
Data Security Breaches Offshore

By Miriam Wugmeister and Alistair Maughan
December 22, 2006

[Editor's note: Outsourcing decisions should be based in part on a comparison of data security in-house and at each vendor location; generally this is evaluated in terms of staff vetting, physical access security, database security, communications security, etc. But another vital consideration should be the effectiveness of each candidate location's legal preventive measures and remedies for data theft or misuse, and the complexity and cost of securing those protections. This article, which surveys the state of data security legal protections in India, shows that making such a comparison is no simple matter.]

As a growing number of companies seek more centralized and less expensive methods of processing information, they are turning to offshore outsourcing to fulfill many of their business and human resources processes. Given India's success in building a significant share of the offshore business process outsourcing (BPO) market, a significant portion of the data is now being processed in India. Recently, there have been allegations that call center employees based in India have stolen data outsourced to Indian service providers. Regardless of whether these allegations represent a trend or are just dramatic headlines, there have been concerns raised about the security of data held by Indian service providers, and the remedies that non-Indian companies may have in India in the event of a breach, either to seek recourse against the offender or to prevent the misuse of data. This article describes some of the remedies that are available to companies to deal with and prevent the misuse of data in India.

Preventive Measures

In the wake of concerns around data security and privacy in India, the National Association of Software and Services Companies (NASSCOM) (www.nasscom.in), one of the most recognized and vocal trade organizations in the information technology software and services industry in India, has put in place several measures to address data security concerns regarding service provider employees. Earlier this year, NASSCOM launched a National Skills Registry (www.nationalskillsregistry.com) for information technology professionals to help employers conduct better background checks on employees by tracking certain information about employees, such as employment history. More recently, NASSCOM announced plans to set up an independent, self-regulatory organization to set and monitor data security and privacy 'best practices' by outsourcing service providers in India.

Service providers in India are also increasingly adopting compliance programs and comprehensive security audits including personnel and equipment audits to put specific checks in place to prevent misuse of sensitive information and data. Compliance programs include specific training of employees to enhance awareness of confidentiality and specific training for computer system managers with regard to securing computer systems, common threats to information security, access control techniques, risk assessment and management, intrusion detection, authentication, and other similar issues. Enforcement agencies in India also work with BPOs to conduct workshops to enable employees to improve knowledge and skills to prevent and prosecute misuse of data.

However, despite the preventive measures, non-Indian companies should still be aware of their remedies in the event of a data security breach in India.

Laws Relating to Data Security in India

The Indian legal system is substantially based on the British common law system. While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data, and/or criminal conspiracy under the provisions of the Indian Penal Code, 1860 (IPC), and for hacking under the Information Technology Act, 2000 (ITA). Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are non-bailable, and carry penalties that range from imprisonment for a year to life imprisonment, as well as fines.

Moreover, certain offenses carry higher penalties when the offender is an employee, a public servant, a merchant, an attorney, or an agent. For example, misappropriation of data by criminal breach of trust carries a penalty of imprisonment for up to three years. However, when an employee carries out the criminal breach of trust (i.e., if the data is dishonestly misappropriated and converted by an employee for his or her own use), the penalty increases to imprisonment for up to seven years. Further, when the offender is a public servant, merchant, attorney, or agent, the penalty can be as high as life imprisonment.

In addition to these criminal affairs, civil proceedings for copyright infringement under the provisions of the Copyright Act, 1957 (CA) and the Specific Relief Act, 1963 (SRA) are also typically initiated to prevent the misuse and dissemination of data. The penalties under the CA and the SRA can range from hefty fines and damages to temporary and permanent injunctions.

Over and above the laws currently in place, the Indian government is currently in the process of amending the Information Technology Act of 2000 (ITA) to deal with data privacy and security issues. The proposed amendments (which are currently being reviewed by the Ministry of Law, Justice and Company Affairs before being presented to Indian Parliament) include provisions that would empower the Central Government to make rules concerning control processes and procedures to ensure adequate integrity, security, and confidentiality of electronic records and rules prescribing modes of encryption for data security.

