Businesses routinely outsource everything from their information-technology departments to finance, accounting and human resources. Outsourcing, of course, is designed to help companies achieve cost efficiencies, save time or gain a particular area of specialized expertise.
What many companies might not realize, however, is that outsourcing these operational functions potentially gives vendors access to confidential information and could open the door to a serious threat to their network or breach in data security.
Many corporate executives mistakenly believe that, by outsourcing the work to vendors, they have also transferred the liability that may arise when a breach occurs. Unfortunately, it is not that easy. Business-process-outsourcing and IT vendors may contractually agree to indemnify their customer for breach of confidentiality or privacy, but the legal and regulatory liability primarily remains with the data owner, in this case the client of the vendor.
While the indemnification provided by vendors grants some measure of comfort, that indemnification will only be as strong as the insurance in place or the financial solvency of the vendor. The vendor contract could exclude consequential damages and not contain necessary requirements for professional liability and data-protection insurance. Vendors are often smaller companies and service a number of companies in a particular sector. Finally, a systemic security problem or breach by the vendor could seriously impair the vendor's financial condition if lawsuits pile up and clients cancel contracts.
The bottom line is that clients who outsource are responsible for the security of confidential customer and employee information and cannot effectively transfer the liability that arises from a breach to their vendors. There are federal laws designed to ensure that confidential information in the hands of others is kept private.
Under Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act, companies are required to keep customer and patient data private. On top of that, at least 34 states have enacted notification laws that require companies to alert customers when there has been a potential security breach affecting personally identifiable nonpublic information, or PII, typically if such PII is not encrypted. The standard includes responsibility for breaches of security of vendors who access PII, such as call centers and IT vendors. Again, if there is a security lapse, the fact that it was a vendor that failed to safeguard the information does not absolve the company from responsibility as the owner or originator of the data.
It's not simply a question of whether the vendors themselves are trustworthy. Each time that confidential corporate information gets passed on from one vendor to another, the company has less and less control over how well the data is being safeguarded. Security and privacy due diligence of new and existing vendors are highly recommended, especially those that touch PII or personally identifiable health-care information, PHI.
However, such audits are a snapshot in time, and clients cannot examine the vendor's organization to ensure proper management on a day-to-day basis. Finally, vendors located offshore may be at even greater risk of security breaches for a number of reasons, including the differences between their local legal and compliance requirements, say in the European Union versus the United States.
The potential for a security breach, meanwhile, is very real. More than 150 million data records of U.S. residents have been exposed due to security breaches since January 2005, according to Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization. A company's vendors can be a source of such security breaches, as some of the publicized security breaches confirm.
It is also not difficult to imagine any number of scenarios. Many utility companies, for instance, now offer customers the opportunity to pay their bills online. Online bill-pay service is usually outsourced to a third-party vendor, who then has access to the utility customer's confidential information.
That vendor, however, might not have the same level of network security as the utility company, making it more vulnerable to a security breach. Should this occur, the utility company itself would be held liable, with only the vendor contract available for indemnification. An indemnification is very helpful, but only if it is backed by vendor assets and appropriate insurance.
Some security breaches are a result of a vulnerability in applications or operating systems that are exploited to gain access to sensitive personal or corporate information or to disrupt the operations of the customer.
When computer code is written by application software vendors either here or in other countries, the code they write could contain such a security flaw, either left intentionally or as a result of inadequate application security testing. A contract with such vendors is unlikely to pay consequential damages as a result of the security flaw in software, and it can be difficult to hold the IT vendor to account if there is a network security breach exploiting that flaw.
By failing to keep confidential customer or employee information private, companies face the risk of lawsuits, fines and penalties, as well as severe reputational or brand damage.
One of the most important trends is the filing of derivative shareholder actions on the back of adverse publicity and investor reaction to an announcement of a major security breach and/or regulatory enforcement action. Investor lawsuits could allege that the company's senior executives failed to properly manage the risk and maintain adequate insurance against financial loss associated with the event.
Other trends include the rising cost of an average data breach to $4.8 million in 2006, according to the Ponemon Institute LLC. The largest known Federal Trade Commission fine related to data protection was $15 million, levied on data warehouser ChoicePoint Inc. in 2006 to settle charges that it failed to protect consumers' personal information after the company mistakenly sold information on 163,000 consumers to a ring of identity thieves.
The expenses aren't limited to lawsuits and fines. For most companies, the real expense is the very substantial cost of notifying thousands or millions of affected individuals and providing them with access to a professional call center (knowledgeable in identity theft and credit issues), free credit report and sometimes a free credit-monitoring service.
Notification costs can be expensive, although there are no accurate public data on this issue, but some estimate the cost at $20 per person including the cost of credit monitoring. In the United States, the theft of information on 250,000 customers, therefore, could lead to notification costs of more than $1 million.
