June 19, 2007
By Poojitha Rao
Indian companies have become preferred providers of information technology (IT) and business process outsourcing (BPO) services to companies around the world. The Indian IT/BPO industry's ascension to this leading position accelerated in the late 1990s when businesses around the world sought skilled IT professionals to ensure that their data and IT systems would survive the seemingly benign, though potentially crippling, arrival of the year 2000 and the so-called "Y2K bug." Since this initial period of growth of IT outsourcing in India, Indian companies have expanded their service offerings to include a variety of "back-office" business process solutions to companies around the world. Today these BPO services include, among other things, the processing of life, medical and other insurance claims, the handling of customer service telephone queries from bank and credit card account holders by call centers operated in India, human resource administration and payroll management. The latest trend in outsourcing to Indian service providers involves higher-end work requiring increased sophistication and judgment. This has occurred as international professional service firms in fields such as accountancy, law and finance have begun to engage Indian accountants, attorneys and financial analysts to provide a host of services, including tax return preparation, litigation support, patent application preparation and financial analysis services. Indian contractors have demonstrated their ability to deliver these services competitively from both a cost and a quality perspective. Indeed, India has become synonymous with offshore outsourcing and "remains the leading offshore destination by a wide margin, particularly for U.S. and U.K. companies."1
As international consumption of Indian IT and outsourcing services continues to increase, related social, political and public policy issues have become more pronounced. The effect of offshore outsourcing on the domestic labor force in the United States was a significant issue during the 2004 U.S. presidential elections. Likewise, in light of the sensitive medical, financial and other personal data that offshore BPO service providers handle on behalf of their clients, data security and privacy concerns have become increasingly significant issues in the context of offshore outsourcing.
This article will highlight concerns arising from recent incidents of data security breaches involving Indian BPO service providers and will describe the legal landscape with respect to data security and privacy issues, including recent governmental and nongovernmental initiatives to improve the security of sensitive personal and corporate information. This article also will outline drafting strategies that consumers of Indian BPO services should consider in managing the risks associated with the disclosure of sensitive information to Indian BPO service providers.
Recent Incidents of Security Breaches Involving Indian BPOs
In April 2005 four employees of a call center in Pune, India operated by MsourcE, the BPO arm of Mphasis BFL Group, one of India's leading IT services and BPO firms, were arrested for allegedly defrauding Citibank account holders in New York of over $400,000. The employees allegedly collected personal identification numbers (PINs) of the account holders and used them to fraudulently transfer funds to the employees' own bank accounts and other bank accounts established for the purpose of receiving the purloined funds. Although the PINs were disclosed to the call center employees voluntarily by the account holders and, as stated by Mphasis' vice-chairman Jeroen Tas, "there [was] no evidence of a breach or audit failure in the processes or systems employed by Mphasis,"2 the incident was significant because it first brought to light the risks associated with the trend of international financial institutions outsourcing critical customer relationship management functions.
A little over a year later, in June 2006 British financial institution HSBC Bank PLC filed a complaint with the municipal police in Bangalore, India against Nadeem Kashmiri, an employee of its captive back office data processing and customer call center operation. Mr. Kashmiri was accused of accessing personal information of HSBC debit card holders and using the information to defraud the account holders through unauthorized ATM and telephone banking transactions. By the time Kashmiri's activities were discovered, the affected HSBC account holders were defrauded of more than $425,000.3
Britain's Channel 4 investigative journalism program Dispatches conducted a twelve-month undercover investigation of the Indian BPO sector in 2005 and 2006 and reported that confidential financial information, including credit card account details, of approximately 100,000 British bank customers, obtained from workers at Indian call centers and back office operations, was being offered for sale for as little as $9.50 per account. Though the Dispatches investigation did not uncover any specific incidents of actual theft of funds from any of the British account holders, and was criticized in certain circles for its methods and conclusions, the report did prompt Britain's Information Commissioner's Office to commence a formal investigation into the security of personal financial information at Indian BPO firms.
These incidents are illustrative of security breaches involving Indian BPO firms. While Indian BPO firms and industry groups have responded swiftly and seriously to security breaches, incidents involving Indian BPO firms inevitably will occur in the future, just as data security breaches in the United States and elsewhere will continue to occur, despite concerted efforts by legislatures, corporations and citizens' advocacy groups to curtail such illegal activity. Accordingly, customers of Indian BPO services would be well-served in gaining at least a cursory understanding of the evolving legal landscape of data security and privacy law in India.
