This paper examines the legal doctrine of negligent entrustment as it applies to organizations that outsource data handling and IT operations. It discusses the affirmative duty of care companies owe to protect personally identifiable information even when operations are delegated to third-party vendors, including international back-office providers. The paper reviews relevant regulatory frameworks—including the Sarbanes-Oxley Act (SOX) and HIPAA—and analyzes the internal control risks introduced by large-scale IT outsourcing. It concludes with practical guidance on vendor due diligence, contract requirements, and monitoring practices necessary to mitigate legal exposure.
Negligent entrustment occurs when personally identifiable information is outsourced to an insecure back-office operation (Rustad, 2007). Organizations have an affirmative duty to ensure that data is secure regardless of whether it is handled in-house or outsourced, and regardless of where the outsourcing takes place. Liability centers on the companies that have direct obligations to consumers and businesses, not solely on the outsourced operation itself.
The United States adheres to international standards for the protection of intellectual property, and US companies have an independent duty of care to ensure that third-party back-office operations comply with reasonable data security standards. It is the company's duty to conduct security audits before transmitting sensitive information. Negligent enablement lawsuits seek to hold the handler of information directly liable for facilitating or enabling cybercrime through its own negligence. A US organization that fails to perform security audits on its outsourced operations can therefore be held liable for the negligent acts of those operations.
Depending on the organization's industry, laws such as SOX, HIPAA, and identity theft statutes apply to the US organization. Outsourcing across borders also raises legal issues concerning taxes, labor laws, and safety regulations in the host country (Jones, n.d.). Firms must legally protect information, safeguard the privacy of employees and customers, and protect trade secrets. The firm bears legal responsibility for ensuring that information is protected under all applicable laws, even when that information is outsourced. Companies face significant legal risk if they lack adequate means to ensure that outsourced information is properly safeguarded, so they must maintain a method of monitoring outsourced operations to ensure the ongoing protection of the information itself.
SOX Section 404, Management Assessment of Internal Controls, requires management to assess and report on internal control over financial reporting, and the majority of those controls are embedded in the organization's information systems (Hall, 2007). Additionally, SOX Section 302, Corporate Responsibility for Financial Reports, requires the certifying officers to disclose significant deficiencies in internal controls and any fraud involving those controls, whether material or not. External auditors must also attest to management's assessment of internal controls. Corporate management therefore faces significant risk when outsourcing IT, because the organization remains liable for these controls regardless of whether IT operations are managed in-house or externally.
There are several negative implications associated with IT outsourcing. The ability of top management and directors to monitor financial reporting is diminished to the extent that a firm distances itself from IT operations through large-scale outsourcing. Management tends to lose the ability to understand technology and IT strategy and consequently cannot effectively oversee operations, procedures, and controls. IT outsourcing increases the likelihood that other internal control failures will go undetected. The cost of oversight is likely to escalate given management's responsibility for certifying controls annually. Organizations may also be exposed to large termination fees, and potential problems multiply as outsourcing arrangements grow in scope.
Organizations can still outsource and comply with all applicable laws without incurring sanctions. Planning the project carefully, defining the scope of the engagement, vetting prospective vendors, and ensuring that contracts address liability, performance standards, responsibilities, pricing, and operational requirements are all essential steps in mitigating liability exposure (Chinn, n.d.). There must also be a mechanism for monitoring vendor operations to ensure legal compliance and to maintain adequate control over the information system. HIPAA compliance, for example, requires covered entities and their business associates to maintain appropriate administrative, physical, and technical safeguards regardless of whether functions are performed internally or by a third party.
Chinn, D. (n.d.). Requirements for IT outsourcing. Retrieved from eHow Money:
Hall, J. A. (2007). The Sarbanes-Oxley Act: Implications for large-scale IT outsourcing. Communications of the ACM, 50(3), 95–100.