Offshoring
Question: Does Business Information Group offshore personally identifiable information? What are the dangers of doing so?
Response & Analysis:
Business Information Group does not store or process Personally Identifiable Information (“PII”) outside of the United States. PII is generally defined as any information that allows the identity of an individual to be directly or indirectly inferred, including any information that is linked or is linkable to that individual. Examples of PII used in applicant screening services include name, date of birth, Social Security number (SSN) and employment and/or educational history. If PII is lost, compromised or disclosed without permission, it could result in substantial harm, including financial loss and legal liability.
We may transfer PII to third parties outside of the United States or its territories only when it is necessary to obtain or verify information from international sources. This only occurs in cases where applicant/consumer has resided or has been employed internationally and only takes place when you request that we obtain or verify this information. In such instances, we send only the minimum PII necessary to complete the verification. We are committed to data security and the prevention of unauthorized access to PII, and have put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect.
But the release of PII to locations outside the United States greatly increases security risks and the potential for identity theft. Data is not typically offshored to countries with strong laws and extended data protections in place, like the United Kingdom, France or Switzerland. Instead, it is more likely to be sent to countries with less developed concepts of security that lack data protection. In 2011, the number of countries hosting organizations that fell victim to a data compromise increased by 50% from the prior year.1 And when it comes to the type of data compromised, a recent study shows that personal information comprised 95% of the records lost in data breaches, an enormous uptick from previous years.2
While data breaches and identity theft can occur in the United States, there are numerous laws and protections in place to mitigate the risks and provide recourse to an aggrieved consumer. Sending PII offshore, however, may negate the protections of our privacy, security, consumer protection and identity theft laws. There are numerous examples of data breaches and identity theft occurring in call centers in India, the Philippines and other countries commonly outsourced to and of PII being easily sold and used illegally. These risks exist even if the outsourced facility is a subsidiary of a U.S. company, as once data leaves the United States, many of the legal protections of U.S. laws disappear.
In addition, once data is in a foreign country, it may become subject to that country’s access and use. For example, intellectual property or trade secrets that are offshored may be subject to a foreign government’s reach and control; once the data leaves the United States, it may be out of the U.S. government’s jurisdiction and control. For decades, China has been accused by Western businesses and governments of not properly protecting foreign intellectual property and, in fact, of allowing it to be copied and claimed as Chinese intellectual property. China’s “weak legal environment” has been seen as permitting its government to intervene in the intellectual property rights (IPR) of others and helping its “own companies ‘re-innovate’ competing IPR as a substitute for foreign technologies.”3
1 Verizon RISK Team, “2012 Data Breach Investigations Report,” (2012), p. 12.
2 Verizon RISK Team, p. 42.
3 Adam Segal, “China’s Innovation Wall: Beijing’s Push for Homegrown Technology,” Foreign Affairs (published by the Council on Foreign Relations), September 28, 2010.
All Rights Reserved © 2017 Business Information Group, Inc.
This document and/or presentation is provided as a service to our customers. Its contents are designed solely for informational purposes, and should not be inferred or understood as legal advice or binding case law, nor shared with any third parties. Persons in need of legal assistance should seek the advice of competent legal counsel. Although care has been taken in preparation of these materials, we cannot guarantee the accuracy, currency or completeness of the information contained within it. Anyone using this information does so at his or her own risk.