The heart of a company is located in its information systems department. Strategic data, trade secrets, financial information, and personal information of employees, customers and business associates are held, processed, and stored on servers accessible through LANs, WANs, intranets, or the Internet, or on laptops, personal digital assistants, and other mobile devices. To be more efficient, reduce cost, enhance customer service, or for other reasons, however, companies are outsourcing numerous functions that rely heavily on resources and databases located or stored in their information systems: for example, call center and customer relationship and support, medical records transcription and data entry, benefits administration, software maintenance or support, procurement, fulfillment and logistics, telemarketing, and the like. Outsourcing transactions present a substantial risk. The client loses control over critical assets, which may come to be managed according to generic rules. The vendor takes over operations and constraints about which it may know very little, and which it tries to fit into its own business model and rules of operation. This article focuses on outsourcing contracts in which personally identifiable information is transferred. It analyses the risks of information privacy and information security violations, and proposes tips and solutions.
1. POTENTIAL RISKS IN OUTSOURCING

In most outsourcing transactions, the client transfers to a third party the total responsibility to handle a task or to manage a function. Concurrently, it makes available to that third party valuable confidential information, trade secrets (e.g. a customer list) or personally identifiable information of its customers (e.g. the medical record to be transcribed). It grants the vendor custody of a precious cargo that requires special handling.

Client’s Concerns – For the client, outsourcing means loss of control over critical assets. The company is opening its doors and confidential files to a third party. Personal contact information, sensitive financial or medical information, and confidential customer lists are provided to the outsourcing vendor. The client should be concerned about the vendor’s ability or commitment to protect these data with the same level of care as the company. The vendor might sell the database to a competitor, or use its knowledge to build a competing application. The vendor might hold back critical data, and use the loot to bargain for more money. The vendor’s employees may leave, taking with them critical, sensitive information.

Vendor’s Concerns – Vendors, on the other hand, may be concerned because they cannot fathom the scope of the actual responsibilities taken on, or the exposure to unanticipated liability. There might be restrictions on the transfer of personal data to that vendor. Discovering and addressing these restrictions after the fact might result in substantial legal cost. Alternatively, the client might be subject to cumbersome regulatory requirements, and the vendor might unexpectedly be forced to spend considerable administrative and staff time assisting the client in audits, or providing comprehensive documents, reports, or access to its own facilities. The administrative cost related to such audits or reporting, if unaccounted for in the original proposal, might prove costly.
2. LEGAL FRAMEWORK

The collection, compilation, use, disclosure, or transfer of personal data is regulated by laws and regulations. These laws may dictate the permitted uses of personal data, whether and to whom the data may be transferred or disclosed, or the security measures required to protect these data.

DATA PROTECTION LAWS

There is a myriad of data privacy laws and data security laws that may apply to a specific company, or a specific line of business. Here are just a few examples.

Medical Information: The Health Insurance Portability and Accountability Act (HIPAA) applies to specific "covered entities", which are health plans, healthcare providers, and healthcare clearinghouses. In addition, these covered entities are required to impose similar restrictions on their “business associates”, that is, any person or entity that provides services to the covered entities and handles or has access to patients' protected information. Privacy and Security regulations under HIPAA have been published and are in effect. The compliance deadline for the security regulations is April 2005 for most entities. In addition, in most States, healthcare laws may set forth additional requirements and restrictions.

Financial Information: Although primarily enacted to regulate the banking, securities, insurance and other financial industries, the Gramm-Leach-Bliley Act (GLBA) establishes privacy-related provisions that apply to financial institutions. These provisions also affect third parties that receive nonpublic personal information from financial institutions. Privacy and security regulations implementing GLBA's requirements were enacted and are in effect. In addition to the GLBA, other federal laws, such as the Fair and Accurate Credit Transactions Act, and state laws, such as California’s Financial Privacy Act, also address the privacy and security of financial information.
Information Regarding Children: The Children's Online Privacy Protection Act (COPPA) governs what information online commercial businesses may collect about children under thirteen, and the extent to which they can use that information. COPPA applies not just to websites specifically directed towards children, but also to websites where the website operator has actual knowledge that the site collects information from individuals under thirteen. The law and its related regulations establish specific information privacy and security requirements.

Employment: Many laws govern the aspects of the employer-employee relationship that are confidential and require the handling of personal information. For example, the Fair Credit Reporting Act (FCRA) contains rules pertaining to background checks of prospective employees. The Electronic Communications Privacy Act (ECPA) governs the interception of electronic and wire communications, and limits access to certain networks and communications. There are also laws about permissible interview inquiries. There are, as well, State laws on numerous topics such as inquiry into the arrest records of prospective employees. Use of personnel records is governed by both federal and state rules.

