Offshoring privacy: when companies offshore business processes, they are putting consumers' most sensitive personal information at risk--and there's little consumers can do about it.
Offshoring also poses risks to the security and privacy of consumers' personal data because when companies offshore business processes they also send their customers' most sensitive information overseas. Once sent abroad, the information is at risk because U.S. federal laws do not apply to foreign companies operating overseas. In fact, many countries that contract for offshore work with U.S. companies have far weaker security and privacy laws than the United States. For example, India has no laws to protect personal and private data. The situation is made more complex by the fact that it is extremely difficult for Americans to use foreign courts to sue foreign companies that misuse American data.
These factors leave the most sensitive details of the lives of millions of consumers vulnerable to lax security and malicious identity thieves. And the problem is growing. Consider the following examples:
* Tax returns for about 200,000 Americans were prepared in India in 2004. Indian workers processed only about 1,000 U.S. tax returns two years ago. Tax returns include Americans' names, Social Security numbers, income, employers, addresses, and other personal details.
* The American Association for Medical Transcription estimates that 10 percent of all transcription of doctors' notes is done abroad.
* An executive from Trans Union, one of the major U.S. credit agencies, told the San Francisco Chronicle that 100 percent of the company's mail regarding customer disputes is sent to India at some point.
A few recent incidents illustrate the risk that international offshoring poses to consumers. In one case, a low-paid transcriber in Pakistan working as a subcontractor to the University of California Medical Center in San Francisco threatened to post confidential patient information on the Internet unless the university coaxed her boss into paying her bills. In Noida, India, an employee working at a call center used an American's credit card information to buy electronics equipment from Sony. In some areas, a thriving black market for personal identity information exists. According to one report, stolen names, addresses, phone numbers, and bank account information--including account numbers--are sold on Indian streets for pennies.
"It's not merely that Americans' identities are vulnerable when sent abroad. The problem is that American companies obscure how much outsourcing they do, and when they are doing it," Sen. Dianne Feinstein (D-Calif.) recently told the U.S. Congress.
Few Regulations, Fewer Restrictions
More and more companies are sending work overseas to achieve cost savings and competitive advantage, and there is little federal oversight. The problem is so bad that U.S. regulatory agencies, despite their oversight of U.S. industries, have not been able to determine how many security breaches have taken place or how much they have cost consumers.
According to John D. Hawke Jr., who heads the Office of the Comptroller of the Currency (OCC), one of the agencies that regulates U.S. financial institutions and banks, the OCC does not directly regulate whether banks have adequate privacy procedures in place for foreign servicing. The OCC does suggest certain safeguards for U.S. banks to use when they hire foreign information processors. The agency also asks U.S. banks to use contract provisions to ensure that foreign companies use secure methods to process data and to let U.S. companies audit the foreign companies. But the OCC does not require that companies adopt these safeguards.
Rep. Edward J. Markey (D-Mass.), co-chair of the Congressional Privacy Caucus, recently requested clarification about the breadth of the Health Insurance Portability and Accountability Act's (HIPAA) protection of consumer data when it is sent overseas for processing. In a letter to Markey, Department of Health and Human Services (HHS) Secretary Tommy Thompson revealed that "Neither HIPAA nor the HHS Privacy Rule require covered entities or business associates to register with the department to report on the nature or content of their contractual relationships."
Thompson noted that if a consumer's medical records are offshored to an entity and that entity compromises the confidentiality of the consumer's private information, he or she has no right under HIPAA to sue either the U.S. company that transferred the data or the offshore company that misused it. Thompson indicated that HHS' enforcement efforts are driven entirely by consumer complaints or press reports about potential privacy violations, and that the department does not conduct routine compliance oversight to determine whether HIPAA privacy rules are being complied with.
Markey also questioned the Federal Deposit Insurance Corp. (FDIC) about the level of protection existing FDIC regulations provide to consumers when their data is offshored. A June FDIC study on the consumer privacy risks of offshoring personal data by FDIC-insured banks revealed that "The more complicated chain of control incurred when offshoring financial services and related data may create new risks when compared to domestic outsourcing."
The study also found that "geographic distance from the function and timing lags in reporting heighten the potential risk exposures" and "few legal restrictions exist on financial services companies sending consumer data to foreign countries." Most ominous, the study noted that "customers may not opt out of these information transfers to nonaffiliated service providers" under loopholes contained in the Gramm-Leach-Bliley Act for data transfers to service providers.
In response to these risks, the FDIC made two recommendations: 1) that financial institutions be required to identify currently undisclosed contracting arrangements that their third-party contractors may enter into; and 2) that financial institutions be required by federal regulation to create a central database of information about all their outsourcing arrangements so that regulators can better monitor them.
