When parents seek out a nanny or baby sitter to care for their children while they are out of the house, surely they go through all reasonable measures to ensure their kids are in the best hands possible. And once they settle on a caretaker, responsible parents will regularly check in to make sure their hired helpers are properly performing the job at hand.
Considering the proliferation and sheer value of information today, perhaps businesses should look at their data with the same loving mind as a mother would her child. That means, ensure the people contracted to maintain that data are properly doing their job because if they aren’t, the organization is the one responsible for explaining what happened to its customers. Customers will not make the distinction between a business and its partner.
Easier said then done, I admit. After all, remember “The Hand that Rocks the Cradle?”
I am again reminded of this need for organizations to deeply scrutinize their contractors – especially the ones handling their data – and establish stringent service-level agreements after Concord Hospital fired its billing company. The company, Verus Inc., managed the New Hampshire hospital’s billing system but publicly exposed the personal data of some 9,000 hospital patients for more than a month.
Reports have not said whether Verus violated its contract with the hospital (I’m guessing it did) or what avenues of retribution are available for the hospital.
To best offer advice, I will pull an excerpt from a story I wrote last summer.
When a company’s critical data is in the hands of a service provider, the hope is that vendor has security controls “at least matching” what the organization is running internally, says Arabella Hallawell, a Gartner analyst who specializes in outsourcing.
But the only way to assure such safeguards is through well-crafted service-level agreements (SLA), experts say.
“Most organizations, at least in the past, haven’t viewed security as important evaluation criteria,” Hallawell says. “I think the onus is very much on the company to negotiate and ask. If you don’t ask, you’ll get very vague security controls in place.”