Outsourcing can bring on security migraines

If you live in the San Francisco Bay Area, you probably know about the outsourced medical records hubbub at the University of California San Francisco’s hospital. If you don’t, here’s the gist. In a story that ran last Sunday in the San Francisco Chronicle, business columnist David Lazarus revisited and updated the October 2003 incident, when a Pakistani transcriptionist threatened to release UCSF doctors’ recordings and transcriptions of patient records onto the Internet if she wasn’t paid by the transcription contractor that hired her. As it turned out, that contractor was actually a subcontractor of the hospital’s transcription service partner.

As you might imagine, this caused quite an uproar. After all, the university had a contract with their transcription service that required that the service not divulge the contents of the recordings or transcriptions. But that transcription service had subcontracted to another U.S. company, and that subcontractor had broken its contract and farmed the work out to Pakistan.

It’s pretty clear that there are security holes here. Apparently nobody carefully checked to see who was actually doing the work or how the subcontractor was able to turn around so much work so quickly. The recordings were sent out, and text for patient records came back. No one dug deeply into where the work went or how it was done. Add to that some allegedly underhanded actions by one of the transcription company’s subcontractors, and the situation quickly gets cloudy.

Sadly, this is more typical than you might think. Companies, under pressure to control costs, forget about accountability. Ask who is responsible for ensuring that private information remains private, and you get shrugged shoulders and finger pointing.

The problem is that the reality of outsourcing doesn’t match many prevailing assumptions. Financial managers focus on lower costs. What rarely gets discussed is that the laws regarding protection of intellectual property, personal information, or financial information are certainly different in other countries. This means that when offshore workers sell your customer credit card numbers to the Mafia, they may not be breaking their own laws.

You don’t outsource, you say? That may solve the immediate concern about information you handle directly. But how about the information handled by your business partners? If one of your suppliers, for example, outsources credit processing, you could find that the customer information you so carefully strive to protect is put at risk. And your company is still at risk if something happens, just as you would be if you lost the information yourself.

Unfortunately, there is no easy solution. First you need to find out about every partner with whom you trade financial or personal information or intellectual property. Then you need to find out from those partners exactly what happens to it. Who processes it? Where is it stored? What precautions are taken to ensure that it’s protected?

If it turns out that your partners have other partners who have hands on your data, you may need to insist that additional requirements are added to your contracts to address those partners. You may even think about seeking another partner, even if the cost is slightly higher. After all, that cost won’t seem so high when you’re looking at lawsuits and criminal charges after the information gets out.