Outsourcing Personal Data:Just How Secure is it?


By: Daniel A. Pepper

Securing personal data within our own borders seems to be challenging enough. On February 7, 2006, one of Massachusetts’ largest hospitals, Brigham and Women’s Hospital, said that it mistakenly faxed sensitive confidential patient information to an incorrect business fax number and is conducting an internal investigation into the matter.

Last year, Blue Cross and Blue Shield of North Carolina inadvertently printed Social Security numbers on envelopes it recently sent to 629 of its members.

Sending data processing tasks overseas doesn’t appear to relieve security concerns. Not long ago, a woman in Pakistan recently struck fear among executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money. The transcriber ultimately rescinded her e-mailed threat, and the UCSF Medical Center fired the contractor who hired the subcontractor who was ultimately responsible for the Pakistani woman's work, but this incident exposed the fact that the hospital wasn't keeping track of exactly where its medical records were going or who had access to them.

To put the risks in perspective, India’s National Association of Software and Services companies reported recently that India’s outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and its revenue is growing more than 40% annually. Analyst first Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, and most U.S. companies aren’t ramping up security measures at these locations to manage that growth.

The United States has never enacted a comprehensive data protection or privacy law, and even highly-regulated data (such as healthcare information subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations and financial information subject to the Gramm-Leach Bliley Act (GLBA)) are not subject to any trans-border regulations. However the lack of a data privacy law dealing with outsourcing does not mean that a company’s use of off-shore vendors is without risk. The U.S. laws do impose various obligations on companies to maintain the privacy and security of its U.S. databases, and these obligations necessitate that the company ensure the requirements of law are met.

But just because a company transfers the performance of a function to a third party, it does not mean that the company can also transfer its legal compliance obligations with respect to the performance of that function. In fact, despite transferring the function, the firm may well remain legally responsible to interested third parties (such as government entities, customers, employees, other vendors) for the successful performance of the function, and in some instances, the company may be responsible for ensuring that the processes used to perform the transferred function conform to applicable regulations. Of course, in addition to legal troubles, the public relations fallout for a company who falls prey to a data security breach can be devastating.

So what steps should a company take to secure their outsourcing operations abroad and protect customer data?

First and foremost, a strong and well-understood security policy must be put in place and followed vigorously before any data is outsourced overseas.

In addition:

·Visit the outsourcing site, and require the outsourcing vendor to provide proof of a security audit by a reputable third party or industry group. The vendor should demonstrate policies, procedures and technical safeguards are equal to or better than the company’s.

·Conduct a remote vulnerability scan to determine what internal information the company can access from the outside.

·Require the outsourcing vendor to encrypt all data in storage and in transit, and physical security controls should be in place to mitigate the risk of data leaving the facility via any media, recording devices, cameras and hard copies.

·Provide only partial information about a customer – not the full profile.

When executing a written contract with the outsourcer, the following provisions should be included:

·A prohibition on the service provider from disclosing or using data or information for any purpose other than to carry out the contracted services.

·The service provider should provide a copy of all customer data in its possession or control upon request.

·Never grant any subcontractor access to the outsourcer’s data unless the company has approved the subcontractor and assumes all security provisions of the outsourcing agreement.

·The outsourcer should be precluded from holding data hostage in the event of a dispute.

·The contract should be reviewed by counsel experienced in the outsourcer’s country’s laws to determine the enforceability of all aspects of the contract.

Finally, a company should develop a formal plan for responding to “worst case scenario” type events, such as misappropriation of personal data. It would identify both local legal resources that could be called upon quickly as well as the legal recourse that would be sought in the event of a security incident or breach of contract.

Daniel A. Pepper is the founder of Pepper Law Group, LLC, a law firm based in Somerville, New Jersey which provides strategic advice and sophisticated legal services to businesses, entrepreneurs, and entertainers in the areas of technology law, intellectual property, Internet law, entertainment law, business formation and general business counsel, and privacy and security law.

Dan is a member of the State Bars of New Jersey and Pennsylvania, the District Courts for the District of New Jersey and Western Pennsylvania, the American Bar Association, the American Corporate Counsel Association, the Internet & Computer Law Committee of the New Jersey State Bar Association, the Somerset County Business Partnership, the Philadelphia Volunteer Lawyers for the Arts, and the Free Speech Coalition. Dan has received a BV peer-review rating by Martindale-Hubbell, which is an indication of an exemplary reputation and well-established practice. He is also a member of the National Academy of Television Arts & Sciences and the Licensing Executives Society. He received his Bachelor of Arts degree from Rutgers University, and his Juris Doctor degree from the Duquesne University School of Law.

