SNHU Offshore Outsourcing Privacy Risks Discussion

3 replies with references:

1. Offshore outsourcing of information system responsibilities can pose certain risks to the principles of confidentiality and privacy. One potential risk is the exposure of sensitive data to unauthorized access or breaches during the transfer process. Offshore outsourcing involves sharing data with external parties, which increases the likelihood of data interference or unauthorized disclosure. Furthermore, different countries may have varying data protection laws and regulations. Offshore outsourcing may involve transferring data to areas with weaker privacy laws, possibly compromising the confidentiality and privacy of the information. It is critical to ensure that the outsourcing partner adheres to robust security measures and complies with relevant data protection regulations. Additionally, language and cultural differences can impact the understanding and handling of sensitive information. Miscommunication or misinterpretation of data handling procedures may lead to unintended privacy breaches. To mitigate these risks, businesses should carefully select outsourcing partners with strong security measures and a proven track record in data protection. Implementing comprehensive data protection agreements and conducting regular audits can also help ensure compliance with confidentiality and privacy principles.

An organization’s duty or responsibility to protect the privacy of its customers’ personal information should be of utmost importance. Safeguarding customer data is not only an ethical obligation but also a legal requirement in many jurisdictions. First and foremost, organizations should establish robust security measures to protect customer information from unauthorized access, use, or disclosure. This includes implementing strong encryption, access controls, and firewalls to prevent data breaches. Regular security assessments and audits should be conducted to identify and address any vulnerabilities. Additionally, businesses should also clearly communicate their privacy practices to customers, including how their personal information is collected, used, and stored. Obtaining explicit consent from customers before collecting or sharing their data is essential. Transparency is key, and organizations should provide easily accessible privacy policies that outline their data handling practices. Businesses should only collect and retain customer data that is necessary for the intended purpose. Unnecessary data should be securely disposed of to minimize the risk of unauthorized access. In the event of a data breach or privacy incident, organizations should have a well-defined incident response plan in place. This includes promptly notifying affected customers, cooperating with relevant authorities, and taking appropriate measures to mitigate the impact of the breach. Overall, all company’s duty is to protect the privacy of its customers’ personal information

should encompass proactive measures to prevent breaches, transparent communication, responsible data collection practices, and a swift and effective response to any incidents that may occur. By prioritizing customer privacy, organizations can build trust, maintain their reputation, and comply with legal obligations.

2. Some of the pros of offshore outsourcing information system functions include possible company cost savings, being able to refocus accounting and IT resources, and even an increase in overall efficiency. The cons to offshore outsourcing information system functions include high security risks and possible privacy violations, a reduction in job opportunities, and possible negative effects on the overall economy. Privacy violations are the largest concern for outsourcing data and as Basu and Nikm states, “Virtually any outsourced business process may involve privacy violations arising from mistakes or negligence in the receipt, cutody, processing, storage, access, encryption and transmission of confidential records of individuals in a class could form the basis of a mass tort” (Basu & Nikam, 2006, p. 2).

I believe that companies have a responsibility to make every effort in protecting the data of their clients. There are four basic practices that act as a strong line of defense in protecting the confidentiality and privacy of clients, (1) identify and classify the information to be protected, (2) encrypt the information, (3) control access to the information, and (4) train employees to properly handle the information (Romney, Steinbart, Summers, & Wood, 2020, p. 369). Once the data is identified, various tools should be utilized to secure the data, such as a data masking program that is intended to replace the real data with fake data (Romney et al, 2020, p. 369). This becomes important when transferring data and those handling the information are not authorized access to the specific information. In addition to this and other programs that would help mask the data in some form would be to provide regular training to employees being that they are the first line of defense in maintaining customer and client privacy and confidentiality. Employees can practice encrypting documents they send out or creating secured share drives only for specific individuals for a larger volume of documents. Also, implementing a strong internal control process can guarantee that regular system checks and updates are conducted to make sure the systems and programs are still running optimally.

3. Everyone should be aware of the sensitive information they give different organizations. The organizations are responsible for protecting the personal information they collect. There are four actions that need to be taken to protect confidentiality and privacy. They first need to identify who has access to personal information and where it is stored. The next step would be to encrypt the information that needs protecting as an extra barrier. The third action is probably the hardest, which is controlling access to information from unauthorized sources. The last action is the most important and that is training employees. Employees need to know what information needs to be protected, how to protect it, and what information can be shared. (Romney et al., 2021)

I believe that it is a well-known fact that other countries don’t follow US laws; therefore, when an organization outsources part of the information systems functions offshore, that information is not being protected the same way that it would be in the US. The risk when the information needing protection is in another country is higher. Offshore outsourcing is risk management. The cost savings of outsourcing versus the risk of loss due to a data breach. The healthcare industry and financial industry tend to have even higher risks because of the nature of the information they are protecting. (Basu & Nikam, 2006) That is where HIPPA and SOX compliance requirements come into play.

The FDIC published a study in 2004 about the risks associated with offshore outsourcing. There is a risk that the country involved may not have the ability to protect the data because of political changes or organized crime groups trying to bribe workers or buy the existing overseas company to get access to the data. There is a risk that the organization in another country receiving data could violate laws, regulations, and ethical standards. Their facilities may not be adequately secured and susceptible to theft. Then there is always going to be a risk from the personnel hired. If the screening of new employees is not up to par, there could be fraud attempts, extortion, and information disclosed to the wrong people. (Basu & Nikam, 2006)

Hiring the wrong employee is the exact problem that happened with the University of California at San Francisco Medical Center (UCSF). UCSF sent transcription work to Transcription Stat, a company it had been using for twenty years. One of the subcontractors from Transcription Stat subcontracted out her work to Tom Spires. Spires also employed subcontractors. One of the subcontractors that Spires hired was in Pakistan. Her name was Lubma Baloch and she was having a dispute about the pay she was receiving from Spires. Keep in mind Spires and Baloch did not work for UCSF or Transcription Stat. On October 7, 2003, USCF received an email from Baloch, the Pakistani woman, demanding that UCSF require Spires to pay her. If not, she would “expose all the voice files and patient records of UCFS”. She even attached reports about two patients to show she was serious. This was resolved when one of the parties eventually paid Baloch and she did not post the information on the internet. (Davino, 2004)