Outsourcing jobs a security risk: US intelligence

Indian Express Newspapers (Bombay) Ltd ^ | March 20, 2004

[sarcasm]

ping

[GregoryFul]

I wonder how many back-doors are being inserted into computer software by our offshore programmers?

[angkor]

Not to mention that whenever customer data goes offshore, it's by statute no longer subject to the privacy and security laws of the United States, e.g., HIPAA regs no longer apply.

BTW, had a very frustrating discussion yesterday with my bank's customer service representative in (I suppose) Bangalore. The telltale Indian accent, overseas hiss on the line, slight delay in voice transmission.

She insisted I'd made an error in validating my account info (I hadn't) but refused to tell me what the problem was, and that "changes" had been made to my account but she couldn't discuss those either. When we finally got to the actual reason for my call, she couldn't explain the transaction in question nor where it came from.

Very helpful people. Not.

[HarryCaul]

Remember, the official line is 'there is no problem with outsourcing!'

[1rudeboy]

Not to mention that whenever customer data goes offshore, it's by statute no longer subject to the privacy and security laws of the United States, e.g., HIPAA regs no longer apply.

Source?

[tomball]

It is even worse when foreign conglomerates are allowed to buy up American businesses. There is one case where a foreign conglomerate bought an American company (building contractor). The American company changed its name 3 times over the course of a two year period. It bought over $100k worth of materials from a small business - then refused to pay for the goods - even tho there were signed contracts in agreement for the company to make their purchase. The American small business who had been around for more than 18 years was put out of business - completely.

A foreign company bought an American company only to put another small American company out of business. And they did it while working on American government contracts.

You would think that our government would find this to be a form of economic terrorism.

[neutrino]

How's this for starters? SOURCE

One can hardly expect U.S. statutes to apply to citizens and business entities of another sovereign nation, now, can they?

[neutrino]

Good article!

Gee, I wonder if our buddies the pakies would engage in a little corporate espionage? Nah, not them! They love us! (/intense sarcasm)

[1rudeboy]

One can hardly expect U.S. statutes to apply to citizens and business entities of another sovereign nation, now, can they?

Does the company do business in the U.S.? Back to Civil Procedure class, my friend.

[angkor]

Source?

I've posted a link to the exact, specific HIPAA subsection in previous threads, don't have the time to look for it again. Do a Google on "HIPAA outsourcing" and poke around, you'll find it.

HIPAA specifically and by statute allows "Covered Entities" (e.g., HMOs) to outsource medical records (for example), and the "Covered Entity" is thereafter not liable for privacy or security breaches made by the outsourcing vendor.

[neutrino]

Does the company do business in the U.S.?

The rules of civil procedure apply to civil cases. As I recall, the rules of venue specify that civil actions much be initiated in the same venue as the defendant. Which might be just the least bit problematic for one located in India.

And then we have to remember that the really big teeth are available through criminal prosecution. I wonder (even more) how one proposes to file criminal charges against an outsourcing company in New Delhi.

[1rudeboy]

Thanks for nothing.

[A. Pole]

While technology now allows companies to have their most sensitive proprietary computer code written overseas, he said the inability of companies to sufficiently vet the personnel involved in these activities can create a "significant vulnerability."

I am sure Chinese and Indian governments can do security clearances if asked.

Pointing out that collectors last year employed a wide variety of techniques in their quest to circumvent US restrictions in the acquisition of sensitive manufacturing processes

No problem. We are so creative that we will invent new technologies faster than they can steal. No need to cry over buggy whips.

[1rudeboy]

Likewise, a criminal act in the U.S. is prosecuted in the U.S. You might be able to argue that the crime itself did not occur in the U.S., but I suspect you'd rather do it here, instead of in front of a judge.

[neutrino]

Likewise, a criminal act in the U.S. is prosecuted in the U.S.

So, you suppose that India or China will let us extradite some local on the basis of a HIPAA violation? My, you are an optimist!

[angkor]

Thanks for nothing.

Gimme' a break.

[1rudeboy]

So, you suppose that India or China will let us extradite some local on the basis of a HIPAA violation?

Earlier, someone argued that the HIPAA cannot be "violated" overseas . . . I'd like to figure that out before getting into an argument with you.

Incidentally, if your medical records are stolen, do you think your lawyer will go after the medical-provider, or simply consult you to let the state prosecutor's office handle the case?

[1rudeboy]

No, I will not. I expect, on a discussion forum such as this one, that folks back-up their assertions . . . instead of giving me the on-line version of "the dog ate my homework."

[angkor]

So, you suppose that India or China will let us extradite some local on the basis of a HIPAA violation?

Not possible in any case since HIPAA specifically exempts third-party outsourcers and Covered Entities from breaches by the third-party outsourcer (unless the outsourcer is itself a Covered Entity, which most would not be).

In other words, there is no law under which an outsourcer can be prosecuted either here or abroad.