|
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE] [IMAGE] Legal Maze
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
Click here for an overview showing a dizzying array of data protection laws and regulatory authorities around the world (PDF).
[IMAGE]
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]
Cross-Border Complications
While outsourcing has fueled globalization and corporate competitiveness, it has significantly complicated cross-border data flows and privacy compliance obligations. Although functions and processes can be outsourced, compliance requirements cannot. Therefore, it is crucial that companies ensure that their compliance obligations are not jeopardized in the outsourced environment.
"Even those of us who don't necessarily have international business, most have international outsourcing of one function or another," says Kirk Herath, chief privacy officer and associate general counsel at Nationwide Insurance Companies. "Outsourcers even outsource. The data can end up being in some far-flung places. It could be unprotected or more protected."
The two largest compliance hurdles associated with outsourcing are inadequate legal frameworks in outsourcing jurisdictions and the inability of their law enforcement agencies to cooperate and investigate cyber incidents.
The three primary outsourcing jurisdictions--India, China and the Philippines--have ...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
no data protection laws. Thus, privacy protections accorded to client data may have no statutory protection in the country where the processing is taking place. Even though a provider may have a contractual obligation to protect data, the lack of a statutory right to privacy can raise serious issues in the prosecution of privacy breaches and other cybercrimes.
Breaches in outsourced operations can also invite regulatory action. For example, the Australian Privacy Commissioner has initiated investigations into breaches of protected personal information through an Indian call center. Likewise, the United Kingdom's Information Commissioner's Office responded to an Indian call center worker's sale of British consumer financial data by notifying U.K. banks that they could face prosecution under the U.K. Data Protection Act for such breaches.
Even if there is a data protection law in the outsourced jurisdiction, there may not be a criminal law such as the U.S. Computer Fraud and Abuse Act, which covers cybercrime and the unauthorized disclosure of confidential data. Many countries also have dual criminality requirements--the activity must be unlawful in both the country requesting the assistance and the country from which assistance is sought.
Additionally, although cyberspace has no borders, law enforcement, prosecutors and government officials do; they must stop at national borders and formally request assistance from other countries when tracking and tracing cybercrime, which can be cumbersome.
If the country does have a multilateral assistance treaty (MLAT) with the country requesting assistance, the requesting country must use the Letters Rogatory process to apply for assistance through the other country's courts. Even if assistance is granted, often the law enforcement officials don't have enough training on investigating and seizing electronic evidence.
Multilateral efforts in addressing some of these issues have fallen short. In 1997, the G8 established a network of around-the-clock contacts to assist with cybercrimes investigations. According to the U.S. Department of Justice, membership in the network is 45 nations--hardly enough to impact the security of an Internet connected to 240 countries.
|
