Issue Of The Week: April 12, 2004
The Privacy Risks Of 'Outsourcing'
by Chloe Albanesius
The "outsourcing" of U.S. jobs to other countries has become a political hot potato primarily because of the trend's impact on the U.S. labor market. But in the states where people are losing their jobs, some observers also are concerned about the privacy implications of moving jobs that involve customer service to nations whose privacy laws may not be as strict.

At least 16 states have introduced legislation on privacy issues in other countries, said Michael Kerr of the Information Technology Association of America (ITAA), and many of the bills address consumers' right to know about how their personal information is used. Yet he added that he has seen minimal momentum on many of those and other outsourcing-related bills largely because "small angles [don't] really address what is a new, global competitive reality."

While labor and privacy experts agree that concerns about foreign access to Americans' personal information are legitimate, they also note that in most instances companies take the necessary steps to ensure that there are no breaches of privacy. "The state of security of technology and cyber security [overseas] ... is just as advanced, if not more, [as in] the United States," Kerr said.

Consumer Rights: Lost In Translation?

The Tennessee House on Thursday unanimously passed a right-to-know measure, H.B. 2340. It originally included a provision that would have required companies to get written consent from customers before foreign workers could view their personal information, but as amended, it would demand that foreign workers obey U.S. rules on financial privacy and on telemarketing sales. The bill is on the Senate calendar for Tuesday.

Consumer protection under the law is the most pressing issue regarding privacy and outsourcing, said Beth Givens, director of the California-based Privacy Rights Clearinghouse. She acknowledged that the security safeguards in many companies "are very rigorous and I think they probably exceed the security practices of many of the companies here in the United States," but she added that if a U.S. citizen is a victim of identity theft at the hands of a foreign worker, the American may have little legal recourse.

Unless the ID theft is a matter of national security, Givens said, "I think it's very doubtful that you could get any law enforcement agency to take a look at the matter." She said U.S. laws should be toughened to hold companies and their subcontractors responsible for privacy breaches.

California has a law requiring companies to notify residents if their personal information has been accessed or compromised, a statute that could get muddled as companies contract and subcontract to various international locations. "From a responsibilities point of view ... there's really not a difference between an outsourced contractor" and the originating company in the law, said Joanne McNab, chief of the California Office of Privacy Protection. But in state-issued privacy practices, she said, "one of the things we are recommending is that [companies] contractually bind ... suppliers and service providers with immediate notice" of any breaches.

"Most companies haven't seriously considered privacy and data-protection risks when deciding to outsource data-management activities, including those activities that rely upon highly sensitive personal information," said Larry Ponemon, chairman and founder of the Ponemon Institute think tank. "To make matters worse, there are numerous situations observed by us where the vendor selected to perform outsourced activity is an IT sweatshop," which he said creates an "enormous opportunity ... for the would-be cyber criminal ... to acquire very sensitive information that can be used to steal assets and identities."

"Most of the procurement folks in the benchmark sample admit to very limited site visits," he added. "This can be especially risky for companies that transact Social Security and credit-card information."

Part Legitimate Issue, Part Political Football

Ponemon stressed, however, that there is no need for policymakers to overreact because many "offshore vendors have superior controls and practices. While the privacy and information security issues are an actual, legitimate business risk ... it is also a political football," he said.

ITAA's Kerr agreed. "A lot of it has been driven by the political atmosphere [of an] election year," he said. "It's kind of a good issue for proponents of these bills to find ... additional support among legislators [because it] certainly plays well to consumer concerns."

"Companies actually hold the false belief that because privacy laws in certain countries are less rigorous than our laws, the transfer of data-management functions to these countries actually lessens the compliance burden," Ponemon added.

If right-to-know legislation is implemented in the states, he added, it could cause "a great deal of administrative burden" for companies that would have to partition their operations into customers who must be legally notified of corporate privacy policies and others. The rules could be a logistical nightmare that could cause some to simply abandon their operations, he said.

Kerr also noted that countries with major customer-service call centers consider those industries "their most important asset" and that if there were breaches of privacy, American companies no longer would use their services. India, a country where many U.S. call-center jobs have been transferred, has a solid legal regime and enforcement mechanism for privacy issues, he said, and later this year ITAA will participate in a meeting to discuss that nation's progress.

"The U.S. policy should be to continue along the path of free trade and at the same time make sure that the checks and balances are in place to business overseas," Kerr said.

A Technological Solution At Hand

The Ponemon Institute currently is studying the security of vendor relations, and the study includes a "fair number" of technology companies and two telecommunications firms, Ponemon said. Of the companies studied so far, 43 percent currently send work overseas, while 90 percent have plans to outsource work to overseas vendors in the future. Sixty-two percent view security as an increasing risk, and 52 percent think location poses a risk factor.

A company's main concern at this point "is reputation risk resulting from a data security or privacy breach by offshore partners," Ponemon said. "These companies are exploring technologies that allow for remote monitoring of data use and sharing," such as Vontu or IBM's new audit-manager tool.