When customers sign a contract with a service provider that will be holding the customer's confidential data (for example, the customer's business records, human resources data, personally identifiable information, protected health information, payroll data), in addition to laying out the service provider's responsibility for protecting the data, customers focus on restrictions allowing the customer to audit and confirm over the life of the contact that its data is being stored and maintained securely and appropriately by the service provider.
However, everyone (including service providers) seems to be outsourcing or subcontracting today. Customers must be vigilant about ensuring that their service contracts allow them not only to review, audit and confirm that their service provider is maintaining their data appropriately, but also that the customer can track and audit any customer data held by their service providers' subcontractors (and those subcontractors' subcontractors, and so on).
Service providers today frequently partner with subcontractors to provide discrete portions of their suite of services - sometimes those subcontracted services are (arguably) "not material" to the overall scope of the services provided, while sometimes those subcontracted services are mission-critical.
the service provider that partners with a disaster recovery subcontractor, rather than provide disaster recovery services itself;
the data hosting provider that elects not to store backup tapes itself, but to utilize an off-site records management and storage subcontractor; and
the service provider that hosts and utilizes mission critical third party software to provide services to a customer, but decides to utilize a data center or hosting subcontractor (rather than host the software itself).
In all of the examples above, the customer's data (disaster recovery tapes, back-up tapes or data, or data stored within third party software) could be held by the downstream subcontractor, but the customer would have no direct contract with the subcontractor.
What if the data is held by the third party subcontractor, and the customer's auditors wish to confirm the security of the data? What if government inspectors or regulators ask to review the data? What if one of the customer's clients exercises its contractual rights to audit the systems used to keep that data secure? In all of these cases, the specific right to audit that data (and the security of the data) does not lie within the contract terms of the customer's agreement with its primary subcontractor, but instead within the terms of a downstream contract between the service provider and its subcontractor.
How does a customer ensure that it has the ability to maintain control over that data? In some ways, this can be as easy as adding language into a customer contract prohibiting service providers from subcontracting without the customer's prior permission. But as we noted above, service providers are frequently partnering with subcontractors to provide portions of a suite of services that are not within their skills sets (or outside of their "sweet spot"). A blanket prohibition on subcontracting may not be realistic, if a customer desires to contract with a particular service provider that must subcontract a portion of the services.
There are several protections a customer can consider including in its service provider contracts to address these issues:
the right for the customer to audit or assess the security provided by a proposed downstream subcontractor, before the service provider is allowed to send the customer's data or information to that subcontractor (i.e., a site assessment);
contractual guarantees that the service provider will include, within its downstream contracts with its subcontractors, protections allowing the customer to access and audit any of the customer's data and information held by the subcontractor (and remediate any deficiencies identified during an audit);
the right to force the service provider to no longer use a subcontractor, if problems or deficiencies are later identified with respect to the subcontractor; and
express language making clear that these protections apply to all further downstream subcontracts: not just the subcontractors of the customer's service provider (which is, thus, 2 rungs removed from the customer) but also the subcontractors of those subcontractors (3 rungs removed from the customer), and so on.
Customers may want to bulk up the contractual guarantees described in the second bullet directly above, including requiring service providers to represent and warrant that they will have such protections in their subcontractor agreements. And customers also may want to think about what the consequences would be if the customer exercises its rights described in the third bulleted item above, to have the service provider quit using a particular subcontractor: (i) who pays for identifying and contracting with the replacement subcontractor? (ii) how quickly must the alternate subcontractor be identified and put into place? (iii) what if an alternate subcontractor cannot be identified in a timely basis? One final consideration. There are numerous customers who have contractual protections prohibiting their service provider from subcontracting (or allowing subcontracts only with the customer's permission), who discover several years into their relationship that the service provider has indeed subcontracted a portion of the services in violation of the agreement. It might not be an intentional breach of the contract restrictions - the service provider may not have remembered that it was required to seek the customer's permission, or perhaps the service provider is required to seek permission only for "material" subcontracts and there is disagreement as to whether or not a particular subcontract was or was not material. Given that a customer could look up one day and realize that an unexpected subcontractor is supporting the delivery of the services, customers should make sure that the contractual protections discussed above apply to any of the service provider's subcontractors that provides services that affect the customer's data or information, not simply subcontractors that have been approved by the customer.