Enforcement Procedures

There are several options open to a company that is dealing with a data misuse or theft incident in India. Generally, a criminal complaint under the provisions of the ITA, the IPC, and the CA for theft, misappropriation, or misuse of data, and infringement of copyright is filed with the police station that has jurisdiction over the area where the data security breach occurred. The officers in the local police station, however, may not be in a position to properly investigate a data security incident, as officers are not adequately trained to deal with cyber-crime cases.

Thus, in the alternative, the criminal complaint can be made to Anti Cyber-Crime Cells set up by the State Police Departments. These Cyber-Crime Cells have been established specifically to investigate and prosecute cases of data theft and copyright infringement, as well as other cyber-crime cases. Cyber-Crime Cells of several State Police Departments (e.g., Delhi) organize training programs to enhance investigators' skills and knowledge concerning data protection, and use advanced equipment to investigate data security incidents. In fact, the U.S. Department of State recently trained Indian cyber-crime investigators on investigating techniques. The investigating officers at Anti Cyber-Crime Cells have the power to seize infringing or stolen data by conducting searches and raids on the premises of the alleged offenders and can also prosecute the offenders in the criminal court that has jurisdiction over the police station where the complaint was registered. The law enforcement agencies also have the power to arrest offenders and keep them in custody during the course of the investigation and prosecution unless bail is granted to the offenders by the court.

If a company believes that the local police station and/or the Anti Cyber-Crime Cell do not have the requisite expertise to investigate a data security incident, the company may make a formal complaint with the Central Bureau of Investigations (CBI) of the government of India under the provisions of the ITA, the IPC, and the CA. The CBI is an independent, autonomous investigating agency set up by the government of India, and has professionally trained the Anti Cyber-Crime Units in various states to investigate data security incidents. If the officer investigating the complaint determines that a prima facie offense has been committed, he or she can register the complaint and file a charge sheet with the competent criminal court.

Additionally, complaints alleging offenses under provisions of the ITA can also be made to the Controller of Certifying Authorities. Upon receipt of a complaint, the Controller of Certifying Authorities investigates allegations and can order punishment of an offender under the provisions of the ITA. As the Controller of Certifying Authorities is a quasi-judicial authority, an appeal against its orders can be made only in the State High Court.

Finally, in addition to, or in lieu of, a criminal complaint, a civil suit seeking damages and an injunction to restrain the misuse and misapplication of data can be filed under the provisions of the CA and the SRA. A civil court can issue an interim temporary injunction pending final adjudication of the civil suit.

Issues in the Indian Legal System

While several measures have been put into place to deal with data security issues, some concerns still remain regarding the Indian legal system. Indian courts are overburdened: in 2005, the lower courts had more than 20 million pending cases, while the high courts had more than three million. Delays in the system are common, and an average case can take several years to be resolved. However, things are changing. Several measures are underway, and the Prime Minister of India, as well as the Chief Justice of the Indian Supreme Court, have committed to dealing with the issues facing the Indian courts. Further, the system itself, while slow, works. More importantly, as previously discussed, the service providers themselves are putting into place several preventive measures to deal with data security and privacy issues.

Conclusion

Unfortunately, data breaches have occurred and will probably continue to occur in many parts of the world. Fortunately for companies that have sent data to India, whether via an offshore outsourcing or otherwise, the government of India has responded to the concerns raised about data security issues, and proven methodologies have been put into place and refined to minimize the damage, punish the offender, and deter the tempted.

Obviously, there are many steps that a non-Indian company can and should undertake to minimize its risk: for example, conducting due diligence and risk assessments when choosing service providers; implementing appropriate contractual measures designed to meet its objectives; and monitoring the service provider's compliance and making adjustments to reflect modified risks. A combination of all these measures should go a long way toward minimizing both the incidence and consequences of data theft and misuse incidents in India.


Miriam Wugmeister is a partner at Morrison & Foerster LLP, where she counsels clients on U.S. and international data protection laws. She represents the Coalition for Global Information Flows. Alistair Maughan, also a partner at Morrison & Foerster, focuses on outsourcing and technology projects, e-commerce, and other technology contract work for major organizations. He also counsels on the UK government's Private Finance Initiative. Dijeet Titus, a partner at Titus LLP, contributed to the preparation of this article.

