[ISN] Sealing Data Security Breaches Offshore
From: InfoSec News (alerts infosecnews.org)
Date: Fri Jan 26 2007 - 00:30:20 CST
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1169028153553
By Miriam Wugmeister and Alistair Maughan
Accounting & Financial Planning for Law Firms newsletter
January 25, 2007
Editor's note: Outsourcing decisions should be based in part on a
comparison of data security in-house and at each vendor location;
generally this is evaluated in terms of staff vetting, physical access
security, database security, communications security, etc. But another
vital consideration should be the effectiveness of each candidate
location's legal preventive measures and remedies for data theft or
misuse -- and the complexity and cost of securing those protections.
This article, which surveys the state of data security legal protections
in India, shows that making such a comparison is no simple matter.
---
As a growing number of companies seek more centralized and less
expensive methods of processing information, they are turning to
offshore outsourcing to fulfill many of their business and human
resources processes. Given India's success in building a significant
share of the offshore business process outsourcing (BPO) market, a
significant portion of the data is now being processed in India.
Recently, there have been allegations that call center employees based
in India have stolen data outsourced to Indian service providers.
Regardless of whether these allegations represent a trend or are just
dramatic headlines, there have been concerns raised about the security
of data held by Indian service providers, and the remedies that
non-Indian companies may have in India in the event of a breach, either
to seek recourse against the offender or to prevent the misuse of data.
This article describes some of the remedies that are available to
companies to deal with and prevent the misuse of data in India.
PREVENTIVE MEASURES
In the wake of concerns around data security and privacy in India, the
National Association of Software and Services Companies (NASSCOM), one
of the most recognized and vocal trade organizations in the information
technology software and services industry in India, has put in place
several measures to address data security concerns regarding service
provider employees. Earlier this year, NASSCOM launched a National
Skills Registry for information technology professionals to help
employers conduct better background checks on employees by tracking
certain information about employees, such as employment history. More
recently, NASSCOM announced plans to set up an independent,
self-regulatory organization to set and monitor data security and
privacy "best practices" by outsourcing service providers in India.
Service providers in India are also increasingly adopting compliance
programs and comprehensive security audits including personnel and
equipment audits to put specific checks in place to prevent misuse of
sensitive information and data. Compliance programs include specific
training of employees to enhance awareness of confidentiality and
specific training for computer system managers with regard to securing
computer systems, common threats to information security, access control
techniques, risk assessment and management, intrusion detection,
authentication and other similar issues. Enforcement agencies in India
also work with BPOs to conduct workshops to enable employees to improve
knowledge and skills to prevent and prosecute misuse of data.
However, despite the preventive measures, non-Indian companies should
still be aware of their remedies in the event of a data security breach
in India.
LAWS RELATING TO DATA SECURITY IN INDIA
The Indian legal system is substantially based on the British common law
system. While there is no omnibus Indian data security law, there are
several laws that apply to data theft or misuse in India. Typically,
when an incident involving data occurs, a complaint is filed for theft,
cheating, criminal breach of trust, dishonest misappropriation of data
and/or criminal conspiracy under the provisions of the Indian Penal
Code, 1860 (IPC) and for hacking under the Information Technology Act,
2000 (ITA). Many of these offenses under the IPC and the ITA allow for
an arrest without a warrant, are non-bailable and carry penalties that
range from imprisonment for a year to life imprisonment, as well as
fines.
Moreover, certain offenses carry higher penalties when the offender is
an employee, a public servant, a merchant, an attorney or an agent. For
example, misappropriation of data by criminal breach of trust carries a
penalty of imprisonment for up to three years. However, when an employee
carries out the criminal breach of trust (i.e. if the data is
dishonestly misappropriated and converted by an employee for his or her
own use), the penalty increases to imprisonment for up to seven years.
Further, when the offender is a public servant, merchant, attorney or
agent, the penalty can be as high as life imprisonment.
In addition to these criminal affairs, civil proceedings for copyright
infringement under the provisions of the Copyright Act, 1957 (CA) and
the Specific Relief Act, 1963 (SRA) are also typically initiated to
prevent the misuse and dissemination of data. The penalties under the CA
and the SRA can range from hefty fines and damages to temporary and
permanent injunctions.
Over and above the laws currently in place, the Indian government is
in the process of amending the Information Technology Act of
2000 (ITA) to deal with data privacy and security issues. The proposed
amendments (which are currently being reviewed by the Ministry of Law,
Justice and Company Affairs before being presented to Indian Parliament)
include provisions that would empower the Central Government to make
rules concerning control processes and procedures to ensure adequate
integrity, security and confidentiality of electronic records and rules
prescribing modes of encryption for data security.
