Contractor data losses highlight outsourcing risks

Within a week, two outsourcing suppliers have grabbed the headlines for failing to look after client data.

First, a contractor working for the Home Office lost an unencrypted memory stick containing the details of almost 130,000 criminals.

Then a data archiving company was exposed for lax data protection when an old server containing the banking details of millions of people was sold on eBay.

Earlier in the month, Barclays-owned credit-card firm Goldfish sent out the wrong account details to customers after a processing error at the printer the company uses to process statements.

And in November, Allied Irish Bank sent 15,000 payment advice slips to the wrong addresses following a technical problem.

In each of these incidents a business was left exposed by a third-party supplier. They have highlighted potential risks that may lead many organisations to reassess their outsourcing policies.

The traditional approach to security and outsourcing has always been to threaten suppliers with punitive actions if they fail to keep data safe.

But Stephen Boulton, head of IT at Leek United Building Society, says a better approach is to put business processes in place that limit the risk of data loss.

The building society, for example, sends data outside the organisation only by secure file transfer. Nothing is sent by post, data is never stored on portable storage devices, and the data handling processes are regularly reviewed.

Duncan Tait is managing director at Unisys for the UK, Middle East and Africa region. He advises businesses to hold individuals personally accountable for data protection.

Organisations looking to outsource, says Tait, should look for evidence that potential suppliers can, and do in fact, manage their staff from a security perspective.

Martyn Hart, chairman of the National Outsourcing Association, agrees. He says the recent losses of data indicate either a lack or failure of business processes. They would have taken place even if the processes had not been outsourced.

Contractual obligations and technologies such as data and storage encryption are widely acknowledged as having a role to play in ensuring data security. But the consensus is that making sure business processes are secure is the only reliable way of keeping data safe and confidential.

Rather than a review of outsourcing policies, organisations need to take a hard look at their business processes and ask searching questions of their suppliers.

Hart says just as the call centre scandals in recent years over the sale of customer details by staff to fraudsters resulted in an improvement of the business processes in that industry, so the latest incidents will force organisations to re-evaluate their security.

Outsource suppliers will be under the most pressure to up their ante. Any failure to protect customer information will damage brand reputation and impact on revenue streams, he says.
