Legal Voice: If There’s a Data Security Breach, Who’s Responsible and Who Pays the Fine?

By Outsourcing Center, Beth Ellyn Rosenthal, Senior Writer

  • Home
  • /
  • Cloud
  • /
  • Cloud Security
  • /
  • Legal Voice: If There’s a Data Security Breach, Who’s Responsible and Who Pays the Fine?

Legal Voice: If There’s a Data Security Breach, Who’s Responsible and Who Pays the Fine?

Data security has become “the number one issue” in outsourcing contract negotiations at his firm, reports John Delaney, partner and co-chairman of the Technology Transaction Group in the New York office of Morrison & Foerster.

For example, say an outsourcing buyer gathers personal data and then shares it with its outsourcing supplier. Then the supplier has a data breach.

Here’s the conflict: Buyers believe outsourcing suppliers should have superior processes and technologies, so they should be responsible for all data security breaches. Buyers feel the supplier is better positioned to deal with these risks.

But suppliers know no system is immune from a data security incident. They want to work with buyers to create a list of things the buyers expect them to do. Then, if they are compliant, they are not responsible if a data breach occurs.

But buyers know they can’t list everything. Contract negotiations try to figure out processes and liabilities to keep both parties happy (or at least equally unhappy).

Why now?

Delaney posits data security has become a contract issue because global data security laws have become tougher with each passing year. U.S. states have been adopting “increasingly strict laws on how to store data,” he reports. Today 44 of the 50 states have enacted breach notification laws. More than 30 states have special rules regarding Social Security numbers. “That impacts every human resources (HR) deal and many other types of sourcing transactions,” he says.

What about transactions that cross borders, since more and more outsourcing deals are global? The European Union and 59 other countries (Australia, Canada, and Japan, to name a few) have strict rules about transferring personally identifiable customer and employee data to other countries; special rules often exist where governments deem the transferee country to have inadequate privacy laws. The United States is on the European Union’s list of countries with inadequate privacy laws.

And data security breaches have become more expensive to remedy. Who bears the cost? And there are other expenses. Is the buyer, supplier, or both responsible for keeping track of the rapidly evolving legal landscape? “Staying on top of these legal developments is extremely expensive and a full-time job,” says Delaney.

Advice for buyers

Delaney says his team counsels buyers (which it typically represents) to set up relationships to minimize the inherent conflict. For example, is it necessary to transfer personal information to the supplier? “Only collect, use, and disclose information that is absolutely necessary to complete a business function,” the lawyer advises. “Only share the absolute minimum.”

In an ADM deal, for example, there is no reason to share real information if it’s just for testing purposes. “Give dummy data to the supplier,” he suggests. On an HR deal, design call center systems so the fewest number of reps can see Social Security numbers. Consider whether you can encrypt or mask sensitive data on the supplier’s systems.

Delaney says buyers need to know the actions the suppliers are taking to protect against rogue employees. Do they have pens and papers at their work stations? What’s the cell phone policy? Does the supplier have a paperless call center?

The attorney has one more piece of advice for buyers: don’t wait until the last days of contract negotiation to discuss this issue. “It’s one of the biggest mistakes you can make in outsourcing contracting today,” observes Delaney.

He describes one negotiation when the parties left the question of data encryption to the final days. When the supplier agreed to do what the buyer asked, the price changed. That single alteration delayed the deal closing as the buyer needed additional time to determine if it wanted to bear the higher cost.

He says request for proposals (RFPs) often fail to adequately address data security issues. This is a mistake especially in global deals, Delaney says. Many business unit leaders don’t think about data security, so they don’t list it as a requirement in their RFPs. The team responsible for the contract needs to remedy this.

Lessons from the Outsourcing Journal:

  • Don’t save data security issues until the final days of contract negotiation. Put these issues up front by including them in the request for proposal.
  • Outsourcing buyers should do due diligence on suppliers that are handling personal data, including checking on their procedures to keep rogue employee behavior to a minimum.
  • Outsourcing buyers should only share sensitive data when absolutely necessary. Use dummy data for testing wherever possible.

John Delaney is a partner at Morrison & Foerster LLP. You can reach him at [email protected].

About the Author: Ben Trowbridge is an accomplished Outsourcing Consultant with extensive experience in outsourcing and managed services. As a former EY Partner and CEO of Alsbridge, he built successful practices in Transformational Outsourcing, BPO, Cybersecurity assessment, IT Outsourcing, and Cybersecurity Sourcing. Throughout his career, Ben has advised a broad range of clients on outsourcing and global business services strategy and transactions. As the current CEO of the Outsourcing Center, he provides invaluable insights and guidance to buyers and managed services executives. Contact him at [email protected].

Let’s talk more

Consult Form

"*" indicates required fields

This field is for validation purposes and should be left unchanged.