The practice of outsourcing information technology and information security projects in order to reduce operational costs is common. Hall and Liedtka (2007) describe the rationale behind outsourcing decisions: “If successful, IT outsourcing allows client-firm management to focus on core business competencies, while the vendor manages the many non-core IT support and compliance functions” (p. 97). Unfortunately, many businesses fail to properly understand and plan for the risks associated with outsourcing. Federal and state laws governing financial accountability and the handling of private data do not, in general, allow liability to be outsourced. As a result, businesses may find that controls have been outsourced, but not liability for the failure of those controls. As Hall and Liedtka explain,
Specifically, large-scale IT outsourcing increases the risk that top management and boards of directors will be unable to fulfill their oversight duties; that firms will employ ineffective internal controls over financial statements; that financial reports will be inaccurate and/or misleading; and that firms will fail to protect shareholder wealth. (p. 97)
Businesses engaging in IT outsourcing may find themselves held liable for actions taken by the contracting firm.
The credit card company Visa USA found itself in exactly this position in 2005. Visa outsourced credit card data processing to CardSystems Solutions. As Rustad and Koenig (2007) explain, “Cybercriminals used a computer virus to gain illegal access to CardSystems Solution’s computer system in order to steal 40 million credit card users’ personal data” (p. 3). When a class action lawsuit was brought against CardSystems Solutions, Visa was also named as a defendant. Outsourcing the card processing operation did not protect Visa from liability for CardSystems Solutions’ mishandling of data that Visa provided. Visa’s defense rests upon the contention, as David Bank reported in his 2005 Wall Street Journal article “Security Breaches of Customers’ Data Trigger Lawsuits,” that “CardSystems Solutions Inc. violated Visa’s standards for holding card data.” However, the class-action allegations against Visa and the dispute over CardSystems Solutions’ contractual obligations could only be resolved through costly legal proceedings that undermined the value of the original outsourcing agreement and further highlight the risks associated with outsourcing. Although the class-action lawsuit was eventually dismissed, Visa incurred significant legal costs and negative publicity as a result of the outsourcing.
Businesses choosing to outsource must ensure that strong controls are in place so that significant risks are avoided. The risks associated with outsourcing can be substantial, and experts believe that the trend toward lawsuits and other risks is increasing. As Rustad and Koenig state, “Unless US companies voluntarily police the security practices of Third World back-office operations, they will face a litigation nightmare over data leakages. The coming wave of negligent entrustment lawsuits threatens the future of the back-office industry throughout the world” (p. 5). Although Rustad and Koenig are discussing global outsourcing, their statements apply to all outsourcing arrangements.
Bank, D. (2005, July 21). Security breaches of customers’ data trigger lawsuits. Wall Street Journal. Retrieved from http://online.wsj.com/article/0,,SB112190567640291593,00.html
Gorla, N., & Mei, B. L. (2010). Will negative experiences impact future IT outsourcing? Journal of Computer Information Systems, 50(3), 91-101. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=49548282&site=ehost-live&scope=site
Hall, J. A., Liedtka, S. L., Gupta, P., Liedtka, J., & Tompkins, S. (2007). The Sarbanes-Oxley Act: Implications for large-scale IT outsourcing. Communications of the ACM, 50(3), 95-100. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=24209679&site=ehost-live&scope=site
Rustad, M. L., & Koenig, T. H. (2007). Negligent entrustment liability for outsourced data. Journal of Internet Law, 10(10), 3-6. Retrieved from http://ezproxy.library.capella.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=24619583&site=ehost-live&scope=site