Offshore Outsourcing Poses Privacy Perils
Contracts need to stipulate exactly how overseas vendors will safeguard data
Computerworld - WASHINGTON -- Outsourcing jobs to offshore locations can sharply increase data privacy risks and the complexity of managing them, privacy and security professionals said last week.
Consequently, companies with an offshore outsourcing strategy need to ensure that their overseas vendors are contractually tied to safeguarding data security. That was a key message at the Fourth Annual Privacy and Data Security Summit here.
Although data privacy legislation is pending in India, the largest offshore outsourcing destination, no such laws are in place there now. That's what makes it especially important for companies to thoroughly understand and deal with privacy issues in their contracts, said Amy Yates, general counsel at Hewitt Associates LLC, a human resources outsourcer in Lincolnshire, Ill.
Shipping work to a third party doesn't absolve a company of responsibility for protecting that data, Yates said. Offshore vendors aren't legally obligated to comply with any of the privacy regulations that their customers are required to meet as owners of the data.
"You can't expect your vendor to fulfill your legal obligations for you," Yates said. "They are obligated only to their contract with you. So you need to tell them what to do."
That means spelling out as specifically as possible how the vendor is expected to use and protect sensitive data and stipulating the right to audit vendors for compliance.
Response Strategy
It's also important to have a good incident-response capability to deal with security or privacy breaches, said Marc Lowenthal, chief privacy officer at New Century Financial Corp. in Irvine, Calif. The company has set up an incident-response team that includes Lowenthal, the chief security officer, IT representatives and employees from audit and compliance teams.
Once a breach has occurred, "it really is about how you minimize your damage," Lowenthal said.
Regulatory compliance can be especially difficult to manage offshore, privacy experts said. Under California's SB 1386 law, for instance, companies are required to notify customers of any database breach that may have compromised their personal data, as soon as the breach is discovered. With overseas vendors, it becomes a lot more difficult to know whether, and exactly when, a material breach may have occurred, said Richard Purcell, founder of Corporate Privacy Group, a Nordland, Wash.-based consultancy.
Moreover, personal data that is covered by a privacy law such as Gramm-Leach-Bliley might reside in a database along with data protected under the Health Insurance Portability and Accountability Act, SB 1386 or European Union laws.
"Not all data is the same. There are different sources of data, different types of data and different rule sets," said Ken DeJarnette, an analyst at Deloitte & Touche LLP in San Francisco. "Without knowing what your data is, you won't know what protection you need."