Outsourced security: Who pays when things go wrong?

Too many businesses see the cost savings and access to expertise offered by outsourcing security but ignore the issue of liability in the event of service failure.

The liability and exclusions provisions in any outsourced security contract seldom get sufficient scrutiny. Photo: Shutterstock

Despite austerity measures, or perhaps because of them, companies are continuing to outsource business and back-office functions.

With most mainstream services already outsourced, all that's left are the higher level functions, and the new kid on the block is the outsourcing of IT security.

The rationale for outsourcing services and functions is a well-trodden path. Key reasons are to save money, tap into suppliers' expert knowledge and to allow a company to focus on its core business.

However, handing over responsibility for IT security is a big step for a company to take. Corporate reliance on IT is now so fundamental that any business would cease to function if its IT systems or access to its data was severely restricted or removed.

Short-term solutions may be possible but a long outage could be fatal, and nothing can replace lost commercial advantage if key confidential information is corrupted or disclosed to the competition.

Disclosure of confidential information or loss of personal data can also result in regulatory sanctions, including fines under the UK's Data Protection Act - currently limited to £500,000 ($800,000) but which may be increased to two per cent of turnover under proposed EU regulations - or the Financial Services Act.

Despite the risks, for some companies, particularly those without access to the right expertise, outsourcing may result in stronger IT security. Therefore, outsourcing, whether direct or through the cloud, must always be a commercial decision that balances risks and benefits before control of the function is handed to the supplier, always remembering that exiting the relationship is seldom as easy as entering it.

IT security suppliers' view of risks

However, the risks are not one-sided. Suppliers will also have concerns about the nature of the service they are taking on. The weakest link in the security chain is the human element, and the service provider is unlikely to have adequate control over the customer's employees.

Suppliers, and their insurers, will not accept liability for losses over which they do not have adequate control. Equally, customers will have concerns where compensation does not adequately reflect the potential loss.

So who will be liable in the event of a failure of IT security? Establishing the cause of any claim will be of vital importance in determining liability, which will require a careful forensic examination of computer systems.

Inspection of system logs will identify when patches and updates were applied, but those records only tell you so much, because it can be reasonable to delay such processes, for example where applying a patch may have an impact on the availability or operation of systems and applications. Consequently, the supplier will look to the contract to protect itself from liability where possible.

The liability and exclusions provisions are probably the most significant clauses to be discussed in any contract negotiation but seldom get the level of scrutiny that they require.

However, these are provisions that are governed both by statute law under the Unfair Contract Terms Act (UCTA) and by precedent law, with many cases turning on determination of the enforceability of a particular provision.

The courts and commercial contracts

UK courts are generally unwilling to intervene in commercial contracts where the parties have the ability and the opportunity to negotiate the terms of any contract. A series of recent cases such as Air Transworld vs Bombardier [2012], AXA vs Campbell Martin [2011] and Springwell vs JP Navigation [2010] have confirmed that the courts will leave the commercial world to determine what is reasonable.

Furthermore, the courts have also upheld an exclusion clause that the parties considered to be fair and reasonable at the time they agreed the terms of the contract, even though its application gave rise to unexpected consequences - Shared Network Services vs Nextira One [2011].

For some businesses, particularly small and medium-sized ones that may lack some or all the skills, knowledge or capacity to deal with the increasing risk profiles of trading in an internet-connected market, outsourcing will improve their overall IT security.

The ability to demonstrate strong security could even be used as a winning part of the sales pitch. Other businesses will decide that the reward of lower costs is not balanced by the loss of control that an outsourced service implies.

In either case, all businesses will need to base this decision on a careful consideration of the service offering and the consequences of service failure, and that process should include a detailed analysis of the exclusion and limitation of liability provisions under the service contract.

About

Stewart James is a partner in the technology, media and commercial group at law firm DLA Piper's Leeds, UK, office. His areas of expertise include outsourcing and retendering, business process re-engineering, information assurance, data protection, a...