The 'cyber' risks of outsourcing: outsourcing does not mean out of mind when it comes to cyberliabilities. Instead, companies with databases full of client and employee information should be even more wary

Risk & Insurance, Sept 1, 2007 by Brian Branner, Emily Freeman

Summary

* Outsourcing does not mean cyberliability is out of mind.

* Instead, companies that outsource remain responsible for the security of confidential customer and employee information.

* Mitigation can be provided through vendor management as well as proper insurance.

**********

Businesses routinely outsource everything from their information-technology departments to finance, accounting and human resources. Outsourcing, of course, is designed to help companies achieve cost efficiencies, save time or gain a particular area of specialized expertise.

What many companies might not realize, however, is that outsourcing these operational functions potentially gives vendors access to confidential information and could open the door to a serious threat to their network or breach in data security.

Many corporate executives mistakenly believe that, by outsourcing the work to vendors, they have also transferred the liability that may arise when a breach occurs. Unfortunately, it is not that easy. Business-process-outsourcing and IT vendors may contractually agree to indemnify their customer for breach of confidentiality or privacy, but the legal and regulatory liability primarily remains with the data owner, in this case the client of the vendor.

While the indemnification provided by vendors grants some measure of comfort, that indemnification will only be as strong as the insurance in place or the financial solvency of the vendor. The vendor contract could exclude consequential damages and omit the necessary requirements for professional liability and data-protection insurance. Vendors are often smaller companies that service a number of clients in a particular sector, which concentrates risk. Finally, a systemic security problem or breach at the vendor could seriously impair the vendor's financial condition if lawsuits pile up and clients cancel contracts, leaving little behind to fund the indemnity.

The bottom line is that clients who outsource are responsible for the security of confidential customer and employee information and cannot effectively transfer the liability that arises from a breach to their vendors. There are federal laws designed to ensure that confidential information in the hands of others is kept private.

Under Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act, companies are required to keep customer and patient data private. On top of that, at least 34 states have enacted notification laws that require companies to alert customers when there has been a potential security breach affecting personally identifiable nonpublic information, or PII, typically if such PII is not encrypted. These laws extend to breaches of security at vendors that access PII on the company's behalf, such as call centers and IT vendors. Again, if there is a security lapse, the fact that it was a vendor that failed to safeguard the information does not absolve the company from responsibility as the owner or originator of the data.

It's not simply a question of whether the vendors themselves are trustworthy. Each time that confidential corporate information gets passed on from one vendor to another, the company has less and less control over how well the data is being safeguarded. Security and privacy due diligence of new and existing vendors is highly recommended, especially for those that touch PII or protected health information, PHI.

However, such audits are a snapshot in time, and clients cannot observe the vendor's day-to-day operations to ensure that controls are maintained between reviews. Finally, vendors located offshore may be at even greater risk of security breaches for a number of reasons, including the differences between their local legal and compliance requirements and the client's, say in the European Union versus the United States.

MILLIONS EXPOSED

The potential for a security breach, meanwhile, is very real. More than 150 million data records of U.S. residents have been exposed due to security breaches since January 2005, according to Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. A company's vendors can be a source of such security breaches, as some of the publicized security breaches confirm.

It is also not difficult to imagine any number of scenarios. Many utility companies, for instance, now offer customers the opportunity to pay their bills online. Online bill-pay service is usually outsourced to a third-party vendor, who then has access to the utility customer's confidential information.

That vendor, however, might not have the same level of network security as the utility company, making it more vulnerable to a security breach. Should this occur, the utility company itself would be held liable, with only the vendor contract available for indemnification. An indemnification is very helpful, but only if it is backed by vendor assets and appropriate insurance.

Some security breaches are a result of a vulnerability in applications or operating systems that are exploited to gain access to sensitive personal or corporate information or to disrupt the operations of the customer.
