In information security, many customers are now shifting their focus from getting their own house in order to making sure that their suppliers' houses are in order. Employee and customer data, as well as other valuable information obtained through sourcing, is in the hands of these suppliers. Outsourcing agreements provide the means to protect that information, but many lack key provisions.
What Is Information Security?
Information security means:
Why Is Information Security Important?
Suppliers today need to protect both their own information and other people's information. A supplier's own information might include its financial information, proprietary methods for creating and delivering its products, customer lists, or business plans. Other people's information might include licensed software and personally identifiable information (such as employee or customer records).
This is not merely a matter of competitive advantage. A supplier that discloses financial information or releases maliciously modified financial information could be liable under the securities laws. A supplier that discloses licensed software could be liable under the software license agreement, trade secret laws, and copyright laws. A supplier that discloses information about, for example, a person's financial status, health condition or employment could be liable under privacy laws.
These types of regulatory, legal, statutory and contractual requirements are not limited to actions by a supplier. A customer can be liable for information security breaches by suppliers, and, of course, a customer suffers equally if its own information is disclosed by its own people or by a supplier's people.
How Do You Assess A Supplier's Level Of Information Security?
Information security should be on the due diligence list for every supplier you review. However, it is difficult to find a clear metric for security. For example, one cannot determine the number of attacks that were discouraged or the number of disgruntled employees who decided not to attack because of strong information security. Thus, suppliers might consider the following indicators of good security:
Potential customers should also inquire as to whether the supplier performs services under the legal controls that affect the customer. For example, health care institutions in the U.S. are affected by the HIPAA (Health Insurance Portability and Accountability Act) privacy regulations. These are dense and difficult to comply with. As a result, if the prospective supplier is not already complying with the HIPAA privacy regulations, the customer should seek assurances that the supplier is willing and able to comply.
What Do You Put In The Contract?
Outsourcing agreements should include covenants requiring information security. For example, the supplier should agree to:
Of course, these are merely examples. Different provisions will be appropriate in different types of outsourcing transactions.
Lessons from the Outsourcing Journal:
For more information about Outsourcing Center, visit www.outsourcing-journal.com.
(Reprinted from the March 2002 Issue of Outsourcing Journal. www.outsourcing-journal.com)