Sources of Data Security and Privacy Law in India
As is the case with the United States Constitution, the Indian Constitution does not enumerate an express right of privacy. In Griswold v. Connecticut, the United States Supreme Court interpreted the Constitution to include an implied fundamental right of privacy emanating from the "penumbra" of various expressly enumerated fundamental rights.4 Similarly, just one year prior to the Griswold decision, the Supreme Court of India recognized an implied right of privacy under Article 21 of the Indian Constitution,5 which provides that "No person shall be deprived of his life or personal liberty except according to procedure established by law."6 It must be remembered, though, that constitutional rights protect citizens from encroachment of those rights by the government but, outside of certain narrow instances, generally do not provide protections against violations by private citizens or entities.
The Indian government has addressed legal issues pertaining to the use of information technology in commerce and government through the enactment of the Information Technology Act of 2000 (ITA 2000). The ITA 2000 contains a variety of provisions that, among other things, give recognition to electronic signatures in commercial transactions to enable e-commerce,7 allow for the recognition of digital signatures and electronic filings of governmental forms or applications, and allow governmental publication requirements to be satisfied by publication in electronic form to facilitate e-governance.8 The ITA 2000 also gives recognition to "cyber crimes," making, among other things, hacking, tampering with computer source documents, unauthorized access to computer systems, publication of obscene information in electronic form, and the introduction of a "computer contaminant or computer virus" into a computer, computer system or computer network a crime under the statute.9 Notwithstanding the Indian government's efforts to recalibrate Indian law to address advances in information technology, it remains to be seen whether the ITA 2000, even after its proposed amendments as described below, will provide adequate privacy protections.
The Indian government recently has proposed a series of amendments to the ITA 2000 that specifically address data security and privacy issues. These amendments have been introduced in the form of the Information Technology (Amendment) Bill of 2006 (the ITA Amendments), which have been approved by Indian Prime Minister Manmohan Singh's cabinet and are expected to be introduced to the Lok Sabha, India's lower house of parliament, for debate and approval. Section 20 of the ITA Amendments amends Section 43 of the ITA 2000 by including the following provision:
Where a body corporate, possessing, dealing or handling sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.
This provision introduces a significant financial penalty (five crore rupees is roughly equivalent to $1.1 million) payable to persons affected by negligent security practices of corporations handling personal information. However, the legal standard for determining negligence in "implementing and maintaining reasonable security practices and procedures" has yet to be defined. Further, the ITA Amendments loosely define "sensitive personal data or information" as "such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit."10 Thus, while the ITA Amendments introduce statutory coverage of data security and privacy issues, their loosely drafted character likely will require additional refinement or judicial clarification in order to clearly establish their scope and meaning.
Another provision of the ITA Amendments specifically addresses the liability of web hosting services, internet service providers, online payment sites, online auction sites and other entities that "receive, store or transmit" information (such entities are referred to as "intermediaries" in the ITA Amendments). This particular amendment provides that:
any person including an intermediary who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to two years, or with a fine which may extend to five lakh rupees,11 or with both.
In addition to addressing issues of data security, the ITA Amendments also address privacy issues that have emerged as a result of the changing nature of digital media. The proliferation of user-generated content on the Internet and of viral distribution of content through e-mail and mobile phones also has been addressed in the context of the unauthorized publication or distribution of compromising images of individuals. The ITA Amendments propose to amend Section 502A of the Indian Penal Code to add the following provision:
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with simple imprisonment for a term which may extend to two years or with a fine not exceeding two lakh rupees, or with both.
Other sections of the Indian Penal Code may also apply in the context of data security and privacy. Section 405 of the Indian Penal Code describes the crime of a breach of trust as having occurred if a person who "being in any manner entrusted with property. . . dishonestly misappropriates or converts for his own use that property, or dishonestly disposes of that property in violation of any direction of law. . . or of any legal contract. . . commits 'criminal breach of trust.'" Section 407 of the Indian Penal Code prescribes the punishment for a criminal breach of trust as imprisonment of up to three years, or a fine, or both. The Indian Penal Code also describes "cheating" as the crime of causing damage to someone by fraudulently inducing him or her to deliver property to someone else or to omit to do something he or she would not otherwise omit to do12 and makes the crime of cheating punishable by up to seven years of imprisonment or fine or both.13
Data security also is addressed tangentially by the Indian Copyright Act of 1957, which was amended in 1999 to comply with provisions of Trade Related Aspects of Intellectual Property Rights treaty negotiated at the end of the Uruguay Round of the General Agreement on Tariffs and Trade negotiations in 1994. As amended, the Indian Copyright Act specifically includes computer databases within the definition of "literary works," thus treating computer databases similar to other works protected by copyright.
