IT Service Providers and Customers Battle Over Data Breaches
IT outsourcing providers and their customers are fighting hard over data security liability limits at the negotiating table, and the issue is going to get more contentious in the cloud.
Fri, March 09, 2012
CIO — There is no shortage of contentious contractual issues when inking an IT outsourcing deal, but one in particular has both providers and customers taking a hard line today: liability for data breaches.
At one time, data security liability was a relatively straightforward issue. Generally speaking, an outsourcing customer always had the responsibility to secure its own data, but provisions were inserted into contracts allocating responsibility for the confidential information to which a service provider had access. At that time, outsourcers were willing to take on unlimited financial liability for a breach of confidential data.
"The service provider was on the hook," says Chris Ford, chair of the global sourcing group at the law firm Morrison & Foerster. For other data breaches, there may have been a limitation of liability, typically set at a year's worth of service provider revenue associated with the contract. There were few, if any, special terms or requirements around data security processes.
Then along came federal regulations like Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) along with a swarm of state laws creating new requirements for companies suffering a data breach, including customer notification and damage mitigation provisions, such as mandatory credit monitoring and fraud protection for affected customers.
IT service providers saw the price tag on unlimited liability skyrocket. Potential damages from a data breach vary widely by industry and scope. Forrester estimated that the cost ranged from $90 to $305 per data record in 2007, while last year the Ponemon Institute tagged it at $214 per compromised record. "If you have a large customer base," Ford explained, "the price to comply could be very large."
IBM Reshapes the Liability Paradigm
And so the lawyers got to work. The big U.S. providers like IBM Global Services, HP and Accenture began reexamining their risk profiles and moving aggressively to limit liability. "Providers, led by IBM, pushed back hard," said Shawn Helms, partner in the outsourcing practice of law firm K&L Gates. They began creating secondary caps for certain breach of confidentiality or data protection measures. Those with clients with gigantic customer bases in sectors such as retail, energy or financial services were the most concerned.
"Companies like IBM took a very aggressive approach," said Ford. "The usual limitation on liability -- an amount equal to 12 months of revenue -- was a standard you never had to negotiate. They all became fairly aggressive about limited liability. It was a paradigm shift."