By Alistair Maughan and Miriam Wugmeister of Morrison & Foerster and Mr. Diljeet Titus of Titus & Co. This article was written with the kind assistance of Madhavi Batliboi, Morrison & Foerster
India has successfully claimed a significant share of the offshore business process outsourcing (BPO) market, but recently, there have been allegations that call center employees there have stolen data entrusted to their employers. As a result, concerns have risen about the security of data held by Indian service providers, and companies that outsource to India are seeking out the remedies that are available to them to deal with and prevent the misuse of data in India.
The National Association of Software and Service Companies (Nasscom), one of the most recognized and vocal trade organizations in the IT software and services industry in India, has established several measures to address data security concerns regarding service-provider employees. Earlier this year, Nasscom launched a National Skills Registry for IT professionals to help employers conduct background checks by tracking certain information about employees, such as employment history. More recently, Nasscom announced plans to set up an independent, self-regulatory organization to set and monitor data security and privacy best practices by outsourcing service providers in India.
Service providers in India are also increasingly adopting compliance programs and comprehensive security audits, including personnel and equipment audits to prevent misuse of sensitive information and data. Compliance programs include training of employees to enhance awareness of confidentiality and of managers with regard to securing computer systems, common threats to information security, access-control techniques, risk assessment and management, intrusion detection, authentication and other issues. Enforcement agencies in India also work with business process outsourcers to conduct workshops aimed at improving employees’ knowledge and skills in the area of the misuse of data.
However, despite the preventative measures, non-Indian companies should still be aware of their remedies in the event of a data security breach in India.
Laws Relating to Data Security in India
The Indian legal system is substantially based on the British common law system. While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy under the provisions of the Indian Penal Code (IPC) of 1846 and for hacking under the Information Technology Act (ITA) of 2000. Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are nonbailable and carry penalties that range from one year to life imprisonment, as well as fines.
Moreover, certain offenses carry higher penalties when the offender is an employee, a public servant, a merchant, an attorney or an agent. For example, misappropriation of data by criminal breach of trust could lead to imprisonment for up to three years. However, when the criminal breach of trust is carried out by an employee -- i.e., if the data is dishonestly misappropriated and converted by an employee for his own use -- the penalty increases to imprisonment for up to seven years. Further, when the offender is a public servant, merchant, attorney or agent, the penalty can be as high as life imprisonment.
In addition to these criminal affairs, civil proceedings for copyright infringement under the provisions of the Copyright Act (CA) of 1957 and the Specific Relief Act (SRA) of 1963 are also typically initiated to prevent the misuse and dissemination of data. The penalties under the CA and the SRA can range from hefty fines and damages to temporary and permanent injunctions.
Over and above the laws currently in place, the Indian government is in the process of amending the ITA to deal with data privacy and security issues. The proposed amendments are currently being reviewed by the Ministry of Law, Justice and Company Affairs before being presented to the Indian Parliament. They include provisions that would empower the central government to make rules concerning control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records and rules prescribing modes of encryption for data security.
There are several options open to a company that is dealing with a data misuse or theft incident in India. Generally, a criminal complaint under the provisions of the ITA, the IPC and the CA for theft, misappropriation or misuse of data and infringement of copyright is filed with the police station that has jurisdiction over the area where the security breach occurred. The local police officers, however, may not be in a position to properly investigate a data security incident, since not all officers are adequately trained to deal with cybercrime cases.
Thus, in the alternative, the criminal complaint can be made to Anti Cyber-Crime Cells set up by the state police departments. These Anti Cyber-Crime Cells have been established to investigate and prosecute cases of data theft and copyright infringement, as well as other cybercrime cases. Anti Cyber-Crime Cells of several state police departments organize training programs for investigators concerning data protection and use of advanced equipment to investigate data security incidents. In fact, the U.S. Department of State recently trained Indian cybercrime investigators on investigating techniques. The officers at Anti Cyber-Crime Cells have the power to seize infringing or stolen data by conducting searches and raids on the premises of the alleged offenders and can also prosecute the offenders in the criminal court that has jurisdiction over the police station where the complaint was registered. The law enforcement agencies also have the power to arrest offenders and keep them in custody during the course of the investigation and prosecution unless bail is granted to the offenders by the court.
If a company believes that the local police station and/or the Anti Cyber-Crime Cell do not have the requisite expertise to investigate a data security incident, the company may make a formal complaint with the Central Bureau of Investigations (the CBI) of the government of India under the provisions of the ITA, the IPC and the CA. The CBI is an autonomous agency and has professionally trained the Anti Cyber-Crime Units in various states to investigate data security incidents. If the officer investigating the complaint determines that a prima facie offense has been committed, he can register the complaint and file a charge sheet with the criminal court.
In addition, complaints alleging offenses under provisions of the ITA can also be made to the controller of certifying authorities. Upon receipt of a complaint, the controller of certifying authorities investigates allegations and can order punishment of an offender under the provisions of the ITA. Since the controller of certifying authorities is a quasi judicial authority, an appeal against its orders can be made only in the State High Court.
Finally, in addition to or in lieu of a criminal complaint, a civil suit seeking damages and an injunction to restrain the misuse and misapplication of data can be filed under the provisions of the CA and the SRA. A civil court can issue an interim temporary injunction pending final adjudication of the civil suit.
Issues in the Indian Legal System
While several measures have been put in place to deal with data security issues, some concerns still remain regarding the Indian legal system. Indian courts are overburdened – in 2005, the lower courts had over 20 million pending cases, while the high courts had over 3 million. Delays in the system are common, and an average case can take several years to be resolved. However, things are changing. Several measures are under way, and the prime minister and chief justice of the Indian Supreme Court have committed to dealing with the issues facing the Indian courts. Further, the system itself, while slow, works. More importantly, as previously discussed, several preventative measures are being put into place by the service providers themselves to deal with data security and privacy issues.
Unfortunately, data breaches have occurred and will probably continue to occur in many parts of the world. Fortunately for companies that have sent data to India -- whether via an offshore outsourcing or otherwise -- the government of India has responded to the concerns raised about data security issues, and proven methodologies have been used and refined to minimize the damage, punish the offender and deter the tempted. Obviously, there are many steps that a non-Indian company can and should undertake to minimize its risk. For example, it can conduct due diligence and risk assessments when choosing service providers, implement appropriate contractual measures designed to meet its objectives, monitor the service provider’s compliance and make adjustments to reflect modified risks. A combination of all these measures should go a long way toward minimizing both the incidence and consequences of data theft and misuse incidents in India.