Generally speaking, an outsourcing customer always had the responsibility to secure its own data, but provisions were inserted into contracts allocating responsibility for the confidential information to which a service provider had access.At that time, outsourcers were willing to take on unlimited financial liability for a breach of confidential data.
"The service provider was on the hook," says Chris Ford, chair of the global sourcing group at the law firm Morrison & Foerster. For other data breaches, there may have been a limitation of liability, typically set at a year's worth of service provider revenue associated with the contract. There were few, if any, special terms or requirements around data security processes.
Then along came federal regulations like Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) along with a swarm of state laws creating new requirements for companies suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.
IT service providers saw the price tag on unlimited liability skyrocket. Potential damages from a data breach vary widely by industry and scope. Forrester estimated that the cost ranged from $90 to $305 per data record in 2007, while last year the Ponemon Institute tagged it at $214 per compromised record. "If you have a large customer base," Ford explained, "the price to comply could be very large."
IBM Reshapes the Liability Paradigm
And so the lawyers got to work. The big U.S. providers like IBM Global Services, HP and Accenture began reexamining their risk profiles and moving aggressively to limit liability. "Providers, led by IBM, pushed back hard," said Shawn Helms, partner in the outsourcing practice of law firm K&L Gates. They began creating secondary caps for certain breach of confidentiality or data protection measures. Those with clients with gigantic customer bases in sectors such as retail, energy or financial services were the most concerned.
"Companies like IBM took a very aggressive approach," said Ford. "The usual limitation on liability -- an amount equal to 12 months of revenue -- was a standard you never had to negotiate. They all became fairly aggressive about limited liability. It was a paradigm shift."
It became common to encounter outsourcing providers capping liability at two or three months of fees, said Robert Finkel, a partner in the corporate practice of the law firm Dewey & LeBoeuf. Meanwhile, most offshore vendors were willing to take on unlimited data security liability to get new business, and many still are, according to Finkel.
But among IBM and others that took a hard line on limited liability, negotiators would sometimes leave the table if the limits on data breach liability were financially unfeasible. "IBM took the corporate position that they were unwilling to assume that level of liability and even walked away from huge deals. Customers were frankly a little stunned," Ford said.
Outsourcing Customers Push Back on Liability
In recent years, however, outsourcing customers have begun to fight back. "Four or five years ago, they were okay with just getting some data breach liability," said Ford. "Now they're saying, 'We need a multiple of [the standard 12 months of fees] limitation.' I've seen a number of deals where it's three or four times that."
Outsourcing customers started demanding that new data security processes be written into their contracts, as well. "Customers understood the risks and started requiring more protection," said Helms. They began "demanding specific data security requirements, such as specific firewall policies, encryption or limited network access to [provider employees]," he said.
IT service buyers are also coming to the table with detailed risk profile assessments that put a real dollar figure on potential data breaches. "Customers are looking at this issue as hard as the service providers and saying, 'I'm handing my data over to you. You're in control of my data. If something goes wrong you need to take responsibility,'" Ford said.
In response, the outsourcing providers began adding very detailed exhibits to their agreements outlining their security obligations.
"In order for the customer to recover under one of these contracts, they have to prove a clear breach of these exhibits. If it's not listed, it's not [the provider's] obligation," Ford said. "It makes the likelihood of the customer recovering much lower."
It doesn't matter that no outsourcing providers or customers have encountered the kind of multi-million dollar data breach they most fear. "There hasn't been any big private case or the government leveraging any huge fines," said Finkel. "But it's inevitable. It will happen. And that's changed things on both sides."
Today, data breach liability "is the most contested provision in outsourcing contracts today," according to Ford. And it's only poised to become more contentious as customers consider cloud computing services.
"Today, this issue is a mess. Customers and providers are not getting closer on this issue, but further apart," Helms said. "As more data moves to the cloud, the allocation of risk is becoming more and more important."
Ford advises outsourcing buyers to push hard for data breach liability in contracts when it makes sense. If a service provider will not have access to confidential customer information, for example, it would be a waste of negotiating power to take a hard line on data security liability. But for those situations where a data breach is a bigger risk, it's important to understand where a provider's limits, and your own, might lie.
"You have to do due diligence and conduct a significant risk assessment as to the real potential liability," Ford said. "There will be a breaking point, but you have to figure that out through hard negotiation, and you have to figure out if that's something you can live with."