The “Information Age,” in which businesses collect, store, buy, sell and manage ever-increasing amounts of data, has also become the “Age of Outsourcing.” When the vast amounts of personal information collected by businesses are outsourced to various types of contractors and vendors, the legal consequences can be significant. Companies can manage these risks by recognizing and addressing in their outsourcing agreements the responsibilities and potential liabilities associated with handling sensitive data. This article suggests a framework for ensuring that outsourcing agreements enhance, rather than jeopardize, data security.
Where Are the Risks?
Legislation currently pending in Congress could impose more uniform federal data privacy protections. Currently, however, unlike the European Union, Canada, and many other countries that have taken a centralized, national approach to data privacy regulation, the United States continues to take a sectoral approach, with different rules for different types and sources of personal information, and myriad inconsistent state laws. Financial information may be governed by credit reporting, banking, identity theft prevention and other financial privacy laws; health information may be governed by Department of Health and Human Services rules implementing HIPAA and HITECH; consumer information often falls under the jurisdiction of the Federal Trade Commission; and personal information derived from telephone or cable television records may be governed by Federal Communications Commission rules. In the event of a breach of personally identifiable information, such as Social Security Numbers, account numbers, dates of birth, and physical and virtual addresses, multiple state laws requiring notification to affected individuals are likely to apply. Certain types of data, such as consumer credit reports, are required by law to be destroyed when no longer in use. The list of privacy-related obligations goes on, and is growing.
A handful of states, notably Massachusetts, impose specific data protection requirements on designated information. For example, businesses that “own or license” information that includes a Massachusetts resident's first and last name in combination with a Social Security Number (SSN), driver's license or state-issued identification card number, financial account number, or credit or debit card number, are required to take “reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information” consistent with the Massachusetts rules and any applicable federal regulations. Nevada state law requires data collectors to use encryption when data storage devices containing personally identifiable information are transferred outside the secure system of a data collector, or moved beyond the data controller's “logical or physical controls.” New Hampshire has enacted requirements for protection of health information that are in addition to the burdens imposed by federal law. Connecticut requires protection of SSNs in business records, and requires those who collect SSNs to post a privacy protection policy which protects the confidentiality of SSNs, prohibits the unlawful disclosure of SSNs, and limits access to SSNs.
Privacy Regulations
In general, both state and federal privacy regulations are focused on protecting individuals from exposure of information that might facilitate identity theft or other criminal acts against them, or that could reveal personal details most people prefer to keep private, including health information, financial status, e-mail communications, phone records, video rental habits, and so on. In addition, regardless of whether a specific legal obligation attaches, businesses should anticipate negative repercussions whenever information for which there is an expectation of privacy is used in a way that the employee, customer, or patient did not intend.
For these reasons, whenever a business conveys to an outside party sensitive information regarding an individual, such as the examples above, consideration should be given to how the third party will protect such data. In the past, many businesses have assumed that a blanket assignment of liability in third-party contracts, coupled with broad hold harmless and indemnity clauses, sufficed to transfer the risk to the vendor. In the current environment of heightened data privacy concerns, however, employees, patients, and customers (and the regulators tasked to protect them) are unlikely to be satisfied by a company that simply points the finger at the vendor to which the company has elected to outsource sensitive information. This is particularly so where the company's pockets are deep and the vendor's pockets shallow, if the data loss is one that results in substantial damages or fines.
How Can Businesses Protect Sensitive Data That Is Outsourced?
The easiest way to protect sensitive data from exposure in the outsourcing process is not to outsource it at all. Consider whether the outside contractor needs to receive sensitive personal information to perform the contractor's assigned function. It is not uncommon to find that companies routinely collect and convey data points, such as SSNs or dates of birth, in contexts where that information serves no essential purpose, but greatly increases the risk of identity theft or other potential sources of liability. Outdated employment, insurance, and medical forms, forms used to open accounts for new customers, directory forms, order fulfillment forms, and contest entry forms used to collect marketing information are common culprits. As a rule of thumb, companies should collect only what they need, and share only what they have to.
That said, there obviously are many types of sensitive information that are essential for payroll, benefits, customer service, and marketing, and that must routinely be shared with vendors in order to fulfill those functions. For information that must be outsourced, companies should start by conducting due diligence on their vendors. Ask about the vendor's internal privacy and data security policies. What administrative, physical and technological safeguards will be provided to protect the company's outsourced data? Is access to the vendor's premises controlled by key cards that track entry and exit, are file cabinets locked, and do the computer systems include up-to-date firewalls, passwords and, if appropriate or required by law, encryption? It also is very important to ask what training the vendor provides to its employees who will handle the company's sensitive data. Are the employees versed in applicable privacy restrictions, and are there disciplinary consequences for employees who violate the rules? Does the vendor have clear policies against putting the company's sensitive information on portable storage devices, such as laptops, removable drives, etc.? Is sensitive data destroyed or returned when no longer needed?
If the vendor will further outsource any of the company's data to subcontractors, the same due diligence on those subcontractors is warranted. Indeed, proposed changes to the HIPAA rules for health care information implementing last year's HITECH Act specifically extend HIPAA obligations to both contractors and subcontractors. To state the obvious, data security is only as strong as the weakest link in the chain.
Outsourcing agreements should also explicitly address the vendor's handling of the company's information for purposes other than the primary purpose of the outsourcing agreement. For example, how is the vendor expected to respond in the event information in the vendor's possession is subpoenaed? Will the company's information be used by the vendor for the vendor's own purposes, or shared with other parties? Absent specific restrictions in the outsourcing agreement, businesses may be surprised to learn that their information has been incorporated into larger databases maintained by the vendor and/or resold to others. This occurs more commonly with demographic or customer preference information provided to third parties for marketing purposes. Not only can such re-use of information be detrimental to the originating company's business goals, it may well violate the terms of the company's privacy policies and customer agreements, thereby potentially running afoul of Federal Trade Commission law.
Last, while assignment of liability clauses, indemnities, and hold harmless provisions may not, by themselves, adequately protect a company from legal liability and reputational damage in the event a vendor is responsible for a major data breach, these provisions should of course be included in every outsourcing agreement. In addition, the contract should address the vendor's procedures for identifying and providing notice of any data breach, and mitigating damages, should a breach occur.
What Should Be Done if a Breach Occurs?
First and foremost, if a breach of sensitive data occurs, it is imperative to act quickly to control the damage. Having a breach response plan in place before there is a problem will facilitate prompt damage control. Similarly, for outsourced information, it is essential that vendor agreements address which entity (the vendor or the company that provided the information) will be responsible for which steps in the event of a breach. Perhaps most importantly, the vendor agreement should stipulate the timeframe within which the vendor will notify the company of any breach (preferably immediately), and the steps the vendor will immediately take to plug the leak, retrieve lost information, and protect the individuals affected. In certain instances, state or federal breach notification laws will stipulate procedures that must be followed including, in some cases, notification to law enforcement. In every situation, a coordinated response by the company and its vendor will be important to minimize the company's legal liability and reputational risk.
Summary
Following are the key elements of an effective framework to protect outsourced personally identifiable information:
Have a well-thought-out breach management plan that identifies the steps both the company and its vendors will take in the event of a breach.
Elise Dieterich leads the Privacy & Data Security practice group at Sullivan & Worcester LLP. She can be reached at [email protected]. This article follows on the article “Five Steps for Managing the Risks Associated with Sensitive Data,” authored by Ms. Dieterich and Jonathan M. Cohen, a partner at Gilbert LLP, which appeared in the June 2010 edition of The Corporate Counselor.