Thursday, March 6, 2008
Outsourcing Personal Data - Just How Secure is it?
Outsourcing Personal Data - Just How Secure is it? As companies seek greater ways to find cost savings, the lure of contracting cheap labor overseas continues to grow. Outsourcing overseas is becoming increasingly common in the banking, financial services, retailing, insurance, and telecommunications sectors. But when companies choose to outsource the processing of sensitive personal information, are they losing control of security as well? Securing personal data within our own borders seems to be challenging enough. On February 7, 2006, one of Massachusetts largest hospitals, Brigham and Women s Hospital, said that it mistakenly faxed sensitive confidential patient information to an incorrect business fax number and is conducting an internal investigation into the matter. Last year, Blue Cross and Blue Shield of North Carolina inadvertently printed Social Security numbers on envelopes it recently sent to 629 of its members. Sending data processing tasks overseas doesn t appear to relieve security concerns. Not long ago, a woman in Pakistan recently struck fear among executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money. The transcriber ultimately rescinded her e-mailed threat, and the UCSF Medical Center fired the contractor who hired the subcontractor who was ultimately responsible for the Pakistani woman s work, but this incident exposed the fact that the hospital wasn t keeping track of exactly where its medical records were going or who had access to them. To put the risks in perspective, India s National Association of Software and Services companies reported recently that India s outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and its revenue is growing more than 40% annually. Analyst first Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, and most U.S. companies aren t ramping up security measures at these locations to manage that growth. The United States has never enacted a comprehensive data protection or privacy law, and even highly-regulated data (such as healthcare information subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations and financial information subject to the Gramm-Leach Bliley Act (GLBA)) are not subject to any trans-border regulations. However the lack of a data privacy law dealing with outsourcing does not mean that a company s use of off-shore vendors is without risk. The U.S. laws do impose various obligations on companies to maintain the privacy and security of its U.S. databases, and these obligations necessitate that the company ensure the requirements of law are met. But just because a company transfers the performance of a function to a third party, it does not mean that the company can also transfer its legal compliance obligations with respect to the performance of that function. In fact, despite transferring the function, the firm may well remain legally responsible to interested third parties (such as government entities, customers, employees, other vendors) for the successful performance of the function, and in some instances, the company may be responsible for ensuring that the processes used to perform the transferred function conform to applicable regulations. Of course, in addition to legal troubles, the public relations fallout for a company who falls prey to a data security breach can be devastating. So what steps should a company take to secure their outsourcing operations abroad and protect customer data? First and foremost, a strong and well-understood security policy must be put in place and followed vigorously before any data is outsourced overseas. In addition: • Visit the outsourcing site, and require the outsourcing vendor to provide proof of a security audit by a reputable third party or industry group. The vendor should demonstrate policies, procedures and technical safeguards are equal to or better than the company s. • Conduct a remote vulnerability scan to determine what internal information the company can access from the outside. • Require the outsourcing vendor to encrypt all data in storage and in transit, and physical security controls should be in place to mitigate the risk of data leaving the facility via any media, recording devices, cameras and hard copies. • Provide only partial information about a customer - not the full profile. When executing a written contract with the outsourcer, the following provisions should be included: • A prohibition on the service provider from disclosing or using data or information for any purpose other than to carry out the contracted services. • The service provider should provide a copy of all customer data in its possession or control upon request. • Never grant any subcontractor access to the outsourcer s data unless the company has approved the subcontractor and assumes all security provisions of the outsourcing agreement. • The outsourcer should be precluded from holding data hostage in the event of a dispute. • The contract should be reviewed by counsel experienced in the outsourcer s country s laws to determine the enforceability of all aspects of the contract. Finally, a company should develop a formal plan for responding to "worst case scenario" type events, such as misappropriation of personal data. It would identify both local legal resources that could be called upon quickly as well as the legal recourse that would be sought in the event of a security incident or breach of contract. Daniel A. Pepper is the founder of Pepper Legal Consulting Group, LLC, a law firm based in Somerville, New Jersey focusing on representing e-commerce businesses, and users and providers of technology. More information on the firm can be found at http://www.informationlaw.com or by telephone at 908.698.0330.