Are you practicing safe outsourcing?

One political hot potato in this election year is the outsourcing of tech jobs to other countries. Last month's column featured our case "When Contracts Are Not Dependable." As the case illustrated, outsourcing without properly assessing a vendor's privacy and data controls can create a real headache for the chief privacy officers (CPO) and CIOs responsible for safeguarding personal and sensitive information located in distant places.

Key Outsourcing Issues

What are the key risks when sensitive information is transferred to or shared with a vendor? Unintentional harm to the public can result when companies do not apply rigorous information risk management requirements for selecting a qualified vendor and do not monitor vendors for compliance with contractual requirements.

Complex organizations may experience chaos in trying to remotely manage and protect the security and privacy of sensitive information. Therefore, companies need to make sure the vendor has the resources or technologies to create information security safeguards and technologies. The critical infrastructure or backbone of the vendor's location (country) must also have the capacity to handle data protection requirements.

Leading Practices

Our Institute decided to investigate what some major companies are doing to reduce the risks while reaping some of the cost benefits from outsourcing. We conducted a detailed benchmark study of 24 major U.S. corporations.

- Following are some of the practices they have adopted. Your organization might want to consider them as well.

- Integrate information security and privacy into vendor selection process.

- Appoint a high-level officer to assume responsibility for evaluating vendors for adequacy to meet corporate policy and legal requirements.

- Evaluate historical experience and reputation of the vendor. One way is to look at complaints and trace patterns back to a given activity or campaign under the control of the outsourced vendor.

- Consider the vendor's location, critical infrastructure and national backbone issues.

- Consider cultural and ethical dimensions that may impact due care in the maintenance and protection of customer or employee information.

- Perform site evaluations and, when appropriate, consider independent audit.

- Provide good faith disclosure to customers about outsourcing risks (including fair redress process to report problems directly to the company).

- Ensure the vendor performs background checks, and provides good supervision to its employees.

- Ensure the vendor has an upstream communication mechanism for security and privacy breaches immediately after they occur.

- Balance sound information security and privacy risk management against economic (cost minimization) objectives.

And A Case Study

A significant issue for outsourcing sensitive personal information is that cybercriminals may look at outsourced operations as an easier door -- complete with welcome mat -- to the corporate data repository. Consider the case of a large national financial services organization with operations in domestic and various off shore locations.

The company decided to outsource its customer care and call center operations and was investigating contract (vendor) companies in the U.S., India, China, Panama and the Ukraine. The company decided to sign a contract with an offshore vendor in the Ukraine for three reasons:

- The workforce was well-educated and the vendor had the necessary call center setup skills.

- The cost of operations was very favorable and included significant tax incentives provided by the government.

- The outsourcing industry in the Ukraine was booming.

After the decision was made, the company's legal and procurement team formulated contracts with the vendor to ensure that it took full responsibility for complying with the privacy policy, which included a strict do-not-share with third parties for secondary uses without consent, and all U.S. regulatory requirements. The Ukraine vendor also agreed by legal contract to comply with strict data protection and information security requirements as suggested by the Federal Trade Commission's Safeguards Rule.

Only nine months after implementing new customer care and call center activities, thousands of U.S. customers received questionable billings on their credit card statements for magazine subscriptions or Web services never contracted. Hundreds of customers complained that they became victims of identity theft, likely resulting from personal information leaked by the bank. A few customers reported that their entire bank balances were wiped out to untraceable locations.

In response, the company hired a forensic expert to determine where the possible data leak occurred. They discovered that it happened from an offshore/outsourced location, perhaps an "insider job" from the Ukrainian call center.

Further investigation found the leak, which was uncovered by the vendor's IT director months earlier -- but not communicated. The root source was a direct download of sensitive customer information. This was perpetrated by a new IT employee of the vendor with remote access to the company's data warehouse.

While the IT employee did not have a criminal history, her husband was a convicted mobster on a U.S. cybercrime watch list. She claimed that her company did not explain security and privacy requirements to employees. She believed that the downloading and sharing of information would not harm anyone.

Not Necessarily Risky Business

Despite the crisis faced by the financial organization, outsourcing is not necessarily a problem. Whether or not your company has outsourced the management of sensitive information to other countries and third-party vendors, the same advice holds true. That is: to reduce the risk of a privacy and security breach, companies need to take reasonable steps to prevent what can be the root of all evil -- the unauthorized access to sensitive information or lax controls over information sharing.

Contrary to the opinions of others, I don't believe the outsourcing of data management activities to offshore locations necessarily creates undue risk for the public. In most cases, these risks can be controlled or moderated with reasonable safeguards, procedures and internal controls.

If you are interested in learning more about what Ponemon Institute is doing about secure vendor relations, please send an e-mail to

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Federal Trade Commission

Show Comments