Really informative article on the Information Security laws in India

Thanks to Google alerts I came across a really interesting article in law.com that “surveys the state of data security legal protections in India.” Check out the complete article. To whet your appetite, here are a few excerpts:

The Indian legal system is substantially based on the British common law system. While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy under the provisions of the Indian Penal Code, 1860 (IPC) and for hacking under the Information Technology Act, 2000 (ITA). Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are non-bailable and carry penalties that range from imprisonment for a year to life imprisonment, as well as fines.

the criminal complaint can be made to Anti Cybercrime Cells set up by the State Police Departments. These cybercrime cells have been established specifically to investigate and prosecute cases of data theft and copyright infringement, as well as other cybercrime cases. Cybercrime cells of several state police departments (e.g., Delhi) organize training programs to enhance investigators' skills and knowledge concerning data protection, and use advanced equipment to investigate data security incidents. In fact, the U.S. Department of State recently trained Indian cybercrime investigators on investigating techniques. The investigating officers at Anti Cybercrime Cells have the power to seize infringing or stolen data by conducting searches and raids on the premises of the alleged offenders and can also prosecute the offenders in the criminal court that has jurisdiction over the police station where the complaint was registered. The law enforcement agencies also have the power to arrest offenders and keep them in custody during the course of the investigation and prosecution unless bail is granted to the offenders by the court.

While several measures have been put into place to deal with data security issues, some concerns still remain regarding the Indian legal system. Indian courts are overburdened -- in 2005, the lower courts had more than 20 million pending cases, while the high courts had more than three million. Delays in the system are common, and an average case can take several years to be resolved. However, things are changing. Several measures are underway, and the Prime Minister of India, as well as the Chief Justice of the Indian Supreme Court, have committed to dealing with the issues facing the Indian courts. Further, the system itself, while slow, works. More importantly, as previously discussed, the service providers themselves are putting into place several preventive measures to deal with data security and privacy issues.

Reprise: Consumer privacy protection and outsourcing to India

It really is a small world! I was talking to a friend on Sunday and it turns out she is an active volunteer for the Privacy Rights Clearinghouse. She had been a victim of identity fraud and speaking with her gave me a better appreciation for what the Privacy Rights Clearinghouse was talking about in the Statement on Outsourcing and Privacy. For example, my friend had her information stolen by an employee of a hospital she visited. She actually had to privately track down the person who had stolen her information. I can see how this would have been more difficult if the thief had been in a foreign country. However, I do believe that outsourcing if done right would actually improve privacy protection rather than harm it.

For example, a significant part of basic data-entry in the US is done by temporary workers or high school graduates who do not see data-entry as a career path. On the other hand, a BPO in India typically employs people with some or significant college education, who expect to have a career in the BPO industry. Thus, I believe these Indian workers have less of an incentive to break the law. If crime rates are anything to go by, an Indian college graduate is far less likely to commit a crime than a young American earning close to minimum wage.

My friend did raise an interesting argument that an Indian worker earns significantly less than an US worker and thus may be more tempted to carry out identity theft. I actually disagree with this for several reasons:

• We should consider the lifestyle that the salary can purchase, not just the dollar amount. While Americans earning close to minimum wage struggle to feed their families, Indian BPO operators earn enough that they have significant disposable income. In many cases they earn significantly more than their parents did. In general, a young Indian fresh out of college actually sees a BPO job as a somewhat good life and most of them are focused on the prize of being promoted to management and achieving a better life than the vast majority of Indians. An American making close to minimum wage certainly does not see his job as a path to the good life.
  
• In both India and the US identity theft is not prosecuted as aggressively as it should. Many US companies do not conduct sufficient background checks on their employees. Indian companies face a different problem in that it is more difficult to carry out formal background checks in India. However, in India two factors ameliorate this problem. First, most BPO operators are recruited / recommended by an existing employee. In some BPOs I felt like they had recruited away entire classes from certain universities! These strong peer bonds serve as informal background checks as well as a strong inhibitor for illegal activities. Second, Nasscom, the association of Indian BPO vendors, has been aggressively pushing for stricter information security laws and a national database of certified operators.