A recent judgment by the Delhi State Consumer Disputes Redressal Commission (the "Commission"), a quasi-judicial tribunal mandated to address violations of the Consumer Protection Act of 1986, has drawn attention to privacy concerns related to unsolicited telephone calls and short messaging service (SMS) text messages to cellular telephone users. Relying on Section 427 of the Indian Telegraph Rules, 1951 (the Rules) which states that "No telephone shall be used to disturb or irritate any persons or for the transmission of any message or communication which is of an indecent or obscene nature or is calculated to annoy any person . . ." and Section 513 of the Rules, which includes the same restriction with respect to telex communications, the Commission fined mobile service provider Airtel and the Cellular Operators Association of India 5 Million Rupees (approximately US $117,000) and ICICI and American Express banks 1.25 Million Rupees (approximately US $30,000) each for making unsolicited commercial communications at odd hours even after the recipients had objected to similar communications in the past.
While some statutory data security and privacy provisions are in place or presently are being contemplated in India, the Indian IT and BPO industry has been particularly proactive in developing processes to impose self-regulatory measures and adopt best practices with respect to data security and privacy concerns. In 2006, NASSCOM announced the formation of a self-regulatory organization (SRO). This SRO will be managed by a chief executive officer and board of directors who will be charged with setting standards for data security and privacy among its member companies and with developing audit procedures to evaluate the data security practices and procedures of its member companies. The SRO also will be authorized to impose fines for non-compliance with security practices and procedures that it adopts. Further, the SRO has created a National Skills Registry (NSR), a voluntary database of BPO employees who submit to fingerprinting and background checks. As of April 2007, NSR had completed registrations of over 100,000 IT professionals.14
Contractual Considerations
Since Indian data security and privacy laws continue to develop, it is particularly important for U.S. customers of Indian BPO services to conscientiously address these issues in their contracts with Indian BPO vendors. The specific nature of contractual provisions covering data security and privacy may vary depending on the nature of the business processes being outsourced and the customer's industry. In general, when negotiating contract terms for BPO services, customers should consider the following best practices:
Vendor Security Commitments. In an effort to secure business, a vendor often will make various representations about its data security practices and infrastructure. For example, vendors should be required to represent that their networks are protected with particular firewall technology, that customer data is stored on dedicated servers or otherwise stored in a manner that restricts access to customer data and that a particular encryption technology will be utilized to encrypt customer data. Prospective customers and vendors also may agree that the vendor adopt and maintain specific technical and physical security measures. These commitments and agreements should be memorialized in a definitive services agreement.
In response to some of the security breach incidents described above, many Indian BPO service providers have adopted strict procedures and policies that prohibit employees from bringing mobile phones, cameras or storage devices into the workplace in an effort to prevent employees from improperly removing customer data from the service location. Indian BPO service providers also have been proactive in adopting tighter physical security at service locations, including restricting access to service locations by using secure electromagnetic or RFID-enabled access cards or biometric technology to regulate access to service locations. Rather than relying on a vendor's adherence to its stated security policies, customers should ensure that vendors are contractually bound to employ and maintain certain minimum security practices with respect to their electronic and physical infrastructure and include contractual restrictions stating that any change in such policies will not compromise the level of security afforded to a customer's information.
Pass Through Compliance Obligations. If a customer of BPO services belongs to an industry that is regulated by specific security and privacy compliance obligations, such compliance obligations should be contractually passed through to the BPO service provider. For example, public companies in the United States must satisfy certain requirements with respect to internal financial controls under Sarbanes-Oxley; companies that handle or process personal health information, such as hospital groups or medical practices and health and life insurance companies, have specific data security and privacy obligations under the Health Insurance Portability and Accountability Act; and financial institutions that handle personal financial information must comply with data security and privacy obligations under Gramm-Leach-Bliley. The obligation to comply with these and other statutory data security and privacy compliance requirements should be contractually passed through to the BPO service provider with strong indemnity provisions (to the extent allowable under applicable law) should the customer be exposed to liability as a result of a BPO service provider's failure to comply with them.
