Tim Wilson, the site editor for Dark Reading, points out that there has been a spate of high-profile incidents in which companies compromised partners' data.
IndyStar.com reports that names, addresses, Social Security numbers and other data of 51,000 patients of St. Vincent Indianapolis Hospital were made vulnerable by Verus, a firm that was working on a medical billing site for the institution.
Verus was implicated in another recent incident. In New Hampshire, personal records of more than 9,000 Concord Hospital patients were viewed eight times while they were posted on the Internet for a month and a half. In a Concord Monitor report, the institution's president and CEO says a search to replace Verus is under way and that a decision hasn't been made on whether to sue the company.
In some cases, the loss clearly was not accidental. In May, an employee for Alta Resources, a company that fulfills orders for the Disney Movie Club, stole sensitive data -- including credit card numbers -- of customers. Disney would not comment to InfoWorld, but a letter reportedly sent to victims by a vice president said that the employee tried to sell the information to law enforcement authorities.
IT departments must pay very careful attention to this. In a sense, a company's image could suffer even more if it is perceived to have blithely trusted third parties. There is probably also very little difference in an organization's legal vulnerability between a direct loss and a loss that is its subcontractor's fault.
So, an IT person could easily ask, what are we to do? After all, an acknowledged price of outsourcing is some loss of control. The fact is that there is plenty that can be done. The agreement between the organization and its contractors should very clearly stipulate how the data is to be handled. Encryption should be part of the deal; in many states, this greatly reduces or even eliminates legal liability. It also makes sense for organizations to perform spot checks of some sort to ensure that the outside organization is treating the data as it promised.
The bottom line is that IT and security executives are kidding themselves if they think their responsibilities end when the data is sent to a partner or subcontractor. Spot checks and strong agreements certainly are good steps. The longer-term approach may be structured environments -- perhaps akin to federated information management -- that enable highly secure collaboration and data sharing across organizational lines.