Posted on 02/20/2004 4:46:48 PM PST by StatesEnemy
A lack of control over data, compliance monitoring and auditing are key issues
FEBRUARY 20, 2004 ( COMPUTERWORLD ) - WASHINGTON -- Outsourcing jobs to offshore destinations can sharply increase data privacy risks and the complexity of managing that risk, several experts at the Fourth Annual Privacy and Data Security Summit here warned this week. As a result, companies need to ensure that overseas vendors are contractually tied to specific conditions regarding how data is transmitted, accessed, used, stored and shared, they said. Those challenges include regulatory compliance, data protection and access issues, as well as monitoring and auditing issues.
"The risks are enormous to business strategy," said Richard Purcell, founder of Nordland, Wash.-based consultancy Corporate Privacy Group and former chief privacy officer at Microsoft Corp.
For instance, security breaches at offshore locations can be harder to detect -- and deal with -- from a regulatory compliance standpoint. Under California law, for example, companies are required to notify customers of any database breach that may have compromised the customers' personal data as soon as the breach is discovered. With overseas vendors, it becomes a lot harder to know whether, and exactly when, a material breach may have occurred, Purcell said.
Also, when data is sent overseas for processing, companies often make little attempt at categorizing it, said David Medine, an attorney at William Cutler Pickering LLP in Washington. Personal data covered by privacy laws might be combined in one database with data protected under HIPAA rules or other laws. That makes it much harder to provide adequate levels of protection for different classes of data.
"Not all data is the same. There are different sources of data, different types of data and different rule sets," said Ken DeJarnette, an analyst at Deloitte & Touche LLP in San Francisco. "Without knowing what your data is, you won't know what protection you need."
Several companies that ship work overseas also handle data on European Union citizens and must abide by the more stringent requirements of EU privacy laws. In such cases, companies need to understand their own legal obligations and the measures their vendor has in place to meet these obligations, said Rena Mears, an analyst at Deloitte.
The commentators act as if the privacy violations are a side-effect, rather than an intended outcome. Wes should know.
Almost certain he'll be the VP, unless the Florida issue demands Graham. Don't worry, the dems won't background Wes on the net, as been done at FR. There's an inverse relationship between Dems proclaiming internet savvy and actually using it.
Well, if the data is offshore, and the support team is offshore, it sure is a lot easier to avoid "discovering" any database breach. After all, if the outsourced organization never reports a security breach to the company (and they have a lot of reasons not to do so), then it has become a good way of making sure that the company never "knows" about any security breaches. And thus, they are not subject to any laws.
Not that anyone from the government is actually enforcing those laws anyway.
Why should they?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.