Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud

By ANITA RAMASASTRY
Monday, Jul. 10, 2006

As I have detailed in several columns for this site, many security breaches and data thefts have recently occurred at companies and government agencies within the United States. In this column, I'll turn to another related, and also worrisome data security problem: Thefts of personal data that occur overseas or "offshore," as major American corporations outsource their data processing and customer service operations to other countries to cut costs.

I'll inquire whether U.S. customers have any legal recourse if they are victims of identity theft resulting from these security breaches. In addition, I'll argue that Congress should take a hard look at this problem - but I'll also suggest that, in the end, self-regulation by the multinationals that are outsourcing the data may be the best solution.

Recent Instances of Data Theft Relating to Outsourcing

According to a recent news report, in late June, an Indian employee working for an outsourcing firm in Bangalore -- India's high-tech capital -- allegedly stole $420,000 from the bank accounts of 20 customers of the British bank HSBC. The theft was brought to light when English customers complained about unauthorized money transfers made from their accounts between March and May 2006. An arrest was made after

HSBC Electronic Data Processing India , the outsourcing firm which handles the bank's "back-office" processing in India, discovered that one of its employees had improperly transferred "personal, security and debit card information'' to his co-conspirators.

This is at least the second major bank fraud reported by an outsourcing firm in India in less than a year. In August 2005, police in Pune arrested three former employees of Mphasis Ltd. for allegedly stealing approximately $350,000 from four Citibank customers in the United States. Mphasis is currently owned by a U.S. company, Electronic Data Systems (EDS).

Are these only two isolated instances? It seems not. In June 2005, an undercover reporter from the English tabloid newspaper The Sun offered to buy confidential customer data regarding thousands of bank accounts from an engineer employed at an Indian call center. The engineer promised him the data.

The incident led to a police investigation. In the end, several banks including Lloyds, Barclays, and HSBC were publicly embarrassed by this fiasco. The ease with which the reporter was able to procure supposedly confidential data indicated that reports of the HSBC and EDS thefts may be just the tip of the iceberg.

That shouldn't be surprising: The practical and legal backdrop here may lend itself to just this kind of incident. As customer data is transferred to computers and networks halfway around the world, it may be more difficult for companies to monitor what happens to that data. Moreover, in the countries where the data is processed or kept, data protection laws may be weak, and law enforcement may not have the resources to investigate instances of security breaches or data theft.

Why Congress Should Look at the Problem of Outsourcing and Data Theft

At this point, it is only prudent for Congress to examine the risks associated with the outsourcing of personal data. There may be ways to ensure that companies are vigilant when contracting with external companies to manage their data. In particular, Congress may wish to consider expressly requiring companies to ensure that they provide adequate safeguards when data is transferred offshore.

Current U.S.-law protections derive from customers' form contracts with companies. They also derive from the Federal Trade Commission (FTC)'s ability to initiate an enforcement action against a company that does not use adequate privacy or security measures when it outsources any of its data-related services. The FTC is empowered to act to address fraudulent or deceptive trade practices, and when companies claim to keep data secure as part of a privacy or security policy, but in fact do not, that may well count as deceptive, or even fraudulent, in the FTC's eyes.

In addition, the law imposes on a few industries -- such as health care and financial services - the duty to adequately maintain their computer security. But how this duty applies to offshore companies has yet to be determined. And many other industries that store customer data and may outsource data processing or customer service remain unregulated in this respect.

Finally, many states have laws in place that require companies to notify consumers in the event of a security breach. The problem, though, is that the company itself may not know of the breach until after the damage has been done - or may never learn of it. When customers learn of the breach, moreover, they may not know how far their information has traveled or when they may find themselves harmed because of identity theft.

By contrast, the European Union has a comprehensive data protection scheme in place. Under the EU Data Protection Directive, companies that handle data are prohibited from transferring it to another country that does not have "adequate" privacy laws in place.

In the U.S., however, there is no such broad legislative mandate. Because we believe in the free flow of information, companies can therefore choose to export our data wherever they choose. Would it be better if we adopted the European framework? Perhaps - but enforcement difficulties remain. Thus, even the European framework may not work in practice.

Why Self-regulation May Be the Best Answer

Ultimately, given the difficulty of policing activity offshore, companies' and countries' self-regulation and customer vigilance may be a more realistic (if not optimal) approach to the risks posed by outsourcing, than an attempt at a legislative solution.

This is an area in which an ounce of prevention is truly worth a pound of cure. With difficulties at every stage - detection, investigation, and punishment - the best way to address identity and data theft is to prevent them from happening in the first place.

Thus, companies may want to self-regulate. And countries that wish to attract outsourcing business may want to develop new security and privacy practices that are attractive to America businesses. In India, for example, so-called "business process outsourcing" (BPO) companies are reportedly developing their own data security certifying authority. This is being done at the initiative of an IT trade association, Nasscom. Fearing India would get a reputation for lax data security, Nasscom and the BPO companies are taking action so they can affirmatively promote the region as a safe place for data outsourcing. They are wisely working in the security area to turn a vulnerability into an asset and an advantage.

The body Nasscom is planning will set privacy and security standards for BPS companies that become members of the organization. Members will then be monitored to ensure they adhere to them. If the body discovers breaches, it will consider various sanctions including expulsion or referral to law enforcement.

American companies, on the other hand, may gain market advantage by either advertising themselves as companies who keep their data in the United States, or touting the fact that they work exclusively with offshore affiliates that have been certified by organizations such as Nasscom in India.

More generally, customers and investors need to demand that companies who hold their data keep it safe - even when it leaves U.S. cyberspace. Though self-regulation appears to be the best solution, it costs money, and companies may be loath to do it unless consumers and investors stress that, to them, it's a priority.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.

Ads by FindLaw