Recently, I have had some rather heated discussions with a variety of people regarding subcontractors. Specifically, I'm talking about a business entering into a transaction with a vendor in which the business' most sensitive data, including personally identifiable customer data, would be entrusted to the vendor. The issue is "what happens if the vendor decides to hand off that information to a subcontractor -- even subcontractors in another country?"
There are two schools of thought. In one school, we have the people who say "I don't care who they subcontract to as long as we have a strong contract with the original vendor." The other school holds that subcontracting, particularly offshoring, must be strictly controlled and appropriate due diligence performed on any subcontractors who will have possession of sensitive data. I place myself firmly in the second school. I do not believe it is enough to have a good contract with the original vendor. It does no good to be able to sue that vendor when a data compromise occurs involving a subcontractor who had poor security practices. We don't want data compromises in the first place, and that means ensuring everyone who has contact with the data has appropriate security measures in place. You can't achieve that level of protection if you don't know who has your data or even where your data is located.
If we look to the financial services industry for guidance, there is the FFIEC's Information Technology Examination Handbook, which includes specific guidance on this point. Under the subsection on Contract Issues, the Handbook provides as follows:
Some service providers may contract with third parties in providing the services to the financial institution. Institutions should be aware of and approve all subcontracts.
I completely agree. Relying only on due diligence conducted on the original vendor is useless when that vendor subcontracts performance to a business that may have very different information security practices, may be financially unstable (ever tried to get data back from a vendor that has filed for bankruptcy protection? It's nearly impossible), or may be located offshore, where information security practices and related laws may fall far short of those in the United States.
I firmly believe current practices in information security and the requirements imposed by regulators such as the FTC and those in the financial services industry require businesses to take care in entering into contracts in which the original vendor has broad subcontracting rights. I am not saying that subcontracting must be prohibited. What I am saying is that subcontracting must be controlled and the business permitted a reasonable opportunity to conduct due diligence on any proposed subcontractors. Businesses that fail to exercise this degree of care may find themselves answering some very hard questions from their customers, regulators, and shareholders in the event of a data compromise at a subcontractor over which the business conducted no due diligence and, worse yet, was not even aware existed.