Corporations can realize significant savings by contracting for offshore technology assistance, but you must ensure that the associated risks do not outweigh the savings.
A Missouri complaint that was recently filed provides a cautionary tale. While this case is in its infancy and the facts from the complaint remain allegations, it highlights the risks involved with this type of offshoring. The Plaintiff, Maritz Holdings, manages and operates rewards programs for its clients, including the provision of eGift cards through vendors like Target, Amazon, and Apple (iTunes), and it contracted with Cognizant Technology Solutions to provide offshore services in India according to an Offshore Contracting Master Services Agreement. See Maritz Holdings, Inc. v. Cognizant Tech. Solutions U.S. Corp., Case No. 4:18-cv-00826, (E.D. Mo. 2018) (Dkt. No. 1). Under this Agreement, Cognizant was required to restrict the use and disclosure of Maritz’s confidential information and immediately notify Maritz of any security breaches, including potential breaches. See id. at 3-4. During the term of this Agreement, perpetrators improperly redeemed $12M in eGift cards through multiple cyber-attacks on Maritz and/or Cognizant, which resulted in major losses to Maritz. See id. While this fraudulent scheme focused on eGift cards, theft of intellectual property, improper access of customer data, fraudulent wire payments, and other attacks can be lucrative for cyber-criminals. An offshore vendor may offer the path of least resistance to the crown jewels of the corporation.
The dust is still settling in this case, but the complaint alleges that Cognizant deserves at least some of the blame. Maritz is understandably looking to shift at least some of these massive losses to Cognizant, but without a full investigation into Cognizant’s role in the breach, it can be difficult to assign liability and successfully recover the losses. As you can imagine, once the breach is discovered, the technology vendor has an incentive to hide the cause of the breach and slant the investigation in its favor. Further, the legal options for discovering the necessary information from a foreign company can be limited, especially if a U.S. company is not a signatory to the agreement. These dynamics can make a $10M cyber event a tough pill to swallow.
These risks should not prevent you from using offshore talent and benefiting from the corresponding savings, but we recommend evaluating the following considerations before doing so. There is no silver bullet to prevent a cyber event or to recover losses from a vendor after a theft or a cyber event, but a few precautions can go a long way.
- Retain Control – When possible, inspect the software and systems used by the technology vendor to ensure that they meet established security requirements. Try to retain control of access to your offshore data center, website, data management system, or company network. This ensures that any foreign workers must abide by the same security protocols that have been established at your company to protect against these types of cyber-attacks.
- Security Review – Undertake a security review with the technology vendor to identify any weaknesses in its security policies. The review should be commensurate with the risks involved and focus not only on the security policy, but also the implementation of that policy.
- Protection of Intellectual Property – Perform an audit to determine what types of intellectual property (e.g., inventions, trade secrets, customer data, financial information) may be exposed to the technology vendor. Because much of this intellectual property can be quickly exploited by the vendor, a cyber-criminal, or even a competitor, it is crucial to control and manage access to this type of information. This is a significant risk that must be evaluated from the outset of the relationship, since it can be difficult to investigate and prosecute intellectual property theft in foreign countries.
- Agreement – Enter into an agreement with the technology vendor to mitigate these risks. Indemnification provisions, insurance requirements (including cyber insurance), venue provisions identifying a jurisdiction that can adjudicate a dispute between the parties, and breach notification provisions should be mandatory in these types of agreements. Since your company will likely be on the hook for a security breach, you must carefully consider these provisions. We also recommend requiring notification if the technology partner uses offshore talent on your systems. You never want to be in the dark about the individuals who have access to the crown jewels of the corporation.
RegitzMauck PLLC is an intellectual property boutique based in Dallas, Texas. The firm focuses on providing value-based legal services to cost-conscious clients seeking high-quality legal representation in intellectual property, cybersecurity, and data privacy matters and disputes.