
Protecting the Privacy of Information in Offshore Processing

Published: 2007-6-02 18:23 | Author: reposted from the web | Source: original to this site | Views: 16

Companies have been processing information offshore for many years, and business processes and IT have been successfully outsourced offshore for over two decades. Although there have been some instances of abuse and misuse of protected information, our experience has generally shown that there are very few breaches of privacy in outsourced offshore processing. Outsourcing providers, be they onshore or offshore, are most vigilant when it comes to protecting information and providing for security in general. Protecting their reputation in the marketplace is the main driver for this vigilance. Clients must have trust and confidence in the provider's ability to manage and maintain a secure environment and comply with regulations; the provider's very survival depends on it. The last thing any provider wants is to have its company name splashed across CNN or a newspaper story involving fraud or abuse.

I also believe that, generally, there is a far greater degree of compliance with the 4 P's (Policy, Processes, Practices and Persistence) in offshore centers. This is not just because of concern for reputation but the result of a greater propensity to be disciplined and compliant with rules and laws. Offshore centers generally have a greater commitment to the Quality Program, which requires discipline and continuous compliance with processes and practices. The following are some of the lessons learned we have observed regarding the overall protection of information in an outsourced environment, offshore or onshore:

·Failure to create and maintain a well-defined policy for the protection of information

One of the most important aspects of establishing any discipline is to define the policy at the time of commencement, so as not to create any misinformation and to set appropriate expectations. A key lesson learned has been that offshore service providers fail to establish a policy and training based on that policy document. Many wait until a client demands such a document, or until the first violation occurs. Like any important management document, the policy must be reviewed periodically and adjusted for changes that may have occurred.

·Not providing adequate identification of the “protected” information

Even with the establishment of the policy document, employees must have a single source of information where the protected information elements are defined. Sometimes even those providers who have established a policy and training program do not identify which information is "private" and therefore covered under the policy. This defeats the purpose of the policy statement.

Additionally, we have seen cases where there is no visible, identifiable tag on the protected information. Tagging is usually done by marking: for example, color coding for physical documents, or scrambled and/or highlighted fields for digital information.

·Insufficient preparation prior to entering into an agreement and subsequently not defining all of the aspects of security of private information in the contract with the service provider

One of the most common problems identified has been that both businesses and service providers do not spend the required up-front time to define the privacy issues associated with the agreement before entering into a contract. This leaves a lot of opportunity for mishandling the private information and can cause future disputes. Many outsourcing agreements do not adequately address the process by which the private information is identified by the two parties, nor the obligation of the two parties to assure that there is a clear definition and acceptance of terms and conditions for handling such information. Often, such items are buried as part of the general security and confidentiality clauses.

·Not conducting a thorough due diligence and performing risk analysis before the contract is completed, so that the contractual provisions can directly address weaknesses and inadequacies in the service provider’s environment

Another lesson learned has been that protection of private information is not included as part of the due diligence by both businesses and providers. It is difficult to establish a baseline for protection, or to agree on terms of protection, if both parties are not fully aware of the existing conditions and requirements. We have rarely seen a joint risk analysis performed by both parties as part of due diligence, with mitigation and avoidance actions included in the transition and/or governance plans.

·Not implementing a governance program that assures periodic evaluation of the degree of compliance with all aspects of information security

Finally, one of the most important lessons learned has been that the governance program must include management of the private information. A solid governance program would include compliance checklists and risk management exercises that cover all aspects of anticipated failure in compliance. Since mishandling private information has a large business impact (much as security and disaster recovery failures would), it should be one of the key aspects of the governance process.

In the three articles on Protecting the Privacy of Information, we have reviewed the requirements of the information that must be protected, a framework for establishing a solid protection program and, finally, some of the lessons learned. Although most service providers (and businesses alike) are taking the protection of private information seriously, not enough investment is made in creating and managing the protection environment. Without this, there will continue to be negative public stories about mishandling of private information, and in some cases it will be attributed to the concept of outsourcing rather than to mismanagement.
