By ANITA RAMASASTRY
July 10, 2006
As I have detailed in several columns for this site, many security
breaches and data thefts have recently occurred at companies and
government agencies within the United States. In this column, I'll turn to
another related, and also worrisome, data security problem: Thefts of
personal data that occur overseas or "offshore," as major American
corporations outsource their data processing and customer service
operations to other countries to cut costs.
I'll inquire whether U.S. customers have any legal recourse if they are
victims of identity theft resulting from these security breaches. In
addition, I'll argue that Congress should take a hard look at this problem
- but I'll also suggest that, in the end, self-regulation by the
multinationals that are outsourcing the data may be the best solution.
Recent Instances of Data Theft Relating to Outsourcing
According to a recent news report, in late June, an Indian employee
working for an outsourcing firm in Bangalore -- India's high-tech capital
-- allegedly stole $420,000 from the bank accounts of 20 customers of the
British bank HSBC. The theft was brought to light when English customers
complained about unauthorized money transfers made from their accounts
between March and May 2006. An arrest was made after
HSBC Electronic Data Processing India, the outsourcing firm which handles
the bank's "back-office" processing in India, discovered that one of its
employees had improperly transferred "personal, security and debit card
information" to his co-conspirators.
This is at least the second major bank fraud reported by an outsourcing
firm in India in less than a year. In August 2005, police in Pune arrested
three former employees of Mphasis Ltd. for allegedly stealing
approximately $350,000 from four Citibank customers in the United States.
Mphasis is currently owned by a U.S. company, Electronic Data Systems
Are these only two isolated instances? It seems not. In June 2005, an
undercover reporter from the English tabloid newspaper The Sun offered to
buy confidential customer data regarding thousands of bank accounts from
an engineer employed at an Indian call center. The engineer promised him
The incident led to a police investigation. In the end, several banks
including Lloyds, Barclays, and HSBC were publicly embarrassed by this
fiasco. The ease with which the reporter was able to procure supposedly
confidential data indicated that reports of the HSBC and EDS thefts may be
just the tip of the iceberg.
That shouldn't be surprising: The practical and legal backdrop here may
lend itself to just this kind of incident. As customer data is transferred
to computers and networks halfway around the world, it may be more
difficult for companies to monitor what happens to that data. Moreover, in
the countries where the data is processed or kept, data protection laws
may be weak, and law enforcement may not have the resources to investigate
instances of security breaches or data theft.
Why Congress Should Look at the Problem of Outsourcing and Data Theft
At this point, it is only prudent for Congress to examine the risks
associated with the outsourcing of personal data. There may be ways to
ensure that companies are vigilant when contracting with external
companies to manage their data. In particular, Congress may wish to
consider expressly requiring companies to ensure that they provide
adequate safeguards when data is transferred offshore.
Current U.S.-law protections derive from customers' form contracts with
companies. They also derive from the Federal Trade Commission (FTC)'s
ability to initiate an enforcement action against a company that does not
use adequate privacy or security measures when it outsources any of its
data-related services. The FTC is empowered to act to address fraudulent
or deceptive trade practices, and when companies claim to keep data secure
as part of a privacy or security policy, but in fact do not, that may well
count as deceptive, or even fraudulent, in the FTC's eyes.
In addition, the law imposes on a few industries -- such as health care
and financial services -- the duty to adequately maintain their computer
security. But how this duty applies to offshore companies has yet to be
determined. And many other industries that store customer data and may
outsource data processing or customer service remain unregulated in this
Finally, many states have laws in place that require companies to notify
consumers in the event of a security breach. The problem, though, is that
the company itself may not know of the breach until after the damage has
been done - or may never learn of it. When customers learn of the breach,
moreover, they may not know how far their information has traveled or when
they may find themselves harmed because of identity theft.
By contrast, the European Union has a comprehensive data protection scheme
in place. Under the EU Data Protection Directive, companies that handle
data are prohibited from transferring it to another country that does not
have "adequate" privacy laws in place.
In the U.S., however, there is no such broad legislative mandate. Because
we believe in the free flow of information, companies can therefore choose
to export our data wherever they choose. Would it be better if we adopted
the European framework? Perhaps - but enforcement difficulties remain.
Thus, even the European framework may not work in practice.
Why Self-regulation May Be the Best Answer
Ultimately, given the difficulty of policing activity offshore, companies'
and countries' self-regulation and customer vigilance may be a more
realistic (if not optimal) approach to the risks posed by outsourcing,
than an attempt at a legislative solution.
This is an area in which an ounce of prevention is truly worth a pound of
cure. With difficulties at every stage - detection, investigation, and
punishment - the best way to address identity and data theft is to prevent
them from happening in the first place.
Thus, companies may want to self-regulate. And countries that wish to
attract outsourcing business may want to develop new security and privacy
practices that are attractive to American businesses. In India, for
example, so-called "business process outsourcing" (BPO) companies are
reportedly developing their own data security certifying authority. This
is being done at the initiative of an IT trade association, Nasscom.
Fearing India would get a reputation for lax data security, Nasscom and
the BPO companies are taking action so they can affirmatively promote the
region as a safe place for data outsourcing. They are wisely working in
the security area to turn a vulnerability into an asset and an advantage.
The body Nasscom is planning will set privacy and security standards for
BPO companies that become members of the organization. Members will then
be monitored to ensure they adhere to them. If the body discovers
breaches, it will consider various sanctions including expulsion or
referral to law enforcement.
American companies, on the other hand, may gain market advantage by either
advertising themselves as companies who keep their data in the United
States, or touting the fact that they work exclusively with offshore
affiliates that have been certified by organizations such as Nasscom in
More generally, customers and investors need to demand that companies who
hold their data keep it safe - even when it leaves U.S. cyberspace. Though
self-regulation appears to be the best solution, it costs money, and
companies may be loath to do it unless consumers and investors stress
that, to them, it's a priority.
Anita Ramasastry is an Associate Professor of Law at the University of
Washington School of Law in Seattle and a Director of the Shidler Center
for Law, Commerce & Technology. She has previously written on business
law, cyberlaw, and other legal issues for this site, which contains an
archive of her columns.
Copyright 1994-2006 FindLaw