  The new National Skills Registry (NSR) is backed by Indian IT trade association Nasscom and was set up following a series of customer data breaches at offshore call centres last year. The NSR, set up by Nasscom and the National Securities Depository, is a centralised database that will store information about each IT worker's educational and professional background. Biometric technology will be used to verify the identity of individuals. [from a silicon.com story]

  This database is still in its infancy and only about 30% of the industry’s total workforce registered with it in the first nine months [See this Indian Express story for details] but this is already better than what you would expect in the US where it would be very difficult to set up such a registry.
  
• Moreover, generally information security is the lifeblood of a BPO vendor. Even one information security problem could completely ruin its reputation and subject it to severe financial liability to its customer. As such, BPO vendors tend to be far more careful about information security and put in far better safeguards than most US firms. For examples of what Indian BPO vendors are doing to improve data security, see the “Indian BPO providers tighten data security” story from SearchDataManagement.com:

  Take a look inside a typical BPO outfit, "where you will find airport-style frisking at the entrance a routine," said Raghu Iyer, a Bangalore-based call center worker. Agents (BPO workers) are required to surrender everything they carry, like mobile phones, PDAs, pens, notebooks and even tissue papers, which could enable smuggling data.
  
  Access to personal e-mail accounts is not allowed and firewalls block access to any Web site not necessary for work. At the end of the day, workers have to shred notes of conversation with customers, and workers are forbidden from socializing with non-employees during work hours. Visitors are required to seek permission and are required to sign a document of non-disclosure as well. "Above all these measures, with closed-circuit TV cameras watching your every move, the job of a typical BPO worker has never been so suffocating," Iyer added.
  
  It may be uncomfortable for many workers, but "BPO firms have little choice but to follow more quality checks and more auditing, and impose more regulations that could be demanded by their customers," said Sudhin Apte, country manager of Forrester Research Inc.

In conclusion, I believe information security is stronger in a leading Indian BPO than in most US companies. As such, organizations such as Privacy Rights Clearinghouse may actually find that their privacy goals are better met when companies outsource their processes to leading Indian BPOs than when they keep these processes in-house. The major caveat here of course is that the BPO contracts have to be structured appropriately, the BPO vendor’s information security procedures have to be carefully evaluated, and the final BPO decision has to be based on Total Cost of Ownership (including expected PR expenses and regulatory risk stemming from potential information security breaches) rather than just labor cost.

Consumer privacy protection and outsourcing to India

I recently came across a Statement on Outsourcing and Privacy to two California Senate committees by an organization called the Privacy Rights Clearinghouse. The statement starts with:

I do not want to infer that companies outside the U.S. are less capable of protecting records containing personal information. On the contrary, news accounts of several such offshore companies describe security practices that far exceed the privacy protection strategies of many U.S. businesses.

However, it then goes on to list several consumer protection concerns with offshore outsourcing. Generally, most people don’t realize that outsourcing contracts are rarely signed directly with an Indian company. Almost every outsourcing contract I have seen is set up with an US or UK domiciled company which is backed up by significant insurance coverage from a major insurer. In most privacy / information security situations, the real recourse is financial compensation via legal action. Because of the structure of these outsourcing relationships, there are sufficient assets that a litigant could go after in US courts even when the delivery happened from India.

However, let me comment on each of the concerns raised by the Privacy Rights Clearinghouse in order. [Please note that I am most comfortable talking about offshore outsourcing to India, but several of my comments are probably generally applicable. Disclaimer: I am not a legal expert and these are just my personal opinion.]

What recourse does an individual have if his/her personal information is handled improperly by an overseas company? Most countries to which data is being transmitted have no data protection laws on the books.

India does have several laws that address data protection and several more are in the works. Moreover, even “Undisclosed information and trade secrets” are protected under WTO-TRIPS (see Understanding the WTO for details) and India has to comply with TRIPS. Finally, the outsourcing industry is a powerful lobby in India and they have been pushing hard for stringent data protection laws to be enacted. In general, over time, a country like India which has a significant portion of its GDP and growth tied to information security is more likely to adopt stringent laws than even the United States.

