Originally appeared in Kaye Scholer’s Fall 2016 Consumer Products: Adapting to Innovation Report.
When millions of customers can be affected by large-scale data breaches at national retailers, and major airlines can be literally ground to a halt when technology fails, the increasing dependency of companies across the economy on technology is apparent to everyone. Significantly less apparent, however, is the degree to which companies rely on third-party service providers to supply the technological infrastructure on which they depend, and the legal responsibilities such reliance creates.
Rewards and Risks of Relying on Technology Service Providers
If you are the person tasked with solving the issues that erupt when technology fails at your company, you would most likely be getting on a conference bridge with representatives from a number of technology service providers rather than dealing with corporate headquarters. Technology service providers support the technology infrastructure for most companies in this country and, consequently, can be at the root of many of the technology crises your business faces today.
There are many commercial reasons to rely on third-party providers, not the least of which is that a company will get to market faster and save resources. In many circumstances, it makes more business sense to find a service provider specializing in a particular technology than to build the same thing in-house, which could take years and come at great cost to the company. Precisely because companies often use service providers to attain unfamiliar technical expertise, they often feel a great sense of relief that someone else is “handling it,” and remove themselves from the details. In doing so, companies often miss the fact that although a third party is now “handling it,” they themselves are still on the hook to comply with applicable laws and all of their existing contracts affected by the service provider’s activities.
In fact, multiple contracts and legal requirements can even govern one single activity performed by a technology service provider, and can create a legal compliance challenge. In the payments space, merchants outsource the processing of credit card payment transactions to “merchant acquirers” and/or payment processors, often believing that once outsourced, the obligations required to process credit card transactions are no longer their responsibility. Merchants are often unaware that they may have other legal obligations that limit or are affected by the acquirer’s or processor’s activities.
For example, the merchant’s agreements with credit card issuers and its required adherence to credit card network rules are all necessary to complete a credit card transaction. These agreements and rules all require merchants to adhere to the most recent version of the credit card networks’ security standards, the Payment Card Industry Data Security Standards (PCI DSS), to process or transmit credit card data related to payment transactions. While the merchant may think it will comply with its multiple obligations to be PCI DSS compliant because its acquirer and/or payment processor will comply with PCI DSS on its behalf, the agreements with the acquirer and/or payment processor generally also require the merchant to comply with PCI DSS.
Some acquirers and payment processors will guide you in ways that help ensure that you can rely on their systems to make your online payment experiences PCI compliant. However, not all are willing to do this, and even those that do will not take this obligation out of their agreements with you. If their system is not PCI compliant, yours cannot be either, and you are, somewhat oddly, in breach of your agreement with the acquirer or payment processor. In essence, these companies want to try their best to make sure you share in the liability in case their compliance fails. This risk can really only be mitigated by practical measures such as verifying the acquirer’s or payment processor’s compliance with certain requirements of PCI DSS through various levels of audits and reporting. Otherwise, the merchant risks breaching its other agreements required for payment transactions, possibly resulting in contract terminations, breach of contract claims and/or the inability to offer certain payment methods.
Managing Your Technology Infrastructure Obligations
Merchants outsourcing credit card processing is just one example of how the technology infrastructure of many companies can often be supported by a rather byzantine set of contracts and/or applicable laws. So how does a company get a handle on the panoply of legal obligations that it has in connection with its technology infrastructure? At a minimum, there are three steps:
- Synthesize all of the relevant contracts supporting the technology infrastructure (including the service provider agreements supporting the business), with the laws, rules, regulations and regulatory guidance applicable to the company’s and the service providers’ activities;
- After you have determined the scope of the company’s legal obligations, ensure that the service provider contracts contain the “right” contractual obligations. These include requirements derived from applicable laws, specific regulatory expectations of the company in the form of contractual provisions and pass-through obligations and indemnities from the company’s contracts that are affected by the service provider activities. All of these terms should be moved into the service provider agreements to ensure legal compliance for the company; and
- Implement policies and practices, to the extent possible, to address any gaps and mitigate risks if service provider contracts do not have the necessary obligations, such as renegotiating the contracts and/or increasing service provider oversight.
Beyond these contractual issues there are other measures to be implemented by your company to ensure ongoing compliance with laws and contractual obligations and to mitigate legal risks. But ongoing compliance is impossible without first laying the foundation of your company’s obligations. It is critical to find technology service providers to support your business—but never forget your business is still your home—it’s your responsibility.