How frequent are security breaches when organizations outsource their data? They likely occur far more than we know, says Sara Peters, senior editor with the Computer Security Institute. "Most of the time people don't want to admit that the incident occurred," she told CIOZone. "It's an embarrassment."
It's even more of an embarrassment if the outsourcing client doesn't have a handle on exactly what data was breached. "In an outsourcing arrangement you've got to know what the data is, where it is and who has access to it," Peters continues. Unfortunately, Peters believes that many companies simply can't answer these three questions definitively. The result: They may not know their information -- even if it's sensitive or proprietary such as 401K, payroll or customer names -- has been breached.
How prevalent are outsourcing breaches? Last year U.K. market researcher Ponemon Institute surveyed 900 British IT and marketing professionals as to whether their online marketing activities breached customers' privacy. Ponemon found two-thirds of firms had suffered data breaches, even though most respondents believed their organizations complied with privacy laws and regulations. Not quite half of the respondents who reported breaches said the breach was due to the outsourcing of personal information to third-party marketing organizations.
The 2009 Deloitte Technology, Media & Telecommunications (TMT) Global Security Survey produced similar results. Of the 200 companies responding, more than half of those that had experienced an external breach in the past 12 months had repeat occurrences stemming from a "trusted vendor." And almost 50 percent of the respondents reported that they were either "not very confident" or only "somewhat confident" in their outsourcing vendors' information security.
"Though outsourcing has become a standard operating practice, security practices related to third-party outsourcing are still in their infancy," the survey report states. "This exposes TMT companies to significant risk."
When some companies discover they've been victimized by breaches, they go to court and sue the outsourcer or subcontractor. In turn, the outsourcing client is often sued by individuals or businesses that feel they have been damaged by the breach.
Lawsuits of this kind, however, can be expensive and time-consuming. A better alternative, says Peters, is to negotiate from the beginning specifically who -- the client or the outsourcer -- bears responsibility for a data breach, who is responsible for notifying regulators about the breach, and who must close the security holes that made the breach possible. "Work this out before signing any outsourcing agreement," Peters cautions. "It's vital."