Oct 12 2006
By Kurt Seifried (kurt@seifried.org)
A significant risk in outsourcing anything, including call centers, back-end office functions or data processing, is the risk to your intellectual property. News reports of data and privacy breaches, as well as outright theft and fraud, have become commonplace, to say nothing of the number of incidents that go unreported or undetected.
With outsourcing there is almost always some transfer of intellectual property to the third party. This of course places the information at risk for theft or misuse by other parties; examples include [1]:
- Shipping of tapes and other backup media to off site storage facilities
- Accounting firms losing laptops with customer data
- Customer data being used to steal money from customer bank accounts
These activities greatly expand the risk to companies, who often have little or no idea of how the data is actually handled, and what safeguards are in use.
So what can be done to address this risk?
The first step would be to ensure that security policies and acceptable use policies at outsourcing firms are in line with the parent company's policies. This could involve the outsourcing company tightening its policies, the negotiation of service level agreements, or contractual terms specifying controls (technological or procedural) that must be placed on the information and access to it.
The specification of penalties to be paid by the outsourcing firm in the event of a breach can also minimize the cost of an incident; alternatively, insurance can be required for the outsourcing firm, similar in concept to bonded couriers. Of course, this will not directly prevent an incident; however, the financial penalties involved can encourage outsourcing companies to take better care with third-party information.
Researching the companies in question to see if they have systematic problems with data loss, misuse or theft is another possibility, though not necessarily a reliable one. Many incidents go unreported, and past performance may not accurately predict current and future performance. However, using Google and information services such as Lexis-Nexis to research a company can provide a minimal level of due diligence that should be practiced.
Finally, regulatory laws and cultural views on intellectual property can be assessed. For example, a company operating in a jurisdiction with clear laws regarding the public disclosure of data theft or loss will likely be more trustworthy than a company operating in a jurisdiction with no such reporting requirement. There are also a number of organizations that measure and report on the risk to intellectual property in various countries. One such organization is the International Intellectual Property Alliance [2].
The International Intellectual Property Alliance (IIPA) is a private sector coalition formed in 1984 to represent the U.S. copyright-based industries in bilateral and multilateral efforts to improve international protection of copyrighted materials.
Although your company may not directly participate in copyright-based industries such as publishing, the yearly country reports made available by the IIPA may be of value when assessing the risk associated with outsourcing operations to a company in a particular country [3].
In summary, the risks associated with outsourcing and the inherent transfer of intellectual property that comes with such activities can be assessed, qualified and minimized. However, doing so requires that companies approach outsourcing with their eyes open and be willing to negotiate deals firmly, with the possibility of walking away from negotiations should an outsourcing company not prove amenable to changes.
Of course, if all these strategies worked, there would be fewer incidents of data theft, loss and misuse.
[1] http://www.theregister.co.uk/2005/12/28/marriott_tapes_missing/
http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/
http://news.com.com/Insecurities+over+Indian+outsourcing/2100-7355_3-5685170.html
[3] http://www.iipa.com/countryreports.html
Posted by Kurt.Seifried on Thursday, October 12th, 2006, at 8:00 am, and filed under Articles.