How to keep data safe when outsourcing offshore

Computerworld - As U.S. businesses, policy-makers and security experts work to stem the tide of data thefts, an equal or greater vulnerability lurks overseas -- the level of network and physical security at outsourced operations of U.S. corporations.
Cheap labor and increased efficiencies continue to drive major U.S. companies to open and expand offshore operations throughout India, Southeast Asia and Europe. India's National Association of Software and Service Companies reported recently that India's outsourcing industry is creating jobs at the rate of nearly 100,000 a year, and its revenue is growing at more than 40% annually. Analyst firm Gartner Inc. estimates that global spending on offshore outsourcing services will top $50 billion by 2007.
Many of these outsourced operations involve handling and processing customer transactions and sensitive personal information, exposing outsourcing facilities to the same risk of data theft occurring domestically. As U.S. companies increase operations abroad, many aren't ramping up IT or physical security measures at these locations to manage that growth.
In order to prevent data breaches on the magnitude of what has occurred in the U.S., companies must implement strategies to ensure that the same security standards that they place on their corporate data are being required of companies they partner with across the globe to process their customers' financial and personal information.
Several factors magnify the risk of data thefts occurring at outsourcing locations. First, when it comes to outsourcing, U.S. privacy legislation is quite lax relative to European Union regulations. Here, U.S. privacy protections effectively end at the border, placing the onus squarely on the shoulders of the U.S. company if a data breach occurs offshore.
In sharp contrast, European consumers are afforded considerably greater protection by an EU law that permits personal data to be sent offshore only to countries whose privacy laws have been deemed to provide equivalent privacy protection and that have been found to have strong enforcement capabilities.
Similarly, some of the leading outsourcing destinations, such as India, China, the Philippines, Malaysia and Pakistan, lack sufficient privacy legislation. For example, the University of California, San Francisco, Medical Center had a contract with an in-state company to transcribe the dictated notes of doctors and other health care providers. The company, Transcription Stat in Sausalito, Calif., subcontracted the work to a Florida firm that then subcontracted it to a Texas outfit that ultimately hired someone in Pakistan to transcribe the notes, according to the university. Last fall, the medical center received an e-mail from the Pakistani transcriber claiming that she had not been paid and