Computer Crime Research Center


Protecting Privacy and Providing Security: A Case of Sensible Outsourcing

Date: November 08, 2004
Source: The Heritage Foundation
By: James Jay Carafano, Ph.D., and Paul Rosenzweig

Defending the nation against terrorists, promoting economic growth, and protecting constitutional liberties are all prerequisites for a sound homeland security strategy. At one time or another, outsourcing[1] has been labeled a threat to all three. These criticisms are simply overblown. In fact, if the U.S. partners with nations that share a commitment to the rule of law, transparency, and open competition, it can use sensible outsourcing to enhance the protection of the privacy of American citizens, promote better security practices, and contribute to economic prosperity. Effective outsourcing can provide both cost-effective services and appropriate protections for government and commercial activities supported by overseas vendors.

India is an example of an increasingly important strategic ally that has begun to develop the right capacities in its business process outsourcing (BPO) industry to be a good global economic and security partner. Administration policy should encourage closer cooperation on security issues and encourage India to expand its market reforms of the BPO industry to other economic sectors. Meanwhile, congressional legislation should encourage, not impede, the ability of the government and the private sector to get the best, most reliable and secure technology and services for the best price. Finally, the U.S.–India relationship should become a model for expanding economic and security cooperation between developed and developing nations.

Outsourcing and Security of Data and Services

The question of outsourcing and security received considerable public attention after the Department of Homeland Security (DHS) awarded a contract for US-VISIT (a project designed to monitor the entries and exits of non-U.S. citizens) to Accenture LLP, a U.S. subsidiary of a Bermuda-based corporation. Among the concerns raised was that data and processes managed by an overseas company might pose greater security risks. In a previous research paper, Heritage Foundation analysts argued that concern was simply unwarranted.[2] Outsourcing does not automatically increase the vulnerability of the United States, nor is outsourcing an economic threat.

The federal government and the Department of Homeland Security can and should award contracts to the companies that will provide them with the best security for value paid, regardless of where the work will be done. Protectionist policies only stifle innovation and increase costs. “Where the contract is fulfilled—whether in Boston, Britain, or Bermuda—does not necessarily add to or detract from the end goal of protecting America.”[3] Processing the data in the United States does not guarantee that the information will be safe. The proper way to protect privacy and to enhance security for both government and private sector programs is through stringent service and data protection requirements; choosing only companies that can satisfy all of these requirements while also expertly completing projects; and selecting companies with good management that operate in countries with strong rule of law. In short, both the public and private sectors can achieve the appropriate levels of privacy protection and reliability of service if they insist that contract work is conducted in countries that have a cooperative relationship with the United States across a broad spectrum of trade security initiatives.

It is particularly important that the U.S. government insist upon stringent security standards when dealing with sensitive or confidential information, whether the data regard national security concerns or the privacy of individual citizens. Physical security, data protection systems, robust law enforcement forensic capacity, audit and trace access to information systems, and strong legal protection are all important parts of that security. Any contract award that does not provide for these types of measures could compromise U.S. security, regardless of which company is awarded the contract or where the work will be done. On the other hand, engaging in mutually beneficial cooperative business ventures with companies in countries that meet appropriate criteria is simply sensible outsourcing.

India as a “Trusted Provider”

India’s potential as a global security and economic partner illustrates the potential and the challenges of intelligent outsourcing. Indian companies could potentially provide a variety of useful technologies and services. As one industry observer concluded:

The Indian BPO [business process outsourcing] industry has grown at a mind-boggling 60–70 percent annually, with revenues rising from US$565 million in 1999–2000 to almost $2.4 billion in 2002–2003. The projections look brighter too—employment of over a million people by 2006, up from the current 200,000. Revenues are estimated to increase to well over the current $2.4 billion mark by 2006.[4]

As Indian firms gain both greater expertise and market share in the BPO sector, they will have increasing capacity to meet the full range of U.S. service needs for both the government and the private sector.

India’s emerging approach to information security and critical infrastructure protection demonstrates how market forces can help to enhance both economic growth and security. As the market share devoted to offshore work has increased, data security has become a key focus of Indian information technology (IT) companies.

Information security can be broadly classified under network security (security of storage and transmission infrastructure), physical security (security of work areas, documents), personnel security (security against threat from employees), and business continuity and disaster recovery (contingency plans to retrieve information and prevent loss in the case of emergencies).[5]

Indian companies are increasingly providing all of these.

Because of concerns of companies and governments that are considering outsourcing, Indian businesses are under great pressure to adopt best practices and provide security environments equivalent to those of their competitors. As a result,

Measures taken by companies include complying with international security standards, establishing security policies, making provisions for security spending in the IT budget, among others. Larger companies have dedicated teams responsible for ensuring security, employ latest technologies, conduct security training and awareness programs, and form specific policies for personnel and physical security.[6]

Indian companies tend to allocate between 5 percent and 15 percent of their budgets for security.[7]

Indian network security involves basic technologies like antivirus and firewall software. In addition, if client requirements warrant them, advanced technologies such as intrusion detection systems, encryption, authentication, and access controls are used. Physical security at many Indian companies includes multiple-level physical access control systems, 24-hour security guards, and clear desk and clear screen policies.[8] Because most companies believe attacks are generated internally, personnel security involves a three-pronged approach: employee screening with background checks, training, and a robust disciplinary process. In addition, some Indian companies also have continuity and disaster recovery plans. Many industry members also have efficient security mechanisms and policies in place.

Most leading companies have very robust security practices. However, smaller companies have the basic technologies and policies in place, but are constrained by return on investment as far as investing in security is concerned.[9]

In addition to private sector initiatives to become a trusted outsourcing center by using best practices and international security protocols, the Indian legislature is also attempting to make the country more attractive to potential clients. In 2000, the legislature passed the Information Technology Act of 2000, which “covers only unauthorized access and data theft from computers and networks, with a maximum penalty of about $220,000, and does not have specific provisions relating to privacy of data.”[10] This fall, it is expected to take up legislation amending the 2000 Information Technology Act. The amendments will likely conform to the adequacy norms of the European Union’s Data Protection Directive[11] as well as U.S. Safe Harbor[12] privacy principles.

The EU Data Protection Directive prevents the transfer of personal data to non-EU nations that have not been certified as having adequate privacy protections. This directive relies on comprehensive legislation that requires, for instance, the establishment of government data protection agencies and registration of databases with those agencies. Because the United States takes a more segmented approach to privacy protection—relying on a mix of legislation, regulation, and self-policing—it had to develop a means for U.S. companies to comply with the EU directive. U.S. companies that use this Safe Harbor program are not hampered in their European operations. The program, which was approved by the EU in 2000, allows U.S. companies that enroll in the program to avoid delay in business dealings and prosecution under EU privacy laws. The companies are deemed to meet EU privacy standards.[13] If the Indian legislative changes meet the EU standards, India will become an even more significant source of data processing, as information about citizens of the EU countries can then be processed in India.
