Outsourcing Personal Data:Just How Secure is it?

By: Daniel A. Pepper

Securing personal data within our own borders seems to be challenging enough. On February 7, 2006, one of Massachusetts’ largest hospitals, Brigham and Women’s Hospital, said that it mistakenly faxed sensitive confidential patient information to an incorrect business fax number and is conducting an internal investigation into the matter.

Last year, Blue Cross and Blue Shield of North Carolina inadvertently printed Social Security numbers on envelopes it recently sent to 629 of its members.

Sending data processing tasks overseas doesn’t appear to relieve security concerns. Not long ago, a woman in Pakistan recently struck fear among executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money. The transcriber ultimately rescinded her e-mailed threat, and the UCSF Medical Center fired the contractor who hired the subcontractor who was ultimately responsible for the Pakistani woman's work, but this incident exposed the fact that the hospital wasn't keeping track of exactly where its medical records were going or who had access to them.

To put the risks in perspective, India’s National Association of Software and Services companies reported recently that India’s outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and its revenue is growing more than 40% annually. Analyst first Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, and most U.S. companies aren’t ramping up security measures at these locations to manage that growth.

The United States has never enacted a comprehensive data protection or privacy law, and even highly-regulated data (such as healthcare information subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations and financial information subject to the Gramm-Leach Bliley Act (GLBA)) are not subject to any trans-border regulations. However the lack of a data privacy law dealing with outsourcing does not mean that a company’s use of off-shore vendors is without risk. The U.S. laws do impose various obligations on companies to maintain the privacy and security of its U.S. databases, and these obligations necessitate that the company ensure the requirements of law are met.

But just because a company transfers the performance of a function to a third party, it does not mean that the company can also transfer its legal compliance obligations with respect to the performance of that function. In fact, despite transferring the function, the firm may well remain legally responsible to interested third parties (such as government entities, customers, employees, other vendors) for the successful performance of the function, and in some instances, the company may be responsible for ensuring that the processes used to perform the transferred function conform to applicable regulations. Of course, in addition to legal troubles, the public relations fallout for a company who falls prey to a data security breach can be devastating.

So what steps should a company take to secure their outsourcing operations abroad and protect customer data?

First and foremost, a strong and well-understood security policy must be put in place and followed vigorously before any data is outsourced overseas.

In addition:

·Visit the outsourcing site, and require the outsourcing vendor to provide proof of a security audit by a reputable third party or industry group. The vendor should demonstrate policies, procedures and technical safeguards are equal to or better than the company’s.

·Conduct a remote vulnerability scan to determine what internal information the company can access from the outside.

·Require the outsourcing vendor to encrypt all data in storage and in transit, and physical security controls should be in place to mitigate the risk of data leaving the facility via any media, recording devices, cameras and hard copies.

·Provide only partial information about a customer – not the full profile.

When executing a written contract with the outsourcer, the following provisions should be included:

·A prohibition on the service provider from disclosing or using data or information for any purpose other than to carry out the contracted services.

·The service provider should provide a copy of all customer data in its possession or control upon request.

·Never grant any subcontractor access to the outsourcer’s data unless the company has approved the subcontractor and assumes all security provisions of the outsourcing agreement.

·The outsourcer should be precluded from holding data hostage in the event of a dispute.

·The contract should be reviewed by counsel experienced in the outsourcer’s country’s laws to determine the enforceability of all aspects of the contract.

Finally, a company should develop a formal plan for responding to “worst case scenario” type events, such as misappropriation of personal data. It would identify both local legal resources that could be called upon quickly as well as the legal recourse that would be sought in the event of a security incident or breach of contract.

Daniel A. Pepper is the founder of Pepper Law Group, LLC, a law firm based in Somerville, New Jersey which provides strategic advice and sophisticated legal services to businesses, entrepreneurs, and entertainers in the areas of technology law, intellectual property, Internet law, entertainment law, business formation and general business counsel, and privacy and security law.

Dan is a member of the State Bars of New Jersey and Pennsylvania, the District Courts for the District of New Jersey and Western Pennsylvania, the American Bar Association, the American Corporate Counsel Association, the Internet & Computer Law Committee of the New Jersey State Bar Association, the Somerset County Business Partnership, the Philadelphia Volunteer Lawyers for the Arts, and the Free Speech Coalition. Dan has received a BV peer-review rating by Martindale-Hubbell, which is an indication of an exemplary reputation and well-established practice. He is also a member of the National Academy of Television Arts & Sciences and the Licensing Executives Society. He received his Bachelor of Arts degree from Rutgers University, and his Juris Doctor degree from the Duquesne University School of Law.

