[Med-privacy] InformationWeek: Prove It's Secure
DPeelMD@aol.com
Tue, 16 Mar 2004 00:11:18 EST
Prove It's Secure
Legislators want CIOs and service providers to show that customer data sent
overseas is as safe as it is at home
By Paul McDougall, InformationWeek
March 15, 2004
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=18400011
Offshore-outsourcing opponents have, for the most part, focused their
criticism on the number of U.S. jobs lost to overseas workers. Now some people are
urging limits on the practice because they claim it threatens consumer privacy.
California state Sen. Liz Figueroa last week said she would propose
legislation prohibiting the movement of Californians' medical and financial data
overseas unless she receives assurances that strong privacy safeguards are in place.
Concerns range from overseas call-center workers being able to view or
manipulate personal records stored in U.S. data centers to having databases of
information on U.S. citizens physically located in a foreign country and operated
by a third party. "Outside the U.S., medical privacy doesn't really mean
anything," Figueroa contends.
Figueroa, who chairs California's Senate Select Committee on International
Trade Policy and State Legislation, says she's concerned that a growing number
of U.S. medical and financial-services firms are shifting information-processing
work to lower-wage countries that lack tough privacy laws, leaving consumers
vulnerable to identity theft and other crimes. Figueroa, who authored
California's medical-records privacy law, considered by many to be the strongest in
the nation, also is sponsoring bills to require California employers to notify
the state and employees if they plan to move 20 or more jobs overseas and to
prohibit state contracts from being fulfilled offshore.
Figueroa's plan, and similar ones in other states, are evidence that
politicians are looking closely at the growing practice of sending work offshore. Her
proposal, if enacted, would be among the first to significantly affect
businesses' offshore IT practices. Most other efforts to restrict offshore
outsourcing seek to block federal or state contracts from going overseas. Offshore
business-process-outsourcing services, which, unlike application development,
typically require the transfer of personal data, grew 38% last year to just under $2
billion, according to Gartner. The research firm says most of that work was
performed in India.
[Photo caption: State Sen. Figueroa says she wants to protect Californians' privacy.]
At the federal level, Sen. Dianne Feinstein, D-Calif., asked the U.S.
Comptroller of the Currency earlier this month to investigate whether banks that
process customers' financial data offshore have safeguards to protect that data
from unauthorized use. In Arizona, proposed legislation would bar companies from
shipping financial data outside the country without written permission from
consumers. A proposal in South Carolina would prevent companies from giving
"financial, credit, or identifying information" to a call-center representative
abroad without the individual's written permission.
The legislative efforts worry private-sector executives who are counting on
offshore operations to lower their costs. "The right balance is to let the
consumer decide," says Chris Larsen, CEO of E-Loan Inc.
The online lender is testing a program that lets customers choose to have
their mortgage applications processed here or by a service provider in India,
which cuts two days off the processing time. Since the test launched March 1, 85%
of customers who've applied have chosen the offshore option. "People
understand what they're doing and the consequences in terms of jobs," Larsen says.
Larsen, who testified before Figueroa's committee last week, says consumers
will trust companies that are up-front about their outsourcing and privacy
policies. E-Loan uses IPSec and ISO 17799 security standards to protect data lines
that connect its Pleasanton, Calif., systems to offices of outsourcing vendor
Wipro Technologies in India. Wipro agreed not to subcontract any of the work,
and its employees can view customer information but can't access data files
to make changes or copies.
Some IT executives aren't convinced that privacy can be guaranteed in
offshore settings. "It's a risk factor," says Tom Tabor, CIO at medical-insurance
provider Highmark Inc. Tabor says that's one reason his company hasn't outsourced
much of its business-process work, though he notes that privacy violations
can happen "anywhere in the world, including the U.S."
At a committee hearing last week, Figueroa cited a highly publicized case
last year of a Pakistani contract worker upset about back pay who threatened to
divulge data about patients at a San Francisco hospital that sent its
transcription work abroad. Officials at the UCSF Medical Center, the target of the
Pakistani worker, told Figueroa's committee that it has changed its practices in
order to reduce the potential for similar actions in the future. Among other
things, the hospital now prohibits vendors from using subcontractors without
prior agreement.
Privacy advocates contend that contract language and security technology
aren't enough to protect the confidentiality of personal data that's been moved
offshore. Beth Givens, director of the Privacy Rights
Clearinghouse, told Figueroa's committee that many of the countries in which
medical and financial data are processed don't have enforceable privacy laws.
"It's questionable if even the most ironclad contracts are able to overcome
the fact that data processing is occurring outside the U.S. legal and regulatory
infrastructure," Givens said.
The United States actually is far behind many other countries, including
those in the European Union, in legislating privacy, says William B. Bierce, an
attorney with Bierce and Kenerson P.C. The EU requires "adequate protection"
before data can be shipped to an outside country.
The National Association of Software and Service Companies, a trade group
that represents Indian services firms, is lobbying for India to provide privacy
protections that meet EU standards, though a proposal is still being developed.
But Bierce believes a company that does due diligence to hire a reputable
service provider can be confident its data is protected.
[Photo caption: E-Loan CEO Larsen says consumers will trust companies that explain their
outsourcing and privacy policies.]
"Technology allows you to have the same security measures applied independent
of geography," he says.
Still, the message from lawmakers such as Figueroa to companies that use
offshore labor is clear: ensure privacy, or expect rules to keep the work at
home.
--with Thomas Claburn