Outsourcing Personal Data: Just How Secure Is It?
As companies look for better ways to keep costs down, the lure of contracting cheap labor overseas continues to grow. Outsourcing overseas is becoming increasingly popular in the banking, financial services, retail, insurance, and telecommunications sectors. But when companies choose to outsource the processing of sensitive personal information, are they losing control of security as well?
Securing personal data within our own borders seems to be tough enough. On February 7, 2006, one of Massachusetts' largest hospitals, Brigham and Women's Hospital, said that it mistakenly faxed sensitive confidential patient information to an incorrect business fax number and is conducting an internal investigation into the matter.
Last year, Blue Cross and Blue Shield of North Carolina inadvertently printed Social Security numbers on envelopes it sent to 629 of its members.
Sending data processing tasks overseas doesn't appear to reduce security concerns. Not long ago, a woman in Pakistan caused alarm among executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid. The transcriber later rescinded her e-mailed threat, and the UCSF Medical Center fired the contractor who had hired the subcontractor ultimately responsible for the Pakistani woman's work, but the incident exposed the fact that the hospital wasn't keeping track of exactly where its medical records were going or who had access to them.
To put the risks in perspective, India's National Association of Software and Services Companies reported recently that India's outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and its revenue is growing more than 40% annually. Analyst firm Gartner Inc. estimates that worldwide spending on offshore outsourcing services will top $50 billion by 2007. Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, and most U.S. companies aren't ramping up security measures at these locations to keep pace with that growth.
The United States has never enacted a comprehensive data protection or privacy law, and even highly regulated data (such as healthcare information subject to the Health Insurance Portability and Accountability Act (HIPAA) regulations and financial information subject to the Gramm-Leach-Bliley Act (GLBA)) are not subject to any trans-border regulations. However, the absence of a data privacy law dealing with outsourcing does not mean that a company's use of offshore vendors is without risk. U.S. laws do impose various obligations on companies to maintain the privacy and security of their U.S. databases, and these obligations require that the company ensure the requirements of the law are met.
But just because a company transfers the performance of a function to a third party, it does not mean that the company can also transfer its legal compliance obligations with respect to the performance of that function. In fact, despite transferring the function, the firm may well remain legally bound to interested third parties (such as government entities, customers, employees, other vendors) for the successful performance of the function, and in some instances, the company may be responsible for ensuring that the processes used to perform the transferred function conform to applicable regulations. Of course, in addition to legal troubles, the public relations fallout for a company that falls prey to a data security breach can be devastating.
So what steps should a company take to secure its outsourcing operations abroad and protect customer data?
First and foremost, a sound and well-understood security policy must be put in place and followed vigorously before any data is outsourced overseas.
In addition:
• Visit the outsourcing site, and require the outsourcing vendor to provide proof of a security audit by a reputable third party or industry group. The vendor should demonstrate that its policies, procedures and technical safeguards are equal to or better than the company's.
• Conduct a remote vulnerability assessment to determine what internal information the company can access from the outside.
• Require the outsourcing vendor to encrypt all data in storage and in transit, and physical security controls should be in place to reduce the risk of data leaving the premises via portable media, disk devices, cameras and hard copies.
• Provide only limited details about a customer, not the full profile.
When executing a written contract with the outsourcer, the following provisions should be included:
• A prohibition on the service provider from disclosing or using data or information for any purpose other than to carry out the agreed services.
• The service provider should provide a copy of all customer data in its possession or control upon request.
• Never grant any subcontractor access to the outsourcer's data unless the company has approved the subcontractor and the subcontractor assumes all security provisions of the outsourcing agreement.
• The outsourcer should be precluded from holding data hostage in the event of a dispute.
• The contract should be reviewed by counsel experienced in the laws of the outsourcer's country to determine the enforceability of all aspects of the contract.
Finally, a company should develop a formal plan for responding to "worst case scenario" type events, such as misappropriation of personal data. The plan would identify both the local legal resources that could be called upon quickly in that country and the legal remedies that would be sought in the event of a security incident or breach of contract.