Outsourcing, Data, and Risk

ValueNotes Research estimates that in 2011 1.6 million U.S. tax returns will be prepared in India. (ValueNotes Sourcing Practice, 2011). Tax returns are a source of personal identifiable information such as name, address, Social Security number, occupation, and telephone numbers. All of this personal data can be used in a number of identity theft schemes.

Rustad notes that “Data theft in a single year put the personal information of 55 million consumers at risk.” (Rustad & Koenig, 2007, p. 3). When companies outsource IT work to other countries for processing, it makes the data more vulnerable. Data can be compromised by a number of methods. There can be willful hacking attacks, insider data theft, or even terrorist attacks.

The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to some financial disasters. “The Act requires publically traded companies to explicitly evaluate and report to the public on the effectiveness of specified internal controls.” (Herrod, 2005/2006, p. 47).

Information Technology (IT) departments and functions are an integral component to SOX compliance. SOX legislation mandates internal controls and requires companies produce accurate financial reports.
Outsourcing can impact SOX compliance by presenting an unrealistic account of IT expenses. SOX requires that IT and business strategy collaborate and communicate within an organization.

When IT functions are outsourced this functionality is lost. Another problem with outsourcing of IT is that security breaches may not be accurately reported back to the regulated entity. This may result in an inaccurate financial value for the company. Hall describes a situation with an IT services vendor, Electronic Data Systems Corp. (EDS).

When EDS had financial problems they had to make a dramatic reduction in their staff. This caused the quality of their services to also decline, which in turn caused financial problems for the clients they worked for. (Hall, Liedtka, Gupta, Liedtka, & Tompkins, 2007, p. 100).

Companies that intend to outsource IT functions first must have a clear understanding of the legal environment. This includes current U.S. laws as well as laws that may differ in the vendor’s country. India, for example, has recently amended its Information Technology Act to include stricter penalties for computer damages and network damages. (Singh, 2009, p. 14).

A self-regulatory body, the Data Security Council of India (DSCI) has been created to “establish, popularize, monitor, and enforce privacy and data protection standards for India’s ITeS-BPO (Information Technology enabled Services/Business Process Outsourcing) industry.

Data privacy standards in India are closer European Union (EU) standards than to U.S. standards. The EU standards for data protection favor the individual’s rights over the rights of business and commerce. “The right to privacy is a highly developed area of law in Europe.” (Singh, 2009, p. 12).

Doomun recommends that companies engaged in outsourcing create multiple layer security agreements to compliment service level agreements (SLAs). These agreements are based upon the ISO 17799:2005 framework standard. “BS7799 encompasses ten major domains, namely:

(1) security policy;
(2) security organisation;
(3) asset classification and control;
(4) personnel security;
(5) physical and environmental security;
(6) communications and operations management;
(7) system access control;
(8) system development controls;
(9) business continuity planning; and
(10) compliance and auditing.” (Doomun, 2008, p. 851).

The use of a framework such as this enables both the client and the vendor to negotiate a proper SLA. It is away to integrate the security function into the contract, and a way to measure compliance. There are numerous challenges to the current information, outsourcing, and data protection legislation. One issue is that often, these outsourcing agreements are international in nature, so there may be confusion as to what set of standards or laws apply.

For example, if the data processing is done in India, do U.S. data privacy laws, such as HIPAA, apply? Or do India’s laws apply? Another issue is the dynamic state of information technology and how those dynamics integrate with the legal environment. There are also jurisdictional issues associated with enforcement of legislation.

Outsourcing will require better communication and collaboration between client and vendor. The security functionality must be integrated into the service level agreements and agreed to by all parties involved.

Outsourced workers become “insiders” and gain access to personal data, systems, and networks. Outsider threats are not as likely to impact an organization as insider threats. (Colwill, 2010, p. 188).“Critical national infrastructure (CNI) must also be considered, particularly where a CNI organization’s information is in the hands of third party foreign nationals.” (Colwill, 2010, p. 188).

- 82% of respondents responsible for security decisions were unclear on the source of their company’s insider risk;
- In the past year, contractors and temporary employees posed the greatest source of insider threat and outsourcing
- companies lost nearly $800k because of insider breaches;
- 5830 malware/spyware attacks originated from the inside;
- 5794 incidents were from abuse of privilege and access control rights;
- 19% of the attacks were believed deliberate.

