Risks of Data Theft and Breach of Privacy When Offshoring

Written by Vandana Mohanchandran

As business leaders seek more centralized and low-cost methods of processing information, they are turning to offshore outsourcing to fulfill many of their business processes. However, one of the biggest worries of outsourcing is data theft and breach of privacy. Although equipped security guards are stationed outside most outsourcing companies, and although companies routinely plan their data center recovery, they often lack adequate follow-through when it comes to protecting day-to-day operations.

Lately, there have been allegations that employees of outsourcing firms have stolen data entrusted to service providers. For example, Focused Technologies Imaging Services (FTIS) was awarded a US$3.45 M contract from New York State in 2008 that required its employees to scan State Division of Criminal Justice Services records, including fingerprints, Social Security numbers (SSNs), and dates of birth. FTIS outsourced more than a third of the contract to an Indian company for US$82,000. In March 2016, after a lawsuit was filed, FTIS agreed to pay US$3.1 M in penalties and fees for unlawfully outsourcing the work to India and putting the privacy of millions of people at risk.

Privacy Laws Practiced at Major Outsourcing Locations

The United States does not have one particular data protection law. Instead, it has several laws dealing with data privacy issues. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act) allows data stored in the US to be accessed by the government if required. In June 2011, Microsoft stated that, as an American company that stores data on servers in the European Union (EU), it could provide details of that data to US authorities without informing users. Similarly, any data that is housed, stored, or processed by a US-based company is open to scrutiny by US authorities. This should be considered when engaging a US outsourcing company, or any other outsourcing company that hosts data in the US.

For a company headquartered in the EU, data is generally subject to national and EU law as well as the applicable laws of the country in which it is stored or to which it is disclosed. For example, in Ireland, the Data Protection Acts 1998-2003 are the main legislation dealing with data protection. While the EU generally has strict laws governing how personal data is handled, other countries may not provide an adequate level of data protection. Foreign-owned suppliers operating in the EU could also be subject to the laws of their own government, giving foreign governments access to data held by the vendor in the EU.

In India, the legal aspects of data protection are distributed across various acts, such as the Information Technology Act 2000. This Act addresses electronic data, computer crimes, hacking, damage to computer source code, and breach of confidentiality provisions. The privacy rules of this Act are not limited to Indian companies.

At present, there is no comprehensive data protection law in China, but provisions related to personal data protection are found across various laws. A draft Personal Data Protection Law has been under review by the Chinese government for many years, but there is still no indication as to whether or when such a law will be passed.

The Philippines enacted the Data Privacy Act of 2012, which took effect on September 8, 2012.

Keeping Your Offshore Data Safe

As security and regulatory risks are the greatest concerns in outsourcing, business leaders must study which projects can be sent offshore and which cannot. Intellectual property is another area of concern. Business leaders must have measures in place to prevent potential abuse or theft of intellectual property. Additionally, the data being stored could itself be seen as a potential threat by the local government. Lately, China has taken several measures to tighten control and censorship over data stored by multinational corporations operating there. However, China has repeatedly affirmed that foreign businesses have nothing to fear, as the new measures are intended to address growing security threats such as terrorism.

There are important data security, regulatory compliance, and legal risks that businesses need to address. Unfortunately, data breaches are likely to continue to occur in many parts of the world. However, having verified data security methodologies in place can help minimize the damage. Business leaders can conduct due diligence and risk assessments when choosing service providers, and implement appropriate contractual measures designed to meet their objectives. Networks must be regularly checked for vulnerabilities and potential security risks. If the contract with a vendor provides for it, business leaders can also request the vendor's internal audit reports on security and on Business Continuity Planning (BCP)/Disaster Recovery (DR), as well as conduct their own audits.

To know more about risk-mitigating measures to reduce both the number of incidents and the consequences of data theft and misuse in outsourcing, subscribe to reports and alerts from Supply Wisdom℠. Contact us for more information or to get started with a free trial.