Indian BPO and the ongoing struggle with data security issues

While data leaks in Indian BPOs are the exception rather than the rule, it is imperative that the BPO sector take more proactive steps to protect the data it handles.

Recently, a British TV channel's sting operation revealed that confidential medical records sent to India for computerization were being offered for sale. The files procured in the sting belonged to patients of the London Clinic, one of Britain's top private hospitals. The data was apparently being sold from an Indian transcription center based in Pune. This and several earlier incidents have raised serious concerns about the data security practices of Indian business process outsourcing (BPO) companies.

"Organizations need to inculcate an 'information security culture' amongst employees — more so in smaller companies. In the medical transcription segment, there are a number of very small companies where the security implementation can be termed unsatisfactory," says Na Vijayashankar (Naavi), an independent cyber law consultant based in Bangalore. To this end, the Data Security Council of India (DSCI), set up by Nasscom with the sole mission of promoting India as a secure outsourcing destination, has begun enquiries into the Pune-based BPO in question and is expected to take action. Although he calls the incident unfortunate, Dr. Kamlesh Bajaj, the CEO of DSCI, feels that such issues are often blown out of proportion by the international media. "It's essential to dispel the notion that India does not have a proper data protection regime. The new IT (Amendment) Act 2008 provides adequate protection against data security and privacy," claims Bajaj.

While a couple of such incidents do not reflect the industry as a whole, it is important that the Indian BPO industry wakes up to them. The first question is how seriously BPOs take the privacy and security of the data they control. "Many units are only cost and functionality conscious — in their scheme of things, security is not a priority. Many of these small units work as outsourced agents of other BPOs, and are not directly exposed to the foreign vendor. Hence they try to cut costs at the expense of security," says Naavi. Larger BPO units are comparatively more proactive in thwarting security incidents.

Most BPOs with clients in the U.K. and the U.S. are required to follow recognized security standards such as ISO 27001. These BPOs also need to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) for medical and health-related data and the Sarbanes-Oxley Act for financial data. Despite this, security shortfalls appear to be widespread in the country. "While many of the companies do conduct ISO 27001 audits, there could be inadequate follow-ups, resulting in dilution of security after the audit," says Naavi. Besides, the typical small and medium-sized business (SMB) does not undergo ISO 27001 or similar audits at all. "Some of the small medical transcription companies are not even aware about HIPAA compliance."

In some cases, Indian organizations lack a strong data protection policy to prevent such incidents. "The matter becomes serious when pilferage is committed by employees dealing in confidential data," says Rajendra Sawant, the chief information officer of Adventity Global Services Pvt Ltd.


Addressing the data security challenge

As data security is a complex and serious concern, it must be addressed at all three levels: process (policy), people, and technology. The CISO of a leading BPO organization, speaking on condition of anonymity, says this is possible only if BPOs thoroughly understand their information assets. Every BPO should identify all possible channels through which data can leave the organization, and must have effective and regular monitoring, control and audit practices in place.

Real-time monitoring and analysis of security logs, together with restricting Internet and email access to a few approved users, is necessary, suggests Sawant. To achieve this, Adventity uses a Chinese Wall security policy (the Brewer-Nash model) for some of its customers. "The basis of our Chinese wall policy is that people are allowed access to information which does not conflict with any other information that they already possess. This is the basic model used to provide both privacy and integrity for data," Sawant explains.
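The access rule Sawant describes is the Brewer-Nash ("Chinese Wall") model: objects are grouped into company datasets, company datasets into conflict-of-interest classes, and a subject's past reads determine which datasets it may touch next. The following Python is an added illustration of those rules, not Adventity's code or policy; the subjects, company datasets and conflict-of-interest classes are constructed for the example, and the write rule is the usual Brewer-Nash *-property simplified to the subject's own read history.

```python
"""Chinese Wall (Brewer-Nash) access control, illustrative implementation.

Rules enforced:
  read:  a subject may read an object unless it has already read an unsanitized
         object of a *different* company in the *same* conflict-of-interest class.
  write: a subject may write an object only if it may read it and every
         unsanitized object it has read belongs to that object's company dataset
         (otherwise it could leak competitor data into this dataset).
Sanitized (public) objects are outside the wall: readable by anyone and not
recorded in the subject's history.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    company: str            # company dataset the object belongs to
    coi: str                # conflict-of-interest class (e.g. "banking")
    sanitized: bool = False  # public/sanitized data is exempt from the wall


class ChineseWall:
    def __init__(self) -> None:
        # subject -> set of (coi, company) pairs of unsanitized objects read so far
        self.history: dict[str, set[tuple[str, str]]] = {}

    def can_read(self, subject: str, obj: Obj) -> bool:
        if obj.sanitized:
            return True
        for coi, company in self.history.get(subject, set()):
            # same COI class but a different company => conflict, deny
            if coi == obj.coi and company != obj.company:
                return False
        return True

    def read(self, subject: str, obj: Obj) -> None:
        """Grant the read and record it, or raise if the wall forbids it."""
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj.name}: conflict in {obj.coi}")
        if not obj.sanitized:
            self.history.setdefault(subject, set()).add((obj.coi, obj.company))

    def can_write(self, subject: str, obj: Obj) -> bool:
        if not self.can_read(subject, obj):
            return False
        # *-property: no unsanitized data from another company may flow into obj
        return all(company == obj.company
                   for _, company in self.history.get(subject, set()))


def demo() -> dict[str, bool]:
    """Constructed scenario: two competing banks and an unrelated oil company."""
    wall = ChineseWall()
    bank_a = Obj("bank_a_ledger", company="BankA", coi="banking")
    bank_b = Obj("bank_b_ledger", company="BankB", coi="banking")
    oil_x = Obj("oilx_report", company="OilX", coi="oil")
    bank_b_public = Obj("bank_b_annual_report", company="BankB", coi="banking", sanitized=True)

    wall.read("alice", bank_a)          # first touch of the banking class is free
    results = {
        "alice_reads_bank_b": wall.can_read("alice", bank_b),           # competitor: denied
        "alice_reads_oil_x": wall.can_read("alice", oil_x),             # other COI class: allowed
        "alice_reads_bank_b_public": wall.can_read("alice", bank_b_public),  # sanitized: allowed
        "alice_writes_bank_a": wall.can_write("alice", bank_a),         # only BankA read so far: allowed
    }
    try:
        wall.read("alice", bank_b)
        results["bank_b_read_raised"] = False
    except PermissionError:
        results["bank_b_read_raised"] = True

    wall.read("alice", oil_x)           # now alice holds OilX data too
    # writing to BankA could carry OilX data across: denied by the *-property
    results["alice_writes_bank_a_after_oil"] = wall.can_write("alice", bank_a)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point worth noticing is the last check: the wall is dynamic. Alice's read of OilX data was perfectly legal, yet it silently removed her ability to write into BankA's dataset, because a write there could carry another company's data across the wall. Any BPO that implements this policy by hand-maintained group membership rather than per-subject history will miss exactly that case.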

The high employee attrition rate in the BPO industry also heightens data protection risks. According to Naavi, it is wrong to treat security purely as a technical measure. One can roll out security software and declare policies, but it is not easy to make people adopt them; the rationale behind security controls must be explained to employees. Having employees sign non-disclosure agreements is now common practice in BPOs.

Leading BPO companies understand the significance of implementing the latest technologies. "Our IT professionals have security controls in place at various levels right from servers to firewalls, IPS and endpoint data protection along with content filter solutions. Client data transfers are usually in encrypted and secured forms. Apart from this, electronic access control is used to secure the premises and restrict unauthorized entry," says Sawant.

Data loss prevention (DLP) tools are a recent arrival in the security market. "DLP is still on the path to becoming a mature technology. At the moment, DLP is being implemented only by large BPOs. SMBs cannot afford such solutions, and hence DSCI has come up with its Data Security and Privacy framework for BPOs. This will help BPOs strengthen their data protection regime," says Bajaj.

Naavi suggests that SMBs should come together to form an 'Information Security Consortium' and adopt a voluntary information security standard, along the lines of LIPS 1008, a standard suggested for legal process outsourcing units in India. "We need to make it mandatory for all medical transcription companies (as well as other similar units) to incorporate 'cyber ethics' training to employees. Though the DSCI already functions as a self regulatory agency for BPOs, it may not be possible for DSCI to cater to the SMB sector's requirements. Hence I advocate an industry-led initiative at the SMB level, which works along with other bodies such as DSCI," says Naavi.
