Outsourcing jobs overseas can sharply increase data
privacy risks and the complexity of managing that risk, experts at
the Fourth Annual Privacy and Data Security Summit in Washington
DC have warned.
As a result, companies need to ensure that overseas suppliers
are contractually bound to specific conditions regarding how data is
transmitted, accessed, used, stored and shared. The challenges
include regulatory compliance, data protection and access, and
monitoring and auditing.
"The risks are enormous to business strategy," said Richard
Purcell, founder of consultancy Corporate Privacy Group and former
chief privacy officer at Microsoft.
For instance, security breaches at offshore locations can be
harder to detect - and deal with - from a regulatory compliance
standpoint. Under California law, for example, companies are
required to notify customers of any database breach that may have
compromised the customers' personal data as soon as the breach is
discovered.
With overseas suppliers, it is much harder to know whether, and
exactly when, a material breach may have occurred, Purcell
said.
When data is sent overseas for processing, companies often make
little attempt at categorising it, said David Medine, an attorney
at Wilmer Cutler Pickering in Washington. Personal data covered by
privacy laws might be combined in one database with data protected
under HIPAA rules or other laws. That makes it much harder to
provide adequate levels of protection for different classes of
data.
"Not all data is the same. There are different sources of data,
different types of data and different rule sets," said Ken
DeJarnette, an analyst at Deloitte & Touche in San Francisco.
"Without knowing what your data is, you won't know what protection
you need."
Companies need to understand their own legal obligations and the
measures their supplier has in place to meet these obligations,
said Deloitte analyst Rena Mears.
India, which is the biggest outsourcing destination for many
companies, has no formal data privacy law, although one is in the
works.
Amy Yates, general counsel at Hewitt Associates, a human
resources outsourcer, said shipping work to a third party does not
absolve the original company of responsibility for protecting that
data. Offshore suppliers are not obliged to comply with the same
privacy regulations their customers must meet as owners of the
data.
That means spelling out what a supplier is expected to do and
maintaining the right to audit it for compliance. "You can't expect
your vendor to fulfill your legal obligations for you. They are
obligated only to their contract with you. So you need to tell them
what to do," Yates said.
Marc Lowenthal, chief privacy officer at New Century Financial,
said an incident response plan needs to be in place to deal with
security or privacy breaches. Lowenthal's company has set up a team
comprising the privacy officer, chief security officer, IT
representatives and staff from the legal, audit and compliance
teams.
Once a breach has occurred, "it really is about how you minimise
your damage", he added.
Jaikumar Vijayan writes for Computerworld.