Outsourcing jobs overseas can sharply increase data privacy risks and the complexity of managing that risk, experts at the Fourth Annual Privacy and Data Security Summit in Washington DC have warned.
As a result, companies need to ensure that overseas suppliers are contractually bound to specific conditions governing how data is transmitted, accessed, used, stored and shared. The challenges of managing that risk include regulatory compliance, data protection and access, and monitoring and auditing.
"The risks are enormous to business strategy," said Richard Purcell, founder of consultancy Corporate Privacy Group and former chief privacy officer at Microsoft.
For instance, security breaches at offshore locations can be harder to detect - and deal with - from a regulatory compliance standpoint. Under California law, for example, companies are required to notify customers of any database breach that may have compromised the customers' personal data as soon as the breach is discovered.
With overseas suppliers, it is much harder to know whether, and exactly when, a material breach may have occurred, Purcell said.
When data is sent overseas for processing, companies often make little attempt at categorising it, said David Medine, an attorney at William Cutler Pickering in Washington. Personal data covered by privacy laws might be combined in one database with data protected under HIPAA rules or other laws. That makes it much harder to provide adequate levels of protection for different classes of data.
"Not all data is the same. There are different sources of data, different types of data and different rule sets," said Ken DeJarnette, an analyst at Deloitte & Touche in San Francisco. "Without knowing what your data is, you won't know what protection you need."
Companies need to understand their own legal obligations and the measures their supplier has in place to meet these obligations, said Deloitte analyst Rena Mears.
India, which is the biggest outsourcing destination for many companies, has no formal data privacy law, although one is in the works.
Amy Yates, general counsel at Hewitt Associates, a human resources outsourcer, said shipping work to a third party does not absolve the original company of responsibility for protecting that data. Offshore suppliers are not obliged to comply with the same privacy regulations their customers must meet as owners of the data.
That means spelling out what a supplier is expected to do and maintaining the right to audit it for compliance. "You can't expect your vendor to fulfill your legal obligations for you. They are obligated only to their contract with you. So you need to tell them what to do," Yates said.
Marc Lowenthal, chief privacy officer at New Century Financial, said an incident response plan needs to be in place to deal with security or privacy breaches. Lowenthal's company has set up a team comprising the privacy officer, chief security officer, IT representatives and staff from the legal, audit and compliance teams.
Once a breach has occurred, "it really is about how you minimise your damage", he added.
Jaikumar Vijayan writes for Computerworld