[ISN] Sealing Data Security Breaches Offshore

From: InfoSec News (alerts@private)
Date: Thu Jan 25 2007 - 22:30:20 PST


By Miriam Wugmeister and Alistair Maughan
Accounting & Financial Planning for Law Firms newsletter
January 25, 2007

Editor's note: Outsourcing decisions should be based in part on a 
comparison of data security in-house and at each vendor location; 
generally this is evaluated in terms of staff vetting, physical access 
security, database security, communications security, etc. But another 
vital consideration should be the effectiveness of each candidate 
location's legal preventive measures and remedies for data theft or 
misuse -- and the complexity and cost of securing those protections. 
This article, which surveys the state of data security legal protections 
in India, shows that making such a comparison is no simple matter.


As a growing number of companies seek more centralized and less 
expensive methods of processing information, they are turning to 
offshore outsourcing to fulfill many of their business and human 
resources processes. Given India's success in building a significant 
share of the offshore business process outsourcing (BPO) market, a 
significant portion of the data is now being processed in India.

Recently, there have been allegations that call center employees based 
in India have stolen data outsourced to Indian service providers. 
Regardless of whether these allegations represent a trend or are just 
dramatic headlines, there have been concerns raised about the security 
of data held by Indian service providers, and the remedies that 
non-Indian companies may have in India in the event of a breach, either 
to seek recourse against the offender or to prevent the misuse of data. 
This article describes some of the remedies that are available to 
companies to deal with and prevent the misuse of data in India.


In the wake of concerns around data security and privacy in India, the 
National Association of Software and Services Companies (NASSCOM), one 
of the most recognized and vocal trade organizations in the information 
technology software and services industry in India, has put in place 
several measures to address data security concerns regarding service 
provider employees. Earlier this year, NASSCOM launched a National 
Skills Registry) for information technology professionals to help 
employers conduct better background checks on employees by tracking 
certain information about employees, such as employment history. More 
recently, NASSCOM announced plans to set up an independent, 
self-regulatory organization to set and monitor data security and 
privacy "best practices" by outsourcing service providers in India.

Service providers in India are also increasingly adopting compliance 
programs and comprehensive security audits including personnel and 
equipment audits to put specific checks in place to prevent misuse of 
sensitive information and data. Compliance programs include specific 
training of employees to enhance awareness of confidentiality and 
specific training for computer system managers with regard to securing 
computer systems, common threats to information security, access control 
techniques, risk assessment and management, intrusion detection, 
authentication and other similar issues. Enforcement agencies in India 
also work with BPOs to conduct workshops to enable employees to improve 
knowledge and skills to prevent and prosecute misuse of data.

However, despite the preventive measures, non-Indian companies should 
still be aware of their remedies in the event of a data security breach 
in India.


The Indian legal system is substantially based on the British common law 
system. While there is no omnibus Indian data security law, there are 
several laws that apply to data theft or misuse in India. Typically, 
when an incident involving data occurs, a complaint is filed for theft, 
cheating, criminal breach of trust, dishonest misappropriation of data 
and/or criminal conspiracy under the provisions of the Indian Penal 
Code, 1860 (IPC) and for hacking under the Information Technology Act, 
2000 (ITA). Many of these offenses under the IPC and the ITA allow for 
an arrest without a warrant, are non-bailable and carry penalties that 
range from imprisonment for a year to life imprisonment, as well as 

Moreover, certain offenses carry higher penalties when the offender is 
an employee, a public servant, a merchant, an attorney or an agent. For 
example, misappropriation of data by criminal breach of trust carries a 
penalty of imprisonment for up to three years. However, when an employee 
carries out the criminal breach of trust (i.e. if the data is 
dishonestly misappropriated and converted by an employee for his or her 
own use), the penalty increases to imprisonment for up to seven years. 
Further, when the offender is a public servant, merchant, attorney or 
agent, the penalty can be as high as life imprisonment.

In addition to these criminal affairs, civil proceedings for copyright 
infringement under the provisions of the Copyright Act, 1957 (CA) and 
the Specific Relief Act, 1963 (SRA) are also typically initiated to 
prevent the misuse and dissemination of data. The penalties under the CA 
and the SRA can range from hefty fines and damages to temporary and 
permanent injunctions.

Over and above the laws currently in place, the Indian government is 
currently in the process of amending the Information Technology Act of 
2000 (ITA) to deal with data privacy and security issues. The proposed 
amendments (which are currently being reviewed by the Ministry of Law, 
Justice and Company Affairs before being presented to Indian Parliament) 
include provisions that would empower the Central Government to make 
rules concerning control processes and procedures to ensure adequate 
integrity, security and confidentiality of electronic records and rules 
prescribing modes of encryption for data security.


