If it’s important for Americans to know that a cell phone is “Made in China,” shouldn’t the federal government also require companies to disclose to customers that their mortgage-loan application or insurance claims will be “Serviced in India”?
Since the Depression era of the 1930s, the federal government has required, with some exceptions, that products made overseas carry a country-of-origin label (COOL). No one would dispute that the proponents of these rules sought to protect American manufacturers against the onslaught of inexpensive foreign imports. Yet, the Smoot-Hawley Tariff Act not only elicited retaliatory measures, it backfired and prolonged the Depression. While tariffs were discredited, the familiar country labels remain in use to this day. In September, the federal government began requiring COOL stickers on many types of imported meat and seafood, not as a protectionist move but as a consumer protection due to recent scares regarding mad cow disease and mercury poisoning.
A “Serviced in India” label isn’t likely to become a U.S. law during the Bush administration, but that alone shouldn’t prevent U.S. companies from voluntarily disclosing the location of globally delivered services. Studies indicate that American customers, lacking knowledge of offshore data-handling procedures, fear the unknown. A study published in September by Managing Offshore and Call Center Magazine revealed that 56% of consumers and 59% of business customers believe that their personal data is at a higher risk of danger when it is handled by an offshore (rather than an onshore) customer-service center. According to that study, more than one quarter of corporations do not reveal service-delivery locations to customers who ask direct questions about it, while nearly half will only disclose information if asked.
Yet in cyberspace, where there are no tell-tale accents, data management is far less transparent to customers. Offshore business-process outsourcing is no longer sporadic; contact centers that field requests via e-mail, Web forms, or even chat rooms can be located nearly anywhere. A new Managing Offshore study reveals that despite ongoing customer concerns, few leading corporations in America use privacy policies to disclose to their customers or business prospects the details of their offshore services. What are the ramifications of this white lie writ large? There is significant evidence to suggest that this policy of sweeping offshoring under the rug is unsustainable. Here’s why:
Opacity vs. Audacity
In Don Tapscott and David Ticoll’s book, The Naked Corporation, transparency is defined as the “accessibility of information to stakeholders of institutions, regarding matters that affect their interests.” The authors delineate between “active transparency,” where companies disclose information for strategic business purposes, and “forced transparency,” which is “done to corporations by stakeholders or the media.” Still, disclosure is seen as a difficult choice for corporations—like injecting yourself with a slight infection to prevent a more serious disease later. Few companies try a proactive approach to disclosure, even when their firm’s outsourcing providers are located in Bangor rather than Bangalore.
Eschewing the disclosure issue speaks volumes about corporate America’s ambivalence not only toward consumer fear of offshore outsourcing and its impact on jobs but also toward crafting policies that define a company’s role in the global economy. To some extent, U.S. citizens view corporations as creators of American jobs, while U.S. corporations are governed by a different mission: to compete and prosper in global markets. Even the so-called MNCs (multinational corporations)—often the largest or earliest adopters of globally delivered services—are no more likely to disclose offshoring than American start-ups.
Of course, the reasons many corporations keep offshoring quiet are well-documented and far from irrational: avoiding potential pitfalls ranging from bad press to possible consumer or union boycotts, or even damaging worker morale. Wall Street nevertheless encourages transparency; companies that reveal their global-service delivery initiatives are more likely to be rewarded (for cost-cutting zeal) rather than penalized by investors.
Yet the pressure to disclose, stemming from a loose confederacy of Democratic presidential candidates, CNN business anchors, consumer advocates, unions, various industry organizations, legislative bodies, or government agencies, has not been nearly enough to tip corporate policy. The tactics have involved wielding sticks rather than carrots. Sen. John Kerry, who has proposed a call-center-location disclosure law, famously chastised “Benedict Arnold CEOs” for offshoring jobs. Kerry’s attempt to legislate call-center-location disclosure (S 1873) has been referred to the Senate Commerce, Science, and Transportation committee.
“I would say 99.99% of the time there’s no disclosure made about where data is maintained or collected,” says Parry Aftab, a privacy attorney and member of TRUSTe’s board of directors. “The U.S. perspective has always been ‘we have no obligation to tell you anything other than as it impacts kids, cash, and kidneys’--children’s, financial, and health data. Aside from those three major areas in the U.S., we tend not to have legislation that protects privacy rights or information security.”
The privacy statements that financial-services companies are required to send to customers are uniformly vague about identifying globally delivered services. “If a company wants to offshore software maintenance, it’s their privilege; they are taking the risk,” notes Francoise Gilbert, a privacy attorney at the IT Law Group. “But when a company like American Express sends to someone my full American Express [card] number, my personal address, without asking my permission, I have a problem. I would love to see what they will be doing with the data if there is privacy breach and they have to do an SB-1386 (California Breach Notice Law) disclosure.”
American Express, one of the most globally savvy corporations, is careful to disclose in its online privacy policy that it “extends it privacy principles to our business relationships.” (The main idea behind this statement is to say, in essence, “Trust us to protect you. We’re a blue-chip company.”) While it should not come as a surprise to AmEx customers that the company distributes its workload globally, that detail is excluded from its American Web site, www.americanexpress.com. Yet, if you visit www.americanexpress.co.uk, you may peruse an entirely different disclosure, a more comprehensive one tailored to match European regulations.
In a brief section entitled “Information Processing and Global Data Transfer,” tucked inside its UK privacy policy, the company reveals that technical support and processing for its Web sites is conducted in “the United States, a country which does not have data-protection laws that are as comprehensive as the laws in the European Union.” Even more surprising is the simple admission in the next sentence, absent from its American counterpart: “American Express will also disclose to or access our information from other countries outside the European Union ....” In this case, “our information” possibly includes your information if you carry an AmEx card, and the “other countries” most likely include India. Why should Europeans be entitled to any greater disclosure than Americans?
