As a growing number of companies seek more centralized and less expensive methods of processing information, they’re turning to offshore outsourcing to fulfill many of their business and human resources processes. Given India’s success in building a significant share of the offshore business process outsourcing (BPO) market, a significant portion of the data is now being processed in India.
Recently, there have been allegations that call center employees based in India have stolen data outsourced to Indian service providers. Regardless of whether or not these allegations represent a trend or just convenient headlines, there have been concerns raised about the security of data held by Indian service providers, and the remedies that non-Indian companies may have in India in the event of a breach, either to seek recourse against the offender or to prevent the misuse of data.
This article describes some of the remedies that are available to companies to deal with and prevent the misuse of data in India.
In the wake of concerns around data security and privacy in India, the National Association of Software and Service Companies (NASSCOM), one of the most recognized and vocal trade organizations in the information technology (IT) software and services industry in India, has put in place several measures to address data security concerns regarding service provider employees.
Earlier this year, NASSCOM launched a National Skills Registry for IT professionals. This is intended to help employers conduct better background checks on employees by tracking certain information about employees, such as employment history. More recently, NASSCOM announced plans to set up an independent, self-regulatory organization to set and monitor data security and privacy “best practices” by outsourcing service providers in India.
Service providers in India are also increasingly adopting compliance programs and comprehensive security audits, including personnel and equipment audits, to put specific checks in place to prevent misuse of sensitive information and data. Compliance programs include training of employees to enhance awareness of confidentiality and training for computer system managers with regard to securing computer systems, common threats to information security, access control techniques, risk assessment and management, intrusion detection, authentication and other similar issues. Enforcement agencies in India also work with BPOs to conduct workshops to enable employees to improve knowledge and skills to prevent and prosecute misuse of data.
However, despite the preventative measures, non-Indian companies should still be aware of what they can do in the event of a data security breach in India.
Laws Relating to Data Security in India
The Indian legal system is substantially based on the British common law system. While there is no omnibus Indian data security law, there are several laws that apply to data theft or misuse in India. Typically, when an incident involving data occurs, a complaint is filed for theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy under the provisions of the Indian Penal Code, 1860 (“IPC”), and for hacking under the Information Technology Act, 2000 (“ITA”). Many of these offenses under the IPC and the ITA allow for an arrest without a warrant, are non-bailable and carry penalties that range from imprisonment for a year to life imprisonment, as well as fines.
Moreover, certain offenses carry higher penalties when the offender is an employee, a public servant, a merchant, an attorney or an agent. For example, misappropriation of data by criminal breach of trust carries a penalty of imprisonment for up to three years. However, when the criminal breach of trust is carried out by an employee (such as in a case where the data is dishonestly misappropriated and converted by an employee for his or her own use), the penalty increases to imprisonment for up to seven years. Further, when the offender is a public servant, merchant, attorney or agent, the penalty can be as high as life imprisonment.
In addition to these criminal affairs, civil proceedings for copyright infringement under the provisions of the Copyright Act, 1957 (“CA”) and the Specific Relief Act, 1963 (“SRA”) are also typically initiated to prevent the misuse and dissemination of data. The penalties under the CA and the SRA can range from hefty fines and damages to temporary and permanent injunctions.
Over and above the laws currently in place, the Indian government is currently in the process of amending the ITA to deal with data privacy and security issues. The proposed amendments are currently under review by the Ministry of Law, Justice and Company Affairs before being presented to the Indian Parliament. .They include provisions that would empower the Central Government to make rules concerning control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records and rules prescribing modes of encryption for data security.
What do you do if you’re in a company that needs to deal with a incident of data misuse or theft in India? In general, you’d start by filing a criminal complaint with the police station that has jurisdiction over the area where the data security breach occurred. This comes under the provisions of the ITA, IPC and CA for theft, misappropriation, or misuse of data and infringement of copyright. The local police station however, may not be in a position to properly investigate a data security incident, as not all officers are adequately trained to deal with cyber-crime cases.
