An increasing number of companies are outsourcing internal functions to provide a significant cost savings and other benefits to the company. While outsourcing can be extremely beneficial, companies must carefully manage the risks created by placing data into the hands of an outsourcing provider. Outsourcing frequently results in a company’s data being stored outside of the company’s firewalls, often in systems managed by the outsourcing provider. Outsourcing can also result in movement of the company’s data to new and different countries, particularly when the outsourcing involves cloud computing.
Placing company data into the hands of an outsourcing provider raises various risks, perhaps none more pronounced than in data privacy and security. New laws and regulations, an increase in technology solutions and providers, and increased cybersecurity threats heighten the concerns in this area. Companies must respond to these increased risks in three key ways, through: (a) security assessments that lead to a comprehensive written data security plan, (b) the careful selection and monitoring of outsourcing providers and (c) well-crafted contractual protections with those providers. This article discusses some of the key considerations for companies to evaluate in implementing privacy and security protections in outsourcing.
First, Know Thyself
Having a written information security plan has become the standard of care to establish minimum compliance with privacy and related security laws in the US. Companies that have not done so should undertake a privacy and security assessment. This should be aimed at understanding where the greatest risks and vulnerabilities lie for data protection, particularly with respect to personal data, which is more highly regulated than most other types of business data.
After the assessment, the company should update or create its written information security plan to address those material compliance gaps and risks identified with respect to data protection. Given the growth of outsourcing and use of third parties that have access to regulated data, a written information security plan must address the selection and use of third parties. These procedures for evaluating and selecting a third-party provider, as well as for ongoing monitoring and updating of requirements in the contractual relationship, must be consistently implemented with all third-party providers who will have a material role in processing and securing company data.
For particular outsourcing deals, prior to the selection of a provider, a company should understand what types of data it will be providing to the outsourcing provider, and the privacy and security laws and regulations that apply to that data. For example, certain types of personal data (e.g., name with financial account number or social security number) may trigger data breach notification laws in the US. Knowing the country of origin of the data, and the countries in or from which the outsourcing provider is likely to store, process and remotely access such data, is also important. Countries in the EU and several others have special requirements pertaining to personal data and its movement outside of their borders to other countries. Companies must understand these legal requirements so that they may incorporate the correct obligations around the collection, use, security and transfer of company data.
Carefully Select and Monitor Providers
The written information security plan should include policies and procedures for the company to follow in the selection and ongoing monitoring of the outsourcing provider. Selection procedures may include use of third-party checklists and evaluation tools, on-site due diligence visits, interviews with key security personnel, review of third-party or internal audit reports and certifications maintained by the provider, review of security procedures and information security plans maintained by the provider, and other similar activities. Once the provider is under contract with the company, the company should designate company representatives to monitor the provider’s ongoing privacy and security compliance. This may be done through repeating some or all of the procedures used during the initial selection process, as well as periodic meetings to assess whether changes are necessary due to legal developments and new security threats.
Contract for Data Security
To adequately protect its data, a company must ensure that an outsourcing provider is contractually obligated to have reasonable and appropriate security measures to protect regulated data. However, many laws and regulations do not provide specific guidance about what constitutes “reasonable and appropriate measures.” It can be challenging and often impractical to attempt to collate the company’s requirements into one comprehensive contract security schedule. As a result, company requirements may come from reference to a variety of sources. These may include: (i) laws and regulations applicable to the company (such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and other laws with data security requirements), (ii) the company’s own written information security plan and implementing procedures, (iii) the audit control objectives used by the company, (iv) industry standards to which the company adheres (such as the ISO 27001 series), (v) restrictions from the company’s own customer agreements and third-party contracts, and (vi) various other sources (such as the Federal Trade Commission’s complaints and enforcement actions, and various government publications, such as NIST’s Cybersecurity Framework).
For bespoke outsourcing arrangements, like traditional IT outsourcing, incorporation of these requirements is routine. However, for newer IT solutions, such as cloud computing, it may be more difficult to incorporate particular company requirements into the agreement. Many cloud providers offer standardized platforms with their own chosen levels of security. Because of standardization, cloud providers are often not able to customize security requirements for individual customers. In those cases, the company may need to assess the security and compliance levels offered by the provider, and determine whether the offering can satisfy the company’s own requirements.
Management of privacy and security risks in outsourcing involves three major steps for a company: an assessment leading to a written information security plan, careful selection and ongoing monitoring of outsourcing providers, and inclusion of reasonable and appropriate security measures in those contracts. By following these steps, companies can proactively manage privacy compliance and security threats, thereby reducing risk and maximizing the intended benefits of outsourcing.
This article was originally published by Inside Counsel.