The Rational Outsourcing Blog

Wednesday, January 24, 2007

Reprise: Consumer privacy protection and outsourcing to India

It really is a small world! I was talking to a friend on Sunday and it turns out she is an active volunteer for the Privacy Rights Clearinghouse. She had been a victim of identity fraud and speaking with her gave me a better appreciation for what the Privacy Rights Clearinghouse was talking about in the Statement on Outsourcing and Privacy. For example, my friend had her information stolen by an employee of a hospital she visited. She actually had to privately track down the person who had stolen her information. I can see how this would have been more difficult if the thief had been in a foreign country. However, I do believe that outsourcing if done right would actually improve privacy protection rather than harm it.

For example, a significant part of basic data-entry in the US is done by temporary workers or high school graduates who do not see data-entry as a career path. On the other hand, a BPO in India typically employs people with some or significant college education, who expect to have a career in the BPO industry. Thus, I believe these Indian workers have less of an incentive to break the law. If crime rates are anything to go by, an Indian college graduate is far less likely to commit a crime than a young American earning close to minimum wage.

My friend did raise an interesting argument that an Indian worker earns significantly less than an US worker and thus may be more tempted to carry out identity theft. I actually disagree with this for several reasons:
  • We should consider the lifestyle that the salary can purchase, not just the dollar amount. While Americans earning close to minimum wage struggle to feed their families, Indian BPO operators earn enough that they have significant disposable income. In many cases they earn significantly more than their parents did. In general, a young Indian fresh out of college actually sees a BPO job as a somewhat good life and most of them are focused on the prize of being promoted to management and achieving a better life than the vast majority of Indians. An American making close to minimum wage certainly does not see his job as a path to the good life.
  • In both India and the US identity theft is not prosecuted as aggressively as it should. Many US companies do not conduct sufficient background checks on their employees. Indian companies face a different problem in that it is more difficult to carry out formal background checks in India. However, in India two factors ameliorate this problem. First, most BPO operators are recruited / recommended by an existing employee. In some BPOs I felt like they had recruited away entire classes from certain universities! These strong peer bonds serve as informal background checks as well as a strong inhibitor for illegal activities. Second, Nasscom, the association of Indian BPO vendors, has been aggressively pushing for stricter information security laws and a national database of certified operators.
    The new National Skills Registry (NSR) is backed by Indian IT trade association Nasscom and was set up following a series of customer data breaches at offshore call centres last year. The NSR, set up by Nasscom and the National Securities Depository, is a centralised database that will store information about each IT worker's educational and professional background. Biometric technology will be used to verify the identity of individuals. [from a silicon.com story]
    This database is still in its infancy and only about 30% of the industry’s total workforce registered with it in the first nine months [See this Indian Express story for details] but this is already better than what you would expect in the US where it would be very difficult to set up such a registry.
  • Moreover, generally information security is the lifeblood of a BPO vendor. Even one information security problem could completely ruin its reputation and subject it to severe financial liability to its customer. As such, BPO vendors tend to be far more careful about information security and put in far better safeguards than most US firms. For examples of what Indian BPO vendors are doing to improve data security, see the “Indian BPO providers tighten data security” story from SearchDataManagement.com:
    Take a look inside a typical BPO outfit, "where you will find airport-style frisking at the entrance a routine," said Raghu Iyer, a Bangalore-based call center worker. Agents (BPO workers) are required to surrender everything they carry, like mobile phones, PDAs, pens, notebooks and even tissue papers, which could enable smuggling data.

    Access to personal e-mail accounts is not allowed and firewalls block access to any Web site not necessary for work. At the end of the day, workers have to shred notes of conversation with customers, and workers are forbidden from socializing with non-employees during work hours. Visitors are required to seek permission and are required to sign a document of non-disclosure as well. "Above all these measures, with closed-circuit TV cameras watching your every move, the job of a typical BPO worker has never been so suffocating," Iyer added.

    It may be uncomfortable for many workers, but "BPO firms have little choice but to follow more quality checks and more auditing, and impose more regulations that could be demanded by their customers," said Sudhin Apte, country manager of Forrester Research Inc.

In conclusion, I believe information security is stronger in a leading Indian BPO than in most US companies. As such, organizations such as Privacy Rights Clearinghouse may actually find that their privacy goals are better met when companies outsource their processes to leading Indian BPOs than when they keep these processes in-house. The major caveat here of course is that the BPO contracts have to be structured appropriately, the BPO vendor’s information security procedures have to be carefully evaluated, and the final BPO decision has to be based on Total Cost of Ownership (including expected PR expenses and regulatory risk stemming from potential information security breaches) rather than just labor cost.

Labels: ,

0 Comments:

Post a Comment

<< Home