Is Outsourced Data Secure
The CPA Journal
There has been considerable debate over whether companies can ensure data security and privacy when they outsource services to offshore providers. U.S. laws that protect information and safe-guard privacy do not have extraterritorial jurisdiction, which means that, as off-shoring proliferates, U.S. corporations are becoming increasingly dependent on foreign laws to protect their interests. The out-sourcing and offshoring of financial and professional services have raised ethical questions regarding integrity, objectivity, disclosure, and client confidentiality; for example, as laid out by Steven Mintz in "The Ethical Dilemmas of Outsourcing" (The CPA Journal, March 2004). The security of outsourcing is relevant to an increasing number of corporations. NelsonHall's study, "Global BPO Market Forecast: 2008–2012," predicts that business process outsourcing (BPO) will generate $450 billion in revenue globally by 2012. The financial services and government sectors are expected to continue to be the leading sectors for BPO services, followed by defense, healthcare, pharmaceutical, and transportation. While industry-specific middle-office BPO and finance and accounting (F&A) outsourcing services are expected to dominate the field, recruitment process outsourcing, HR services, and customer management services are expanding within the BPO domain. Specifically, of all finance and accounting domains outsourced, few are as complex or comprehensive as tax management. Professional services such as tax return preparation have been widely offshored to foreign locations such as India, raising questions about the security of confidential client information (Robert W. McGee, "Ethical Issues in Outsourcing Accounting and Tax Services," working paper, 2005, ssrn.com/abstract=648766). Critics of offshoring express concerns about the risk of posting confidential client information such as Social Security numbers to an overseas provider's website (Some AICPA members have argued, however, that concerns regarding the confidentiality of data are unfounded, insisting that reputable third-party service providers use security measures that far exceed those applied by many U.S. accounting firms (AICPA, "Comment Letters in Response to Ethics Division Exposure Draft on Outsourcing," 2004). Outsourcing service providers claim that their facilities can provide high levels of protection, operating in a secure, paper-less environment. Service providers say they greatly minimize the risk of data tampering and identity theft through measures such as prohibiting personal documents or effects in production facilities, banning removable media devices on staff computers, limiting the storage of client data on hard drives, restricting employee access to the Internet, and signing nondisclosure agreements (AICPA 2004). To explore the validity of these claims, the authors interviewed managers of three leading service providers of finance and accounting outsourcing services based in India. The interviewees provided detailed accounts of the systems and procedures their companies have in place to ensure the security of client data.
Desai, Renu and McGee, Robert W., "Is Outsourced Data Secure" (2010). HCBE Faculty Articles. 744.