Punitive liabilities for data theft, loss — BPOs faced with higher insurance premiums

COMPANIES keen on outsourcing business processes, especially, banking and insurance companies are trying to include punitive financial liabilities on service providers for data theft or loss.
This could lead to higher costs and risks for service providers. With no claim experience to go by, insurers are quoting stiff premiums for providing insurance cover against such contingencies.
"A majority of the mega deals we are advising on now, all with an offshore component including, two large ones to Indian vendors, include such punitive liability clauses in the contracts where, depending on the deal size the liability could be two-three times the deal size or up to $250 million to $350 million," said Mr Siddharth Pai, Partner and Managing Director of TPI India.
TPI is an outsourcing advisory with a primary focus on deals larger than $50 million For a BPO outfit, although the deal size from a bank could be worth $10 million involving say, credit card processing, the potential liability for data theft could be well over $300 million.
The outsourcing financial institutions are trying to introduce unlimited liability clauses on service providers, Mr Pai said. While vendors are not prepared for such contractual clauses, what it boils down to is that they will have to agree to third party financial institutions providing guarantees for the liability amount.
"These are not asset-based bank guarantees but a form of insurance where the vendor pays a significantly higher premium, simply because these types of liabilities are too new to have an actuarial history," he said, adding that while such punitive clauses are the trend now, it remained to be seen how the contracts would evolve in the long term. These guarantees or insurance are evolving simply because there is no way even a run on the service provider's assets will cover the liability of the outsourcing company if there is data theft or information loss, he said.
Negotiations are still going on and the requirement for third party financial guarantees and punitive liabilities in contracts is a new phenomenon, Mr Pai said. Most major outsourcing contracts have a cap on liability insurance and although there are companies seeking to enforce punitive liability clauses, there are no Tier I and Tier II vendors who will take up contracts under such cases, said Mr Pradeep Mukherjee, Managing Director, neoIT, an outsourcing advisory. "The customer is getting rewards from outsourcing and should take on some of the risks as well." Nasscom says contracts have had strong financial liability clauses in the past but that it would not advice members on their commercial choices. "Our role will be in talking to the Government, banks and insurers to see what kind of cover can be provided and discuss on what will be the best way to deal with the requirements, although this is not a widespread phenomenon yet," Mr Kiran Karnik, President, Nasscom, told Business Line.