Grassi: U.S. Offshoring of Personal Data Grows

[Guest guest]

http://www.federalobserver.com/archive.php?aid=9909

 

Grassi: U.S. Offshoring of Personal Data Grows

 

By Diane M. Grassi

 

According to the Identity Theft Resource Center in San Diego, CA there

have been close to 60 reported security breaches of customer financial

information from United States corporations thus far in 2005,

involving 13.5 million customers' identities. The companies include

Choicepoint, Inc., Bank of America Corp., Wachovia Corp., Ameritrade

Holding Corp., DSW Shoe Warehouse, Time Warner Inc., LexisNexis and

most recently Citbank Financial Group. While most lost data has

involved data storage tapes lost in transit by courier services or

UPS, others involved computer security breaches. And as corporate

America looks for ways to shore up its security problems rather than

face the wrath of Congress, an even more unwieldy problem is brewing

abroad.

 

As holes still exist in protecting the personal information of both

customers and employees of corporations in the United States, many of

these same corporations, which include the largest financial

institutions and two of the three credit reporting agencies, have

offshored information technology units which include-back office

functions from customer service to software development and engineering.

 

Yet American customers or consumers are never informed whether or not

their personal information and credit history is being offshored, as

it is not required by U.S. corporations to do so. Coming to light is

that various U.S. government programs and states are utilizing more

and more offshore subcontractors in addition to those corporate

entities which indirectly do business with the U.S. government. But

unknown to the American consumer or taxpayer is the threat of theft of

an individual's identity and financial resources which remain largely

unprotected without the ability to enforce U.S. law on foreign land.

 

Accounting firms are offshoring IRS tax preparation. The U.S

Department of Agriculture defers to the states to run food stamp

programs, with as many as 43 states offshoring call-centers to India

even though federal law dictates that only U.S. government workers

should handle the job. The Health Insurance Portability &

Accountability Act (HIPAA) which protects the health information of a

patient and prevents healthcare companies from selling such

information to third parties such as telemarketing firms, does not

limit nor prohibit the transfer of information to overseas locations

for third party subcontracted services. And many public and private

hospitals are sending diagnostic radiology work to India with no law

requiring notification to patients that a radiologist in India,

unlicensed in the U.S., is reading x-rays and diagnosing illnesses and

injuries. Known as " ghosting, " U.S. certified radiologists oversee

radiologists in India while x-rays are electronically transmitted.

Initiation of regulatory controls is only now in the beginning stages

to ensure doctors performing such work are properly trained.

 

As overseas contractors and subcontractors are outside the

jurisdiction of U.S. consumer privacy laws that protect medical and

financial information in the U.S., corporations have little recourse

in the outsourced host country if a violation of security or theft

occurs. India's IT Act of 2000 does not address the issue of privacy

protection and regulation of the use of data. It only covers

unauthorized access and data theft directly from computers and

networks. Indian law does not cover data interception and computer

forgery or fraud at all and no legal remedies in India yet exist for

such enforcement.

 

In the U.S., the Gramm-Leach-Bliley Act of 1999 which applies to

financial institutions as well as accounting firms engaged in the

practice of tax preparation requires that firms design, implement and

put safeguards in place in order to maintain protection of customer

information. In addition, such companies must provide their customers

with a privacy notice that details the company's

information-collection and information-sharing practices giving the

customer the right to " opt-out " and limiting the sharing of such

information. Yet to date the Federal Trade Commission has not levied

any punishment or fine on any U.S. accounting firm with regard to

overseas outsourcing practices and the lack of notification of such to

customers. A growing trend in the legal profession is the overseas

outsourcing of paralegal services including legal research. Some of

the country's largest law firms are utilizing such services. According

to John Halvey of New York-based Milbank, Tweed, Hadley & McCoy, " I

can't think of a recent deal we did that didn't have an offshore

component. " But issues of attorney-client privilege create limitations

on what may or may not be outsourced by a law firm, especially without

the consent of law firm clients.

 

While the U.S. federal government invests more resources into

tightening security in a post-9/11 world, multi-national corporations

put the U.S. infrastructure at greater risk through offshoring

maintenance and development. There are very few areas of information

technology which do not impact the operation of infrastructure in the

U.S., which in some ways have direct implications on homeland

security. Financial and accounting institutions have now been joined

by software programmers maintaining operations for U.S. based health

care providers, airlines, railroads, power companies and defense

contractors, all of which subcontract offshore.

 

Outsourcing computer networks offshore creates an immediate liability

as there no longer is direct company control of data due to dependency

on service providers abroad with neither the outsourcing vendor nor

the outsourcing client knowing the exact path the data takes. For

example, AT & T's switched network carries economic, financial and

military communications, which accounts for a great deal of the

foundation of U.S. infrastructure, and relies on programming and

maintenance from engineers offshore. Pacific Gas & Electric of

California, one of the U.S. companies responsible for maintaining and

upgrading the U.S. electrical grid, outsources to a dozen offshore

subcontractors, with the largest one in Thailand.

 

Although there are bills pending in several states that would prohibit

overseas outsourcing, one would be apt to think that such would be

ripe for federal legislation, yet so far there has been little

attention given these issues in either the 108th Congress or the

present 109th Congress. Congressman Edward Markey (D-MA) recently

appealed to the Internal Revenue Service to hold the tax return

preparer responsible when a foreign person hired by a U.S. firm

violates the protections which restrict unauthorized disclosure or

misuse of personal information as contained in Sections 6713 and 7216

of the Internal Revenue Code. And Senator Hillary Rodham Clinton

(D-NY) is calling for federal legislation which gives the " patient the

right to know " that x-rays or other private healthcare information are

being outsourced to countries outside of the U.S.

 

With offshoring by the U.S. showing no signs of slowing down in the

near future, and with no " safe harbor " requirements in existing law

offshore, it remains extremely difficult to prosecute security

breaches within the confines of the U.S. justice system. Approximately

85 percent of U.S. critical infrastructure is owned by private,

non-government businesses which have some component of their business

being outsourced, admittedly with focus on profits and losses more of

a priority than homeland security for these companies. In this respect

lawmakers are behind the curve in protecting the interests of

Americans. Yet it behooves and is incumbent upon the U.S. government,

the legal community and privately held entities to join together in

order to mandate protection for the best interests of the U.S and

preserve the identities and economic health of the American people.

 

Diane Grassi can be reached for comment at dgrassi

 

The Grassi Archive on The Federal Observer