Outsourcing can be risky business. The Ponemon Institute reports that 65% of companies who outsourced work to a vendor have had adata breachinvolving consumer data and 64% say it has happened more than once. Their study,Securing Outsourced Consumer Data,sponsored byExperian® Data Breach Resolutionalso found that the most common cause for breaches were negligence and lost or stolen devices. Despite the gravity of these errors, only 38 percent of businesses asked their vendor to fix the problems that led to the breach and surprisingly, 56% of the companies learned about the data breach accidentally instead of through security protocols and control procedures.
These findings come from a survey of 748 people in a supervisory (or higher) job who work in vendor management at companies that share or transfer consumer data mainly for marketing, finance and outsourced IT operations including cloud services and payment processing. The survey also polled the vendors and 57% of them reported that they in turn, outsourced work to a third party. 23% of vendors could not tell how often data loss happened which is a sign that they don’t have proper procedures and policies in place to know when incidents occur. When asked about theirdata breach notificationpractices, only 16 percent of vendors said they immediately notified their client after the breach investigation with 25 percent saying they don’t even tell clients aboutbreaches of data.
Keeping all work and information in house is not feasible in today’s multi-corporate companies, and outsourcing is a business reality, however, all parties have a responsibility to protect the sensitive and confidential data that is entrusted to them. When outsourcing consumer data to vendors, here are a few guidelines companies need to follow to safeguard the information:
1. Make sure you hold vendors to the same security standards as your own in-house security policies and practices.
2. Make sure the vendor has appropriate security and controls procedures in place to monitor potential threats.
3. Audit the vendor’s security and privacy practices and make sure in your contract with them, the vendor is legally obligated to fix data problems should a breach occur including notifying consumers.
4. Monitor the security and privacy practices of vendors you work with especially if you share consumer data with them.
5. Require background checks for vendor employees who have access to confidential information.
The goal of this study was to better understand what companies are doing to protect consumer data they outsource and where improvements could be made to insure privacy and security when sharing private information with third parties. The solution seems to be that all parties must first agree thatdata privacy and protectionis paramount and then work toward the mutual goal of achieving responsible privacy and security practices.
