Data security is a major concern for any business that relies on outsourcing services for data entry, document conversion, and other tasks. This is particularly relevant for organizations outsourcing medical data entry, financial data conversion, and data entry for health information and other personally identifiable information. According to a recent Financier Worldwide article, with the increasing number of cyber attacks, data breaches and intrusions into private personal data, organizations must recognize the new and evolving international privacy and security regulations. Breaches of sensitive information carry civil and criminal penalties and may invite class action lawsuits. According to the report, a proactive approach is crucial to tackling cyber security problems.
The Financierworldwide.com article provides a summary of some of the new data privacy laws, rules and regulations that came into effect recently, outlines cyber security and data protection best practices and compliance programs to help organizations adhere to the evolving data privacy requirements, and touches on the role of new technologies in reducing risks and supporting compliance. The European Union’s (EU) enforcement of the General Data Protection Regulation (GDPR), which came into force on 25 May 2018, brings about changes in the privacy and data security policies of most companies operating in the EU as well as across the globe. In fact, the data breach penalties under the GDPR have been increased to 4 percent of annual global turnover or €20m, whichever is greater.
Some of the techniques hackers use to achieve their goals include malware, phishing, distributed denial of service (DDoS) attacks and man-in-the-middle attacks. The United States saw a rise in data breaches in 2018, exposing consumer records across a wide range of companies, universities and government agencies. Here are a few examples of recent data breaches:
- BJC Healthcare, a major healthcare provider based in St. Louis, discovered that a misconfigured server had exposed scanned images of documents from 33,420 patients. The server was left unsecured from May 9, 2017 to January 23, 2018, and the information on it included scans of patients’ driver’s licenses, insurance cards, addresses, Social Security numbers, telephone numbers, treatment records, and other personal information. All these documents had been collected between 2003 and 2009.
- St. Peter’s Surgery & Endoscopy Center in New York suffered a data breach affecting about 135,000 patients when an unauthorized party gained access to its servers. The confidential information exposed could include the patient names, dates of birth, addresses, diagnosis codes, procedure codes, insurance information, and Social Security numbers.
- UnityPoint Health, a network of hospitals, clinics and home care services with locations in Iowa, Illinois, and Wisconsin, announced that it had been breached and that about 16,000 people could be affected. According to company officials, several employees’ email accounts were compromised after a successful phishing attack.
- In a massive hacking campaign targeting hundreds of American universities and government agencies, cyber thieves stole $3.4 billion worth of academic research. They went after 36 private companies and several government entities using “password spraying”. This is considered one of the largest public cases of cyberespionage.
The regulatory environment in the United States is quite complicated. The patchwork system of federal and state laws governing privacy and data security concerns is developing gradually to address data breaches and unauthorized use of personal data. Companies must have best practices in place to prevent cyber security attacks, or else they will have to face both civil and criminal penalties for compromising sensitive information. Some state and federal laws even provide the right for individual citizens to file class action lawsuits for privacy violations.
Resources are available that can provide guidance and assistance in tackling privacy and data security issues, and in ensuring that the practices and programs implemented are compliant with relevant laws and regulations. The EU and some US federal agencies, including the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST), are promoting updated guidelines and recommendations for privacy and data security best practices in a variety of industries, including some of the newer Internet of Things and peer platform (sharing economy) marketplaces. In addition, several industry groups have adopted self-regulatory programs and rules, including certification programs that a company can readily subscribe to.
According to financierworldwide.com, companies should establish internal policies and procedures to ensure compliance:
- Business Policies – These include a top-level information security and privacy policy that expresses a commitment to data security and privacy from the top-level officers of a company, a risk management program, an acceptable use policy, access compartmentalization, communications monitoring, breach reporting, a document retention policy and outsourcing policies.
- Technical Policies – These policies may include different commitments to technical controls to ensure the protection of data, including encryption, passwords, authentication protocols, disaster recovery, intrusion detection, physical security, patching etc.
- Website Privacy Policies – www.opentracker.net defines a website privacy policy as a document telling visitors to your site what information you collect and what you do with that information. Website privacy policies are compulsory for companies with a public-facing website.
- A written incident response plan – It is essential for establishing protocols for initiating a response team, assessing data breach activity, containing the data breach, and providing guidelines for including other parties such as law enforcement and officials that need notification under data breach laws.
- Audit – A company should continue to audit and maintain certification as necessary to ensure that its policies and procedures are enforced and remain current. To help companies audit their systems, a variety of enterprise privacy management software and compliance solutions may be used internally.
- New technology implementation – Companies should take measures to maintain privacy and data security when implementing new technology such as blockchain. A variety of solutions proposed for greater control and management of information with blockchain will have to be assessed in view of the evolving regulatory framework.
- Artificial Intelligence (AI) – These techniques can be used in cyber security systems to provide automated processes for the identification of new threats and the implementation of technology controls and protection. However, organizations need to be aware that hackers are also using these tools.
- New outward-facing tools and platforms – To allow users to control how their data is being used, new outward-facing tools and platforms have been developed. For instance, Facebook recently released a set of privacy tools that include a unified privacy dashboard and has announced the launch of a new Clear History tool. Such tools cannot be neglected, as they may be crucial for compliance with the new privacy regulations, such as data portability, the right to be forgotten, and withdrawal of consent to the collection of personal data.
Businesses must have proper policies and best practices in place to ensure privacy and data security. Innovation, new technologies and global competition are driving the expansion of the global business process outsourcing industry. Businesses that rely on outsourced solutions must partner only with reliable service providers to ensure the security of their data. They should check whether the outsourcing company has proper measures in place to ensure the safety and confidentiality of the data it handles. They should make sure that their outsourcing partner is highly proactive and vigilant when it comes to cyber security. For instance, some of the data security measures a reliable document conversion company would have in place include:
- Password-protected computers
- Random checks of systems on a regular basis
- Firewalls and antivirus software on all computers updated with virus definitions daily
- On-site destruction of any spoiled hard copies of notes and copies of personally identifiable information
- Monthly back-ups of computer systems stored in password-protected lockers
- A confidentiality and non-disclosure agreement signed by all employees
- Up-to-date contractual agreements with all business parties
- Immediate protection of all documents uploaded to the outsourcing company’s website with 256-bit SSL encryption
- Routine technical evaluations to ensure all systems meet or exceed specified security requirements
- Training of all staff on privacy, security, and confidentiality
With the threat of increasing liability and risk from statutory penalties and class action lawsuits, businesses need to recognize new and evolving international privacy and security regulations. Partnering with an outsourcing company that has data security built into its processes, IT infrastructure and network is critical to preventing security breaches and data misuse.