
How to write technology outsourcing contracts

Have you decided to outsource services but are afraid the company you outsource to may have a data breach? In this expert response, learn how to write technology outsourcing contracts that designate liability if there's a customer data breach.

We're going to outsource some of our services and want to write a contract that holds our outsourcer liable if there is a data breach. What sort of minimum security requirements should we list in the contract as necessary for the outsourcer to put in place?

The minimum requirements for technology-outsourcing contracts will vary somewhat based on what services you are outsourcing, what data the outsourcer will have access to and what vertical your business is in. Not knowing what you do or what services you are outsourcing, it's hard to give you specific advice. However, a good place to start is the Payment Card Industry Data Security Standard (PCI DSS). While not perfect, PCI DSS provides a great baseline, and as such makes for a great set of minimum requirements.

Rather than just demand PCI DSS compliance, use it as the basis for your requirements and remove the items that are not relevant to your organization. For example, if you aren't outsourcing access to credit card data, you don't need to include provisions that are specific to credit card number encryption or transmission; or, if the outsourcer isn't providing applications to you, you can remove the verbiage around secure development.

Alternatively, you may want to add provisions. For example, if you are outsourcing access to Social Security numbers, you will want to change the language of PCI DSS to address SSNs.


This was last published in June 2009
