ALARMED: The Offshore Sniff Test

It all started with Dr. Seuss. I was on the phone with my bank, trying to order new checks, and I asked whether they had any Dr. Seuss designs.

Dr. who?

It was a pretty clear tip-off that the party to whom I was speaking, who had access to every intimate detail of my bank accounts, was not in the United States. Feeling a bit sorry for someone who had grown up without the Grinch & Co, I asked him where he was. It was like the teller window slammed shut. He should not, would not tell me where. He could not that small detail share. Corporate policy, you know.

Nobody ever asked me whether I wanted my financial information sent outside the United States. After all, I might have said no. There's a tremendous amount of concern right now about the risks of having personal information, especially financial information, shipped overseas and processed by the lowest bidder. Sending data offshore introduces cultural, geographical and most of all legal complexities to keeping the information secure and private.

But the real problem, it turns out, isn't that having your data sent offshore is intrinsically any less safe than keeping it in the United States. It's that companies feel the explicit need not to tell you what they're doing. The privacy they're most worried about protecting is their own.

E-loan seems to be the one small exception. The Pleasanton, California-based online lending company gives customers not only the knowledge that their loans could be processed offshore, but also the option not to participate.

Starting last March, E-loan began offering some applicants for home equity loans faster processing time - about 10 days instead of 12 - if they agreed to have their applications processed in India rather than in the United States. The company emphasizes that its outsourcing partner is "bound by strict privacy and security standards" and follows the international ISO 17799 guideline for security.

And you know what? Eighty-nine percent of customers have taken the bait.

Now, the company has instituted a similar policy for auto loan processing being done in the Philippines. This time, there's no incentive, but chief privacy officer Tess Koleczek says the company is discussing ways to pass on savings to customers.

Koleczek says public reactions to the outsourcing options have run the gamut, from, "'Hey, that's great'" to "pure hostility - 'you unpatriotic SOBs.'" And over the past months, she has reached her own conclusions. Chief among them: Much of the uproar over the privacy problems of offshore outsourcing is nothing but a "scare factor."

"I think some of the [concern about] data protection is just a smokescreen for the job loss," Koleczek says. "What they're doing [at our outsourcing company] in India is almost unheard of in the United States as far as the protection of information."

It's a fair point. After all, one of the most infamous database break-ins of the last year was at Data Processors International, which processes credit card transactions in Omaha, Nebraska - smack dab in the middle of the good ol' US of A. Being in the United States hardly makes a company secure.

Mind you, the threat is real. "Privacy is a serious risk" when it comes to offshore outsourcing, says Chris Jay Hoofnagle, associate director of the Electronic Privacy Information Center, a consumer advocacy group. "But I will acknowledge that it has become a Trojan horse for job concerns. Some people are raising privacy concerns for illegitimate reasons, and others are raising it for thoughtful reasons."

Politics are just distracting us from what's most important. As Hoofnagle points out, the question we should be asking from a privacy perspective is not whether information should go overseas. It's which companies will best protect sensitive information, regardless of their location.

But as long as companies insist on keeping customers in the dark about what they're doing, I don't think we'll ever get a good answer to that question. In other words, it will not, cannot, turn out right. Unless they all turn on the light.

"Alarmed" is a semi-regular column about security and privacy.

Stories by Sarah D. Scalet
