Data Security Across International Borders
View
Surveys of US consumers show deep concern about their privacy and the security of their personal information. Anecdotes abound of the cost of identity theft to innocent consumers: dramatic losses of time, creditworthiness and money, along with secondary losses such as sleep and relationships. The Internet spans the world and can deliver data in seconds to any location. In this environment, consumers often can only conduct after-the-fact damage control in the face of determined fraudulent attacks. While much attention has been paid to the web as an open field on which consumers and criminals operate virtually shoulder-to-shoulder, another area of risk exists within the business community.
The availability of trained IT professionals in foreign countries with significantly lower compensation requirements has accelerated outsourced, offshore IT activities in the last few years. The recent US economic recession, increased business competition, perceived past IT failures and inefficiencies, and higher IT costs relative to other organizational areas have motivated organizations to consider and use these offshore resources for a range of IT projects, including software development, testing, maintenance and administration. Generally these activities require local or remote access to the data on which the applications will operate. This access provides offshore IT personnel with the information necessary to do their jobs. Access can be either remote over the Internet or local to copies of data shipped to the offshore IT site.
Research into various leading public companies has surfaced anecdotal cases in which remote access to, and remote replication of, sensitive data warehouse information takes place. In some cases, the IT representatives interviewed claimed the data was encrypted. In other cases, the data was not encrypted. In all cases, a certain amount of trust concerning security between a corporation and its offshore IT development partner was required for a successful relationship.
Organizations intent on utilizing these resources need to carefully evaluate the security and risk management plans and operations necessary to mitigate any additional data security risk, especially to their customers. Not doing so places unfair and likely unexpected risk on the organization's customers. All aspects of the offshore IT site must be considered, including the security of computer systems; data development and management processes; management, development and administrative personnel; organization; facilities; international law; local law enforcement; and the political backdrop.
Recommendation
The guidance from Ventana Research on this topic is: (1) organizations must take steps to assure that data security in offshore locations presents no greater risk than that of on-shore, in-country locations, and (2) customers of organizations that actively ship customer data offshore should know the whereabouts of their personal information and the associated risks.
Assuring secure offshore access to confidential information is not just a technical challenge. It is also a legal and business challenge, because the information is more than likely mission-critical to the corporation from which it comes. Organizations should recognize that US laws on data privacy (e.g., HIPAA) are not necessarily supported by other countries' governments.