Offshore Outsourcing Poses Privacy Perils
Contracts need to stipulate exactly how overseas vendors will safeguard data
February 23, 2004 12:00 PM ET - Computerworld
WASHINGTON -- Outsourcing jobs to offshore locations can sharply increase data privacy risks and the complexity of managing them, privacy and security professionals said last week.
Consequently, companies with an offshore outsourcing strategy need to ensure that their overseas vendors are contractually tied to safeguarding data security. That was a key message at the Fourth Annual Privacy and Data Security Summit here.
Although data privacy legislation is pending in India, the largest offshore outsourcing destination, no such laws are in place there now. That's what makes it especially important for companies to thoroughly understand and deal with privacy issues in their contracts, said Amy Yates, general counsel at Hewitt Associates LLC, a human resources outsourcer in Lincolnshire, Ill.
Shipping work to a third party doesn't absolve a company of responsibility for protecting that data, Yates said. Offshore vendors aren't legally obligated to comply with any of the privacy regulations that their customers are required to meet as owners of the data.
"You can't expect your vendor to fulfill your legal obligations for you," Yates said. "They are obligated only to their contract with you. So you need to tell them what to do."
That means spelling out as specifically as possible how the vendor is expected to use and protect sensitive data and stipulating the right to audit vendors for compliance.
Response Strategy
It's also important to have a good incident-response capability to deal with security or privacy breaches, said Marc Lowenthal, chief privacy officer at New Century Financial Corp. in Irvine, Calif. The company has set up an incident-response team that includes Lowenthal, the chief security officer, IT representatives and employees from audit and compliance teams.
Once a breach has occurred, "it really is about how you minimize your damage," Lowenthal said.
Regulatory compliance can be especially difficult to manage offshore, privacy experts said. Under California's SB 1386 law, for instance, companies are required to notify customers of any database breach that may have compromised their personal data, as soon as the breach is discovered. With overseas vendors, it becomes a lot more difficult to know whether, and exactly when, a material breach may have occurred, said Richard Purcell, founder of Corporate Privacy Group, a Nordland, Wash.-based consultancy.
Moreover, personal data that is covered by a privacy law such as Gramm-Leach-Bliley might reside in a database along with data protected under the Health Insurance Portability and Accountability Act, SB 1386 or European Union laws.
"Not all data is the same. There are different sources of data, different types of data and different rule sets," said Ken DeJarnette, an analyst at Deloitte & Touche LLP in San Francisco. "Without knowing what your data is, you won't know what protection you need."
