Outsourcing Personal Data: Just How Secure is it?


By: Daniel A. Pepper

Securing personal data within our own borders seems to be challenging enough. On February 7, 2006, one of Massachusetts’ largest hospitals, Brigham and Women’s Hospital, said that it mistakenly faxed sensitive confidential patient information to an incorrect business fax number and is conducting an internal investigation into the matter.

Last year, Blue Cross and Blue Shield of North Carolina inadvertently printed Social Security numbers on envelopes sent to 629 of its members.

Sending data processing tasks overseas does not appear to relieve security concerns. Not long ago, a woman in Pakistan struck fear among executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco Medical Center through a medical transcription subcontractor she worked for, and she threatened to post the files on the Internet unless she was paid more money. The transcriber ultimately rescinded her e-mailed threat, and the UCSF Medical Center fired the contractor who had hired the subcontractor responsible for her work, but the incident exposed the fact that the hospital was not keeping track of where its medical records were going or who had access to them.

To put the risks in perspective, India’s National Association of Software and Service Companies reported recently that India’s outsourcing industry is creating jobs at a rate of nearly 100,000 a year, and its revenue is growing more than 40% annually. Analyst firm Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, yet most U.S. companies are not ramping up security measures at these locations to keep pace with that growth.

The United States has never enacted a comprehensive data protection or privacy law, and even highly regulated data (such as healthcare information subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations and financial information subject to the Gramm-Leach-Bliley Act (GLBA)) are not subject to any trans-border regulations. However, the lack of a data privacy law dealing with outsourcing does not mean that a company’s use of offshore vendors is without risk. U.S. laws do impose various obligations on companies to maintain the privacy and security of their U.S. databases, and those obligations require the company to ensure the law’s requirements are met, whoever performs the processing.

But just because a company transfers the performance of a function to a third party does not mean it can also transfer its legal compliance obligations for that function. Despite transferring the function, the firm may well remain legally responsible to interested third parties (government entities, customers, employees, other vendors) for its successful performance, and in some instances the company may be responsible for ensuring that the processes used to perform it conform to applicable regulations. Beyond legal trouble, the public relations fallout for a company that falls prey to a data security breach can be devastating.

So what steps should a company take to secure its outsourcing operations abroad and protect customer data?

First and foremost, a strong and well-understood security policy must be in place and rigorously followed before any data is sent overseas.

In addition:

·Visit the outsourcing site, and require the outsourcing vendor to provide proof of a security audit by a reputable third party or industry group. The vendor should demonstrate that its policies, procedures and technical safeguards are equal to or better than the company’s.

·Conduct a remote vulnerability scan of the vendor’s environment to determine what internal information can be reached from the outside.

·Require the outsourcing vendor to encrypt all data in storage and in transit, and to maintain physical security controls that mitigate the risk of data leaving the facility via removable media, recording devices, cameras or hard copies.

·Provide only the customer information the vendor needs for the task, never the full profile.
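One way to put the last item into practice, as an added example that is not part of the original article: before a record is handed to an offshore vendor, keep only the fields the task needs, replace the patient identifier with a keyed token that can be re-linked only in-house, and refuse to send the record at all if a direct identifier slips through. A transcription task is assumed; the field names, the sample record and the in-house linking key are constructed for illustration.

```python
"""Data minimisation and pseudonymisation before a record leaves the company.

Added example, not the article's own code. Field names, sample record and the
linking key are hypothetical; a medical transcription task is assumed.
"""
import hashlib
import hmac
from typing import Any, Dict, Set

# Fields the vendor's task actually requires (assumption: a transcriptionist
# needs a stable reference, the date of service and the dictation, nothing else).
VENDOR_ALLOWLIST: Set[str] = {"record_ref", "date_of_service", "dictation"}

# Direct identifiers that must never leave the company, whatever the allowlist says.
PROHIBITED_FIELDS: Set[str] = {"mrn", "ssn", "full_name", "date_of_birth", "address", "phone"}

# Secret kept in-house (hypothetical value). The vendor never sees it, so the
# tokens it receives cannot be reversed or enumerated off-site.
_LINK_KEY = b"in-house-linking-key-rotate-me"


def pseudonym(value: str, key: bytes = _LINK_KEY) -> str:
    """Keyed, deterministic token: same patient -> same token, unreversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize_for_vendor(record: Dict[str, Any],
                        allowlist: Set[str] = VENDOR_ALLOWLIST) -> Dict[str, Any]:
    """Build the outbound record: allowlisted fields only, MRN replaced by a token.

    Raises ValueError rather than silently shipping a prohibited field, so a
    misconfigured allowlist fails closed.
    """
    outbound: Dict[str, Any] = {"record_ref": pseudonym(str(record["mrn"]))}
    for field in sorted(allowlist - {"record_ref"}):
        if field in record:
            outbound[field] = record[field]
    leaked = PROHIBITED_FIELDS & set(outbound)
    if leaked:
        raise ValueError(f"refusing to send prohibited fields: {sorted(leaked)}")
    return outbound


def relink(token: str, index: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """In-house only: map the vendor's token back to the full record via a local index."""
    return index[token]


# Constructed sample record (not real data).
SAMPLE: Dict[str, Any] = {
    "mrn": "MRN-000123",
    "full_name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "date_of_birth": "1970-01-01",
    "address": "1 Main St",
    "date_of_service": "2006-02-07",
    "dictation": "Patient presents with ...",
}

if __name__ == "__main__":
    outbound = minimize_for_vendor(SAMPLE)
    local_index = {outbound["record_ref"]: SAMPLE}
    print("sent to vendor:", outbound)
    print("re-linked in-house:", relink(outbound["record_ref"], local_index)["full_name"])
```

The allowlist, not a denylist, decides what goes out, and the prohibited-field check is a second, independent gate: if someone later adds "ssn" to the allowlist, the function raises instead of shipping the record. The local index of tokens to full records is the only way back to the patient and stays on the company's side of the border.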

When executing a written contract with the outsourcer, the following provisions should be included:

·A prohibition on the service provider from disclosing or using data or information for any purpose other than to carry out the contracted services.

·The service provider should provide a copy of all customer data in its possession or control upon request.

·Never grant a subcontractor access to the data held by the outsourcer unless the company has approved the subcontractor and the subcontractor assumes all security provisions of the outsourcing agreement.

·The outsourcer should be precluded from holding data hostage in the event of a dispute.

·The contract should be reviewed by counsel experienced in the outsourcer’s country’s laws to determine the enforceability of all aspects of the contract.

Finally, a company should develop a formal plan for responding to worst-case events, such as misappropriation of personal data. The plan should identify local legal resources that can be called upon quickly, as well as the legal recourse that would be sought in the event of a security incident or breach of contract.

Daniel A. Pepper is the founder of Pepper Law Group, LLC, a law firm based in Somerville, New Jersey which provides strategic advice and sophisticated legal services to businesses, entrepreneurs, and entertainers in the areas of technology law, intellectual property, Internet law, entertainment law, business formation and general business counsel, and privacy and security law.

Dan is a member of the State Bars of New Jersey and Pennsylvania, the District Courts for the District of New Jersey and Western Pennsylvania, the American Bar Association, the American Corporate Counsel Association, the Internet & Computer Law Committee of the New Jersey State Bar Association, the Somerset County Business Partnership, the Philadelphia Volunteer Lawyers for the Arts, and the Free Speech Coalition. Dan has received a BV peer-review rating by Martindale-Hubbell, which is an indication of an exemplary reputation and well-established practice. He is also a member of the National Academy of Television Arts & Sciences and the Licensing Executives Society. He received his Bachelor of Arts degree from Rutgers University, and his Juris Doctor degree from the Duquesne University School of Law.