Thus, in the alternative, you can make a criminal complaint to Cyber-Crime Cells set up by the State Police Departments. These Cyber-Crime Cells have been established specifically to investigate and prosecute cases of data theft and copyright infringement, as well as other cyber crime cases. Cyber-Crime Cells of several State Police Departments (such as Delhi) organize training programs to enhance investigators’ skills and knowledge concerning data protection. Plus, they have the know-how to use advanced equipment to investigate data security incidents. In fact, the U.S. Department of State recently trained Indian cyber crime investigators on investigating techniques.
The investigating officers at Cyber-Crime Cells have the power to seize infringing or stolen data by conducting searches and raids on the premises of the alleged offenders and can also prosecute the offenders in the criminal court that has jurisdiction over the police station where the complaint was registered. The law enforcement agencies also have the power to arrest offenders and keep them in custody during the course of the investigation and prosecution (until bail is granted to the offenders by the court).
If a company believes that the local police station and/or the Cyber-Crime Cell lack the requisite expertise to investigate a data security incident, the company may make a formal complaint with the Central Bureau of Investigations (the “CBI”) under the provisions of the ITA, IPC and CA. The CBI is an independent, autonomous investigating agency set up by the Government of India, which has professionally trained the Cyber-Crime Units in various states to investigate data security incidents. If the officer investigating the complaint determines that a prima-facie offence is committed, he or she can register the complaint and file a charge sheet with the competent criminal court.
Additionally, complaints alleging offenses under provisions of the ITA can also be made to the Controller of Certifying Authorities. Upon receipt of a complaint, the Controller of Certifying Authorities investigates allegations and can order punishment of an offender under the provisions of the ITA. As the Controller of Certifying Authorities is a quasi-judicial authority, an appeal against its orders can be made only in the State High Court.
Finally, in addition to, or in lieu of, a criminal complaint, under the provisions of the CA and the SRA, you can file a civil suit seeking damages and an injunction to restrain the misuse and misapplication of data. A civil court can issue an interim temporary injunction pending final adjudication of the civil suit.
Issues in the Indian Legal System
While several measures have been put into place to deal with data security issues, some concerns still remain regarding the Indian legal system. Indian courts are over-burdened — in 2005, the lower courts had over 20 million pending cases, while the high courts had over three million. Delays in the system are common, and an average case can take several years to be resolved.
However, things are changing. Several measures are underway, and the Prime Minister of India, as well as the Chief Justice of the Indian Supreme Court have committed to dealing with the issues facing the Indian courts. Further, the system itself — while slow — works.
Ultimately, though, it’s the preventative measures being put into place by the service providers themselves to deal with data security and privacy issues that will give clients the greatest sense of protection.
Unfortunately, data breaches have occurred and will probably continue to occur in many parts of the world. Fortunately for companies that have sent data to India — whether via offshore outsourcing or otherwise — the Government of India has responded to the concerns raised about data security issues. Plus, proven methodologies have been put into place and refined to minimize the damage, punish the offender and deter the tempted.
Obviously, there are many steps that a non-Indian company can and should undertake to minimize its risk. For example, you need to conduct due diligence and risk assessments when choosing service providers, as well as implement appropriate contractual measures designed to meet your objectives, monitor the service provider’s compliance and make adjustments to reflect modified risks. A combination of all these measures should go a long way towards reducing both the number of incidents and the consequences of data theft and misuse in India.
This article was written with the kind assistance and excellent insights of Alistair Maughan, a partner in Morrison Foerster's London office, and Madhavi Batliboi, an associate in the New York office..
Morrison & Foerster LLP
Central Bureau of Investigations
Controller of Certifying Authorities
Copyright Act, 1957
Indian Penal Code
Information Technology Act 2000 (ITA)
National Association of Software and Service Companies (NASSCOM)
National Skills Registry
Specific Relief Act, 1963