[ISN] Risky Business? How Multinationals' Outsourcing Involving Customer Data Can Lead to Identity Theft and Other Fraud

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 01:09:07 PDT


July 10, 2006

As I have detailed in several columns for this site, many security 
breaches and data thefts have recently occurred at companies and 
government agencies within the United States. In this column, I'll turn to 
another related, and also worrisome data security problem: Thefts of 
personal data that occur overseas or "offshore," as major American 
corporations outsource their data processing and customer service 
operations to other countries to cut costs.

I'll inquire whether U.S. customers have any legal recourse if they are 
victims of identity theft resulting from these security breaches. In 
addition, I'll argue that Congress should take a hard look at this problem 
- but I'll also suggest that, in the end, self-regulation by the 
multinationals that are outsourcing the data may be the best solution.
Recent Instances of Data Theft 
Relating to Outsourcing

According to a recent news report, in late June, an Indian employee 
working for an outsourcing firm in Bangalore -- India's high-tech capital 
-- allegedly stole $420,000 from the bank accounts of 20 customers of the 
British bank HSBC. The theft was brought to light when English customers 
complained about unauthorized money transfers made from their accounts 
between March and May 2006. An arrest was made after

HSBC Electronic Data Processing India , the outsourcing firm which handles 
the bank's "back-office" processing in India, discovered that one of its 
employees had improperly transferred "personal, security and debit card 
information'' to his co-conspirators.

This is at least the second major bank fraud reported by an outsourcing 
firm in India in less than a year. In August 2005, police in Pune arrested 
three former employees of Mphasis Ltd. for allegedly stealing 
approximately $350,000 from four Citibank customers in the United States. 
Mphasis is currently owned by a U.S. company, Electronic Data Systems 

Are these only two isolated instances? It seems not. In June 2005, an 
undercover reporter from the English tabloid newspaper The Sun offered to 
buy confidential customer data regarding thousands of bank accounts from 
an engineer employed at an Indian call center. The engineer promised him 
the data.

The incident led to a police investigation. In the end, several banks 
including Lloyds, Barclays, and HSBC were publicly embarrassed by this 
fiasco. The ease with which the reporter was able to procure supposedly 
confidential data indicated that reports of the HSBC and EDS thefts may be 
just the tip of the iceberg.

That shouldn't be surprising: The practical and legal backdrop here may 
lend itself to just this kind of incident. As customer data is transferred 
to computers and networks halfway around the world, it may be more 
difficult for companies to monitor what happens to that data. Moreover, in 
the countries where the data is processed or kept, data protection laws 
may be weak, and law enforcement may not have the resources to investigate 
instances of security breaches or data theft.

Why Congress Should Look at the Problem of Outsourcing and Data Theft

At this point, it is only prudent for Congress to examine the risks 
associated with the outsourcing of personal data. There may be ways to 
ensure that companies are vigilant when contracting with external 
companies to manage their data. In particular, Congress may wish to 
consider expressly requiring companies to ensure that they provide 
adequate safeguards when data is transferred offshore.

Current U.S.-law protections derive from customers' form contracts with 
companies. They also derive from the Federal Trade Commission (FTC)'s 
ability to initiate an enforcement action against a company that does not 
use adequate privacy or security measures when it outsources any of its 
data-related services. The FTC is empowered to act to address fraudulent 
or deceptive trade practices, and when companies claim to keep data secure 
as part of a privacy or security policy, but in fact do not, that may well 
count as deceptive, or even fraudulent, in the FTC's eyes.

In addition, the law imposes on a few industries -- such as health care 
and financial services - the duty to adequately maintain their computer 
security. But how this duty applies to offshore companies has yet to be 
determined. And many other industries that store customer data and may 
outsource data processing or customer service remain unregulated in this 

Finally, many states have laws in place that require companies to notify 
consumers in the event of a security breach. The problem, though, is that 
the company itself may not know of the breach until after the damage has 
been done - or may never learn of it. When customers learn of the breach, 
moreover, they may not know how far their information has traveled or when 
they may find themselves harmed because of identity theft.

By contrast, the European Union has a comprehensive data protection scheme 
in place. Under the EU Data Protection Directive, companies that handle 
data are prohibited from transferring it to another country that does not 
have "adequate" privacy laws in place.

In the U.S., however, there is no such broad legislative mandate. Because 
we believe in the free flow of information, companies can therefore choose 
to export our data wherever they choose. Would it be better if we adopted 
the European framework? Perhaps - but enforcement difficulties remain. 
Thus, even the European framework may not work in practice.

Why Self-regulation May Be the Best Answer

Ultimately, given the difficulty of policing activity offshore, companies' 
and countries' self-regulation and customer vigilance may be a more 
realistic (if not optimal) approach to the risks posed by outsourcing, 
than an attempt at a legislative solution.

This is an area in which an ounce of prevention is truly worth a pound of 
cure. With difficulties at every stage - detection, investigation, and 
punishment - the best way to address identity and data theft is to prevent 
them from happening in the first place.

Thus, companies may want to self-regulate. And countries that wish to 
attract outsourcing business may want to develop new security and privacy 
practices that are attractive to America businesses. In India, for 
example, so-called "business process outsourcing" (BPO) companies are 
reportedly developing their own data security certifying authority. This 
is being done at the initiative of an IT trade association, Nasscom. 
Fearing India would get a reputation for lax data security, Nasscom and 
the BPO companies are taking action so they can affirmatively promote the 
region as a safe place for data outsourcing. They are wisely working in 
the security area to turn a vulnerability into an asset and an advantage.

The body Nasscom is planning will set privacy and security standards for 
BPS companies that become members of the organization. Members will then 
be monitored to ensure they adhere to them. If the body discovers 
breaches, it will consider various sanctions including expulsion or 
referral to law enforcement.

American companies, on the other hand, may gain market advantage by either 
advertising themselves as companies who keep their data in the United 
States, or touting the fact that they work exclusively with offshore 
affiliates that have been certified by organizations such as Nasscom in 

More generally, customers and investors need to demand that companies who 
hold their data keep it safe - even when it leaves U.S. cyberspace. Though 
self-regulation appears to be the best solution, it costs money, and 
companies may be loath to do it unless consumers and investors stress 
that, to them, it's a priority.


Anita Ramasastry is an Associate Professor of Law at the University of 
Washington School of Law in Seattle and a Director of the Shidler Center 
for Law, Commerce & Technology. She has previously written on business 
law, cyberlaw, and other legal issues for this site, which contains an 
archive of her columns.

Copyright 1994-2006 FindLaw

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 01:29:04 PDT