
Privacy: Outsourcing and the Need for a Vendor Compliance Strategy

March 2005

Sometimes it takes high-profile missteps—or at least Paris Hilton—to capture the public's attention about the sensitivity and vulnerability of personal data. During February 2005 alone, reports of privacy and security breaches seemed to occur almost daily.

by Mark J. Becker, Esq., edited by Gary E. Clayton, Esq.
www.privacycg.com

The personal data accessed by con artists who duped ChoicePoint, the hackers who obtained addresses and e-mails from Ms. Hilton's cell phone, the lost Bank of America customer records, and the retrieval of W2 forms from a PayMaxx online service clearly demonstrate that companies must continually assess their privacy and data protection management programs to prevent or mitigate the risks associated with a breach of personally identifiable information.

The significant and complex responsibility a company assumes when it receives personally identifiable information becomes greater when services are outsourced. It is, therefore, critical for a company to understand and appreciate the risks inherent in domestic and offshore outsourcing. Although the terms are sometimes used interchangeably, "outsourcing" broadly refers to retaining an outside vendor to perform a variety of services, such as payroll, telemarketing, and customer service, while "off-shoring" is a specific and politically charged term referring to the retention of a vendor located outside the United States.

Offshoring Incidents

When outsourcing involves turning over personally identifiable information to a third party, it is crucial, especially when offshoring, for a company to institute an oversight strategy that includes a comprehensive due diligence examination on a prospective vendor, a determination as to whether the vendor will subcontract the work, and inclusion of appropriate contractual language to protect your company and the individuals who provided the underlying personally identifiable information. The exposure a company risks by not taking additional steps to oversee its vendors can be illustrated by two prominent off-shoring incidents.

The most notorious incident involved a California hospital that outsourced some data processing work. A transcriber in Pakistan, upset with her pay, threatened to post the hospital's patient information on the Internet if she did not receive a pay raise. The hospital reportedly did not know that its vendor had off-shored the work, and the resulting adverse publicity led to the introduction of numerous bills. The other notable incident involved Ziff Davis Media, which ran a promotion on a site hosted by a third-party vendor. Due to what was termed a "coding error," the third party's site exposed credit card information of some of the customers participating in the promotion. This violated Ziff Davis' privacy policy, and the company settled with the attorneys general of California, New York, and Vermont for $125,000.

These incidents can be prevented, or at least mitigated, by approaching an outsourcing engagement with an understanding of the inherent risks and implementing a comprehensive and aggressive vendor compliance strategy to address those risks.

Outsourcing Risks

Services that are offshored pose additional risks due to the autonomy of the overseas vendor and the difficulty of monitoring its activities. In June 2004, the Federal Deposit Insurance Corporation (FDIC) published a study on the risks associated with offshore outsourcing for financial institutions. (See Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks.) Although the study focuses on the financial sector, the identified risks are applicable to any company. The FDIC identifies six risk areas that companies must understand and appreciate when engaging in offshore outsourcing. All of the risks identified by the FDIC, except for country risk, may also arise in domestic outsourcing.

  • Country Risk:
    • Generally, this risk involves changes to a country's political landscape, socioeconomic conditions, and related issues that may impact the ability of the overseas vendor to meet its contractual obligations.
    • According to the report, in addition to the risk of a data privacy breach, there is also the potential for a diversion of funds due to the sensitive material handled by vendors. Specifically, overseas subcontractors may have access to bank account numbers and other documents required for a letter of credit. Some vendors may also process loans and have full access to loan data spanning the life of the loan.
    • The FDIC also reports that foreign organized crime groups may impact offshoring activities. Reportedly, a criminal group has attempted to buy existing call centers, establish its own call centers, and bribe workers to gain access to the data.

  • Reputation Risk: The result of negative publicity stemming from adverse events, such as a violation of consumer law, disruption of service, or poor service.

  • Operations/Transactional Risk: Arises when there is a problem with service or product delivery and the company does not have an appropriate business plan or contingency plan to address the problem.

  • Compliance Risk: Occurs when the vendor violates laws, rules, regulations, internal policies, or ethical standards.

  • Strategic Risk: Arises when the third-party vendor is used in a way that does not further the goals of the company.

  • Credit Risk: Occurs when the vendor breaches the terms of its contract with the company or does not perform as agreed, thus affecting the company's credit.

Vendor Management Strategy

Once you have determined that outsourcing makes sense, it is critical to create a vendor management strategy to ensure that you have covered all (or most) situations in order to limit any potential financial or reputation damage to your company.

  • Examine Applicable Privacy Laws: Once a company determines where the outsourcing will take place, it must consult the relevant domestic and international privacy laws. In the United States, federal privacy laws are primarily industry specific, affecting such areas as financial services (Gramm-Leach-Bliley Financial Services Modernization Act of 1999); healthcare (Health Information Portability and Accountability Act); online collection and use of personal information from children under 13 years of age (Children's Online Privacy Protection Act); privacy of student records (Family Educational Rights and Privacy Act of 1974); and protection of video rental information (Video Privacy Protection Act of 1988). State and local laws of the jurisdiction in which the outsourcing will take place should also be consulted.

    In the case of offshore outsourcing, it is advisable to address the appropriate governing law and the enforcement of domestic law abroad within the contract. For instance, a U.S. company may be liable for its foreign vendor's privacy breach, but absent contractual language, that foreign vendor is not required to comply with U.S. privacy law.

  • Due Diligence: The selection of a third-party vendor is akin to choosing a good babysitter for your data. You want to be sure that the vendor will abide not only by your own internal safeguards and procedures, but also by applicable laws, rules, regulations, and best practices. Before establishing a relationship with a vendor to handle personal or sensitive information, an extensive due diligence process should examine the vendor's financial stability, any previous security or privacy breaches, its current privacy and security practices, and its references.

  • Monitoring: A company gives up a certain level of control when a service is outsourced. This is especially true when a vendor operates in a foreign country. Throughout the relationship, a company should remain vigilant in its vendor oversight responsibilities. This includes ensuring that privacy and data security controls are maintained, as well as continued adherence to contractual terms and compliance with laws, regulations, rules, and best practices.

  • Never Lose Control: A vendor serves as a temporary custodian of data that was entrusted to the company either directly by its customers or via a third party. Although the following list is not exhaustive, the vendor should agree to:

    • Recognize that the company maintains continued ownership of the data.
    • Prohibit any subcontracting without the company's written consent.
    • Prohibit the collection of personal data directly from the company's customers.
    • Ensure all workers sign confidentiality agreements that prohibit release of the material.
    • Implement internal and external security safeguards that are to be appropriately updated.
    • Provide prompt notice of any privacy or security breach or loss of personal data. The company should clearly enumerate the steps the vendor should take in the event of a breach or apparent breach.

Conclusion

The practice of outsourcing has many financial and operational benefits for companies. Although there are potential risks that may arise in an outsourcing arrangement, those risks should not preclude a company from outsourcing as long as the proper precautions have been instituted to protect the privacy and security of the underlying personally identifiable information.


Mark Becker is a director with Privacy Council, Inc., the global resource for privacy and data protection services. He is an attorney with experience in the areas of privacy, telecommunications, and government. Prior to joining Privacy Council, Inc., Mr. Becker served as the privacy officer for Arbitron Inc., was a director of regulatory affairs for e.spire Communications, and worked as an attorney for the Federal Communications Commission. He received his JD from Touro Law School in Huntington, New York, and his BS from Syracuse University's Newhouse School of Public Communications in Syracuse, New York. Mr. Becker can be reached by phone at 202-626-8596 and by e-mail at mark.becker@privacycouncil.com.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.