Consumer privacy protection and outsourcing to India

I recently came across a Statement on Outsourcing and Privacy to two California Senate committees by an organization called the Privacy Rights Clearinghouse. The statement starts with:

I do not want to infer that companies outside the U.S. are less capable of protecting records containing personal information. On the contrary, news accounts of several such offshore companies describe security practices that far exceed the privacy protection strategies of many U.S. businesses.

However, it then goes on to list several consumer protection concerns with offshore outsourcing. Generally, most people don’t realize that outsourcing contracts are rarely signed directly with an Indian company. Almost every outsourcing contract I have seen is set up with an US or UK domiciled company which is backed up by significant insurance coverage from a major insurer. In most privacy / information security situations, the real recourse is financial compensation via legal action. Because of the structure of these outsourcing relationships, there are sufficient assets that a litigant could go after in US courts even when the delivery happened from India.

However, let me comment on each of the concerns raised by the Privacy Rights Clearinghouse in order. [Please note that I am most comfortable talking about offshore outsourcing to India, but several of my comments are probably generally applicable. Disclaimer: I am not a legal expert and these are just my personal opinion.]

What recourse does an individual have if his/her personal information is handled improperly by an overseas company? Most countries to which data is being transmitted have no data protection laws on the books.

India does have several laws that address data protection and several more are in the works. Moreover, even “Undisclosed information and trade secrets” are protected under WTO-TRIPS (see Understanding the WTO for details) and India has to comply with TRIPS. Finally, the outsourcing industry is a powerful lobby in India and they have been pushing hard for stringent data protection laws to be enacted. In general, over time, a country like India which has a significant portion of its GDP and growth tied to information security is more likely to adopt stringent laws than even the United States.

If a U.S. law or regulation is violated, will the appropriate U.S. regulatory agency, such as the Federal Trade Commission or the Office of the Comptroller of the Currency, send investigators to the offshore company to conduct an investigation? Probably not likely.

If an US agency really needed to, they could probably collaborate with the appropriate Indian agencies and conduct such an investigation. For example, the US Food and Drug Administration (FDA) inspects medicine factories in India. Far more likely, US regulatory agencies could leverage India’s enforcement obligations under WTO-TRIPS, the 1999 US-India mutual extradition treaty and their 2001 Treaty on Mutual Legal Assistance in Criminal Matters to pursue the matter.

If an employee of an overseas company observes improprieties and wants to blow the whistle, who can he or she contact to file a complaint? And will that individual be protected by U.S. whistleblower laws? Again, not likely.

This is an excellent question and we should also consider the broader question of whether US style whistleblower protection is sufficient to promote the transparency we seek.
First, India does have an interim whistleblower protection mechanism in place and the government is under pressure from the Indian Supreme Court to rapidly enact a more extensive whistleblower protection law. [Note: Whistleblower laws are particularly American and they can actually run afoul of European privacy laws. See the Tip-line bind: Follow the law in U.S. or EU? story for an excellent example.]
Second, in general whistleblowers face severe harassment even when they are protected from being fired due to the US whistleblower laws. Data center employees earn so little each month that just protecting their jobs may not be sufficient incentive/protection for them to come forth and provide information against their employers. Anonymous tip lines on the other hand can easily become a medium for harassing people you don’t like and has a flavor of Soviet era anonymous tips that I don’t particularly like. Perhaps Indian outsourcing vendors and US outsourcing customers can set up a whistleblower fund for rewarding outsourcing employees who report problems that are eventually independently confirmed. Even a small financial incentive of a few thousand dollars would probably compensate these workers for lost wages and harassment due to their whistleblowing and would be more effective than US style whistleblower laws.

If an individual becomes a victim of identity theft and is able to trace the illegitimate access to his or her personal information back to an overseas company, can that individual attempt to take legal action against that company for its negligence? Technically perhaps, but realistically probably not. A bigger question is if the victim of identity theft would even be able to trace back to the source of the data breach. Not likely.

I am not sure I quite understand the premise of this question. Because of the focus on outsourcing, I am assuming the statement is referring to a situation when individual A shares private information with US firm B who outsources the processing of this information to Indian outsourcing vendor C. Whether or not firm B outsources the processing of this information, it would be almost impossible for individual A “to trace back to the source of the data breach” as they would violate information security and industrial espionage laws if they tried to do so independently. More likely, they would compel firm B to divulge the source of the data breach as part of a legal action. In any such legal action, they would merely sue firm B and gain compensation from them; why does it matter whether or not firm B outsourced to a vendor C? Remember, the only real remedy for the victim of identity theft is to sue for compensation. You would usually go after the US firm as that has the deeper pockets and was directly responsible for protecting your information.

How would California's law requiring that individuals be notified of security breaches involving sensitive personal information be promulgated and enforced if the illegitimate access to computer files were to occur in an offshore company? (California Civil Code section 1798.82-1798.84)

Outsourcing vendors have to comply with a raft of US laws such as GLB, HIPAA, etc. They are enforced via contractual agreements between the customer and the vendor.

How will U.S. companies be able to prevent overseas firms from subcontracting the work to other companies who then subcontract it to yet others? In a widely reported incident, a subcontractor in Pakistan threatened to expose the personal information contained in the medical records she was transcribing if she were not paid what she was due. (David Lazarus, "A tough lesson on medical privacy: Pakistani transcriber threatens UCSF over back pay," San Francisco Chronicle, October 22, 2003.)

Once again, subcontracting is preventable with proper contract design. Moreover, as discussed earlier, local authorities would prosecute such a person exactly the same way as US authorities.