership that is beneficial for both parties. The best way for CIOs to ensure they're getting a good deal, Rasmussen says, is to do their homework up front and actively manage the relationship after it's in effect.
"It's up to the organization to clearly define in their contracts what they expect, and then to do due diligence to investigate the vendor's background for security," he says. "It's also up to the organization to make sure their vendor is meeting their security requirements."
Tara Swords is a Chicago-based journalist who has written about business and technology for nearly 10 years.