Thursday, June 26, 2008

Data Protection, Security Determine Outsourcing Outcomes

MBA (6/24/2008) Palaparty, Vijay
Data protection and security could determine success—or failure—in the outsourcing and offshoring lifecycle of various projects.

Intellect, a London-based trade association that represents the United Kingdom’s technology industry, released guidelines to help organizations address data issues early in the process.

“The money that outsourcers and their customers pay in data breach fines would be better spent improving data security processes so these breaches don’t occur in the first place,” said John Higgins, director general of Intellect. “Consumer data is a highly valuable commodity and should be treated as such. Companies recognize their responsibility towards consumers’ data but don’t always understand the best way to achieve this. Guidance can help address the situation.”

The guidelines report, Intellect Data Security and Data Protection Guidelines for Offshoring and Outsourcing, said both vendors and customers should anticipate and address data security and protection issues that could affect project success. “The lead-time that anticipation provides can be critical to developing efficient solutions,” the report said.

“When thinking about the security of private information handled by constituents of the mortgage industry, it is critical to think of every possible breach scenario and mitigate the risk at all possible levels,” said Philippe Turpault, vice president of product management and marketing at Lydian Data Services, Boca Raton, Fla. “Above and beyond being a technical issue, where technologists have to ensure the security of the data both in their platforms and transiting between clients’ systems, it is also a people issue that needs to be properly addressed through the right on-boarding, off-boarding and termination processes and procedures. It also needs to be constantly monitored and challenged, using a comprehensive set of checks and balances.”

The Intellect report, which includes information on non-European countries that have data protection laws—including the United States, Canada, Russia, Dubai, Korea and Australia—provides an overview of the types of issues outsourcing projects might encounter.

It identifies the best time to address the issues and which party is legally obliged or best placed to deal with them. The report also provides a checklist of data security and protection-related actions that must be taken, ranging from determining the data volume that will flow between outsourcer and customer, to procedures for destroying retained data at the end of a project.

The report is structured around key stages of the outsourcing lifecycle. The first stage is to analyze—reviewing services and data as well as data protection and compliance requirements. The next stage is to scope and select, which involves reviewing confidentiality agreements and conducting a data security and data protection audit of the vendor.

The contract stage specifies obligations and legal matters and incorporates legal remedies in the event of a breach. The next stage in the lifecycle is to implement and then manage, monitoring compliance, changes and incidents.

The final two stages are termination, transfer or step-in and then exit. The termination, transfer or step-in stage involves the impact of some kind of termination on data security and satisfying data protection requirements. The exit stage involves the impact of the exit on data and dealing with the overwriting or destruction of retained data.

“Outsourcing IT operations involves the transfer of personal data to a third party,” said David Evans, senior data protection practice manager at the Information Commissioner’s Office in the U.K. “For an organization to retain the trust of its staff and clients it is important that their outsourcing complies with the Act. This means ensuring that personal information is stored and processed securely, that it is accurate and up to date and accessed only by those with justifiable reason.”

“The transfer of and/or remote access to sensitive personal data is extremely important in today's world,” said Richard Johnston, president of Acris Solutions, Laguna Hills, Calif. “Nothing is more important than data security, and with secure access centered on the SSL certificate, user IDs, passwords, company IDs and unique user permissions, we feel comfortable with security features' ability to protect client data.”

Johnston said, however, that defense and data protection features are not always used properly, resulting in security shortfalls and breaches. “Until the community at large comes to grips with the realities of data protection's being more important than ease of use concerns, there will be many more attacks, penetrations, thefts, losses and ultimately fines to the responsible parties,” he said. “With the sophisticated tools available from technology providers today, it doesn't have to be that way.”

“Data is an extremely high priority on today's agenda,” said Bill Adamowski, group president, general partner and co-founder of ISGN, Bensalem, Pa. “Having a clear set of guidelines and checklists should be viewed by the outsourcing community as a great tool in that this provides clarity on how to address these important issues. Having consistency between clients and within the industry makes for better efficiencies, which is what outsourcing is all about to begin with.”

“Data security and protection is ultimately the responsibility of outsourcing companies when sensitive data are involved onshore or offshore,” said Limin Hu, executive vice president and CTO of Ellie Mae, Dublin, Calif. “It's great to have guidelines and requirements, but outsourcing data invariably creates additional risk factors and overhead that a company needs to carefully evaluate the benefits and risks before doing so. As a consequence, additional planning and continuous monitoring are required to ensure a successful outsourced data operation.”
