Within a week, two outsourcing suppliers have grabbed the
headlines for failing to look after client data.
First, a contractor working for the Home Office lost an
unencrypted memory stick containing the details of almost
130,000 criminals.
Then a data archiving company was exposed for lax data
protection when an old server containing the banking details of
millions of people was sold on eBay.
Earlier in the month, Barclays-owned credit-card firm Goldfish
sent out the wrong account details to customers after a processing
error at the printer the company uses to process statements.
And in November, Allied Irish Bank sent 15,000 payment advice
slips to the wrong addresses following a technical problem.
In each of these incidents a business was left exposed by a
third-party supplier. They have highlighted potential risks that
may lead many organisations to reassess their outsourcing
policies.
The traditional approach to security and outsourcing has always
been to threaten suppliers with punitive actions if they fail to
keep data safe.
But Stephen Boulton, head of IT at Leek United Building Society,
says a better approach is to put business processes in place that
limit the risk of data loss.
The building society, for example, sends data outside the
organisation only by secure file transfer. Nothing is sent by post,
data is never stored on portable storage devices, and the data
handling processes are regularly reviewed.
Duncan Tait is managing director at Unisys for the UK, Middle
East and Africa region. He advises businesses to hold individuals
personally accountable for data protection.
Organisations looking to outsource, says Tait, should look for
evidence that potential suppliers can, and do in fact, manage their
staff from a security perspective.
Martyn Hart, chairman of the National Outsourcing Association,
agrees. He says the recent losses of data indicate either a lack or
failure of business processes. They would have taken place even if
the processes had not been outsourced.
Contractual obligations and technologies such as data and
storage encryption are widely acknowledged as having a role to play
in ensuring data security. But the consensus is that making sure
business processes are secure is the only reliable way of keeping
data safe and confidential.
Rather than a review of outsourcing policies, organisations need
to take a hard look at their business processes and ask searching
questions of their suppliers.
Hart says just as the call centre scandals in recent years over
the sale of customer details by staff to fraudsters resulted in an
improvement of the business processes in that industry, so the
latest incidents will force organisations to re-evaluate their
security.
Outsource suppliers will be under the most pressure to up their
ante. Any failure to protect customer information will damage brand
reputation and impact on revenue streams, he says.