Prove It's Secure

Legislators want CIOs and service providers to show that customer data sent overseas is as safe as it is at home

Offshore-outsourcing opponents have, for the most part, focused their criticism on the number of U.S. jobs lost to overseas workers. Now some people are urging limits on the practice because they claim it threatens consumer privacy.

California state Sen. Liz Figueroa last week said she would propose legislation prohibiting the movement of Californians' medical and financial data overseas unless she receives assurances that strong privacy safeguards are in place. Concerns range from overseas call-center workers being able to view or manipulate personal records stored in U.S. data centers to having databases of information on U.S. citizens physically located in a foreign country and operated by a third party. "Outside the U.S., medical privacy doesn't really mean anything," Figueroa contends.

State Sen. Figueroa says she wants to protect Californians' privacy

Figueroa, who chairs California's Senate Select Committee on International Trade Policy and State Legislation, says she's concerned that a growing number of U.S. medical and financial-services firms are shifting information-processing work to lower-wage countries that lack tough privacy laws, leaving consumers vulnerable to identity theft and other crimes. Figueroa, who authored California's medical-records privacy law, considered by many to be the strongest in the nation, also is sponsoring bills to require California employers to notify the state and employees if they plan to move 20 or more jobs overseas and to prohibit state contracts from being fulfilled offshore.

Figueroa's plan and similar ones in other states are evidence that politicians are looking closely at the growing practice of sending work offshore. Her proposal, if enacted, would be among the first to significantly affect businesses' offshore IT practices. Most other efforts to restrict offshore outsourcing seek to block federal or state contracts from going overseas. Offshore business-process-outsourcing services (which, unlike application development, typically require the transfer of personal data) grew 38% last year to just under $2 billion, according to Gartner. The research firm says most of that work was performed in India.

At the federal level, Sen. Dianne Feinstein, D-Calif., asked the U.S. Comptroller of the Currency earlier this month to investigate whether banks that process customers' financial data offshore have safeguards to protect that data from unauthorized use. In Arizona, proposed legislation would bar companies from shipping financial data outside the country without written permission from consumers. A proposal in South Carolina would prevent companies from giving "financial, credit, or identifying information" to a call-center representative abroad without the individual's written permission.

The legislative efforts worry private-sector executives who are counting on offshore operations to lower their costs. "The right balance is to let the consumer decide," says Chris Larsen, CEO of E-Loan Inc. The online lender is testing a program that lets customers choose to have their mortgage applications processed here or by a service provider in India, which cuts two days off the processing time. Since the test launched March 1, 85% of customers who've applied have chosen the offshore option. "People understand what they're doing and the consequences in terms of jobs," Larsen says.

E-Loan CEO Larsen says consumers will trust companies that explain their outsourcing and privacy policies

Larsen, who testified before Figueroa's committee last week, says consumers will trust companies that are up-front about their outsourcing and privacy policies. E-Loan uses IPSec and ISO 17799 security standards to protect data lines that connect its Pleasanton, Calif., systems to offices of outsourcing vendor Wipro Technologies in India. Wipro agreed not to subcontract any of the work, and its employees can view customer information but can't access data files to make changes or copies.

Some IT executives aren't convinced that privacy can be guaranteed in offshore settings. "It's a risk factor," says Tom Tabor, CIO at medical-insurance provider Highmark Inc. Tabor says that's one reason his company hasn't outsourced much of its business-process work, though he notes that privacy violations can happen "anywhere in the world, including the U.S."

At a committee hearing last week, Figueroa cited a highly publicized case last year of a Pakistani contract worker upset about back pay who threatened to divulge data about patients at a San Francisco hospital that sent its transcription work abroad. Officials at the UCSF Medical Center, the target of the Pakistani worker, told Figueroa's committee that the hospital has changed its practices in order to reduce the potential for similar actions in the future. Among other things, the hospital now prohibits vendors from using subcontractors without prior agreement.

Privacy advocates contend that contract language and security technology aren't enough to protect the confidentiality of personal data that's been moved offshore. Beth Givens, director of the Privacy Rights Clearinghouse, told Figueroa's committee that many of the countries in which medical and financial data are processed don't have enforceable privacy laws. "It's questionable if even the most ironclad contracts are able to overcome the fact that data processing is occurring outside the U.S. legal and regulatory infrastructure," Givens said.

The United States actually is far behind many other countries, including those in the European Union, in legislating privacy, says William B. Bierce, an attorney with Bierce and Kenerson P.C. The EU requires "adequate protection" before data can be shipped to an outside country. The National Association of Software and Service Companies, a trade group that represents Indian services firms, is lobbying for India to provide privacy protections that meet EU standards, though a proposal is still being developed. But Bierce believes a company that does due diligence to hire a reputable service provider can be confident its data is protected. "Technology allows you to have the same security measures applied independent of geography," he says.

Still, the message from lawmakers such as Figueroa to companies that use offshore labor is clear: ensure privacy, or expect rules to keep the work at home.

-- with Thomas Claburn

Continue to the sidebar: IEEE Advocates Limits On Offshore Outsourcing