Outsourcing stakeholders should check out Deloitte's 2014 Global Outsourcing and Insourcing Survey. The survey results highlight what the future may hold for companies across several business functions and provide “insight into client executives' plans and perceptions related to the outsourcing industry.”

The Payment Card Industry (PCI) Security Standards Council recently published new guidance supporting PCI Data Security Standard 3.0 (PCI DSS 3.0). This guidance was released to help merchants reduce the risk of compromising payment card data when engaging third parties as service providers (e.g., call centers and e-commerce payment providers). The guidance provides a series of payment security best practices to use when engaging service providers and is designed to help merchants and their service providers better understand their respective roles and responsibilities in securing and protecting payment card data.

As outsourcing service providers and customers become more mature, a larger number of customers are relying on multiple service providers for services that were traditionally provided by one provider as part of a larger outsourcing transaction. Although multi-sourced environments are on the rise, they are not without issues or concerns. Before implementing a multi-sourcing strategy, customers should be careful to address certain key issues during the negotiation of each new outsourcing relationship.

With facilities management outsourcing on the rise, we are seeing an increase in inquiries from customers about how to contract for these services. One question inevitably raised is, "What are the issues unique to facilities management outsourcing?"—i.e., the issues that you would not see in other business process outsourcing (BPO) transactions. Although, for the most part, the contractual framework and issues are similar across BPO transactions, the very nature of facilities management services requires the customer to consider certain additional issues and to heighten the focus on existing issues.

A recent article in CIO magazine highlights the potential security risks posed by using USB thumb drives. The premise of the article—that the firmware in these devices is generally not protected and can be replaced with malware that can infect your systems—sends chills down the spine of the risk-averse lawyers and sourcing professionals involved in negotiating IT services contracts and associated security requirements.

The National Institute of Standards and Technology (NIST), the government agency charged with promoting U.S. innovation and industrial competitiveness by advancing technology, recently published a list of 65 forensic challenges associated with cloud-based environments. These challenges range from standard business practices to technological architecture and include the following:

Gone are the days when parental consent meant a signed permission slip—in the realm of data collection from children through the Web, parental consent takes on a whole new look. The Children’s Online Privacy Protection Act (COPPA)—which restricts the collection, use, and disclosure of certain personal information from children under the age of 13 by operators of commercial websites or online services (including mobile applications)—generally requires that the operator obtain a parent’s “verifiable parental consent” prior to collecting such information. Recent updates to the Federal Trade Commission’s (FTC’s) guidance on COPPA added some clarity to the scope of this necessary parental consent.

The UK’s Financial Conduct Authority (FCA) recently published a nonexhaustive checklist of questions for regulated firms to consider when outsourcing critical information technology (IT) services. This comprehensive approach of good vendor procurement and risk management practices is similar to the guidance provided by the U.S. Office of the Comptroller of the Currency.

With privacy and security obligations consuming more and more attention during contract negotiations, open-source issues seem almost an afterthought. Once the darling of doomsayers and CLE workshops, open source is not at the top of everyone’s deal-breaker list anymore. But what open-source issues should customers think about in today’s environment?

Back in the good ol’ days, a customer could reasonably add a representation to a software or development agreement that promised “no open-source materials will be provided in the work product/software.” Those days are long gone because nearly every product incorporates open source. It seems that every vendor has a list of open-source software that is incorporated into its products and is more than eager to share the list with customers.

It was recently reported that thousands of websites—including—have been using advanced persistent tracking mechanisms unbeknownst to visitors and potentially in violation of the sites’ own privacy policies.

One such website-visitation tracking mechanism—canvas fingerprinting—secretly extracts a persistent, long-term fingerprint that is much harder for visitors to block or opt out of than cookies. The White House’s privacy policy specifically mentions its use of cookies, but not canvas fingerprinting. It also provides a link to a detailed explanation of the types of cookies it employs, how third-party providers analyze the collected data, and how visitors can manage their browser settings.