Dan Berthiaume
Like any other contractually obligated service providers, ITO providers carry an inherent risk of being sued for breach of contract. However, recent trends in outsourcing contracts have placed an increasing amount of risk on the shoulders of the service provider. 
Fortunately, as outlined in a recent white paper from global insurance broker Lockton and international insurance carrier AIG, there are steps ITO providers can take to minimize their exposure to the growing variety of legal risks they face. The report divides common causes of legal risks for ITO providers into two broad categories: Service Errors and Data Security/Privacy. A brief review of recommended strategies to reduce exposure in both areas may prove helpful for ITO providers who are simply trying to assist their clients and meet contractual obligations.
Minimizing Service Error Risk
The report states major service errors are typically associated with ITO, as opposed to BPO, often resulting from performance failures in large, complex ERP or CRM software implementations. In any event, following are recommendations for ITO providers to avoid generating risk from three common service error-related issues.
Failures of Third-Party Suppliers and Contractors – ITO providers often use third-party subcontractors to help supplement specific points in the larger solution or service being offered, but this decreases direct control of how the contract is executed and increases risk of service error. As ITO providers are legally responsible for subcontractor performance (or lack thereof), they should make sure all subcontractors are familiar with all contractual obligations and perform rigorous subcontractor vetting and auditing.
Legacy Issues through Acquisitions – Many ITO providers have grown through acquisitions, and often inherit longer-term contracts as a result of purchasing the assets of other providers. Since these providers (especially if they were smaller-sized organizations) may have structured contracts in a way that creates unnecessary risk exposure or have created error-prone service delivery systems, ITO providers need to include contract analysis, insurance history and possibly interviews with clients as part of due diligence.
Undocumented Work – While ITO providers will often start work before a contract is fully drafted and signed, this practice can create serious exposure to legal action. ITO providers should always wait until a contract is officially written and signed before starting work, or at least have a binding letter of intent covering the scope and expectations of work performed before the contract is official.
Protecting Client Data Security and Privacy
Outsourcing IT functions inescapably raises the risk of client data security and privacy breaches, which are a prime cause of ITO lawsuits. ITO providers can take a few basic steps to maximize client data security and privacy.
Human Error and Preventable Loss – Simple human error and lapses in network security are by far the leading causes of data security/privacy breaches. Steps such as data encryption, firmly enforced policies that require unique, complicated user passwords, securing wireless connections on virtual private networks, and installation/updating of antivirus software from reputable, well-established vendors
Software Design, Development and Testing – ITO providers involved in software design, development and testing may be liable for errors and flaws in these activities. This risk is heightened for software used in highly regulated industries such as financial services and healthcare. Awareness of the potential exposure posed by faulty software services which leads to careful oversight of design, development and testing, including thorough review of all functionality and potential flaws before delivery to the client, is the best preventative strategy.
Global Virtual Unrest – Hackers are no longer merely traditional criminals plying their trade in cyberspace. Nation-states, terrorist groups, sociopolitical activists, and corporations engaging in industrial espionage and sabotage are all increasingly involved in data security and privacy breaches. ITO providers need to keep abreast of all global developments that may prompt a hacking attack on their clients, especially if clients are engaged in any type of controversial, international or classified activity. Specialized security and employee training may be needed to counteract some of these threats.
