
The provider's obligations to protect the confidentiality of employee data must be defined in detail.
Privacy is a growing concern for many Americans. When business services are outsourced, outsourcing companies are given access to a variety of confidential company information and employee data. Employers that outsource should protect confidential employee information by taking steps to maintain its confidentiality and security both when retaining such data and when transferring it to outsourcing providers. Given the sensitive nature of employee-related data, privacy concerns are particularly significant for companies outsourcing human resources functions. HRO providers, for their part, should be well aware of these concerns and of how to address them.
Security of the outsourcing provider's computer system is one area of concern. Another area of concern is unauthorized access to information, whether such access is by unauthorized personnel or use of the information in an unauthorized manner.
Employees may have concerns about how their information will be transferred and used. Employers contemplating human resources outsourcing should anticipate such concerns and be prepared to address them. Employers should decide what kinds of information will be shared, require the provider to share such information only to the extent necessary to perform its specific services, insist upon appropriate measures to ensure that confidentiality is maintained, and state that such information will be returned or deleted at the end of the agreement.
Privacy Laws and Regulations
While only a few statutes apply to the confidentiality of employee information, common-law invasion-of-privacy suits are also a risk. Employers should be concerned about protecting the confidentiality of employee data, because the employer may ultimately be liable if the outsourcer allows such data to be accessed by unauthorized personnel or to be used inappropriately. In the United States, for example, consider the following federal laws: certain provisions of the Americans with Disabilities Act of 1990 (protecting medical records); the Health Insurance Portability and Accountability Act of 1996 (protecting health and medical information); and the Financial Modernization Act of 1999 (protecting financial information), as well as state law requirements. In the European Union, the laws are more stringent.
Employers should focus on how the security and confidentiality of information will be maintained during the term of the outsourcing relationship. To ensure the confidentiality of employee data, the agreement should:
Maintaining Security Standards
Employers should determine whether the outsourcer has the proper security mechanisms in place to comply with the relevant privacy laws and employer's security expectations, including: a secure technology infrastructure; data storage and handling procedures; information sharing policies; and staff-training procedures. If additional steps need to be taken to ensure compliance, the outsourcer should be responsible for the cost of implementing such security mechanisms. Further, employers may wish to set forth remedies for security breaches.
An established human resources outsourcer should be familiar with relevant laws and regulations. Further, the outsourcer should be responsible for tracking new legal developments common to its customers and updating security measures as necessary. Outsourcers should indemnify employers against any acts or omissions by the outsourcer in violation of the law, and against any third-party claims brought as a result of acts or omissions of the outsourcer inconsistent with its obligations. This indemnity should be an exception to any limitation-of-liability clause set out in the agreement.