There are several options open to a company that is dealing with a data 
misuse or theft incident in India. Generally, a criminal complaint under 
the provisions of the ITA, the IPC and the CA for theft, 
misappropriation or misuse of data and infringement of copyright is 
filed with the police station that has jurisdiction over the area where 
the data security breach occurred. The officers in the local police 
station, however, may not be in a position to properly investigate a 
data security incident, as officers are not adequately trained to deal 
with cybercrime cases.

Thus, in the alternative, the criminal complaint can be made to Anti 
Cybercrime Cells set up by the State Police Departments. These 
cybercrime cells have been established specifically to investigate and 
prosecute cases of data theft and copyright infringement, as well as 
other cybercrime cases. Cybercrime cells of several state police 
departments (e.g., Delhi) organize training programs to enhance 
investigators' skills and knowledge concerning data protection, and use 
advanced equipment to investigate data security incidents. In fact, the 
U.S. Department of State recently trained Indian cybercrime 
investigators on investigating techniques. The investigating officers at 
Anti Cybercrime Cells have the power to seize infringing or stolen data 
by conducting searches and raids on the premises of the alleged 
offenders and can also prosecute the offenders in the criminal court 
that has jurisdiction over the police station where the complaint was 
registered. The law enforcement agencies also have the power to arrest 
offenders and keep them in custody during the course of the 
investigation and prosecution unless bail is granted to the offenders by 
the court.

If a company believes that the local police station and/or the Anti 
Cybercrime Cell do not have the requisite expertise to investigate a 
data security incident, the company may make a formal complaint with the 
Central Bureau of Investigations (CBI) of the government of India under 
the provisions of the ITA, the IPC and the CA. The CBI is an 
independent, autonomous investigating agency set up by the government of 
India, and has professionally trained the Anti Cybercrime Units in 
various states to investigate data security incidents. If the officer 
investigating the complaint determines that a prima facie offense has 
been committed, he or she can register the complaint and file a charge 
sheet with the competent criminal court.

Additionally, complaints alleging offenses under provisions of the ITA 
can also be made to the Controller of Certifying Authorities. Upon 
receipt of a complaint, the controller of certifying authorities 
investigates allegations and can order punishment of an offender under 
the provisions of the ITA. As the controller of certifying authorities 
is a quasi-judicial authority, an appeal against its orders can be made 
only in the state high court.

Finally, in addition to, or in lieu of, a criminal complaint, a civil 
suit seeking damages and an injunction to restrain the misuse and 
misapplication of data can be filed under the provisions of the CA and 
the SRA. A civil court can issue an interim temporary injunction pending 
final adjudication of the civil suit.


While several measures have been put into place to deal with data 
security issues, some concerns still remain regarding the Indian legal 
system. Indian courts are overburdened -- in 2005, the lower courts had 
more than 20 million pending cases, while the high courts had more than 
three million. Delays in the system are common, and an average case can 
take several years to be resolved. However, things are changing. Several 
measures are underway, and the Prime Minister of India, as well as the 
Chief Justice of the Indian Supreme Court, have committed to dealing 
with the issues facing the Indian courts. Further, the system itself, 
while slow, works. More importantly, as previously discussed, the 
service providers themselves are putting into place several preventive 
measures to deal with data security and privacy issues.


Unfortunately, data breaches have occurred and will probably continue to 
occur in many parts of the world. Fortunately for companies that have 
sent data to India -- whether via an offshore outsourcing or otherwise 
-- the government of India has responded to the concerns raised about 
data security issues, and proven methodologies have been put into place 
and refined to minimize the damage, punish the offender and deter the 

Obviously, there are many steps that a non-Indian company can and should 
undertake to minimize its risk: for example, conducting due diligence 
and risk assessments when choosing service providers; implementing 
appropriate contractual measures designed to meet its objectives; and 
monitoring the service provider's compliance and making adjustments to 
reflect modified risks. A combination of all these measures should go a 
long way toward minimizing both the incidence and consequences of data 
theft and misuse incidents in India.


Miriam Wugmeister is a partner at Morrison & Foerster, where she 
counsels clients on U.S. and international data protection laws. She 
represents the Coalition for Global Information Flows. Alistair Maughan, 
also a partner at Morrison & Foerster, focuses on outsourcing and 
technology projects, e-commerce and other technology contract work for 
major organizations. He also counsels on the UK government's Private 
Finance Initiative. Dijeet Titus, a partner at Titus, contributed to the 
preparation of this article.

Copyright 2007 ALM Properties, Inc. All rights reserved.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Jan 25 2007 - 22:50:16 PST