Other Contractual Considerations. Customers of BPO service providers from India can attain greater contractual protections from data security and privacy breaches by including personnel selection provisions in their service agreements, specific representations and warranties from the BPO service provider and carefully crafted jurisdictional provisions. Specific provisions giving a customer of BPO services rights to select the specific personnel that will be assigned to their accounts, rights to interview personnel and rights to replace personnel provide customers some degree of control over who is actually rendering services and accessing sensitive data. Further, a services agreement also may include provisions requiring criminal background checks of the service provider's employees or a requirement that the service provider only assign personnel who are already registered on NASSCOM's National Skills Registry or will register with the NSR within a stated period of time after their assignment to the customer's account.
Customers of BPO services from India also should pay close attention to how jurisdiction and venue provisions are drafted. If an Indian BPO service provider is in breach of confidentiality or data security obligations, a United States based customer should avoid being contractually precluded from seeking an injunction directly in Indian courts as a result of an exclusive venue provision that, for example, states that all claims or controversies arising out of or relating to the agreement between the customer and Indian BPO service provider will be settled by state and federal courts located in a particular United States state and county.
Conclusion
Though the legal landscape of data security and privacy in India continues to develop, proactive measures taken by individual service providers in India and the industry in general suggest that Indian BPO service providers are serious about data security and privacy issues. Though some incidents of security breaches have occurred with Indian BPO service providers, the number and magnitude of such incidents are still relatively small when compared to such incidents in the United States. According to the Privacy Rights Clearinghouse, a non-profit consumer information and advocacy group that maintains a database of breaches in data security and personal information, in the first three months of 2007 there were over eighty recorded incidents of security breaches involving sensitive personal information, notably including an unauthorized intrusion into the computer systems of the TJX Companies, Inc., an operator of national retail outlets, that resulted in unauthorized access to the credit and debit card numbers of over 45 million customers.15 Data security and privacy risks are global and inevitable concerns when sensitive information is stored and transmitted electronically. While customers of BPO services from India may not be exposing themselves to particularly higher levels of risk, understanding the data security and privacy landscape in India and adopting certain contractual protections is a prudent course of action for U.S.-based customers of BPO services from India.
Endnotes
1 Stephanie Overby, Offshore Outsourcing Guide - 2006 Global Outsourcing Guide, (July 15, 2006), http://www.cio.com/article/22989/Offshore_Outsourcing_Guide_Global_Outsourcing_Guide.
2 Abhay Vaidya, India's first BPO scam unraveled, The Times of India (Apr. 23, 2005), http://www.timesofindia.indiatimes.com/articleshow/msid-1086438,prtpage-1cms.
3 John Ribeiro, HSBC customer claims fraud in Indian services center, Network World (June 27, 2006), http://www.networkworld.com/news/2006/062706-hsbc-claims-customer-fraud-in.html?fsrc=rss-sbc.
4 See Griswold v. Connecticut, 381 U.S. 479 (1965).
5 Kharak Singh v. State of UP, 1 SCR 322 (1964); see also Govind v. State of MP, AIR 1975 SC 1378.
6 INDIA CONST. art. 21.
7 See Information Technology Act of 2000, Ch. II, §3.
8 Id., Ch. II, §§ 4-10.
9 Id., Ch. XI, § 43 and Ch. XI, §§ 65-67.
10 Information Technology (Amendment) Bill 2006, §20(iii).
11 Five lakh rupees is approximately equivalent to USD $11,200 (1 USD = 42.87 Indian Rupees (April 12, 2007)).
12 See Indian Penal Code § 415.
13 See Indian Penal Code § 410.
14 NSR - Milestones, https://nationalskillsregistry.com/MILESTONE.html.
15 A Chronology of Data Breaches, Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm (Accessed Apr. 4, 2007).
©Copyright 2007 American Bar Association. All Rights Reserved. This article originally appeared in the Volume 2, No. 2, Spring/Summer 2007 edition of The Secure Times, which is published by the American Bar Association Section of Antitrust Law's Privacy and Information Security Committee, and is here republished with permission.