More Resources

Unable to open RSS Feed $XMLfilename with error HTTP ERROR: 404, exiting

More E-Commerce Information:

Related Articles

Top Ten Qualities to Look for in an Online Pharmacy
As you may have noted, there are thousands or even hundreds of thousands of websites selling pharmaceutical products or drugs. These are called ONLINE PHARMACIES or PHARMACIES ONLINE.
12 Easy and Effective Ways To Create Reports
1. Combine a few of your articles into a free report.
How E-commerce Web Site Design Differs From Normal Web Design
When it comes to e-commerce everything is a little bit different, even the web site design for an e-commerce site as compared to a normal web design. If you are interested in developing an e-commerce site, then it is important to learn about the differences between the two types of website designs and how you can design the best e-commerce website with your resources.
The Clickbank Crash of 2003: Lessons Learned
I had a rude awakening recently. I checked the days worth of sales from one of my sites and there were none.
Why This Is The Perfect Time To Start Charging For Website Subscriptions
If you're a writer, researcher, subject matter expert, enthusiastic hobbyist, or an authority on almost any topic, there has never been a better time to start your own subscription website or online newsletter.And if you're already publishing a hobby website, now is the ideal time to convert at least a portion of the content to fee-paid access.
Selling From Your Website
Greetings!Friends and relitives ask us all the time " How do sell from your website?" and no doubt you want to know as well. Over the next two issues we will be covering this very thing! We decided to divide it into two camps - tangibles and non-tangibles.
Government Buying and Selling on the Internet
Global Insight, a leading economic and financial forecasting company, (formerly DRI-WEFA), states that all levels of government (federal, state, and local) should see steady increases in the purchases of goods and services through the year 2009.Vendors willing to make the commitment to sell to government can reap the benefits of this projected government spending.
7 Must Have Scripts to Look for When Shopping for E-commerce Hosting
When shopping for e-commerce hosting there are a lot of things you need to keep and mind. When you know what to look for it is a lot easier to ensure you get exactly what you need and not leave any important information out.
3 Powerful Concepts That Climb Marketing Mountains
You have probably heard many times how you should offerfree reports. Like many of us, the idea of putting in workto give something away may have gone through youtransparent.
Shopping Cart Usability
Usable Shopping Carts Increase SalesE-commerce has been around since 1993 under many different names, but one thing remains constant; shoppers want usable web sites. Without a usable shopping cart the sites typically fail from poor performance.
The Five Most Commonly Encountered, Off-putting E-commerce Errors
While getting less public handwringing than during holiday season, the "abandoned shopping cart problem" continues to wreak havoc on online sales. Recently I judged a raftload of sites for the Webby Awards (my second time) and for the Inc.
Increasing E-Commerce Website Sales: A Guide for the Online Newbie
Because of this encouraging surge in activity, many individuals are now interested in becoming e-commerce merchants. To profit from your online business, you must first produce a unique website that will intrigue visitors and interest them in your items.
Website Marketing: 10 Resourceful Things You Can Do With A Product That Doesnt Sell
Do you have any product that has not been moving well?Would you like to learn what to do with it?Here are website marketing secrets to help you:1. Sell the reprint/reproduction rights to the product.
Grow Your Business Using B2B Emarketplace - Part I
If you are a small to medium size company and selling or planning to sell products and services over the Net and still did not try out emarketplaces, you are simply loosing a great opportunity!Research firm eMarketer predicts that worldwide B2B ecommerce revenues will surpass US$ 1.4 trillion by the end of 2003.
Online Shopping: Legal Challenges for Taxing Authorities
E-commerce offers customers the chance to eliminate many stages in the sales/distribution chain. The mark-ups that occur between manufacturers, wholesalers, distributors, retailers and consumers can add the cost of goods purchased by consumers.
Tell Site Visitors What To Do
Your site visitors make all the choices when it comes to browsing the Web.No other medium gives users, readers or customers such control over their own experience.
The Five Steps of E-Commerce
You set up a retail business, you advertise in your local newspaper, you get customers coming into your store, and you receive payment at the cash register. Create an online store, and.
Gooooooooooogle It!
..
Do You Need A Merchant Account?
Deciding when to get your own merchant account for internet sales can be a confusing and expensive venture. If you have a small to medium sized business and only sell a small amount of products then having your own merchant account may not be the answer for you.
The Top 10 E-Commerce Ways to Follow up with Clients - Part 1
Did you know that 80% of all sales are made after the 5th contact? The biggest mistake we make is not following up with our clients regularly. We not only lose the chance to offer other services and products, we lose the chance for satisfied clients' referrals.