If a U.S. law or regulation is violated, will the appropriate U.S. regulatory agency, such as the Federal Trade Commission or the Office of the Comptroller of the Currency, send investigators to the offshore company to conduct an investigation? Probably not likely.

If an US agency really needed to, they could probably collaborate with the appropriate Indian agencies and conduct such an investigation. For example, the US Food and Drug Administration (FDA) inspects medicine factories in India. Far more likely, US regulatory agencies could leverage India’s enforcement obligations under WTO-TRIPS, the 1999 US-India mutual extradition treaty and their 2001 Treaty on Mutual Legal Assistance in Criminal Matters to pursue the matter.

If an employee of an overseas company observes improprieties and wants to blow the whistle, who can he or she contact to file a complaint? And will that individual be protected by U.S. whistleblower laws? Again, not likely.

This is an excellent question and we should also consider the broader question of whether US style whistleblower protection is sufficient to promote the transparency we seek.
First, India does have an interim whistleblower protection mechanism in place and the government is under pressure from the Indian Supreme Court to rapidly enact a more extensive whistleblower protection law. [Note: Whistleblower laws are particularly American and they can actually run afoul of European privacy laws. See the Tip-line bind: Follow the law in U.S. or EU? story for an excellent example.]
Second, in general whistleblowers face severe harassment even when they are protected from being fired due to the US whistleblower laws. Data center employees earn so little each month that just protecting their jobs may not be sufficient incentive/protection for them to come forth and provide information against their employers. Anonymous tip lines on the other hand can easily become a medium for harassing people you don’t like and has a flavor of Soviet era anonymous tips that I don’t particularly like. Perhaps Indian outsourcing vendors and US outsourcing customers can set up a whistleblower fund for rewarding outsourcing employees who report problems that are eventually independently confirmed. Even a small financial incentive of a few thousand dollars would probably compensate these workers for lost wages and harassment due to their whistleblowing and would be more effective than US style whistleblower laws.

If an individual becomes a victim of identity theft and is able to trace the illegitimate access to his or her personal information back to an overseas company, can that individual attempt to take legal action against that company for its negligence? Technically perhaps, but realistically probably not. A bigger question is if the victim of identity theft would even be able to trace back to the source of the data breach. Not likely.

I am not sure I quite understand the premise of this question. Because of the focus on outsourcing, I am assuming the statement is referring to a situation when individual A shares private information with US firm B who outsources the processing of this information to Indian outsourcing vendor C. Whether or not firm B outsources the processing of this information, it would be almost impossible for individual A “to trace back to the source of the data breach” as they would violate information security and industrial espionage laws if they tried to do so independently. More likely, they would compel firm B to divulge the source of the data breach as part of a legal action. In any such legal action, they would merely sue firm B and gain compensation from them; why does it matter whether or not firm B outsourced to a vendor C? Remember, the only real remedy for the victim of identity theft is to sue for compensation. You would usually go after the US firm as that has the deeper pockets and was directly responsible for protecting your information.

How would California's law requiring that individuals be notified of security breaches involving sensitive personal information be promulgated and enforced if the illegitimate access to computer files were to occur in an offshore company? (California Civil Code section 1798.82-1798.84)

Outsourcing vendors have to comply with a raft of US laws such as GLB, HIPAA, etc. They are enforced via contractual agreements between the customer and the vendor.

How will U.S. companies be able to prevent overseas firms from subcontracting the work to other companies who then subcontract it to yet others? In a widely reported incident, a subcontractor in Pakistan threatened to expose the personal information contained in the medical records she was transcribing if she were not paid what she was due. (David Lazarus, "A tough lesson on medical privacy: Pakistani transcriber threatens UCSF over back pay," San Francisco Chronicle, October 22, 2003.)

Once again, subcontracting is preventable with proper contract design. Moreover, as discussed earlier, local authorities would prosecute such a person exactly the same way as US authorities.