http://www.thefreelibrary.com/Offshorin ... 0122579443

Offshoring privacy: when companies offshore business processes, they are putting consumers' most sensitive personal information at risk--and there's little consumers can do about it.





While Americans are concerned about offshoring taking away jobs from U.S. workers, many do not realize that there is a bigger, more insidious, problem associated with the practice.

Offshoring also poses risks to the security and privacy of consumers' personal data because when companies offshore business processes they also send their customers' most sensitive information overseas. Once sent abroad, the information is at risk because U.S. federal laws do not apply to foreign companies operating overseas. In fact, many countries that contract for offshore work with U.S. companies have far weaker security and privacy laws than the United States. For example, India has no laws to protect personal and private data. The situation is made more complex by the fact that it is extremely difficult for Americans to use foreign courts to sue foreign companies that misuse American data.





These factors leave the most sensitive details of the lives of millions of consumers vulnerable to lax security and malicious identity thieves. And the problem is growing. Consider the following examples:

* Tax returns for about 200,000 Americans were prepared in India in 2004. Indian workers processed only about 1,000 U.S. tax returns two years ago. Tax returns include Americans' names, Social Security numbers, income, employers, addresses, and other personal details.

A few recent incidents illustrate the risk that international offshoring poses to consumers. In one case, a low-paid transcriber in Pakistan working as a subcontractor to the University of California threatened to post confidential patient information on the Internet unless the university coaxed her boss into paying her bills. In Noida, India, an employee working at a call center used an American's credit card information to buy electronics equipment from Sony. In some areas, a thriving black market for personal identity information exists.

"It's not merely that Americans' identities are vulnerable when sent abroad. The problem is that American companies obscure how much outsourcing they do, and when they are doing it," Sen. Dianne Feinstein (D-Calif.) recently told the U.S. Congress.

Few Regulations, Fewer Restrictions

More and more companies are sending work overseas to achieve cost savings and competitive advantage, and there is little federal oversight. The problem is so bad that U.S. regulatory agencies, despite their oversight of U.S. industries, have not been able to determine how many security breaches have taken place or how much they have cost consumers.

According to John D. Hawke Jr., who heads the Office of the Comptroller of the Currency (OCC

Rep. Edward J. Markey (D-Mass.), co-chair of the Congressional Privacy Caucus, recently requested clarification about the breadth of HIPAA's (Health Insurance Portability and Accountability Act

Thompson noted that if a consumer's medical records are offshored to an entity and that entity compromises the confidentiality of the consumer's private information, he or she has no right under HIPAA to sue either the U.S. company that transferred the data or the offshore company that misused it. Thompson indicated that HHS' enforcement efforts are driven entirely by consumer complaints or press reports about potential privacy violations, and that the department does not conduct routine compliance oversight to determine whether HIPAA privacy rules are being complied with.

The study also found that "geographic distance from the function and timing lags in reporting heighten the potential risk exposures" and "few legal restrictions exist on financial services companies sending consumer data to foreign countries." Most ominous, the study noted that "customers may not opt out of these information transfers to nonaffiliated service providers" under loopholes contained in the Gramm-Leach-Bliley Act

In response to these risks, the FDIC made two recommendations: 1) that financial institutions be required to identify currently undisclosed contracting arrangements that their third-party contractors may enter into; and 2) that financial institutions should be required by federal regulation to create a central database of information about all their outsourcing arrangements so that regulators can better monitor them.

"The letters I have received from HHS and the banking regulators only serve to underscore how weak current federal privacy protections are," Markey said.

At the very least, privacy advocates say consumers should have a right to know if their personal information is being transferred abroad and a right to say "no" to this practice if they object.

FDIC Predicts Increased Offshoring

The Federal Deposit Insurance Corp. (FDIC) released a report in June warning that consumer privacy could be compromised by sending customer data overseas if companies do not adhere to strict rules for data processing. The report also predicts that more information processing jobs will be sent overseas in the next five years, motivated by cost savings and competitive pressures.

"Typically, financial institutions offshore non-core job functions, such as IT (specifically, software development and maintenance), administration, human resources, contact centers, call centers, and telemarketing," says the report. The report also estimates that financial institutions that offshore achieve average cost savings of 39 percent, with one in four institutions surveyed achieving savings of more than 50 percent.

The report further reveals that "the range and number of offshored job functions within individual institutions is expected to increase, with the average number growing from two to four functions per institution. In particular, the traditional focus on IT alone, which accounts for 70 percent of current offshore activity, will change to a business-process emphasis."

Information Offshoring Receives Increased Attention on Capitol Hill

Several bills addressing the issue of information offshoring have been introduced in the 108th Congress. While offshoring has received media attention associated with the issue of lost American jobs, Congress has not held hearings or markups on specific legislation. It is expected, however, that legislation on the issue will see increased attention when the 109th Congress convenes in 2005. Three principal bills are now pending in Congress:

* Increasing Notice of Foreign Outsourcing Act (INFO Act)--This legislation, introduced by Senators Dianne Feinstein (D-Calif.) and Bill Nelson (D-Fla.), requires U.S. health and financial companies to notify consumers when sending their information abroad and to certify the safeguards associated with the overseas processing. It would require U.S. companies processing health and financial data to include clauses in contracts with their overseas partners to enforce U.S. privacy standards and to allow audits of their information processors. The bill would create a system to inform U.S. companies and federal regulators of any security breaches involving American health or financial information at facilities operated outside the United States. The bill also gives consumers the right to know where overseas call centers are located. It also gives federal agencies the power to enforce these provisions. "The bill will ensure that American companies notify consumers of a business' outsourcing practices. And it will require American companies to hold their foreign business partners accountable for protecting American data," Feinstein said.

* Safeguarding Americans from Exporting Identification Data Act (SAFE-ID Act)--Introduced by Senators Hillary Rodham Clinton (D-N.Y.) and Mark Dayton (D-Minn.), this legislation would prohibit organizations from disclosing personally identifiable information regarding U.S. residents to any branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless the business provides notice and the consumer is given the opportunity to object prior to the disclosure. The bill would prohibit healthcare and financial businesses from terminating existing relationships with consumers to avoid objections to disclosure. The bill also would make businesses liable for mishandling personally identifiable information and would require the Secretary of Health and Human Services to revise existing regulations to require covered entities that outsource protected health information to a foreign country to include certain information relating to outsourcing in their privacy protection notices. The bill also amends the Gramm-Leach-Bliley Act to require the inclusion of similar information in privacy protection notices for financial services consumers.

* Personal Data Offshoring Protection Act of 2004--Introduced by Rep. Edward J. Markey (D-Mass.), this measure also would require businesses to give consumers notice before transmitting personally identifiable information overseas. It would prohibit offshoring where adequate privacy protections are lacking unless: 1) the business discloses the lack of protections and obtains the consumer's prior consent for transmittal; and 2) such consent is renewed by the consumer within one year before the offshoring. The bill would also create a private right of action in state court for violations and authorize states, on behalf of their residents, to bring civil actions in federal court for such violations. The bill requires prior notice to the Federal Trade Commission (FTC) of state actions, authorizes the FTC's intervention, and directs the FTC to certify those countries that have legal systems providing adequate privacy protections. Markey's bill also would create a presumption of inadequacy for foreign laws that are less protective of privacy than U.S. law, the law of any U.S. state, or where the FTC determines that enforcement is lacking. The bill would require certification of countries whose laws meet the requirements of the European Union Data Protection Directive, unless such laws are not adequately enforced.

Source: SmithBucklin Corp.