Privacy: Outsourcing and the Need for a Vendor Compliance Strategy

March 2005

Sometimes it takes high profile missteps—or at least Paris Hilton—to capture the public's attention about the sensitivity and vulnerability of personal data. During February 2005 alone, reports of privacy and security breaches seemed to occur almost daily.

by Mark J. Becker, Esq., edited by Gary E. Clayton, Esq.
www.privacycg.com

The personal data accessed by con artists that duped ChoicePoint, the hackers who obtained addresses and e-mails from Ms. Hilton's cell phone, the lost Bank of America customer records, and the retrieval of W2 forms from a PayMaxx online service clearly demonstrate that companies must continually assess their privacy and data protection management programs on a regular basis to prevent or mitigate the risks associated with a breach of personally identifiable information.

The significant and complex responsibility a company assumes when it receives personally identifiable information becomes greater when services are outsourced. It is, therefore, critical for a company to understand and appreciate the risks inherent in domestic and offshore outsourcing. Although sometimes used interchangeably, "outsourcing" broadly refers to an outside vendor retained to perform a variety of services, such as payroll, telemarketing, and customer service, while "off-shoring," is a specific and politically charged term referring to the retention of a vendor located outside the United States.

Offshoring Incidents

When outsourcing involves turning over personally identifiable information to a third party, it is crucial, especially when offshoring, for a company to institute an oversight strategy that includes a comprehensive due diligence examination on a prospective vendor, a determination as to whether the vendor will subcontract the work, and inclusion of appropriate contractual language to protect your company and the individuals who provided the underlying personally identifiable information. The exposure a company risks by not taking additional steps to oversee its vendors can be illustrated by two prominent off-shoring incidents.

The most notorious incident involved a California hospital that outsourced some data processing work. A transcriber in Pakistan, upset with her pay, threatened to post the hospital's patient information on the Internet if she did not receive a pay raise. The hospital reportedly did not know that its vendor off-shored the work and was subjected to adverse publicity, which resulted in the introduction of numerous bills. The other notable incident involved Ziff Davis Media, when it ran a promotion on a site hosted by a third-party vendor. Due to what was termed as a "coding error," the third party's site exposed credit card information of some of the customers participating in the promotion. This violated Ziff-Davis' privacy policy and they wound up settling with attorneys general from California, New York, and Vermont for $125,000.

These incidents can be prevented, or at least mitigated, by approaching an outsourcing engagement with an understanding of the inherent risks and implementing a comprehensive and aggressive vendor compliance strategy to address those risks.

Outsourcing Risks

Services that are offshored will pose additional risks due to the autonomy of the overseas vendor and the difficulty in monitoring its activities. In June 2004, the Federal Deposit Insurance Corporation (FDIC) published a study on the risks associated with offshore outsourcing for financial institutions. (See Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks. Although the study focuses on the financial sector, the identified risks are applicable to any company. The FDIC identifies six risk areas that companies must understand and appreciate when engaging in offshore outsourcing. All the risks identified by the FDIC, except for the country risk, may also arise in domestic outsourcing.

• Country Risk:
  • Generally, this risk involves changes to a country's political landscape, socioeconomic conditions, and related issues that may impact the ability of the oversees vendor to meet its contractual obligations.
  • According to the report, in addition to the risk of data privacy breach there is also the potential for a diversion of funds due to the sensitive material handled by vendors. Specifically, overseas subcontractors may have access to bank account numbers and other documents required for a letter of credit. Some vendors may also process loans and have full access to loan data spanning the life of the loan.
  • The FDIC also reports that foreign organized crime groups may impact offshoring activities. Reportedly, a criminal group has attempted to buy existing call centers, establish their own call centers, and bribe workers to access the data.

• Reputation Risk: Is the result of negative publicity stemming from adverse events, such as a violation of consumer law, disruption of service, or poor service.

• Operations/Transactional Risk: Arises when there is a problem with service or product delivery and the company does not have an appropriate business plan or contingency plan to address problems.

• Compliance Risk: Occurs when the vendor violates laws, rules, regulations, internal policies, and ethical standards.

• Strategic Risk: Is when the third-party vendor is used in a way that does not further the goals of the company.

• Credit Risk: Occurs when the vendor breaches the terms of the contract with the company or does not perform as agreed, thus affecting the company's credit.

Vendor Management Strategy

Once you have determined that outsourcing makes sense, it is critical to create a vendor management strategy to ensure that you have covered all (or most) situations in order to limit any potential financial or reputation damage to your company.

• Examine Applicable Privacy Laws: Once a company determines where the outsourcing will take place, it must consult the relevant domestic and international privacy laws. In the United States, federal privacy laws are primarily industry specific affecting such areas as financial services (Gramm-Leach-Bliley Financial Services Modernization Act of 1999); healthcare (Health Information Portability and Accountability Act); online collection and use of personal information from children under 13 years of age (Children's Online Privacy Protection Act), privacy of student records (The Family Educational Rights and Privacy Act of 1974) and protection of video rental information (Video Privacy Protection Act of 1988). State and local laws of the jurisdiction in which the outsourcing will take place should also be consulted.

  In the case of offshore outsourcing, it is advisable to address the appropriate governing law and the enforcement of domestic law abroad within the contract. For instance, a U.S. company may be liable for its foreign vendor's privacy breach, but absent contractual language, that foreign vendor is not required to comply with U.S. privacy law.

• Due Diligence: The selection of a third-party vendor is akin to choosing a good babysitter for your data. You want to be sure that the vendor will not only abide by your own internal safeguards and procedures, but applicable laws, rules, regulations, and best practices as well. An extensive due diligence process should include the vendor's financial stability, any previous security or privacy breaches, its current privacy and security practices, and references prior to establishing a relationship with a vendor to handle personal or sensitive information.

• Monitoring: There is a certain level of control a company gives up when a service is outsourced. This is especially true when a vendor operates in a foreign country. Throughout its relationship, a company should remain vigilant in its vendor oversight responsibilities. This includes ensuring that privacy and data security controls are maintained, as well as continued adherence with contractual terms and compliance with laws, regulations, rules, and best practices.

• Never Lose Control: A vendor serves as a temporary custodian of data that was either directly entrusted by a company's customers or via a third party. Although not exhaustive, the vendor should agree to:

  • Recognize that the company maintains continued ownership of the data.
  • Prohibit any subcontracting without the company's written consent.
  • Prohibit the collection of personal data directly from the company's customers.
  • Ensure all workers sign confidentiality agreements that prohibit release of the material.
  • Implement internal and external security safeguards that are to be appropriately updated.
  • Provide prompt notice of any privacy or security breach or loss of personal data. The company should clearly enumerate the steps the vendor should take in the event of a breach or apparent breach.

Conclusion

The practice of outsourcing has many financial and operational benefits for companies. Although there are potential risks that may arise in an outsourcing arrangement, those risks should not preclude a company from outsourcing as long as the proper precautions have been instituted to protect the privacy and security of the underlying personally identifiable information.

---

Mark Becker is a director with Privacy Council, Inc., the global resource for privacy and data protection services. He is an attorney with experience in the areas of privacy, telecommunications, and government. Prior to joining Privacy Council, Inc., Mr. Becker served as the privacy officer for Arbitron Inc., was a director of regulatory affairs for e.spire Communications, and worked as an attorney for the Federal Communications Commission. He received his JD from Touro Law School in Huntington, New York, and his BS from Syracuse University's Newhouse School of Public Communications in Syracuse, New York. Mr. Becker can be reached by phone at 202-626-8596 and by e-mail at .

---

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.