Losses such as these are happening on a regular basis, particularly in the United States, where the notification laws are in place. It is anticipated that the European Union will adopt similar notification requirements. With regard to vendors, there has been a pattern of notifications triggered by a lost laptop containing unencrypted PHI or PII, insider employees participating in identity theft, and the mysterious disappearance of files or tapes that were being transferred to a data repository center.
These are significant risks that should not be dismissed lightly, but they can be managed through a combination of vendor due diligence, contractual requirements and insurance. Besides the considerations of price and delivery, customers need to conduct thorough due diligence on higher-risk vendors regarding their security and privacy controls. This due-diligence phase may include on-site audits conducted by the customer or its security representative.
Further, the customer should negotiate with vendors on indemnification, limitation of liability provisions, and warranties and representation not just on performance risk, but on security and confidentiality risk as well.
Finally, customers should require that their vendors have the appropriate insurance to respond to performance failures and security/privacy breaches. Simply asking for "technology errors and omissions" or "professional liability" will not guarantee that the vendor has strong and affirmative coverage for data protection.
Instead, specify the types of risks to be covered, for example identity theft, unauthorized access and use, transmission of malicious code and insiders as perpetrators. The reason is that there is no standardized coverage for data-protection risks within professional liability policies; it can range from none to poor, adequate or superior. Limit requirements should start at $1 million, but be increased based upon the aggregate exposure and operations of the vendor. Any waiver of insurance requirements should be escalated to senior levels and done with thorough consideration, given the risks mentioned above.
As customers cannot rely on the insurance and indemnification provided by their vendors, they should also have their own insurance in place to address their own direct risks and vicarious liability, including the possibility that the vendor becomes insolvent. Traditional commercial general liability or crime insurance will not cover the consequential financial loss associated with data crimes.
In fact, over the last five years, the general liability policy has restricted coverage with respect to Internet activities. Crime coverage was really designed to cover theft of tangible property, money and securities where the perpetrator and the perpetrator's intent were manifest and known.
Traditional insurance is not addressing growing data-protection risks in the age of network-based technology. Fortunately, insurance products have evolved to address data protection risks, commonly called cyberinsurance. The term "cyber" is really a bit of a misnomer as these policies need to address not only a breach in a computer system, but also a lost laptop/personal digital assistant or theft of hard-copy data.
The better policies provide broad coverage for security and privacy liability, including a sublimit for regulatory defense and notification costs. There are a number of insurers that offer policy forms with widely varying scope, claims management approach and exclusions. Clients should consider underwriters who provide strong, affirmative coverage that provides a balanced approach to management of claims and defense.
Coverage should include areas such as breach in confidential employee information, data theft following a theft of a mobile device, insiders as perpetrators and vicarious liability for breach of security by a vendor. The policies should also address privacy violations associated with collection, notice, use, disclosure and correction of personal information about individuals. For global companies, privacy risk is considerably greater in some countries and regions, such as Canada and the European Union.
Some clients are also concerned about the impact of damage to electronic information assets and network interruption caused by computer attacks. Traditional property policies do not address nonphysical loss, either direct or contingent. Network and data coverages address the threats posed by computer attacks and operational mistakes, rather than those from weather-related physical perils.
Some underwriters provide first-party coverage as part of a cyberliability policy and others provide a stand-alone network and data damage first-party coverage. This includes the business-income loss that companies could experience while their network is down and extra expenses incurred to restore the computer network. The policy also addresses restoration and replacement costs of damaged or corrupted data and coverage for special expenses, such as forensic or investigation costs.
An important aspect of the coverage is contingent business interruption if a vendor's computer network is vital to the customer's own operations and revenues. Because cybercrime is a business for some perpetrators, the policy can also cover the ransom demand and expenses associated with cyberextortion. Cyberterrorism can be included as an optional cover.
While cyberinsurance often includes a crisis-management sublimit to assist with expenses to minimize reputational harm, there is an insurance product called "adverse reputational insurance" to cover the potential loss in revenues derived from a defined "negative event," such as a breach in the network security.
In these policies, the overriding trigger is a defined adverse media report or event a company would not want to see reported, such as a privacy breach, service error, disgrace or product recall. This product can pay business-income loss from client attrition following the event for periods from three months to possibly three years, depending on how the cover is put together.
Companies are relying on their vendors more than ever for essential business infrastructure functions and IT services, some of which involve offshore vendors.
While outsourcing is here to stay, it is important that companies understand that, even though they have outsourced the function, the liability risks are there for the hiring customer.
The solutions include vendor management, but also appropriate data-protection insurance to respond to the growing threats and increasing risks from a civil liability and regulatory perspective.
BRIAN BRANNER is a vice president within Lockton's Financial Services Practice in Kansas City, Mo.
EMILY FREEMAN is executive director for technology and media risks at Lockton International in London.
September 1, 2007
Copyright © 2007 LRP Publications