Do you know where your X-rays, medical files, tax returns, police records, birth records, credit card numbers, bank account numbers, and social security number are?
Companies claim that they would never outsource their own data security operations, but they don't bother asking us what we think of the outsourcing of personal security information. Any time sensitive data is shipped outside an organization—whether it's outsourced within the U.S. or sent abroad—there is necessarily an elevated risk of accident or mischief.
- Employees working for vendors have fewer incentives to value the relationship with the customer.
- Criminal gangs in offshoring countries have attempted to bribe employees to divulge customer information.
- The incidence of corruption is significantly higher in many low-wage offshoring countries than in the U.S.
- The security of offshore computer networks has been found to be weak.
Concerns about security breaches aren't hypothetical:
- A subcontractor from Pakistan, hired to perform medical transcription, threatened to post private medical records from the Medical Center at the University of California-San Francisco on the Internet if the contractor that hired her initially did not pay her what she was owed.1
- In another case, Indian workers tried to extort money from a U.S. medical transcription company.2
Of course, non-American employees are neither more nor less trustworthy than their U.S. counterparts. Rather, American laws covering privacy do not extend beyond our borders, and many of the countries receiving sensitive data have weaker laws or less stringent law enforcement. And while companies are in principle responsible for any misuse of data by a contractor, making a legal case could be virtually impossible.
So, what can we do about it?
>> Ahead to "Your Approximate Wait Time Is . . . Forever"
1David Lazarus, “Looking Offshore: Outsourced UCSF Notes Highlight Privacy Risk,” San Francisco Chronicle, 3/28/04.
2David Lazarus, “Extortion Threat to Patients’ Records,” San Francisco Chronicle, 4/2/04.
