India fortifies its data security

• Article
• Comments ()
• Click-2-Listen
• Videos

By

NEW DELHI -- Employees of an outsourced call center in India coaxed Citibank account holders in the United States to reveal their personal identification numbers -- and then siphoned $426,000 from their accounts, Indian police said.

In the biggest scandal to hit the Indian outsourcing industry, 16 arrests have been made since April, and more are expected.

The case, which began at the MphasiS call center in Pune, 77 miles from Bombay, has raised fears of a backlash in an industry that received revenue of more than $3.4 billion from the United States in 2004.

With global outsourcing contracts totaling $163 billion in 2004, according to research firm Datamonitor, security is an increasing concern for companies that choose to outsource work, especially those that move work overseas.

Although outsourcing contracts are full of security provisions, companies have to put faith in foreign laws and police to catch and punish criminals.

In a country where the first data security and cybercrime act was passed only in 2000, the MphasiS case has been regarded as a test of India's laws as well as its enforcement.

The verdict, it seems, has been largely positive. Citibank does not plan to change its business relationship with MphasiS, and the Indian authorities' response to the crime was seen as quick and effective.

Yet, with the United States accounting for two-thirds of India's technology and outsourcing-industries' revenue, the Indian information-technology association, National Association of Software and Service Companies (NASSCOM), is on its toes.

Harris Miller, president of Information Technology Association of America, said, "If companies that are using or considering India for global sourcing lose confidence ... then the Indian IT industry will be severely harmed."

The private sector's concern is evident in the fact that roughly 25 percent of every outsourcing agreement is used to establish detailed security measures. Surprise audits by clients are frequent, and outsourcing companies spend hundreds of thousands of dollars on security.

At Wipro Spectramind, one of the largest outsourcing firms here, all the computer terminals are "dumb," meaning they have no hard disks, so no information can be saved. Staff members are watched on camera.

Cell phones, IPods and even pen and paper are not allowed inside. It is strict rules such as these, combined with graveyard shifts and a young, restless work force that keep attrition in the industry between 25 percent and 40 percent, a NASSCOM study says.

To help keep track of employees, NASSCOM is setting up a voluntary database in which skilled workers can register their resumes and personal data.

While NASSCOM Vice President Sunil Mehta insists that the database is not for security purposes, MphasiS's Jeroen Tas said that it would be coordinated with police and enable faster, more accurate screening.

Mr. Miller is positive about India's security measures. "During my visits to numerous firms, I have found [security] very high, frankly, often somewhat higher than some companies in the United States and in other more developed economies," he said.

Still, shaky ground remains. A NASSCOM survey on information security, done jointly with Evalueserve, noted that almost 50 percent of the technology and business outsourcing companies studied did not have certified information-security personnel on staff.

A PricewaterhouseCoopers study found that 83 percent of 150 Indian companies surveyed had information-security breaches in 2004.