[Infowarrior] - Sealing Data Security Breaches Offshore

[Richard Forno]

(c/o Dissent)

Sealing Data Security Breaches Offshore

By Miriam Wugmeister and Alistair Maughan
Accounting & Financial Planning for Law Firms newsletter
January 25, 2007
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1169028153553

Editor's note: Outsourcing decisions should be based in part on a comparison
of data security in-house and at each vendor location; generally this is
evaluated in terms of staff vetting, physical access security, database
security, communications security, etc. But another vital consideration
should be the effectiveness of each candidate location's legal preventive
measures and remedies for data theft or misuse -- and the complexity and
cost of securing those protections. This article, which surveys the state of
data security legal protections in India, shows that making such a
comparison is no simple matter.

As a growing number of companies seek more centralized and less expensive
methods of processing information, they are turning to offshore outsourcing
to fulfill many of their business and human resources processes. Given
India's success in building a significant share of the offshore business
process outsourcing (BPO) market, a significant portion of the data is now
being processed in India.

Recently, there have been allegations that call center employees based in
India have stolen data outsourced to Indian service providers. Regardless of
whether these allegations represent a trend or are just dramatic headlines,
there have been concerns raised about the security of data held by Indian
service providers, and the remedies that non-Indian companies may have in
India in the event of a breach, either to seek recourse against the offender
or to prevent the misuse of data. This article describes some of the
remedies that are available to companies to deal with and prevent the misuse
of data in India.

PREVENTIVE MEASURES

In the wake of concerns around data security and privacy in India, the
National Association of Software and Services Companies (NASSCOM), one of
the most recognized and vocal trade organizations in the information
technology software and services industry in India, has put in place several
measures to address data security concerns regarding service provider
employees. Earlier this year, NASSCOM launched a National Skills Registry)
for information technology professionals to help employers conduct better
background checks on employees by tracking certain information about
employees, such as employment history. More recently, NASSCOM announced
plans to set up an independent, self-regulatory organization to set and
monitor data security and privacy "best practices" by outsourcing service
providers in India.

Service providers in India are also increasingly adopting compliance
programs and comprehensive security audits including personnel and equipment
audits to put specific checks in place to prevent misuse of sensitive
information and data. Compliance programs include specific training of
employees to enhance awareness of confidentiality and specific training for
computer system managers with regard to securing computer systems, common
threats to information security, access control techniques, risk assessment
and management, intrusion detection, authentication and other similar
issues. Enforcement agencies in India also work with BPOs to conduct
workshops to enable employees to improve knowledge and skills to prevent and
prosecute misuse of data.

However, despite the preventive measures, non-Indian companies should still
be aware of their remedies in the event of a data security breach in India.

LAWS RELATING TO DATA SECURITY IN INDIA

The Indian legal system is substantially based on the British common law
system. While there is no omnibus Indian data security law, there are
several laws that apply to data theft or misuse in India. Typically, when an
incident involving data occurs, a complaint is filed for theft, cheating,
criminal breach of trust, dishonest misappropriation of data and/or criminal
conspiracy under the provisions of the Indian Penal Code, 1860 (IPC) and for
hacking under the Information Technology Act, 2000 (ITA). Many of these
offenses under the IPC and the ITA allow for an arrest without a warrant,
are non-bailable and carry penalties that range from imprisonment for a year
to life imprisonment, as well as fines.

Moreover, certain offenses carry higher penalties when the offender is an
employee, a public servant, a merchant, an attorney or an agent. For
example, misappropriation of data by criminal breach of trust carries a
penalty of imprisonment for up to three years. However, when an employee
carries out the criminal breach of trust (i.e. if the data is dishonestly
misappropriated and converted by an employee for his or her own use), the
penalty increases to imprisonment for up to seven years. Further, when the
offender is a public servant, merchant, attorney or agent, the penalty can
be as high as life imprisonment.

In addition to these criminal affairs, civil proceedings for copyright
infringement under the provisions of the Copyright Act, 1957 (CA) and the
Specific Relief Act, 1963 (SRA) are also typically initiated to prevent the
misuse and dissemination of data. The penalties under the CA and the SRA can
range from hefty fines and damages to temporary and permanent injunctions.

Over and above the laws currently in place, the Indian government is
currently in the process of amending the Information Technology Act of 2000
(ITA) to deal with data privacy and security issues. The proposed amendments
(which are currently being reviewed by the Ministry of Law, Justice and
Company Affairs before being presented to Indian Parliament) include
provisions that would empower the Central Government to make rules
concerning control processes and procedures to ensure adequate integrity,
security and confidentiality of electronic records and rules prescribing
modes of encryption for data security.

