
Outsourcing your personal information

With the advance of web and telecommunication technologies, outsourcing or offshoring IT and information systems became a popular business practice. Companies that used to have their offices and partners in a single country suddenly had IT and trade partners thousands of miles away on a different continent. Cost savings and cheap manual labor were among the prime motivations behind outsourcing becoming a common business practice. Destinations like India, China, the Philippines and so on became popular IT outsourcing hubs. While outsourcing IT did have cost benefits for the companies, it also meant that the organizations had to send all their customer data and the company’s private information to those outsourcing destinations. The information shipped to workers at these outsourcing vendors included sensitive medical information, bank account numbers, social security numbers, stock holdings, credit card numbers and so on. Consequently, it became essential for companies with an offshore outsourcing strategy to ensure that their overseas outsourcing partners were contractually bound to safeguard data security.

Some of the interesting laws regulating outsourcing deals of business processes

Different nations have taken different approaches to data privacy. The European Union has laws that strictly limit the processing and transfer of all personal data. The USA has laws that limit a company’s ability to process data when that processing might create the possibility of harm to personal information. When data is transferred to another country for processing, such as to an outsourcing vendor, the company must consider how the laws (or lack of laws) in the other country may affect the processing and its rights with respect to the information.

C-level executives and privacy audits

To take care of privacy issues in outsourcing, many companies have started appointing a C-level executive (Chief Privacy Officer) to develop policies, educate staff and ensure compliance with privacy laws in an outsourcing agreement. These CPOs are highly paid by the corporations and combine a unique set of legal, marketing and IT skills. In addition to hiring CPOs, organizations hire auditors to audit the privacy practices in the outsourcing contract as well as on the vendor side. Typically, a privacy audit involves an outside firm reviewing a company’s policies and procedures for handling sensitive data. Since much company data is now stored electronically, responsibility for enforcing privacy audits falls on the CIO. Auditors generally check how and where the data is stored, how data is transferred from the outsourcing vendor to the client and back, whether the data is vulnerable to leaks or theft, and whether the practices of vendor employees in handling the data conform to the client company’s privacy policies or industry standards.

Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles (GAPP) provides criteria and related information for protecting the privacy of personal information. GAPP can be used by CPAs in the USA and chartered accountants in Canada, both in private practice and in industry, to guide and assist the organizations they serve in implementing privacy programs in business processes. GAPP was developed from a business perspective and takes into account some, but by no means all, significant local, national and international privacy regulations. It contains guidance that any organization can use to develop sound third-party management policies and procedures.

Analysis of the Satyam Computer Services (SCS) fraud case

There have been many cases where the privacy of data has been threatened by situations that arose on the outsourcing vendor’s side. One recent example is that of Satyam Computer Services (SCS), one of the top IT outsourcing vendors in India. In early 2009, SCS collapsed after the company’s chairman Raju resigned, having committed a financial fraud of $1.5 billion. At its peak, SCS had over 650 global companies as clients (185 of which were “Fortune 500” corporations) from a variety of industries, such as automotive, banking and finance, insurance, healthcare, manufacturing and telecommunications. As soon as the fraud was declared, many US companies that were clients of SCS began withdrawing their outsourcing contracts with Satyam, fearing that Satyam would not continue serving their IT systems, which posed a threat of loss of critical customer information as well as a complete cessation of the client’s IT operations. Major companies that decided to withdraw their contracts included Coca-Cola, State Farm Insurance and the World Bank.

The interesting aspect of the SCS case was that SCS followed (or at least claimed to follow) all kinds of privacy auditing policies so that, even while based in India, it could show its global customers that it was taking care of privacy issues. To ensure that a high standard of audits was followed, SCS had hired PricewaterhouseCoopers (PwC) as its auditor. However, the investigation into the Satyam fraud later found that the PwC auditors had not only failed to detect the flaws in SCS’s financial statements but were also not following US auditing standards. The privacy audits conducted by PwC were based on the laws and regulations followed in India rather than on standards such as GAPP followed in the USA. This posed a serious threat to US and UK companies that had Satyam as their outsourcing vendor. Fearing that their critical customer and other information might be at risk, the US clients of Satyam decided to end their contracts with SCS immediately after they learned of the fraud.

In my opinion, outsourcing deals and contracts need to be framed with the utmost care by the companies. It is better if the client appoints its own auditing firm instead of leaving responsibility for audits to the vendor. The interesting thing in the Satyam fraud case is that even the auditing firm was in India, so the auditors at that firm might not have been aware of the GAPP followed in the USA or Canada. Had the clients sent their own auditors to conduct privacy audits at SCS, they might have been more confident about the security of their data, and maybe the fraud would have been detected much earlier than it actually was. Another important observation from the SCS fraud case is that when a client abruptly ends its deal with an outsourcing vendor, it not only incurs serious financial losses from the sudden cessation of its IT operations but also has to bear the cost of finding another vendor. If the client decides to adopt a non-outsourcing business model, it has to bear the costs of building its own IT infrastructure, bringing back all the critical data from the previous outsourcing vendor and hiring new IT employees.


Comments

  1. HWei | March 17, 2010 at 1:07 am

    As I know, when each outsourcing project kicks off, a contract about information privacy is required to be signed between the outsourcing company and the client. So this issue may be difficult to avoid. But it seems it could be avoided. Perfect contract is a good medicine to it. Right?

  2. Akshay Bhagwatwar | March 17, 2010 at 1:17 am

    Thanks for the comment Hong Wei.

    Having a perfect outsourcing contract is surely the key. The interesting thing here is even though the practice of outsourcing is not really novel now, organizations haven’t yet perfected it. There are numerous cases where outsourcing contracts have been broken for some reason or the other. I think one of the reasons for this is the rapid advance in computer and telecommunication technology. Outsourcing contracts often span multiple years, sometimes even a decade. Now during these years, there is a lot of progress in the telecommunication and IT sector. So the privacy rules and regulations that were framed during the contract writing get outdated pretty soon. I think the way privacy audits are conducted and the carefulness with which amendments to the outsourcing contracts are made must be the key to the success of outsourcing arrangements.
