www.sfgate.com Return to regular view
Clinton bill to regulate export of data overseas
David Lazarus
Wednesday, May 19, 2004
©2004 San Francisco Chronicle | Feedback | FAQ
URL: sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/05/19/BUGKO6MU1R34.DTL
A pair of bills has been introduced in Congress that should give hope to all those concerned about their personal information being exported abroad.
On the Senate side, Hillary Rodham Clinton, D-N.Y., has emerged as a leading champion of privacy rights. Her bill, an amendment to S1637, would require U.S. companies to notify customers about any personal info going overseas and to allow customers to "opt out" from the practice.
Clinton's bill also would hold U.S. companies liable for the actions of their overseas contractors, thus providing consumers with a much-needed avenue of recourse should data go astray.
"I'm particularly concerned about medical and financial information," Clinton told me. "We are in danger of ceding much of our privacy."
In the House of Representatives, meanwhile, Ed Markey, D-Mass., has introduced legislation that also requires companies to notify customers about any personal info heading abroad. But Markey's bill goes a step further than Clinton's.
It too would give consumers an opt-out privilege for data going to any nation deemed by the Federal Trade Commission to provide "adequate and enforceable privacy protections."
At the same time, though, Markey's bill, HR4366, would require companies to seek customers' permission -- to ask them to opt in -- before sending data to any nation lacking the FTC's seal of privacy approval.
"Offshoring is like a Trojan horse that will ultimately devastate the privacy of American consumers," he said (and, yes, he saw "Troy" just the other day).
Both Clinton's and Markey's bills were prompted by worst-case scenarios that originally came to light in this column.
One involved a clerical worker in Pakistan who threatened to post UC San Francisco Medical Center's patient records online unless she received more money. She withdrew her threat last October after being paid off by another subcontractor handling UCSF's confidential files.
Another case that same month involved an Ohio medical-transcription company that received an extortion threat from workers in India. The workers were quickly arrested by Indian authorities, but the U.S. firm, Heartland Information Services, never bothered to inform clients about the incident.
Clinton said she frequently uses the example of the Pakistani transcriptionist when she speaks in public on privacy issues. "Every time I tell people what happened," she said, "they're appalled."
Her interest in this issue represents a particularly formidable challenge to all those who are keen to see outsourcing expand, no matter what the implications for U.S. consumers.
"I've already been the recipient of objections from some foreign countries," Clinton said. She declined to name the countries but acknowledged that these are places with a vested interest in the outsourcing boom.
Clinton also said her bill is fiercely opposed by the financial services industry, which knows that informing customers about personal data going abroad, not to mention being liable for the actions of overseas partners, would make such outsourcing all but untenable as a business practice.
Some companies, she said, "have been quite vocal in their opposition." Again, she declined to name names.
Markey said both his and Clinton's bills stand a good chance of becoming law -- but not until an even more horrific security breach occurs, causing consumers to demand greater protection of their personal info.
"We're only one scandal away from a vote," he said. "That's all it will take."
A titular win: Speaking of outsourcing, my recent column on an SBC vice president who was actually an employee of a major public-relations firm generated a lot of hand wringing in PR circles.
Are PR officials crossing the line when they accept executive titles from corporate clients? Apparently so.
In response to my column, PR powerhouse Fleishman-Hillard, which holds a major contract with SBC, now forbids employees from holding titles at clients' firms and requires all such workers to identify themselves as consultants on business cards.
"It was never our intent to confuse people about the representation Fleishman-Hillard has with SBC," said Ed Presberg, a Fleishman spokesman.
Be that as it may, the issue arose after I interviewed SBC Vice President Marc Bien about the telecom giant's use of outside contractors. He neglected to mention that he was an outside consultant himself, working for Fleishman --
a fact I learned only after seeing Bien listed as a "nonemployee" in internal SBC documents.
Kathy Cripps, president of the Council of Public Relations Firms, a leading industry organization, concluded that Bien's omission was misleading but not unethical.
While Fleishman's Presberg said at the time that Bien was under no obligation to proactively identify himself as an outside consultant, the PR firm has since decided that Bien holding an SBC executive title "was clearly confusing some people externally."
From now on, he said, Bien and a half-dozen other Fleishman employees who'd been presenting themselves as SBC vice presidents will simply call themselves company spokespeople.
David Lazarus' column appears Wednesdays, Fridays and Sundays. He also can be seen regularly on KTVU's "Mornings on 2." Send tips or feedback to dlazarus@sfchronicle.com.
©2004 San Francisco Chronicle | Feedback | FAQ
