Prove It's Secure
Legislators want CIOs and service providers to show that customer data sent overseas is as safe as it is at home
Offshore-outsourcing opponents have, for the most part, focused their criticism on the number of U.S. jobs lost to overseas workers. Now some people are urging limits on the practice because they claim it threatens consumer privacy.
California state Sen. Liz Figueroa last week said she would propose legislation prohibiting the movement of Californians' medical and financial data overseas unless she receives assurances that strong privacy safeguards are in place. Concerns range from overseas call-center workers being able to view or manipulate personal records stored in U.S. data centers to having databases of information on U.S. citizens physically located in a foreign country and operated by a third party. "Outside the U.S., medical privacy doesn't really mean anything," Figueroa contends.
State Sen. Figueroa says she wants to protect Californians' privacy
Figueroa's plan, and similar ones in other states, are evidence that politicians are looking closely at the growing practice of sending work offshore. Her proposal, if enacted, would be among the first to significantly affect businesses' offshore IT practices. Most other efforts to restrict offshore outsourcing seek to block federal or state contracts from going overseas. Offshore business-process-outsourcing services (which, unlike application development, typically require the transfer of personal data) grew 38% last year to just under $2 billion, according to Gartner. The research firm says most of that work was performed in India.
At the federal level, Sen. Dianne Feinstein, D-Calif., asked the U.S. Comptroller of the Currency earlier this month to investigate whether banks that process customers' financial data offshore have safeguards to protect that data from unauthorized use. In Arizona, proposed legislation would bar companies from shipping financial data outside the country without written permission from consumers. A proposal in South Carolina would prevent companies from giving "financial, credit, or identifying information" to a call-center representative abroad without the individual's written permission.
The legislative efforts worry private-sector executives who are counting on offshore operations to lower their costs. "The right balance is to let the consumer decide," says Chris Larsen, CEO of E-Loan Inc. The online lender is testing a program that lets customers choose to have their mortgage applications processed here or by a service provider in India, which cuts two days off the processing time. Since the test launched March 1, 85% of customers who've applied have chosen the offshore option. "People understand what they're doing and the consequences in terms of jobs," Larsen says.
E-Loan CEO Larsen says consumers will trust companies that explain their outsourcing and privacy policies
Some IT executives aren't convinced that privacy can be guaranteed in offshore settings. "It's a risk factor," says Tom Tabor, CIO at medical-insurance provider Highmark Inc. Tabor says that's one reason his company hasn't outsourced much of its business-process work, though he notes that privacy violations can happen "anywhere in the world, including the U.S."
At a committee hearing last week, Figueroa cited a highly publicized case last year of a Pakistani contract worker upset about back pay who threatened to divulge data about patients at a San Francisco hospital that sent its transcription work abroad. Officials at the UCSF Medical Center, the target of the Pakistani worker, told Figueroa's committee that it has changed its practices in order to reduce the potential for similar actions in the future. Among other things, the hospital now prohibits vendors from using subcontractors without prior agreement.
Privacy advocates contend that contract language and security technology aren't enough to protect the confidentiality of personal data that's been moved offshore. Beth Givens, director of the Privacy Rights Clearinghouse, told Figueroa's committee that many of the countries in which medical and financial data are processed don't have enforceable privacy laws. "It's questionable if even the most ironclad contracts are able to overcome the fact that data processing is occurring outside the U.S. legal and regulatory infrastructure," Givens said.
Still, the message from lawmakers such as Figueroa to companies that use offshore labor is clear: ensure privacy, or expect rules to keep the work at home.
-- with Thomas Claburn