Are You Ready to Pay for the Sins of Your Contracted Entities?

Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located.  One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information.

Out of a few hundred organizations, I’ve found fewer of them than what I can count on my fingers that accurately knew and had documented all their outsourced entities. Why? There are a wide range of reasons. Some of the most common I’ve heard include:

  • Business units outside of the information security, privacy and acquisitions areas directly contracted outside entities to do some type of service involving the information and did not notify the central corporate office with this information.
  • Some of the outsourced entities were provided with access to information after the relationship was created, and such information possession or access was not initially anticipated.
  • Activities were subcontracted by the outsourced entities (sometimes two, three and even four more levels down!) that the organizations were not aware of, giving many more entities access to their information.
  • Existing outsourced entities were acquired by other organizations, and subsequently a vast amount more of access was provided to others within that new organization to the organizations’ business information beyond what was initially established.
  • Business associates, or other type of contracted entities, that did past work for the organizations still had access to information, even though they are no longer doing work for the organizations.

Not knowing who possesses, or accesses, your information, in any form, is a huge risk not only to the applicable individuals about whom the information applies, but also to your organization, putting your business at great risk of liability for the mistakes or malicious activities of those mystery third parties. 

You cannot outsource your responsibilities

I am still hearing way too many organizations state something very similar to: “We outsourced so we wouldn’t be liable for the security of the information when it is under the care of the outsourced entity.” It simply does not work that way, folks; for many reasons. Here are a couple of high-level reasons.

Reason #1: Laws and regulations establish your responsibilities for outsourced activities

A few of the regulations that contain legal requirements, either directly or implied, for performing business partner security program reviews, which establish responsibility on your part for you to know who your outsourced entities are to begin with, include:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm Leach Bliley Act (GLBA)
  • Sarbanes Oxley (SOX) Act
  • Federal Trade Commission (FTC) Act
  • Fair and Accurate Credit Transactions Act (FACTA)
  • Internal Revenue Code (IRC) Section 7612
  • U.S. state breach notice laws
  • European Union Data Protection Directive 95/46/EC

And the list could go on for several pages. 

Reason #2: Your published policies may obligate your organization to track all contracted entities

Do you know what your organization’s privacy policy and security policy promise? Do you know what the privacy and security notices that are sent to your customers, employees, patients and possibly even general consumers say? Do they say something similar to the following, actual policy statements I’ve seen?

  • We restrict access to personal information to employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations.
  • We do not and will not share your usernames and passwords with anyone.
  • We monitor all activities for potential fraud.
  • We use the highest commercially available encryption from the point in time we collect your personal information until we no longer need your information for business purposes.

If you are making these promises, then you are expected to ensure that all the contracted entities to whom you entrust the information keeps these promises that you made. The promise follows the information. How many of your contracted entities are complying with the promises you’ve made to your customers, patients, employees and consumers? How do you know?

How will you know if your contracted entities are appropriately protecting information if you don’t even know all the entities performing contracted information storage, processing and other types of access? If you don’t even know all your outsourced entities, then you don’t know, and it is likely those many unknown entities are not following your policies; they are breaches and liabilities just waiting to happen. 

Bottom line for all organizations, from the largest to the smallest:  

  1. You probably have business associates, business partners, vendors and other contracted entities that you do not know about.
  2. Your Business Associate Agreement, or any other type of service contract, may be outdated.
  3. You may have business associates, or other types of contracted entities, that did past work for you that may still have access to your data, even though they are no longer doing work for you.
  4. You need to have a business partner / outsourced entity management process in place to be able to track all those that have access to your valuable information, and then to ensure their controls fulfill the security and privacy promises you’ve made, as well as meet your legal information protection obligations.

All organizations need to identify and document all the outsourced and contracted entities that possess or otherwise access their information, in all forms. After identifying them, make sure that they have appropriate controls in place, and then establish an oversight method so you can demonstrate due diligence. Then, in the event they have some type of security incident and/or a privacy breach, you will have documented evidence that you did all you could to ensure all hands secured the information appropriately, and you also will have limited your liability as much as possible.

Additional information about tracking contracted entities

Here are some additional sources of information related to outsourced entity oversight:


This post was written as part of the IBM for Midsize Business ( program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.


Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply