


The trouble with subcontractors

Mar 12, 2007 (3 min read)
Data and Information Security, IT Leadership

Recently, I have had some rather heated discussions with a variety of people regarding subcontractors.  Specifically, I’m talking about a business entering into a transaction with a vendor in which the business’ most sensitive data, including personally identifiable customer data, would be entrusted to the vendor.  The issue is “what happens if the vendor decides to hand off that information to a subcontractor – even subcontractors in another country?” 

There are two schools of thought.  In one school, we have the people that say “I don’t care who they subcontract to as long as we have a strong contract with the original vendor.”  The other school holds that subcontracting, particularly offshoring, must be strictly controlled and appropriate due diligence performed on any subcontractors who will have possession of sensitive data.  I place myself firmly in the second school.  I do not believe it is enough to have a good contract with the original vendor.  It does no good to be able to sue that vendor when a data compromise occurs involving a subcontractor who had poor security practices.  We don’t want data compromises in the first place and that means ensuring everyone who has contact with the data has appropriate security measures in place.  You can’t achieve that level of protection if you don’t know who has your data or even where your data is located. 

If we look to the financial services industry for guidance, the FFIEC’s Information Technology Examination Handbook addresses this point directly. Under the subsection on Contract Issues, the Handbook provides as follows:

Some service providers may contract with third parties in providing the services to the financial institution.  Institutions should be aware of and approve all subcontracts.

I completely agree.  Relying only on due diligence conducted on the original vendor is useless when that vendor subcontracts performance to a business that may have very different information security practices, may be financially unstable (ever tried to get data back from a vendor that has filed for bankruptcy protection? It’s nearly impossible), or may be located offshore, where information security practices and related laws may fall far short of those in the United States.

I firmly believe that current practices in information security, and the requirements imposed by regulators such as the FTC and those in the financial services industry, require businesses to take care in entering into contracts in which the original vendor has broad subcontracting rights.  I am not saying that subcontracting must be prohibited.  What I am saying is that subcontracting must be controlled and the business permitted a reasonable opportunity to conduct due diligence on any proposed subcontractors.  Businesses that fail to exercise this degree of care may find themselves answering some very hard questions from their customers, regulators, and shareholders in the event of a data compromise at a subcontractor over which the business conducted no due diligence and, worse yet, of whose existence it was not even aware.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
