Tuesday, May 31, 2005

Offshore Firms Handling US Privacy Data


(Picture credit http://www.esecretary.net)
In early May, I noted Northwestern Mutual's new policy of shipping customer data overseas. The announcement, made at Gartner's Outsourcing Conference, noted that offshore contractors would have access to sensitive customer data in order to facilitate greater cost savings.

Security measures?

...Beyond secure lines and dumb terminals, the company insisted that Infosys put additional physical security measures in place. A guard is posted on the floor of the Infosys facility where Northwestern Mutual's work is performed, and employees aren't allowed to take any documents or media with them after they clock out...


Offshoring Management notes, as we did, that Northwestern Mutual has not notified customers of their new data-sharing practices:

...Northwestern’s terminals are even more restrictive than the terminals of yesteryear. They do not allow users to alter, record, or print the data they see on their monitors. The Indian workers are connected to Northwestern’s servers in Milwaukee via high-speed lines. They can monitor and test the company’s applications and perform maintenance operations but they can’t record or manipulate sensitive client data. Northwestern’s CIO Barbara Piehler told TechWeb that the company came up with the plan because it was not maximizing its savings from offshoring. As part of the plan, IT service workers are not allowed to take any documents or media with them at the completion of their shift, so the company also requires its contractor, Infosys, to post guards on the floors where its sensitive applications are serviced. Northwestern does not inform its customers that their personal information is being viewed by IT workers a world away. “It’s just the way we do business now,” Ms Piehler told the publication.


Northwestern Mutual still teeters on the precipice of a major security debacle. Consider a malicious employee at the offshore firm who is able to record U.S. identity data (SSN, name, birth date, etc.) using pen and paper, secrete it on their person and then sell it.

Short of cavity searches for all of the outsourcers, identity theft from these venues is all but certain.
 
