Protecting Privacy and Providing Security: A Case of Sensible Outsourcing
Date: November 08, 2004Source: The Heritage Foundation
By:
... the EU countries can then be processed in India.
In addition, the National Association of Software and Service Companies (NASSCOM), a major representative of software and service companies in India, has been advocating that Indian regulations should also meet U.S. industry specific requirements (e.g., the Health Insurance Portability and Accountability Act) as well as state laws. To improve the perception of security and the willingness to prosecute computer crimes, NASSCOM has also helped to establish designated cybercrime sections within police departments in which specially trained investigators focus solely on computer crimes.
In the absence of a stronger protections regime, foreign outsourcing customers have had to incorporate their privacy and data security requirements into a legally binding contract with Indian vendors. Contracts with U.S. outsourcers frequently specify New York as the controlling jurisdiction and require insurance, which is usually provided by a U.S. carrier. Contract remedies for breaches may be problematic, however, because determining an appropriate remedy or damage amount is frequently difficult.
The Next Steps
India’s current laws regarding electronic commerce, copyright and patent protection, identity theft, privacy, and cyberterrorism must be strengthened. Revising the Information Technology Act of 2000 must be a priority, but more also needs to be done.
As promising as the growth of the Indian BPO sector and the effort of IT companies to perform due diligence in protecting information and ensuring continuity of service has been, more needs to be done for India to fulfill its potential as a global economic and security partner. According to the Financial Times, direct foreign investment in India is “anaemic,”—$4 billion compared to $50 billion for China.[14] The lack of foreign investment has hamstrung India’s efforts to expand and update its infrastructure, modernization that is critical to spurring further economic expansion. In large part, the lack of investment reflects the absence of reform in the Indian economy outside the IT sector. According to the 2004 Index of Economic Freedom, “the government continues to restrict 700 sectors to small-scale industries, preventing larger companies from taking advantage of economies of scale.”[15] Trade barriers and excessive regulation discourage overseas private investment. Additionally, artificial barriers that keep U.S. goods and services out of Indian markets have slowed the growth of robust U.S.–Indian partnerships. India should adopt reforms to reduce government regulations and liberalize its protectionist trade polices to encourage more foreign investments. A wave of bold reforms on the part of India would do much to strengthen U.S.–Indian economic ties, undercut unwarranted criticisms about outsourcing, and reduce concerns about potential security risks from BPO activities.
In turn, the United States should put in place the right framework to take full advantage of opportunities offered by Indian BPO companies. In particular, Congress should facilitate a predictable business environment that will ensure that overseas companies will not be unfairly discriminated against based on unwarranted security concerns. For example, Congress should remove Section 835 “Prohibition on Contracts with Corporate Expatriates” from the Homeland Security Act.[16] DHS should have the power to award contracts to any company that can perform services effectively, efficiently, and securely. Meanwhile, DHS and other federal agencies that may wish to outsource homeland security work overseas should establish programs similar to the Department of Defense’s National Industrial Security Program, in order to provide BPO companies with clear guidance about the requirements and standards for performing security-related services.[17]
What the U.S. Government Should Do
India’s efforts to become a “trusted provider” of IT services are laudable. They have established the foundation for mutually beneficial economic and security partnership, one that could serve as a model for U.S. cooperation with other developing nations. More must be done, however, to fully exploit the potential of U.S.–Indian cooperation. While India should continue its efforts to create a strong privacy regime for all information being processed within the country, the U.S. government should:
* Consider outsourcing data processing where possible, but also be careful to choose companies (and countries) that will provide the most security value for the money spent;
* Outsource data processing where appropriate, but ensure that the BPO vendor and the country meet stringent privacy standards; and
* Eliminate regulatory barriers that impose unwarranted prohibitions against outsourcing.
Conclusion
The goal of increasing domestic security and protecting the privacy of U.S. citizens should not be an obstacle to strengthening economic ties with the developing world. Rather, market forces and sensible outsourcing can be used both to promote better global security practices and to encourage economic growth.
Add comment
Email to a Friend