ENFORCEMENT PROCEDURES
There are several options open to a company that is dealing with a data
misuse or theft incident in India. Generally, a criminal complaint under
the provisions of the ITA, the IPC and the CA for theft,
misappropriation or misuse of data and infringement of copyright is
filed with the police station that has jurisdiction over the area where
the data security breach occurred. The officers in the local police
station, however, may not be in a position to properly investigate a
data security incident, as officers are not adequately trained to deal
with cybercrime cases.
Thus, in the alternative, the criminal complaint can be made to Anti
Cybercrime Cells set up by the State Police Departments. These
cybercrime cells have been established specifically to investigate and
prosecute cases of data theft and copyright infringement, as well as
other cybercrime cases. Cybercrime cells of several state police
departments (e.g., Delhi) organize training programs to enhance
investigators' skills and knowledge concerning data protection, and use
advanced equipment to investigate data security incidents. In fact, the
U.S. Department of State recently trained Indian cybercrime
investigators on investigating techniques. The investigating officers at
Anti Cybercrime Cells have the power to seize infringing or stolen data
by conducting searches and raids on the premises of the alleged
offenders and can also prosecute the offenders in the criminal court
that has jurisdiction over the police station where the complaint was
registered. The law enforcement agencies also have the power to arrest
offenders and keep them in custody during the course of the
investigation and prosecution unless bail is granted to the offenders by
the court.
If a company believes that the local police station and/or the Anti
Cybercrime Cell do not have the requisite expertise to investigate a
data security incident, the company may make a formal complaint with the
Central Bureau of Investigations (CBI) of the government of India under
the provisions of the ITA, the IPC and the CA. The CBI is an
independent, autonomous investigating agency set up by the government of
India, and has professionally trained the Anti Cybercrime Units in
various states to investigate data security incidents. If the officer
investigating the complaint determines that a prima facie offense has
been committed, he or she can register the complaint and file a charge
sheet with the competent criminal court.
Additionally, complaints alleging offenses under provisions of the ITA
can also be made to the Controller of Certifying Authorities. Upon
receipt of a complaint, the controller of certifying authorities
investigates allegations and can order punishment of an offender under
the provisions of the ITA. As the controller of certifying authorities
is a quasi-judicial authority, an appeal against its orders can be made
only in the state high court.
Finally, in addition to, or in lieu of, a criminal complaint, a civil
suit seeking damages and an injunction to restrain the misuse and
misapplication of data can be filed under the provisions of the CA and
the SRA. A civil court can issue an interim temporary injunction pending
final adjudication of the civil suit.
ISSUES IN THE INDIAN LEGAL SYSTEM
While several measures have been put into place to deal with data
security issues, some concerns still remain regarding the Indian legal
system. Indian courts are overburdened -- in 2005, the lower courts had
more than 20 million pending cases, while the high courts had more than
three million. Delays in the system are common, and an average case can
take several years to be resolved. However, things are changing. Several
measures are underway, and the Prime Minister of India, as well as the
Chief Justice of the Indian Supreme Court, have committed to dealing
with the issues facing the Indian courts. Further, the system itself,
while slow, works. More importantly, as previously discussed, the
service providers themselves are putting into place several preventive
measures to deal with data security and privacy issues.
CONCLUSION
Unfortunately, data breaches have occurred and will probably continue to
occur in many parts of the world. Fortunately for companies that have
sent data to India -- whether via offshore outsourcing or otherwise
-- the government of India has responded to the concerns raised about
data security issues, and proven methodologies have been put into place
and refined to minimize the damage, punish the offender and deter the
tempted.
Obviously, there are many steps that a non-Indian company can and should
undertake to minimize its risk: for example, conducting due diligence
and risk assessments when choosing service providers; implementing
appropriate contractual measures designed to meet its objectives; and
monitoring the service provider's compliance and making adjustments to
reflect modified risks. A combination of all these measures should go a
long way toward minimizing both the incidence and consequences of data
theft and misuse incidents in India.
-=-
Miriam Wugmeister is a partner at Morrison & Foerster, where she
counsels clients on U.S. and international data protection laws. She
represents the Coalition for Global Information Flows. Alistair Maughan,
also a partner at Morrison & Foerster, focuses on outsourcing and
technology projects, e-commerce and other technology contract work for
major organizations. He also counsels on the UK government's Private
Finance Initiative. Dijeet Titus, a partner at Titus, contributed to the
preparation of this article.
Copyright 2007 ALM Properties, Inc. All rights reserved.