Security: HR outsourcing deal-maker or deal-killer?

Human Resources Outsourcing Association | www.hroassociation.org

What does security actually mean, in the context of human resources outsourcing, and how is security different from privacy? Is it even different? Are security concerns any different for a multinational company or a company that is considering offshore outsourcing, and is the customer or the service provider ultimately held responsible in the event of failure? One thing’s for sure – as corporations continue to broadly adopt outsourcing as a strategy to manage their HR processes and capabilities, concerns around security take on an entirely different dimension.

Security is not just a consequential phenomenon that results from proliferation of information technology. Security has been a human resources concern since long before HR departments began to IT-enable their processes and capabilities. Prior to IT-enabled HR, the definition of security was more passive – the state of being safe or secure. Questions around who physically saw what records, where the records were stored and how they were transported there, for example, were usually the types of security topics discussed in the context of HR. However, today’s IT-enabled HR systems have amplified and broadened security needs to the extent that security concerns now overarch all IT-enabled HR processes as well. Now add the backdrop of the changing regulatory environment related to privacy, and the outsourcing phenomenon – corporations are broadly adopting HR outsourcing as a strategic alternative to manage their HR processes and capabilities – and suddenly security takes on an entirely different meaning. As such, today’s definition of security has taken on a more active context – the measures taken to guard against espionage or sabotage, crime or attack.

Security in the 21st century

The global trend towards outsourcing requires transmission of important data, and transfers the processing of this data to remote facilities – some of which might very well be offshore. As crucial information about an individual (such as financial, insurance and medical data) begins to get handled by remotely located and sometimes offshore service providers, companies should be concerned about the manner in which the data is being collected, stored and utilized, and who gets to see what data, and where. In essence, this important information infrastructure is placed in the hands of service providers, thereby creating the need for information security solutions that will protect all of the customer’s information assets. And incidentally, these information assets extend beyond the information companies collect from their employees. These assets include HR-related information that might be proprietary to the company itself.

The distinction between data privacy and security

At the outset, it is important to draw attention to the fact that data privacy and security are not the same as confidentiality. Not all personal or HR data is confidential, nor is it secret for that matter. Contracts with service providers, therefore, must contain provisions that address the use, sharing and disclosure of personal data and how the service provider keeps that data secure. To make matters a bit more complicated, regulatory security requirements in the United States are different from those in Europe, for instance. And even within the US these can vary from state to state. In the US, a patchwork of federal and state laws, regulations and case law collectively address privacy in specific circumstances. However, US privacy laws do not address transfer of technology based on geography, which is not necessarily the case in the European Union. Although US law generally anticipates outsourcing, there are still certain industry sectors that have additional requirements. For example, the financial services sector has the Gramm-Leach-Bliley Act (GLB). GLB requires notices to customers and consumers regarding the data collected, how it is used and protected, and with whom it is shared. Financial services firms must have data security programs to protect personal information against unauthorized access. In the US there is also HIPAA, the Health Insurance Portability and Accountability Act. HIPAA sets privacy and security standards for health information, and applies to “covered entities”, which are health plans, healthcare providers and healthcare clearinghouses. HIPAA mandates that covered entities impose privacy and security restrictions on “business associates”, which include any entity that provides services to the covered entities or has access to patient information.

There are scores of other US privacy and security laws, such as the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and so on. And if you think the US regulatory environment is tough to handle, multinationals and companies that outsource offshore also have to deal with EU privacy and security law. For example, EU law prohibits the transfer of personal data to non-EU jurisdictions unless an “adequate level of protection” is guaranteed. And here’s a surprise – the US is not considered adequate, while Canada and Switzerland are, for example. There is the safe harbor concept, and enforcement is spotty, all of which could change, but the reality is that the EU model is slowly becoming the worldwide model. All in all, over 50 countries have substantial privacy and security laws, and global outsourcing needs to meet all of their respective requirements.

With what’s been said thus far serving as the backdrop, the following are a few noteworthy items that companies and outsourcing providers need to embrace:

  • There is no privacy without security. These two matters are not necessarily mutually exclusive.
  • Most major US privacy laws now require security standards.
  • Companies’ statements of privacy and security to consumers and employees must be honored.
  • And most importantly, albeit shocking, it is the company and not the service provider that will always remain accountable.

Data privacy and security best practices

Before a company considers outsourcing, it should create, implement and enforce a robust internal data privacy and security policy. This policy should account for all applicable laws, foreign and domestic. A company needs to make data privacy and security a big part of its due diligence of the service provider, and should not rely on the service provider’s colorful marketing metaphors! And when a company is ready to outsource, the following should be considered: What is being outsourced? What data is involved? Where will the data go? Who has access? What security protocols are in place? What if the service provider has a multi-customer platform?

When the time comes to negotiate an agreement, the contract should have robust confidentiality provisions and should address ownership of the data, compliance with the company’s privacy and security policies (including when the policy changes), indemnification and audit rights. And if a company is subject to Sarbanes-Oxley, the company’s management must still maintain the same level of control over financial reporting, including testing, assessing and maintaining, regardless of where geographically such activities are performed, or by whom for that matter. The outsourcing contract should also provide that the service provider engage an outside auditor to test and issue a SAS 70 report on the internal controls. Although service providers need not automatically disclose the extent or substance of the audit, the company should contractually require such a term in the agreement. The company should also ensure that this information is available if any processes are subcontracted by the service provider to a third party.

Tough questions that result from security concerns

Prior to moving forward and outsourcing, the company’s management needs to ask itself some important questions. Consideration must be given to whether or not outsourcing processes that are integral parts of a company’s internal control structure pose too great a compliance risk, and if there is a cost-effective way to ensure that the necessary internal control requirements are fulfilled.

Understanding what’s at stake can often drive the decision of whether or not to outsource. If a decision is made to move forward with outsourcing, and perhaps even offshore outsourcing, then the company seeking to outsource should consider moving data privacy and security to the forefront of the service provider due diligence list.
