Offshore outsourcing poses privacy perils

WASHINGTON – Outsourcing jobs to offshore destinations can sharply increase data privacy risks and the complexity of managing that risk, several experts at the Fourth Annual Privacy and Data Security Summit here warned this week.

As a result, companies need to ensure that overseas vendors are contractually tied to specific conditions regarding how data is transmitted, accessed, used, stored and shared, they said. Those challenges include regulatory compliance, data protection and access issues, as well as monitoring and auditing issues.

“The risks are enormous to business strategy,” said Richard Purcell, founder of Nordland, Wash.-based consultancy Corporate Privacy Group and former chief privacy officer at Microsoft Corp.

For instance, security breaches at offshore locations can be harder to detect — and deal with — from a regulatory compliance standpoint. Under California law, for example, companies are required to notify customers of any database breach that may have compromised the customers’ personal data as soon as the breach is discovered. With overseas vendors, it becomes a lot harder to know whether, and exactly when, a material breach may have occurred, Purcell said.

Also, when data is sent overseas for processing, companies often make little attempt at categorizing it, said David Medine, an attorney at William Cutler Pickering LLP in Washington. Personal data covered by privacy laws might be combined in one database with data protected under HIPAA rules or other laws. That makes it much harder to provide adequate levels of protection for different classes of data.

“Not all data is the same. There are different sources of data, different types of data and different rule sets,” said Ken DeJarnette, an analyst at Deloitte & Touche LLP in San Francisco. “Without knowing what your data is, you won’t know what protection you need.”

Several companies that ship work overseas also handle data on European Union citizens and must abide by the more stringent requirements of EU privacy laws. In such cases, companies need to understand their own legal obligations and the measures their vendor has in place to meet these obligations, said Rena Mears, an analyst at Deloitte.

There are other issues as well, users said.

Ensuring adequate physical protection of data at a foreign site is more difficult than doing so at a local site. Also, it’s harder to find out if data is being improperly accessed or misused. Sometimes overseas vendors might subcontract work out to smaller vendors within their own countries or to those in other countries, adding yet another layer of risk.

A country’s data privacy laws and its legal system also make a difference, Medine said. India, which is the biggest outsourcing destination for many companies, has no formal data privacy law (although one is in the works).

Because of such issues, it’s important that companies deal with privacy issues in their contracts, said Amy Yates, general counsel at Hewitt Associates LLC, a human resources outsourcer in Lincolnshire, Ill. Shipping work to a third party doesn’t absolve the original company of responsibility for protecting that data, she said. Offshore vendors aren’t obligated to comply with the same privacy regulations their customers must meet as owners of the data.

That means spelling out what a vendor is expected to do and maintaining the right to audit it for compliance. “You can’t expect your vendor to fulfill your legal obligations for you. They are obligated only to their contract with you. So you need to tell them what to do,” Yates said.

It’s also important to have an incident response plan in place to deal with security or privacy breaches, said Marc Lowenthal, chief privacy officer at New Century Financial Corp. in Irvine, Calif. Lowenthal’s company has set up a team comprising the privacy officer, chief security officer, IT representatives and staff from legal audit and compliance teams.

Once a breach has occurred, “it really is about how you minimize your damage,” he said.