• United States



sarah d_scalet
Senior Editor

The Offshore Sniff Test

Dec 17, 20044 mins
CSO and CISOData and Information Security

It all started with Dr. Seuss. I was on the phone with my bank, trying to order new checks, and I asked whether they had any Dr. Seuss designs.

Dr. who?

It was a pretty clear tip-off that the party to whom I was speaking, who had access to every intimate detail of my bank accounts, was not in the United States. Feeling a bit sorry for someone who had grown up without the Grinch & Co., I asked him where he was. It was like the teller window slammed shut. He should not, would not tell me where. He could not that small detail share. Corporate policy, you know.

Nobody ever asked me whether I wanted my financial information sent outside the United States. After all, I might have said no. Theres a tremendous amount of concern right now about the risks of having personal information, especially financial information, shipped overseas and processed by the lowest bidder. Sending data offshore introduces cultural, geographical and most of all legal complexities to keeping the information secure and private.

But the real problem, it turns out, isnt that having your data sent offshore is intrinsically any less safe than keeping it in the United States. Its that companies feel the explicit need not to tell you what theyre doing. The privacy theyre most worried about protecting is their own.

E-loan seems to be the one small exception. The Pleasanton, Calif.-based online lending company gives customers not only the knowledge that their loans could be processed offshore, but also the option not to participate.

Starting last March, E-loan began offering some applicants for home equity loans faster processing timeabout 10 days instead of 12-if they agreed to have their applications processed in India rather than in the United States. The company emphasizes that its outsourcing partner is bound by strict privacy and security standards and follows the international ISO 17799 guideline for security.

And you know what? Eighty-nine percent of customers have taken the bait.

Now, the company has instituted a similar policy for auto loan processing being done in the Philippines. This time, theres no incentive, but chief privacy officer Tess Koleczek says the company is discussing ways to pass on savings to customers.

Koleczek says public reactions to the outsourcing options have run the gamut, from, Hey, thats great to pure hostilityyou unpatriotic SOBs. And over the past months, she has reached her own conclusions. Chief among them: Much of the uproar over the privacy problems of offshore outsourcing is nothing but a scare factor.

I think some of the [concern about] data protection is just a smokescreen for the job loss, Koleczek says. What theyre doing [at our outsourcing company] in India is almost unheard of in the United States. as far as the protection of information.

Its a fair point. After all, one of the most infamous database break-ins of the last year was at Data Processors International, which processes credit card transactions in Omaha, Neb.smack dab in the middle of the good ol U.S. of A. Being in the United States hardly makes a company secure.

Mind you, the threat is real. Privacy is a serious risk when it comes to offshore outsourcing, says Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center, a consumer advocacy group. But I will acknowledge that it has become a Trojan horse for job concerns. Some people are raising privacy concerns for illegitimate reasons, and others are raising it for thoughtful reasons.

Politics are just distracting us from whats most important. As Hoofnagle points out, the question we should be asking from a privacy perspective is not whether information should go overseas. Its which companies will best protect sensitive information, regardless of their location.

But as long as companies insist on keeping customers in the dark about what theyre doing, I dont think well ever get a good answer to that question. In other words, it will not, cannot, turn out right. Unless they all turn on the light.