When outside contractors are hired to provide products or services to an organization, they often require information that could be considered confidential. A good example of this is an external consultant. In many cases, external consultants are either self-employed or employed by a consulting firm and work on an hourly basis for the client company. They are generally highly skilled professionals who are brought in to work on a specific project. When the project is finished, they move on to the next client company. Some client companies hire contractors indefinitely, so in day-to-day practice, they are just like regular employees of the company.

This assumption, that a contractor is “just like a regular employee,” can be useful when building team coherence, but it can also be dangerous. The contractor’s primary alliance is to the consulting company, which provides payment. If a conflict of interest arises between the consulting company and the client company, the contractor is likely to side with the consulting company.

Contractors often supply their own laptop computers and other equipment they need to perform their jobs. This can be problematic, because those laptops may or may not have the same security safeguards in place as corporate laptops. To illustrate this risk, consider a programmer who is brought in to create a specific application for a company. One of the terms of the contract states that the contractor will supply his own laptop. The contractor agrees and does the work on his personal system, which he also uses to play online games and download music from various sites. At some point, he downloads a file infected with a virus. Because his virus scanner is out of date, the virus goes undetected and infects his system. When he connects his laptop to the corporate network to view design requirements for the application he is developing, the virus uploads itself and infects the file server, quietly sending information from the file server to the hacker who originally created the virus.

When a company contracts with a vendor to manage confidential information, the client company is responsible for ensuring that the vendor has stringent access controls in place. This is especially true in regulated industries such as health care and finance.

A good example of this scenario is an insurance company that outsources its claims management application to a third-party vendor. The vendor runs the application on its servers, allowing the insurance agents to access it from any browser. This is convenient for the agents, who can submit a claim report directly from the site of the incident. It is also convenient for the insurance company because it no longer has to maintain and update its own servers. Unfortunately, the insurance company is still legally responsible for the information contained within those claims—including personally identifiable and sensitive customer information such as addresses, telephone numbers, and mortgage or auto loan information. If the vendor does not implement stringent access controls to protect those data, the client company is legally responsible for the disclosure as well as the vendor.

The most common way to safeguard confidential information that is processed or stored with a vendor is through contractual obligation. Before a vendor-client agreement can be reached, specific access control requirements should be laid out that describe what the vendor is required to do to safeguard any confidential information received in the course of dealing with the client company.

As business needs evolve, so do the partnerships that meet those needs. In the realm of access control, the key thing to remember is that the owner of the confidential information—the client company—is responsible for ensuring that it is handled securely. If the client company fails to do due diligence and hires a third party without investigating the third party’s access control policies, the client company can be held partly responsible for the inevitable disclosure of confidential information.