The Data Security Risks with Offshore Outsourcing

We've all read news articles about how companies, in order to remain competitive, have moved jobs and work to other companies (outsourcing), and/or have moved jobs and work to companies in other countries (offshore outsourcing). Philip Alexander has written an excellent article in SearchCIO.com about the risks with offshore outsourcing... which can expose the sensitive personal data of customers, employees, and former employees.

Mr. Alexander gets right to the point:

"... there is more to consider than just the lower labor costs of employees in India verses their domestic counterparts... it's important to make sure that in addition to going after cheap labor, you're not buying yourself a slew of security exposures as well. The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security- and regulatory-related issues involved with offshore outsourcing."

If you live in a state where consumer notification is required when the company has a data breach, it is important to remember that:

"With the rash of highly publicized data breaches, 36 states now have their own disclosure laws mandating that companies inform customers in the event of either an actual or suspected security breach. This applies to data breaches that occur overseas if you send sensitive customer data offshore."

I applaud Mr. Alexander for challenging CIOs (Chief Information Officers) CSOs (Chief Security Officers) to consider the risk and not just the financial benefits. Mr. Alexander lists two major issues regarding offshore data security and risk:

The first is granting offshore engineers access to computer systems located within your company's network. Are you monitoring the activities of the overseas engineers? If the work that's being sent offshore is project-based, are you ensuring that access is removed when the project is completed? Do you have security professionals monitoring the activities of the offshore engineers?

The second issue and most importantly:

"... review what type of work is safe to send offshore. For instance, outsourcing production support overseas entails a high degree of risk...  You should consider projects that don't entail sending sensitive customer information offshore, or granting remote access to your internal network. Software development doesn't require providing sensitive customer data offshore. The development work can be performed offshore, then the code can be securely transmitted to your company."

The only issue I have with Mr. Alexander's article is his focus on CIOs and CSOs. I believe that general management, human resources, and customer service senior managers should be challenged also, to consider the risks of offshore-outsourcing decision. All departments handle sensitive data and all departments need training in effective data security practices. All of this becomes even more critical as companies headquartered in other countries acquire or merge with US-based companies.

For some background, read this GAO report about Medicare and Medicaid.or this article about data breaches at outsourcing firms in India. I'd love to see an consultancy or accounting firm independently audit the major brokerages against the criteria Mr. Alexander stated in his article. What do you think?