Legal Voice: If There’s a Data Security Breach, Who’s Responsible and Who Pays the Fine?

Data security has become “the number one issue” in outsourcing contract negotiations at his firm, reports John Delaney, partner and co-chairman of the Technology Transaction Group in the New York office of Morrison & Foerster.

For example, say an outsourcing buyer gathers personal data and then shares it with its outsourcing supplier. Then the supplier has a data breach.

Here’s the conflict: Buyers believe outsourcing suppliers should have superior processes and technologies, so they should be responsible for all data security breaches. Buyers feel the supplier is better positioned to deal with these risks.

But suppliers know no system is immune from a data security incident. They want to work with buyers to create a list of things the buyers expect them to do. Then, if they are compliant, they are not responsible if a data breach occurs.

But buyers know they can’t list everything. Contract negotiations try to figure out processes and liabilities to keep both parties happy (or at least equally unhappy).

Why now?

Delaney posits that data security has become a contract issue because global data security laws have become tougher with each passing year. U.S. states have been adopting “increasingly strict laws on how to store data,” he reports. Today 44 of the 50 states have enacted breach notification laws. More than 30 states have special rules regarding Social Security numbers. “That impacts every human resources (HR) deal and many other types of sourcing transactions,” he says.

What about transactions that cross borders, since more and more outsourcing deals are global? The European Union and 59 other countries (Australia, Canada, and Japan, to name a few) have strict rules about transferring personally identifiable customer and employee data to other countries; special rules often exist where governments deem the transferee country to have inadequate privacy laws. The United States is on the European Union’s list of countries with inadequate privacy laws.

And data security breaches have become more expensive to remedy. Who bears the cost? The breach itself is not the only expense: is the buyer, the supplier, or both responsible for keeping track of the rapidly evolving legal landscape? “Staying on top of these legal developments is extremely expensive and a full-time job,” says Delaney.

Advice for buyers

Delaney says his team counsels buyers (which it typically represents) to set up relationships to minimize the inherent conflict. For example, is it necessary to transfer personal information to the supplier? “Only collect, use, and disclose information that is absolutely necessary to complete a business function,” the lawyer advises. “Only share the absolute minimum.”

In an ADM deal, for example, there is no reason to share real information if it’s just for testing purposes. “Give dummy data to the supplier,” he suggests. On an HR deal, design call center systems so that as few reps as possible can see Social Security numbers. Consider whether you can encrypt or mask sensitive data on the supplier’s systems.
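The three controls in this paragraph (share only dummy data for testing, let as few people as possible see full Social Security numbers, mask what must be shared) can be enforced in code before a record ever leaves the buyer's environment. The example below is added here and is not code from the article, from Delaney, or from Morrison & Foerster; the field names, the sample record and the use of keyed HMAC tokens for pseudonymization are this example's own assumptions, chosen so that the supplier can still join records within one dataset without being able to recover the original identifiers.

```python
import hashlib
import hmac
import random
import re
from typing import Dict, List

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def is_well_formed_ssn(ssn: str) -> bool:
    """Shape check only (NNN-NN-NNNN); it does not prove the number was ever issued."""
    return bool(SSN_RE.match(ssn))


def mask_ssn(ssn: str) -> str:
    """Keep the last four digits, which most HR workflows need, and blank the rest."""
    if not is_well_formed_ssn(ssn):
        raise ValueError("not a well-formed SSN")
    return "***-**-" + ssn[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256, truncated to 16 hex chars).

    The same input maps to the same token inside one dataset, so joins still work,
    but the supplier cannot reverse it and cannot link it to tokens made under a
    different key (use a fresh key per engagement).
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def prepare_supplier_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Build the minimal copy of an HR record to hand to a supplier.

    Fields are allow-listed: anything not named here (salary, home address, ...)
    is dropped rather than copied through by default.
    """
    return {
        "employee_id": pseudonymize(record["employee_id"], key),
        "ssn": mask_ssn(record["ssn"]),
        "email": pseudonymize(record["email"], key) + "@example.invalid",
        "department": record["department"],  # non-identifying, needed to test routing
    }


def synthetic_hr_records(count: int, seed: int = 0) -> List[Dict[str, str]]:
    """Dummy records for test environments.

    The SSA has never issued SSNs whose first three digits (the area number) are
    900-999, so these can never collide with a real person's number.
    """
    rng = random.Random(seed)  # fixed seed so test fixtures are reproducible
    records = []
    for i in range(count):
        ssn = f"{rng.randint(900, 999)}-{rng.randint(10, 99)}-{rng.randint(1, 9999):04d}"
        records.append({
            "employee_id": f"TEST-{i:05d}",
            "ssn": ssn,
            "email": f"test{i}@example.invalid",
            "department": rng.choice(["Payroll", "Benefits", "Recruiting"]),
        })
    return records


if __name__ == "__main__":
    # Constructed sample record, not real data.
    key = b"rotate-me-per-engagement"
    real = {"employee_id": "E100", "ssn": "123-45-6789", "email": "jane@corp.example",
            "department": "Payroll", "salary": "90000"}
    print(prepare_supplier_record(real, key))
    print(synthetic_hr_records(2))
```

The allow-list in `prepare_supplier_record` is the point: a default-deny copy means a newly added HR column (salary, bank details) is not silently forwarded to the supplier just because it appeared in the source record. For pure test environments, `synthetic_hr_records` avoids the question entirely, which is the article's first preference.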

Delaney says buyers need to know the actions the suppliers are taking to protect against rogue employees. Do they have pens and papers at their work stations? What’s the cell phone policy? Does the supplier have a paperless call center?

The attorney has one more piece of advice for buyers: don’t wait until the last days of contract negotiation to discuss this issue. “It’s one of the biggest mistakes you can make in outsourcing contracting today,” observes Delaney.

He describes one negotiation in which the parties left the question of data encryption to the final days. When the supplier agreed to do what the buyer asked, the price changed. That single alteration delayed the deal closing, as the buyer needed additional time to determine whether it wanted to bear the higher cost.

He says requests for proposal (RFPs) often fail to adequately address data security issues. This is a mistake, especially in global deals, Delaney says. Many business unit leaders don’t think about data security, so they don’t list it as a requirement in their RFPs. The team responsible for the contract needs to remedy this.

Lessons from the Outsourcing Journal:

  • Don’t save data security issues until the final days of contract negotiation. Put these issues up front by including them in the request for proposal.
  • Outsourcing buyers should do due diligence on suppliers that are handling personal data, including checking on their procedures to keep rogue employee behavior to a minimum.
  • Outsourcing buyers should only share sensitive data when absolutely necessary. Use dummy data for testing wherever possible.

John Delaney is a partner at Morrison & Foerster LLP. You can reach him at [email protected].