Organizations have good reason to be concerned about insider crime. “While outsiders (those without authorized access to network systems and data) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access).” (Software Engineering, 2010, p. 1).

However, the employees who, historically, caused the most damage to organizations are still not being monitored. “…, the disasters of Barrings, BCCI, World-Com, Enron, Satyam, Stanford, and Madoff, have all been the result of failure in internal controls and abuse and illegal activity of a small number of employees with legitimate authority: trusted insiders, usually in senior positions. (Colwill, 2010, p. 188).

The Stuxnet Worm is believed to have brought down Iran’s Bushehr nuclear power plant. This worm exploits Window’s weaknesses and is able to take over components that control critical infrastructure such as oil pipelines, electrical power grids, or nuclear power plants. (Greengard, 2010, p. 20).

Also, the People’s Republic of China is active in the use of hacking techniques to gather intelligence from other countries. “Because China manufacturers many components, obtaining spare parts during a conflict could prove difficult if not impossible. In addition some analysts worry that electricity generators and other components imported from China could contain hidden software that allows hackers to access systems through a back door or execute a malicious software program on command.” (Greengard, 2010, p. 22). “Already, many nations have developed sophisticated hacking and intrusion capabilities, including planting Trojan horses, rootkits, and other nefarious tools on targeted systems.”


Colwill, Carl. (2010). Human factors in information security: The insider threat - Who can you trust these days? Information Security Technical Report, 14(4), 186-196. doi:10.1016/j.istr.2010.04.004

Doomun, M. R. (2008). Multi-level information system security in outsourcing domain. Business Process Management Journal,, 14(6), 849-857. Retrieved from ABI/INFORM Global. (Document ID: 1596445511)

Greengard, Samuel. (2010). The new face of war. Communications of the Acm, 53(12), 20-22. doi:10.1145/1859204.1859212

Hall, J. A., Liedtka, S. L., Gupta, P., Liedtka, J., & Tompkins, S. (2007). The Sarbanes-Oxley Act: IMPLICATIONS FOR LARGE-SCALE IT OUTSOURCING. Communications of the Acm, 50(3), 95-100. Retrieved from Retrieved from EBSCOhost.

Herrod, Chrisan. (2006). The Role of Information Security and Its Relationship to Information Technolgy Risk Management. In Whitman & Herbert. Mattord (Eds.), Readings and Cases in the Management of Information Security (pp. 45-61). Mason, Ohio: Course Technology. (Original work published 2005)

Hoffman, S., & Podgurski. (2007). SECURING THE HIPAA SECURITY RULE. Journal of Internet Law, 10(8), 1-16. Retrieved from EBSCOhost.

Lafferty, L. (2007). Medical Identity Theft: The Future Threat of Health Care Fraud Is Now. Journal of Health Care Compliance, 9(1), 11-20. Retrieved from EBSCOhost.

Rustad, M. L., & Koenig, T. H. (2007). NEGLIGENT ENTRUSTMENT LIABILITY FOR OUT SOURCED DATA. Journal of Internet Law, 10, 10. Retrieved from Retrieved from EBSCOhost.

Singh, S. (2009). THE SECURITY OF DATA EXPORT TO INDIA. Journal of Internet Law, 13(5), 9-17. Retrieved from ABI/INFORM Global. (Document ID: 1897918491)

Software Engineering Institute - CERT/​Carnegie Mellon. (January 25, 2010). 2010 CYBERSECURITY WATCH SURVEY: CYBERCRIME INCREASING FASTER THAN SOME COMPANY DEFENSES. In CSO, Software Engineering Institute CERT® Program at Carnegie Mellon University, & Deloitte’s Center for Security & Privacy Solutions (Eds.), Insider Threat Research (2010 CYBERSECURITY WATCH SURVEY, pp. 1 -17). Retrieved February 20, 2011, from Insider Threat Research - SEI/​CERT Web site: http:/​/​www.cert.org/​insider_threat/​

ValueNotes Sourcing Practice. (Ed.). (2011, February 17). Offshoring Tax Returns Preparation To India. Retrieved February 17, 2011, from Outsourcing Research by ValueNotes Web site: http://www.sourcingnotes.com/content/view/197/54/

Wei, J., O'Connell, J., & Loho-Noya, M. (2010). Information Technology Offshore Outsourcing Security Risks and Safeguards. Journal of Information Privacy & Security, 6(3), 29-46. Retrieved from ABI/INFORM Global. (Document ID: 2217839551)
Related articles