Sealing Data Security Breaches Offshore
Accounting & Financial Planning for Law Firms newsletter
January 25, 2007
Recently, there have been allegations that call center employees based in India have stolen data outsourced to Indian service providers. Regardless of whether these allegations represent a trend or are just dramatic headlines, there have been concerns raised about the security of data held by Indian service providers, and the remedies that non-Indian companies may have in India in the event of a breach, either to seek recourse against the offender or to prevent the misuse of data.
PREVENTIVE MEASURES
Service providers in India are also increasingly adopting compliance programs and comprehensive security audits, including personnel and equipment audits, to put specific checks in place to prevent misuse of sensitive information and data. Compliance programs include specific training of employees to enhance awareness of confidentiality, and specific training for computer system managers with regard to securing computer systems, common threats to information security, access control techniques, risk assessment and management, intrusion detection, authentication and other similar issues. Enforcement agencies in India also work with BPOs to conduct workshops that enable employees to improve the knowledge and skills needed to prevent and prosecute misuse of data.
LAWS RELATING TO DATA SECURITY IN INDIA
While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy under the provisions of the Indian Penal Code, 1860 (IPC) and for hacking under the Information Technology Act, 2000 (ITA). Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are non-bailable and carry penalties that range from imprisonment for a year to life imprisonment, as well as fines.
In addition to these criminal proceedings, civil proceedings for copyright infringement under the provisions of the Copyright Act, 1957 (CA) and the Specific Relief Act, 1963 (SRA) are also typically initiated to prevent the misuse and dissemination of data. The remedies under the CA and the SRA can range from hefty fines and damages to temporary and permanent injunctions.
The proposed amendments (which are currently being reviewed by the Ministry of Law, Justice and Company Affairs before being presented to Indian Parliament) include provisions that would empower the Central Government to make rules concerning control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records and rules prescribing modes of encryption for data security.
ENFORCEMENT PROCEDURES
Generally, a criminal complaint under the provisions of the ITA, the IPC and the CA for theft, misappropriation or misuse of data and infringement of copyright is filed with the police station that has jurisdiction over the area where the data security breach occurred. The officers in the local police station, however, may not be in a position to properly investigate a data security incident, as officers are not adequately trained to deal with cybercrime cases.
Thus, in the alternative, the criminal complaint can be made to Anti Cybercrime Cells set up by the State Police Departments. These cybercrime cells have been established specifically to investigate and prosecute cases of data theft and copyright infringement, as well as other cybercrime cases.
If a company believes that the local police station and/or the Anti Cybercrime Cell do not have the requisite expertise to investigate a data security incident, the company may make a formal complaint with the Central Bureau of Investigations (CBI) of the government of India under the provisions of the ITA, the IPC and the CA.
Additionally, complaints alleging offenses under provisions of the ITA can also be made to the Controller of Certifying Authorities. Upon receipt of a complaint, the Controller of Certifying Authorities investigates the allegations and can order punishment of an offender under the provisions of the ITA. As the Controller of Certifying Authorities is a quasi-judicial authority, an appeal against its orders can be made only in the state high court.
Finally, in addition to, or in lieu of, a criminal complaint, a civil suit seeking damages and an injunction to restrain the misuse and misapplication of data can be filed under the provisions of the CA and the SRA. A civil court can issue an interim temporary injunction pending final adjudication of the civil suit.
ISSUES IN THE INDIAN LEGAL SYSTEM
While several measures have been put into place to deal with data security issues, some concerns still remain regarding the Indian legal system. Indian courts are overburdened -- in 2005, the lower courts had more than 20 million pending cases, while the high courts had more than three million. Delays in the system are common, and an average case can take several years to be resolved. However, things are changing. Several measures are underway, and the Prime Minister of India, as well as the Chief Justice of the Indian Supreme Court, has committed to dealing with the issues facing the Indian courts. Further, the system itself, while slow, works. More importantly, as previously discussed, the service providers themselves are putting into place several preventive measures to deal with data security and privacy issues.
CONCLUSION
Unfortunately, data breaches have occurred and will probably continue to occur in many parts of the world. Fortunately for companies that have sent data to India -- whether via an offshore outsourcing or otherwise -- the government of India has responded to the concerns raised about data security issues, and proven methodologies have been put into place and refined to minimize the damage, punish the offender and deter the tempted.
Obviously, there are many steps that a non-Indian company can and should undertake to minimize its risk: for example, conducting due diligence and risk assessments when choosing service providers; implementing appropriate contractual measures designed to meet its objectives; and monitoring the service provider's compliance and making adjustments to reflect modified risks. A combination of all these measures should go a long way toward minimizing both the incidence and consequences of data theft and misuse incidents in India.
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1169028153553