Call center data leak doesn't augur well for the BPO industry
When a highly charged up
campaign against ‘outsourcing to India’ was taking place in
the US during the last presidential elections, the NASSCOM
president Kiran Karnik had exclaimed, “US cannot stop
outsourcing unless we stop providing them quality services.”
Mr. Karnik’s statement stemmed from his strong faith in the
fundamental strengths of our BPO industry, which, he thought,
couldn’t go wrong. However, recent incidents of data theft and
fraud by some Indian call center employees don’t augur well
for the stability of this sector which, according to Gartner, is
poised to contribute as much as $13.8 billion to the already
booming Indian Economy.
The recent controversy over British tabloid Sun's purchase of
confidential bank account details of some 2000 Britons from an
employee of Gurgaon based BPO company Infinity E-Search has
generated a lot of concern in the western countries over the
data-protection issue. This comes close on the heels of the arrest
of three former employees of Pune’s MphasiS BPO on allegations
of siphoning off $350,000 from the Citibank accounts of four New
York based account holders, which sent shock waves across the
Indian BPO industry. Some time ago, an Aligarh resident and
employee of a Gurgaon based call centre, Arif Azim, was also
taken into custody after he purchased a television set and a
cordless phone using credit card data stolen from US customer
Barbara Campa’s records. Although such isolated incidents are
not specific to India and are not uncommon even in the US, they
may just have given the dying US anti-outsourcing lobby a new
lease of life.
India’s BPO success story is not entirely a fairy tale. The
number of complaints received from the outsourcing western
companies is growing especially with regard to the accent of
Indian call centre employees, their not-so-humble attitude while
dealing with customer queries and a laid-back attitude in
solving their problems. The accusation that can have a far
reaching impact for the stability and future of Indian BPO
industry, however, is that private customer data is not safe in
the hands of Indian BPO operators. This is indeed a serious
development since the very foundation of the BPO industry is
based on customer credibility and faith. If the bond of faith
between the outsourcing companies and the service providers
dwindles, it could well turn out to be the beginning of the
industry’s downfall. China, Philippines and now even Pakistan
would be happy enough to grab the BPO opportunity if India
falters on this count. Our BPO companies are already feeling
the heat due to stiff competition put up by a few aspiring IT
powers and a rising attrition rate. We must, therefore, be
pro-active in dealing with the new challenge before the data
security issue takes a threatening dimension.
According to Forrester Research, the Pune incident could cut
Indian BPO industry’s growth rate by up to 30 per cent.
Experts believe India may already be losing some 20 per cent
business in the absence of a strong safety mechanism to keep
private data fully safe. Privacy and safety of personal data is
a highly sensitive issue in the west, especially the US where
people are not so willing to let executives sitting thousands of
miles away from them handle their personal information. The
issue becomes even more complex in the age of e-commerce when
hacked personal data can be used rather easily to cause
wide-ranging financial and social losses to the persons to whom it belongs.
A couple of months ago, a Miami resident sued Bank of America
for an alleged transfer of $90,000 from his account after a
hacker got hold of his computer and stole his bank data. In a
similar case, a Los Angeles woman claiming to represent ‘all
Microsoft software users’ filed a lawsuit against the IT
bigwig just because someone had hacked her bank data to access
her account and other services, and the computer from which the
data was lifted ran on Microsoft Windows operating system. On
the contrary, we Indians still remain indifferent to the issue
of personal data protection. It is very common for customers
applying for mobile phones to be flooded with calls from
different service providers who access, use and transfer their
personal data with impunity.
Considering the sensitive nature of the data safety issue in the
west, however, the companies there leave nothing to chance in
ensuring absolute protection of customer data. According to
Reserve Bank of Dallas, the US spends nearly $100 billion on
keeping personal data private and protected. Companies in the
country spend roughly 10 percent of their IT budgets on this
count. According to a senior official in a Gurgaon based BPO
outfit, a contract that his company signed with an outsourcing
US giant had as much as 75 per cent of the document
dedicated to the data safety issue. Exult, another outsourcing
company, conducted a vigorous exercise spending two full years
to evaluate the level of data protection available at more than
three dozen Indian firms before reluctantly deciding to set up
its own BPO operations in the country.
The US has a series of laws to enforce strict protection of
personal data including the famous Gramm-Leach-Bliley Act (GLBA),
which has a provision for fines up to $1 million or 1% of the
assets of the offending company in cases of data misuse. The Right
to Financial Privacy Act, Computer Fraud and Abuse Act, and
Electronic Communication Privacy Act also come in handy in ensuring
stern action in such cases. The UK, too, has a Data Safety Act in
place with similar strict provisions. India, however, doesn’t
have a law to specifically deal with data protection issues. The
infamous IT Act 2000, the sole weapon in our legal armour
against such data attacks, is rather soft on the issue and needs
to be urgently modified.
In the absence of a solid legal framework, Indian companies take
the standards-compliance route to assure their clients, and in
turn their customers, that private data is fully safe in their
hands. Many Indian companies implement international data
protection standards such as BS 7799, SAS 70, ISO 17799 etc.,
which ensure use of safe software, techniques such as data
encryption, copy protection, intrusion detection systems,
firewalls, anti-virus tools, network security, system security
systems and monitoring systems and provide a well defined
framework of dos and don’ts. Even then accidents do happen
every now and then. Take the example of ISO 9000 certified
MphasiS itself that has implemented a safety standard called SEI
CMMI Level 5, hitherto considered as ‘invincible.’
It is high time that the government, Nasscom and the industry
came together in taking solid, authentic steps to guarantee
complete data protection to those to whom it matters most. The sensitive
issue cannot be handled by any of them in isolation. If we
Indians are still not able to prove our credibility and
trustworthiness to the outside world after being in such a
dominant position in the BPO space for almost a decade, it would
be highly unprofessional, unjustified, unfortunate and should I
say disastrous.