More Resources

Unable to open RSS Feed $XMLfilename with error HTTP ERROR: 404, exiting

More E-Commerce Information:

Group 1

Group 2

Group 3

Group 4

Group 5

Group 6

Group 7

Group 8

Group 9

Group 10

Group 11

Group 12

Group 13

Group 14

Group 15

Group 16

Chinas IT Industry to Maintain Fast Growth
China's IT industry is expected to see a sales revenue of 2.68 trillion yuan (US$322.

7 Must Have Scripts to Look for When Shopping for E-commerce Hosting
When shopping for e-commerce hosting there are a lot of things you need to keep and mind. When you know what to look for it is a lot easier to ensure you get exactly what you need and not leave any important information out.

Dont Get Ripped Off Getting A Merchant Account
Far too many people get ripped off when setting up a merchant account for their online business. The biggest reason is that they don't understand their options and are intimidated by the whole process.

The Secret Science Of Online Shopping
In theory you could create a retail web site with a limitless selection; an online store where every kind of merchandise known to man could be sold. Would people be interested in buying from such a huge enterprise?Why do people buy online?Location: You can shop online from almost anywhere as long as you have access to a power supply and a telephone connection.

Your Site is all Direct Marketing
This may not be a popular view, but I think writing a web site is very similar to writing a piece of direct mail. I'm not talking about smash-and-grab fliers.

The Check is in the E-mail
Have you ever had someone who owed your business money say, "the check is in the mail." Well now there is an answer to that old tired way of brushing you off and not seeing that check come in the mail week after week after week.

Retirement Signature Frames - The Perfect Retirement Gift!
When most people think of a retirement gift, they think of a watch. It's the tried and true gift that companies give employees to say thanks for all the years of hard work.

Do You Need A Merchant Account?
Deciding when to get your own merchant account for internet sales can be a confusing and expensive venture. If you have a small to medium sized business and only sell a small amount of products then having your own merchant account may not be the answer for you.

eCommerce, How Much Does It cost?
Making profits with your existing website design or creating a new online store can be exciting, affordable and most of all; rewarding. Mmmm .

What Does It Take to Make Money Online?
What a loaded question! Let's narrow that down a bit and take it from the perspective of someone who wants to work from home and make money online in a home business. That will make it an easier question to answer.

How Measuring Key Performance Indicators Can Improve E-Commerce Strategy - Part One
The problem with most e-commerce marketing strategy today is that companies don't understand how they use things like web analytics. Most e-commerce directors or web marketers are given a budget and told to stick to it, and good analytics don't usually come cheap.

Mr and Mrs Smith Go Online, as Internet Technology Moves from Fantasy to Normality
According to NOP World, 48% of all Internet users have researched or purchased financial products such as insurance and loans on the internet, or used online banking facilities. In April, NOP World had already recorded estimates of 28 million people online in Great Britain, with 13.

Excuse Me, Are You Wasting Traffic?
The largest cost and concern of an internet business is customer acquisition; traffic. Both quantity and quality of traffic directly determines the succes of an internet business.

How Merchant Accounts Can Save You Money
We all know that accepting credit cards is the key to online sales. Unfortunately, most merchants are unaware that acquiring a merchant account can actually save them money.

Your Affiliate Web Site Is Built - Now What?
When I first got my web site built, I thought I finally hada presence on-line. Wrong! I soon found out that I needed someone to host my site, and I needed a domain name.

Say Something Worth Talking About
I recently published a short e-book called 'One Thing I Know About Doing Business Online'. Seventeen people contributed - including Seth Godin, Jeffrey Zelman, Danny Sullivan, Jared Spool, Gerry McGovern and Ann Handley.

Evaluating Vendors of Ecommerce Fulfillment Services
Once your website has secured an order, you have to fulfill it. While the fulfillment of digital goods is usually handled online, the delivery of physical goods is handled in a "brick-and-mortar" world.

Is Your Business Afraid of the Internet?
My Business is Afraid of the InternetBill Gates, CEO of Microsoft, once said that there would soon be two types of businesses, those online, and those out of business. Those words still ring true today, and many small businesses are missing a huge boat by not getting online.

How To Eliminate Credit Card Refunds From Digital Thieves
Can you encounter the number of times where a Credit Card Sale was generated, only to receive a "Refund Notification" from your contracted e-commerce processor on behalf the "customer"?Welcome to the electronic world of "cyber-shoplifting".Unscrupulous surfers, disguised as potential "customers", systematically opt to ordering goods (using credit cards) in electronic form of delivery, only to request a refund minutes or days later after receiving the product.

Ecommerce - Boost Your Business ROI
Did you know that over 90% of all online orders are processed by credit cards and that web sites that offer customers the ability to pay with credit cards can achieve up to 300% more sales than those that do not?It's a fact. Not only do more customers buy, statistics prove that customers actually buy more when given the option to pay with their credit card.