Foreign Data Protection Laws – Abroad, over 50 countries have substantial data protection laws, with strong privacy protection and security requirements, as well as comprehensive, extensive rights for the data subjects. Transfers of personal information to a third party located outside the country’s borders are prohibited, unless specific requirements are fulfilled (e.g. customer consent, or a contract with the third party containing stringent requirements) or unless the country to which the data is transferred has been deemed to offer “adequate” data protection. These laws, in addition, contain data security requirements.
If a US company contemplates outsourcing services used by its foreign subsidiaries (for example in a global outsourcing arrangement), it must ensure that the contemplated transaction complies with the local laws that govern these subsidiaries.

Data Protection Law Requirements – It is impossible to summarize in a few sentences the details and idiosyncrasies of the myriad of data protection laws that might affect a specific relationship. Generally, however, there are many similarities amongst US and foreign laws, because they tend to follow most of the same fair information principles that were defined by the OECD in the early 1980s.

• Notice and Consent: The organization that intends to collect and keep personally identifiable information must notify the individual that it is collecting the information, and disclose the purposes for which the collection is made. Specific consent of the individual to the collection of the information may be required.
• Scope of Use: There may be restrictions on when and how the data is used, and specific restrictions on the use of information in marketing.
• Right of Access: The organization may have to provide individuals with access to their own personal information, an accounting of the disclosures of the information to third parties, and the right to correct inaccurate information.
• Security: The organization must protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
• Restrictions on Transfers to Third Parties: Data subjects must be notified that their personal information may be disclosed to third parties, and must be given the ability to choose whether it may be disclosed. The organization must also obtain adequate assurances from the third party that it will provide at least the same level of protection that the organization itself provides.
• Chief Privacy Officer: There may be an obligation to appoint an individual in charge of implementing the privacy policy.
• Audits: Regulated businesses and covered entities may have to submit to government audits.

In all cases, violation of the related law may be accompanied by fines, and in some cases, prison terms. When entering into an outsourcing arrangement, a company should ensure that it complies with the applicable data privacy and security law requirements, such as those relating to transfer restrictions and consent. It should also ensure that its vendor will likewise comply with the same requirements, provide adequate security, and limit uses and disclosures of the information to only the permitted uses. Each situation is different, and each company is subject to its own specific set of laws and regulations.

WEBSITE PRIVACY STATEMENTS

Website Privacy Policies – Even when there are no data protection laws, companies may be subject to self-imposed restrictions. Since many fields are not yet regulated in the United States, companies have been encouraged to self-regulate. Many companies have adopted privacy policies, tailored to their own business purposes and ethics, which they frequently post on their website. These published privacy statements then become the de facto rule by which the company must abide.

FTC and State Attorney General Action – If a company fails to protect the personal data that it has collected with security measures consistent with the representations made in its published privacy statement, it may be prosecuted for violation of its own privacy policy, even if the company is not subject to any specific privacy law. Prosecution in this case is initiated by the Federal Trade Commission and State Attorneys General, generally after they have been notified of data security violations on a website. The FTC actions are based on violation of Section 5 of the FTC Act, which prohibits “unfair and deceptive practices”. The State Attorney General actions are based on the State equivalent of this provision.
Examples of these actions abound: Guess?, Microsoft, Eli Lilly, Tower Records, ACLU, and Victoria’s Secret were prosecuted in recent years. In each case, the action pointed to alleged misrepresentations made in the site’s Privacy Statement about the security of personal information. In each case, the company had to agree to a stringent consent order, which generally included payment of fines, yearly audits, and 20-year supervision by the Federal Trade Commission. Other actions have been initiated when companies have attempted to transfer or sell customer lists in violation of their published website privacy policy. For example, Toysmart's online privacy policy proclaimed it would "never share" its customers’ information with a third party. When Toysmart sought bankruptcy protection and offered its customer information for sale, the FTC objected. The dispute was ultimately settled, with Toysmart agreeing that any buyer would have to be in the same business as Toysmart and agree to follow all of the requirements of Toysmart's privacy policy.

Companies contemplating outsourcing should review their published privacy statement, to ensure that there are no restrictions on the proposed transaction. They should also evaluate in which way the transfer to a third party vendor would affect the representations made in the privacy statement, such as the nature of the security measures taken, or the nature of the uses of the data collected on the site.

OFFSHORE OUTSOURCING AND OUTSOURCING BILLS

In addition to the privacy laws of the countries where it operates, a company that contemplates outsourcing should also be aware of the privacy laws of the country where the outsourcer will perform the services. Of great importance is the absence of such laws. Indeed, many outsourcing providers are located in countries that do not have data protection laws, for example India, China, or Malaysia.
Absent adequate data protection laws, there are no standards against which to measure performance, and no recourse for improper processing or use of data, other than through a breach of contract action. Unfortunately, in most of these countries, the deficiency in the legal framework is compounded by deficiencies in the local judicial system: slow, overloaded, crowded courts, or corrupt judges. As a result, there is great concern about ensuring proper protection of the privacy rights of US residents in their personal data when those data are processed offshore. If the outsourcing transaction is to be performed in a country without adequate privacy protection, the client should negotiate comprehensive contractual provisions, with proper indemnification and protection in case of an incident. Periodic audits would also be critical to ensure compliance.

