Wednesday, August 18, 2004

Your Financial Secrets Are Being Sent Overseas

Your financial secrets are headed overseas
More credit, mortgage and tax files are being handled abroad. Nothing suggests your data are more vulnerable -- but an identity thief 10,000 miles away is virtually untouchable.
By Liz Pulliam Weston

Your best friend may not know how much you made last year or whether you’ve been late with a credit-card payment -- but an office worker in India might.Tax returns, mortgage applications, even credit-bureau files are among the sensitive financial data that cost-conscious American firms are quietly shipping overseas. Consider:
As many as 500,000 U.S. tax returns could be prepared in India next year, says tax outsourcing expert Gary Boomer of Boomer Consulting in Manhattan, Kan. That’s up from about 25,000 in the 2002 tax year and 100,000 for 2003. The individual and business returns come from a wide range of U.S. sources, from single-CPA offices to Big Four accounting firms, including Ernst & Young and Deloitte.
TransUnion, one of the three major credit bureaus, plans to send all consumer disputes to a processing center in India. The company expects a significant increase in such disputes as U.S. consumers take advantage of a new law requiring bureaus to provide free annual credit reports, and says outsourcing the work is its most cost-effective option. Rival bureau Equifax currently outsources some dispute work to Jamaica. Credit-bureau files contain some of your most sensitive financial data, including your Social Security number, credit account numbers, the amounts you owe and your payment history.
U.S. companies are expected to outsource $3 billion this year in such “business processing,” which also includes insurance-claims handling, transcription of personal medical files and credit-card processing, according to research firm Gartner. That total represents a 65% increase from the year before. India, the Philippines and China are among the countries taking on the bulk of this work.
The mighty buck vs. your privacyThe motivator is simple: Money. Overseas processors often can do the work for a fraction of what it would cost domestically.
Check out your options.Find the best ratebefore you borrow.
For example, an accounting graduate who would earn $3,750 a month working for a Big Four firm in the United States earns about $300 a month in India. That allows Indian companies to charge U.S. accountants $75 to $150 per return, Boomer said. The U.S. preparer can turn around and bill the client for two to five times that amount.And there’s no law that requires the U.S. accountant or firm to tell you that your return was prepared by someone else, let alone someone overseas. Likewise, most of the other business processing that’s handled abroad is done without the consumer’s knowledge or consent.Privacy experts are understandably concerned about the risks your data may face overseas. Some of their worst fears were realized last year when a Pakistani medical transcriber threatened to post on the Internet confidential patient files from a San Francisco hospital unless she was paid money she said she was owed. The transcriber quickly rescinded her e-mailed threat, and UCSF Medical Center fired the contractor who hired the subcontractor who was ultimately responsible for the Pakistani woman’s work. But the incident exposed the fact that the hospital wasn’t keeping track of exactly where its medical records were going or who had access to them.Limits to privacy protectionsOf course, whether your financial information is more vulnerable abroad than it is at home is an open question. Some of the foreign data processors have security systems that would put their American counterparts to shame.On a recent visit to Bangalore, New Delhi, Mumbai and other Indian cities, for example, Boomer, the CPA, saw guarded facilities that required fingerprint scans for employees to enter. Briefcases, purses and knapsacks weren’t allowed inside, he said, and the workers had no access to printers or the Internet. The computers they worked on even lacked hard drives, disk drivers or other removable media that could be used to store or transport information.“The places we saw had far more security,” Boomer said, “than any (U.S.) CPA firm you’d see.”But the fact remains that U.S. privacy laws aren’t enforceable overseas, and the few law enforcement resources devoted to identity theft here probably can’t be stretched to cover data-stealing in other countries.“If there is an identity theft case (abroad), there’s virtually no likelihood that there will be any investigation,” said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.Is the U.S. really any better?Of course, the chances an identity thief will be caught at home aren’t all that great, either. Just one in 700 U.S. identity-theft cases leads to a prosecution, according to a Gartner estimate. By comparison, FBI statistics show nearly half of all violent crimes were "cleared" in 2002 (i.e., someone was arrested and turned over for prosecution in 46.8% of the cases), while the clearance rate for property crimes was 16.5%.Meanwhile, many domestic businesses do a lousy job of protecting your information.Michigan State University professor Judith Collins studied more than 1,000 identity-theft cases where the thief was identified and prosecuted. She found that as many as 70% of those cases started with a crooked, usually low-level employee stealing personal data from a workplace such as a bank or health-care provider.Collins hypothesized that most identity theft is, in fact, an inside job. Of course, another interpretation of her findings is that insiders are easier for law enforcement to track and catch. Dumpster-divers and computer hackers may be much more difficult to find.But either way, her study vividly illustrates how sloppy many domestic firms are with their customers’ data. Dishonest employees often can easily access, copy and walk away with reams of confidential information that can be used to commit identity theft. Companies are frequently unwilling to invest in security measures such as encryption or restricted access based on fingerprint scans or other biometric identification. That’s starting to change, however, partly in response to a new California law that requires companies to tell customers when their private financial data has been illegally accessed. Rather than face public disclosure of hacking and other data theft, security experts say, more companies are now investing in ways to keep the data safe in the first place.Fessing up can be good for businessDisclosure is a solution that could work for offshore outsourcing as well.Instead of banning the practice, lawmakers could simply force companies that outsource to tell their customers and get their consent.Boomer believes accountants could disclose their outsourcing policies without alienating customers by stressing the benefits to those customers, such as faster processing times. (Indian firms processing U.S. tax returns often promise 24-hour turnarounds, even during the peak of tax season.)Honesty certainly has been the best policy for Internet lender E-Loan. Starting in February, the company gave home-equity borrowers the option of shaving two days off their loan-processing times if they would agree to let Indian workers handle their applications. A few borrowers insist on domestic processing, but E-Loan spokeswoman Laurie Azzano said fully 87% have opted for the faster offshore route.Knowing that your customers are going to hear about your outsourcing arrangements also could be a powerful motivator to make sure those arrangements are secure. Givens believes any firm that’s considering outsourcing should visit the country and company handling the contract, so they know exactly what’s happening with their data. U.S. companies need to know if there are safeguards in place -- or if a disgruntled worker in a makeshift home office abroad could cause them a scandal with a single e-mail.“It behooves U.S. companies that outsource to very carefully check out the companies they are outsourcing to,” Givens said. “I think that’s absolutely critical.”