I've Been Mugged Blog

Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, a different Privacy Policy, or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't that easy to read nor find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mentions about outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt-in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin regarding content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities, weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10K filings; documents by publicly owned companies within the USA. TransUnion is privately held, so it is not required to provide these filings which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.