ENFORCEMMENT PROCEDURES

There are several options open to a company that is dealing with a data
misuse or theft incident in India. Generally, a criminal complaint under the
provisions of the ITA, the IPC and the CA for theft, misappropriation or
misuse of data and infringement of copyright is filed with the police
station that has jurisdiction over the area where the data security breach
occurred. The officers in the local police station, however, may not be in a
position to properly investigate a data security incident, as officers are
not adequately trained to deal with cybercrime cases.

Thus, in the alternative, the criminal complaint can be made to Anti
Cybercrime Cells set up by the State Police Departments. These cybercrime
cells have been established specifically to investigate and prosecute cases
of data theft and copyright infringement, as well as other cybercrime cases.
Cybercrime cells of several state police departments (e.g., Delhi) organize
training programs to enhance investigators' skills and knowledge concerning
data protection, and use advanced equipment to investigate data security
incidents. In fact, the U.S. Department of State recently trained Indian
cybercrime investigators on investigating techniques. The investigating
officers at Anti Cybercrime Cells have the power to seize infringing or
stolen data by conducting searches and raids on the premises of the alleged
offenders and can also prosecute the offenders in the criminal court that
has jurisdiction over the police station where the complaint was registered.
The law enforcement agencies also have the power to arrest offenders and
keep them in custody during the course of the investigation and prosecution
unless bail is granted to the offenders by the court.

If a company believes that the local police station and/or the Anti
Cybercrime Cell do not have the requisite expertise to investigate a data
security incident, the company may make a formal complaint with the Central
Bureau of Investigations (CBI) of the government of India under the
provisions of the ITA, the IPC and the CA. The CBI is an independent,
autonomous investigating agency set up by the government of India, and has
professionally trained the Anti Cybercrime Units in various states to
investigate data security incidents. If the officer investigating the
complaint determines that a prima facie offense has been committed, he or
she can register the complaint and file a charge sheet with the competent
criminal court.

Additionally, complaints alleging offenses under provisions of the ITA can
also be made to the Controller of Certifying Authorities. Upon receipt of a
complaint, the controller of certifying authorities investigates allegations
and can order punishment of an offender under the provisions of the ITA. As
the controller of certifying authorities is a quasi-judicial authority, an
appeal against its orders can be made only in the state high court.

Finally, in addition to, or in lieu of, a criminal complaint, a civil suit
seeking damages and an injunction to restrain the misuse and misapplication
of data can be filed under the provisions of the CA and the SRA. A civil
court can issue an interim temporary injunction pending final adjudication
of the civil suit.

ISSUES IN THE INDIAN LEGAL SYSTEM

While several measures have been put into place to deal with data security
issues, some concerns still remain regarding the Indian legal system. Indian
courts are overburdened -- in 2005, the lower courts had more than 20
million pending cases, while the high courts had more than three million.
Delays in the system are common, and an average case can take several years
to be resolved. However, things are changing. Several measures are underway,
and the Prime Minister of India, as well as the Chief Justice of the Indian
Supreme Court, have committed to dealing with the issues facing the Indian
courts. Further, the system itself, while slow, works. More importantly, as
previously discussed, the service providers themselves are putting into
place several preventive measures to deal with data security and privacy
issues.

CONCLUSION

Unfortunately, data breaches have occurred and will probably continue to
occur in many parts of the world. Fortunately for companies that have sent
data to India -- whether via an offshore outsourcing or otherwise -- the
government of India has responded to the concerns raised about data security
issues, and proven methodologies have been put into place and refined to
minimize the damage, punish the offender and deter the tempted.

Obviously, there are many steps that a non-Indian company can and should
undertake to minimize its risk: for example, conducting due diligence and
risk assessments when choosing service providers; implementing appropriate
contractual measures designed to meet its objectives; and monitoring the
service provider's compliance and making adjustments to reflect modified
risks. A combination of all these measures should go a long way toward
minimizing both the incidence and consequences of data theft and misuse
incidents in India.

Miriam Wugmeister is a partner at Morrison & Foerster, where she counsels
clients on U.S. and international data protection laws. She represents the
Coalition for Global Information Flows. Alistair Maughan, also a partner at
Morrison & Foerster, focuses on outsourcing and technology projects,
e-commerce and other technology contract work for major organizations. He
also counsels on the UK government's Private Finance Initiative. Dijeet
Titus, a partner at Titus, contributed to the preparation of this article.