Overseas Outsourcing Leads To Identity Theft Risks
By Antone Gonsalves
As business process outsourcing to low-wage countries increases, so does the concern over protecting data.
Personal information contained in patient medical records and income tax documents heading to India or Pakistan must be protected against thieves who would use it to fraudulently obtain credit, merchandise and services under someone else's name.
Identity theft is expected to cost consumers, businesses and government organizations $221 billion in losses worldwide in 2003, according to market researcher Aberdeen Group. Worse yet, those losses are escalating at a jaw-dropping 300 percent compound annual growth rate, and could reach $2 trillion by the end of 2005.
Call centers comprise a large portion of the business process outsourcing market. By 2007, 5 percent of an estimated 4.78 million agent positions worldwide will be located in countries outside a company's home, according to a recent study by analyst firm Datamonitor.
Increasingly, however, companies with facilities overseas are contracting with U.S. hospitals, accounting firms and insurance companies. The services these outsourcers provide include tax preparation, processing of insurance and medical claims and transcribing dictation from doctors relating to all areas of the health-care process, from patient visits to surgical procedures.
Such activities involve sending personal information to foreign countries, which adds to the difficulty of guarding against identity theft. After all, most experts agree that security in protecting data is only as strong as the weakest link.
"The weakest point in the chain -- and that can be anything from a human problem, to a data problem, to an encryption problem, to a policy problem, to a customer service problem -- can jeopardize the security of your system," said Benjamin Jun, vice president of Cryptography Research, a San Francisco security consulting firm.
Contractors to the financial, insurance and medical industries insist that their foreign operations are as secure as in the U.S.
"If the processes and systems are identical, then the security should be identical," David Wyle, chief executive of tax preparer SurePrep LLC in Newport Beach, Calif., said.
In general, overseas facilities in countries where cut-rate work enables outsourcers to offer services at half the cost of similar work in the U.S. are often referred to as "paperless environments." This means workers enter the office without any writing materials, or handbags and briefcases that could be used to sneak out documents.
"Basically, they walk in to the office with the clothes on their back, and that's it," Mark Albrecht, chief executive of Xpitax LLC in Braintree, Mass., said. Xpitax contracts with a third party for facilities in Chennai, India.
Computers used within these offices do not have hard drives or the ability to copy information to floppy disks or CDs. There are no printers, and workers often use dual screens, particularly in tax preparation, where they call up the source material on one screen, and fill out the forms on the other. Source material is view-only, and filled-out forms can only be filed into the facilities' central servers, or sometimes to data centers located in the U.S.
Clients usually are provided the software to encrypt and upload their data to the contractor's server via file transfer protocol. Information moving between the U.S. and overseas facilities is usually over virtual private networks.
Despite these precautions, which have become commonplace in the industry, problems can occur.
A Pakistani medical transcriber last year threatened University of California, San Francisco, Medical Center with posting patients' medical records online. The home worker was upset over money she claimed was owed to her by a man who was a subcontractor of the subcontractor who worked for Transcription Stat, the Sausalito, Calif., firm hired by the hospital.
UCSF Medical Center, which has a "practice" of not sending transcription work to offshore companies, was unaware that patients' records were going overseas, a spokeswoman said. The Pakistani woman was paid some of what she claimed she was owed and no patient records were compromised.
David Stephens, vice president of sales and marketing for BPO Frontline Inc., Saratoga, Calif., insists that no reputable company with overseas facilities serving the financial and medical industries would use people working out of their houses.
"Once that data reaches someone's home, then they can do virtually anything they want with it," Stephens said. BPO, which provides medical transcription services, insurance claims processing and call centers, has facilities in the Philippines, Jamaica and India.
Nevertheless, Cryptography's Jun says the best protection against misuse of data sent overseas is a clear description of which company in the chain is liable for fraud that occurs in the process.
"If you recognize that a certain portion of the transaction is your responsibility and you're going to be left holding the bag if there's a problem, then you're going to do what you can to minimize that risk," Jun said.
Illegal recording of new films in movie houses is an example of the kind of problems that can occur when there is no liability, Jun said. Theater owners are not held accountable for movies recorded in their businesses, so there's no incentive to spend more money on security to catch people with video recorders in the back of the theater.
Before doing business with an offshore outsourcer, chief information officers should scrutinize processes to ensure the outsourcer is able to meet the same quality standards as if the work was done in-house.
In addition, the contractor has to prove it can protect data against unexpected disasters, such as earthquakes, power outages and major computer failures.
Finally, its data protection policies must encompass technology, people and facilities, because security is only as strong as its weakest link.