As companies seek greater ways to find cost savings, the lure of contracting cheap labor overseas continues to grow. Outsourcing overseas is becoming increasingly common in the banking, financial services, retailing, insurance, and telecommunications sectors. But when companies choose to outsource the processing of sensitive personal information, are they losing control of security as well?

Securing personal data within our own borders seems to be challenging enough. On February 7, 2006, one of Massachusetts' largest hospitals, Brigham and Women's Hospital, said that it had mistakenly faxed sensitive confidential patient information to an incorrect business fax number and was conducting an internal investigation into the matter.

Last year, Blue Cross and Blue Shield of North Carolina inadvertently printed Social Security numbers on envelopes it sent to 629 of its members.

Sending data processing tasks overseas doesn't appear to relieve security concerns. Not long ago, a woman in Pakistan struck fear among executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money. The transcriber ultimately rescinded her e-mailed threat, and the UCSF Medical Center fired the contractor who had hired the subcontractor responsible for the Pakistani woman's work, but the incident exposed the fact that the hospital wasn't keeping track of exactly where its medical records were going or who had access to them.

To put the risks in perspective, India's National Association of Software and Services Companies reported recently that India's outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and that its revenue is growing more than 40% annually. Analyst firm Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, and most U.S. companies aren't ramping up security measures at these locations to manage that growth.

The United States has never enacted a comprehensive data protection or privacy law, and even highly regulated data (such as healthcare information subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations and financial information subject to the Gramm-Leach-Bliley Act (GLBA)) is not subject to any trans-border regulations. However, the lack of a data privacy law dealing with outsourcing does not mean that a company's use of off-shore vendors is without risk. U.S. laws do impose various obligations on companies to maintain the privacy and security of their U.S. databases, and these obligations require the company to ensure that the requirements of the law are met. But just because a company transfers the performance of a function to a third party, it does not mean that the company can also transfer its legal compliance obligations with respect to the performance of that function. In fact, despite transferring the function, the firm may well remain legally responsible to interested third parties (such as government entities, customers, employees, and other vendors) for the successful performance of the function, and in some instances the company may be responsible for ensuring that the processes used to perform the transferred function conform to applicable regulations. Of course, in addition to legal troubles, the public relations fallout for a company that falls prey to a data security breach can be devastating.

So what steps should a company take to secure its outsourcing operations abroad and protect customer data?

First and foremost, a strong and well-understood security policy must be put in place and followed vigorously before any data is outsourced overseas. In addition:

· Visit the outsourcing site, and require the outsourcing vendor to provide proof of a security audit by a reputable third party or industry group. The vendor should demonstrate that its policies, procedures and technical safeguards are equal to or better than the company's.

· Conduct a remote vulnerability scan to determine what internal information the company can access from the outside.

· Require the outsourcing vendor to encrypt all data in storage and in transit, and ensure that physical security controls are in place to mitigate the risk of data leaving the facility via any media, recording devices, cameras or hard copies.

· Provide only partial information about a customer, not the full profile.

When executing a written contract with the outsourcer, the following provisions should be included:

· A prohibition on the service provider disclosing or using data or information for any purpose other than to carry out the contracted services.

· The service provider should provide a copy of all customer data in its possession or control upon request.

· Never grant any subcontractor access to the outsourcer's data unless the company has approved the subcontractor and the subcontractor assumes all security provisions of the outsourcing agreement.

· The outsourcer should be precluded from holding data hostage in the event of a dispute.

· The contract should be reviewed by counsel experienced in the laws of the outsourcer's country to determine the enforceability of all aspects of the contract.

Finally, a company should develop a formal plan for responding to "worst case scenario" events, such as misappropriation of personal data. The plan would identify both local legal resources that could be called upon quickly and the legal recourse that would be sought in the event of a security incident or breach of contract.