To address the concern with the lack of data protection in certain foreign countries, numerous bills have been introduced to forbid or restrict offshore outsourcing. Three federal bills would require notices to consumers or customer consent before personal information is transferred abroad. In addition, offshore outsourcing bills are pending in more than 35 States. Over 60% of these bills would restrict, preclude, or regulate the transfer of personal data outside the United States.

OTHER LEGAL CONCERNS

In addition to the laws described above, a company contemplating outsourcing should also take into account the requirements of other laws that directly or indirectly affect the security measures taken to protect data, or the use made of these data. Section 404 of the Sarbanes-Oxley Act, for example, requires that companies have adequate control over their data, so that they can certify their authenticity. What controls would the outsourcer provide?
The CAN-SPAM Act imposes specific requirements when sending commercial emails, and calls for the establishment of opt-out databases to record individuals’ preferences with respect to commercial emails. Will the outsourcer keep track of the opt-out requests accurately, and implement them? California’s SB 1386 (Identity Theft Protection Act) requires companies to disclose to their customers when security breaches have occurred. Will the outsourcer monitor security breaches and notify the client promptly?

In each of these cases, if a company is subject to a specific law, it must ensure that its outsourcing vendor will in turn abide by the law (whether or not the outsourcer is located within US jurisdiction). It should also ensure that the vendor will assist the company in complying with, or responding to, government and law enforcement inquiries. If a breach of privacy or security occurs, the client will be on the first line of fire, whether or not it was responsible for the breach, because the client remains primarily responsible to the public for compliance with US laws.

3. DUE DILIGENCE; CONTRACTS; AUDITS

Due Diligence – Given these extensive legal obligations, requirements, concerns and liability, before outsourcing, both the client and the vendor should conduct appropriate due diligence to evaluate the potential risks, exposures and liability in the contemplated relationship. For example, the following questions would be relevant:

- What security or privacy audits have been performed internally or by third parties? What were the results of these audits? What specific steps were taken to address especially high-risk recommendations?
- Are there restrictions on the transfer of the data to the outsourcing vendor?
- What are the company’s and the vendor’s privacy policies and security policies? Are they compatible?
- What resources are needed to implement the data privacy and security requirements of the client? Does the vendor have adequate resources to do so?
- Does the vendor have the ability to respond to individuals’ requests under their right of access to, and amendment of, their personal information?
- What conflicts does the vendor have? Are any of the client’s competitors also clients or prospects of this vendor?
- Are there data protection laws in the vendor’s country, and how are they enforced?
- How will the vendor address changes in data security threats, technology, or the client’s needs?
- How will documents be retained to provide evidence in case of litigation?
- How will responses to subpoenas or audit inquiries be handled?

Outsourcing Contract – The parties should remain sensitive to data privacy and security issues in the negotiation of the contract terms, and in all phases of the relationship as well. The written agreement should define, as appropriate, how data privacy and security issues will be addressed during the term of the contract and upon termination. The outsourcing agreement should also address the ownership and disposition of the databases of private information the participants might have developed or shared during the life of the contract. Appropriate clauses might include detailed requirements with respect to the use or handling of the data, such as segregating the protected data from other customers’ data, or implementing specific security measures. Allocation of responsibilities, liability obligations, and risk management provisions should be incorporated in the agreement as well. The parties should consider representations and warranties with respect to the data and the scope of use of the data. Indemnification, limitation of liability, and insurance provisions are appropriate, to address liability that may result from loss or misuse of data or breach of contract. The contract should also anticipate changes in legal and regulatory requirements.
Companies should be concerned about the many restrictions and the need to stay informed of new developments, to ensure that the outsourcing contract is updated as needed.

Ongoing Audits – The customer should plan to conduct periodic audits of data protection practices, to ensure that they comply with the contract. Once the contract has been executed, periodic audits are essential to ensure and verify continued performance by the vendor and compliance with the privacy and security requirements. The contract should provide for such audits, and the client should have the discipline to conduct them.

4. CONCLUSION

The proliferation of data privacy and data security laws in the United States and abroad, and the ubiquity of website privacy statements, have brought to the forefront the need to focus on how personally identifiable information is collected, processed, stored, and disseminated. Companies must carefully address privacy and security concerns with even greater precautions before entering into a relationship with an outside partner. There are many restrictions--legal, government, or self-inflicted--to be concerned about. Before entering into an outsourcing relationship, it is critical to first fully analyze the privacy and security issues, and evaluate the security risks inherent in the arrangement. The parties should identify which laws apply to themselves, their counterpart, and the proposed arrangement. They should evaluate whether and how the vendor will be able to fulfill all the privacy and security requirements to which the client is subject. The participants should negotiate the outsourcing agreement consistent with the findings, with sufficient safeguards and audits to ensure adequate, safe performance. Prudence and careful evaluation, and consultation with competent legal counsel, are strongly recommended.
Outsourcing: Privacy and Security Risks
Francoise Gilbert
© 2004 IT Law Group – All Rights Reserved