Businesses and individuals in the United States have long been aware of Internet privacy and security issues. While we struggle with the complexity of 45 different state privacy regulations as well as federal regulations that include HIPAA and Graham-Leach Bliley, we still prize privacy. Corporate IT security is also a major concern and any CIO who has not prepared his or her company for the potential of a data breach has little job security.
Ironically, companies doing business in the two high growth markets of China and India will find tighter privacy regulations, but far more lax Internet security.
According to CBS News, the Chinese government is promoting strict rules that include explicit consent for the release of personal data. Under the draft rules, there would also be restrictions on the use and transfer of personal data which would significantly effect e-commerce and perhaps the transfer of employee information between joint venture partners.
India, a major outsourced call center location, already has strong privacy restrictions that affect all personal information passing through an Indian network, regardless of the citizenship of the owner of that information. Thus e-commerce or other transactions that occur on an Indian network are subject to explicit consent, and individuals have the right to withdraw that consent at any time.
For many U.S. businesses, the Indian regulations and potential Chinese restrictions are a kind of tariff, leading to companies reconsidering the use of processing centers in India and China. Businesses that find North American privacy regulations easier to deal with may return these activities to their own continent or low wage locations in Latin America.
At the same time, network insecurity in Asia is epidemic. ChinaDaily, a national news source, cited Beijing Rising Information Technology’s report that 740 million Chinese Internet users were attacked in just the first half of this year. China is also home to more than 3 million phishing sites, including faked banking and shopping websites.
Asia is the source of 49.7% of the world’s spam, making it the most spammed continent. The computer security news site NakedSecurity points out that like phishing, much of Asian spam comes from home computers that have been hijacked by hackers. In a country like India where half of emails are junk, corporations and smaller business will find dealing with spam mail extremely costly.
For Indians, this concerns not only desktop computers, but portable devices as well. Many developing countries have the culture of BYOD or Bring Your Own Device since businesses may not provide office equipment. Such unsecured mobility brings an even greater risk of hacking and spamming.
Foreign businesses in China who purchase computing equipment locally should also beware. In May 2012, the Chinese manufacturer of ZTE admitted that its mobile phones contained “back door” engineering vulnerabilities. The U.S. House Intelligence Committee is investigating ZTE over worries about its and other companies’ ties to the People’s Liberation Army.
Engineered vulnerabilities in hardware, software, and even chips are just part of the digital environment that corporate risk managers must consider in the 21st century. It’s no longer enough to secure buildings against perils such as fire and windstorm or to provide voluntary workers compensation for expatriates.
Fortunately, this digital enterprise risk can be transferred through Internet security and privacy insurance, even though achieving jurisdiction requirements may be difficult.
Policies issued in the United States have universal territories, but U.S. jurisdiction. Still this is a growing area of global risk management and the insurance marketplace is expanding to meet the need.