A federal banking regulators' letter signed by the heads of the Federal Reserve, the FDIC, the National Credit Union Administration, the OCC, and the Office of Thrift Supervision revealed that none of them collect information on the customer data that U.S. banks currently transfer to foreign companies, who they transfer it to, the purpose of the transfer, or whether the consumer is given the right to opt-out of such transfers. In addition, the regulators were unable to report on how many examinations they had conducted to determine whether outsourcing of consumer information may have resulted in unauthorized disclosure of data. The regulators also confirmed that U.S. consumers currently have no legal right under federal law to sue a bank for transferring their personal financial information to an offshore entity that releases this information.
"The letters I have received from HHS and the banking regulators only serve to underscore how weak current federal privacy protections are," Markey said.
At the very least, privacy advocates say consumers should have a right to know if their personal information is being transferred abroad and a right to say "no" to this practice if they object.
FDIC Predicts Increased Offshoring
The Federal Deposit Insurance Corp. (FDIC) released a report in June warning that consumer privacy could be compromised by sending customer data overseas if companies do not adhere to strict rules for data processing. The report also predicts that more information processing jobs will be sent overseas in the next five years, motivated by cost savings and competitive pressures.
"Typically, financial institutions offshore non-core job functions, such as IT (specifically, software development and maintenance), administration, human resources, contact centers, call centers, and telemarketing," says the report. The report also estimates that financial institutions that offshore achieve average cost savings of 39 percent, with one in four institutions surveyed achieving savings of more than 50 percent.
The report further reveals that "the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis."
Information Offshoring Receives Increased Attention on Capitol Hill
Several bills addressing the issue of information offshoring have been introduced in the 108th Congress. While offshoring has received media attention associated with the issue of lost American jobs, Congress has not held hearings or markups on specific legislation. It is expected, however, that legislation on the issue will see increased attention when the 109th Congress convenes in 2005. Three principal bills are now pending in Congress:
* Increasing Notice of Foreign Outsourcing Act (INFO Act)--This legislation, introduced by Senators Dianne Feinstein (D-Calif.) and Bill Nelson (D-Fla.), requires U.S. health and financial companies to notify consumers when sending their information abroad and to certify the safeguards associated with the overseas processing. It would require U.S. companies processing health and financial data to include clauses in contracts with their overseas partners to enforce U.S. privacy standards and to allow audits of their information processors. The bill would create a system to inform U.S. companies and federal regulators of any security breaches involving American health or financial information at facilities operated outside the United States. The bill also gives consumers the right to know where overseas call centers are located. It also gives federal agencies the power to enforce these provisions. "The bill will ensure that American companies notify consumers of a business' outsourcing practices. And it will require American companies to hold their foreign business partners accountable for protecting American data," Feinstein said.
* Safeguarding Americans from Exporting Identification Data Act (SAFE-ID Act)--Introduced by Senators Hillary Rodham Clinton (D-N.Y.) and Mark Dayton (D-Minn.), this legislation would prohibit organizations from disclosing personally identifiable information regarding U.S. residents to any branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless the business provides notice and the consumer is given the opportunity to object prior to the disclosure. The bill would prohibit healthcare and financial businesses from terminating existing relationships with consumers to avoid objections to disclosure. The bill also would make businesses liable for mishandling personally identifiable information and would require the Secretary of Health and Human Services to revise existing regulations to require covered entities that outsource protected health information to a foreign country to include certain information relating to outsourcing in their privacy protection notices. The bill also amends the Gramm-Leach-Bliley Act to require the inclusion of similar information in privacy protection notices for financial services consumers.
* Personal Data Offshoring Protection Act of 2004--Introduced by Rep. Edward J. Markey (D-Mass.), this measure also would require businesses to give consumers notice before transmitting personally identifiable information overseas. It would prohibit offshoring where adequate privacy protections are lacking unless: 1) the business discloses the lack of protections and obtains the consumer's prior consent for transmittal; and 2) such consent is renewed by the consumer within one year before the offshoring. The bill would also create a private right of action in state court for violations and authorize states, on behalf of their residents, to bring civil actions in federal court for such violations. The bill requires prior notice to the Federal Trade Commission (FTC) of state actions, authorizes the FTC's intervention, and directs the FTC to certify those countries that have legal systems providing adequate privacy protections. Markey's bill also would create a presumption of inadequacy for foreign laws that are less protective of privacy than U.S. law, the law of any U.S. state, or where the FTC determines that enforcement is lacking. The bill would require certification of countries whose laws meet the requirements of the European Union Data Protection Directive, unless such laws are not adequately enforced.
Source: SmithBucklin Corp.
Title Annotation: On the edge: the use & misuse of information
Publication: Information Management Journal
Date: Sep 1, 2004