The 'cyber' risks of outsourcing: outsourcing does not mean out of mind when it comes to cyberliabilities. Instead, companies with databases full of client and employee information should be even more wary

Risk & Insurance, Sept 1, 2007 by Brian Branner, Emily Freeman

When computer code is written by application software vendors, either here or in other countries, the code they write could contain a security flaw, either left intentionally or as a result of inadequate application security testing. A contract with such a vendor is unlikely to provide for consequential damages arising from a security flaw in the software, and it can be difficult to hold the IT vendor to account if there is a network security breach exploiting that flaw.

By failing to keep confidential customer or employee information private, companies face the risk of lawsuits, fines and penalties, as well as severe reputational or brand damage.

One of the most important trends is the filing of derivative shareholder actions on the back of adverse publicity and investor reaction to an announcement of a major security breach and/or regulatory enforcement action. Investor lawsuits could allege that the company's senior executives failed to properly manage the risk and maintain adequate insurance against financial loss associated with the event.

Other trends include the rising cost of an average data breach, which reached $4.8 million in 2006, according to the Ponemon Institute LLC. The largest known Federal Trade Commission fine related to data protection was $15 million, levied on data warehouser ChoicePoint Inc. in 2006 to settle charges that it failed to protect consumers' personal information after the company mistakenly sold information on 163,000 consumers to a ring of identity thieves.

The expenses aren't limited to lawsuits and fines. For most companies, the real expense is the very substantial cost of notifying thousands or millions of affected individuals and providing them with access to a professional call center (knowledgeable in identity theft and credit issues), free credit report and sometimes a free credit-monitoring service.

Notification costs can be substantial. There are no accurate public data on this issue, but some estimate the cost at $20 per person, including the cost of credit monitoring. In the United States, the theft of information on 250,000 customers could therefore lead to notification costs of more than $1 million.

Losses such as these are happening on a regular basis, particularly in the United States, where notification laws are in place. It is anticipated that the European Union will adopt similar notification requirements. With regard to vendors, there has been a pattern of notifications triggered by a lost laptop containing unencrypted PHI or PII, insider employees participating in identity theft, and the mysterious disappearance of files or tapes that were being transferred to a data repository center.

These are significant risks that should not be dismissed lightly, but they can be managed through a combination of vendor due diligence, contractual requirements and insurance. Besides the considerations of price and delivery, customers need to conduct thorough due diligence on the security and privacy controls of higher-risk vendors. This due-diligence phase may include onsite audits conducted by the customer or its security representative.
