Economic pressures on U.S. companies are forcing many to send unprecedented amounts of technology work to low-cost service providers overseas. Civil and international conflict combined with the pervasive threat of terrorism, however, raises three new areas where managers and lawyers must focus their attention: security, disaster recovery and privacy.
Employees that the client may never meet will have access to valuable and sensitive data, which is useful to hackers and terrorists.
- Consider requiring the vendor to perform a third-party background check on any employee who will work on the client’s account.
- Retain audit rights to confirm compliance.
- Restrict the office space and hardware where the client’s work is performed to those authorized employees and client’s data. Other companies’ data should not mix with the client’s information.
In the event of a political crisis, such as the outbreak of war in the vendor’s country, agreements should provide for disaster recovery measures. The vendor should be able to provide multiple sites to work from and a plan to move people, software, databases and network connectivity from one secure hardware environment to another.
- Require production by the vendor of a disaster recovery plan before the agreement is signed. Have the client’s technical team review the plan.
- Tie the disaster recovery plan into the force majeure clause. If the vendor is unable to perform due to a force majeure event, the vendor should be obligated to then switch to the disaster recovery site to provide services.
- Allow for a termination by the client in the event the vendor can’t comply with the disaster recovery plan within a certain period of time.
Finally, privacy issues come under increasingly tight scrutiny as more countries grow concerned about where data on individuals is going in a worldwide economy. Yet many companies are outsourcing database management and customer services functions to off-shore service providers. That means a lot of customers’ personally identifiable information resides on servers in foreign countries.
- Meet with the managers of the system being outsourced and find out what kind of data is processed and stored and consult legal counsel to see if it is covered by U.S. or international laws.
- Discuss the legal issues which arise as a result of the nature and location of the data. Compliance may be required with U.S. laws such as Graham-Leech-Bliley or HIPAA, or international laws such as the EU Directive or Canada’s Personal Information Protection and Electronic Documents Act.
- Have the technical team review the vendor’s security measures to confirm it has taken commercially reasonable measures using the latest available technology to protect the databases.
- Require an indemnity and that the vendor defend the client in the event a security breach occurs and a third-party suit against the client arises.
Technology services are more global today than ever, but so is the threat to the security of the technology environment. If a company is going to put its technology management into someone else’s hands, it’s critical to make sure they are trusted hands.