Data Protection-The Legal Solution
Aprajaya Makkar and Pooja Yadava
Saturday, October 1, 2005
As India continues to assert itself as the most preferred destination for outsourcing, it has also had to bear the brunt of criticism over loss of jobs and data security. But how far is this hullabaloo justified?

Surveys suggest that the loss of jobs is not necessarily real, and that offshoring even benefits the economies of the offshoring countries in the long run. It is data security that we will examine here.

It is true that cases of data leakage have come to light and questions are being raised on the wisdom of offshoring, particularly to India, which has no specific data protection law.

So, has such an obvious lacuna been ignored to save costs? Surely, businesses cannot be that naïve if they are to survive. And naïve they have not been; the situation is salvaged to some extent by a few other measures.

Mercifully, there are ‘proxy laws’, which provide some measure of security to the offshorer, the primary of these being the Information Technology Act, 2000 (IT Act). The Act creates liability for:

1. Unauthorized access and data theft from computers and networks (damages up to $230,000)

2. Tampering with computer source codes (imprisonment up to three years and/or fine up to $4,610)

3. Hacking (imprisonment up to three years and/or fine up to $4,610)

4. Breach of confidentiality and privacy (imprisonment up to two years and/or fine up to $23,000).

However, specific provisions for data protection are called for. The Patents Act, 1970 protects both product and process inventions. An application for grant of patent in India is protected by the Act. However, patent protection of computer programs per se, except their technical application to industry or a combination with hardware, is not granted and this would require consideration by the legislature.

The Copyright Act, 1957 treats a computer program as a copyrightable work, and anyone copying a computer program may face imprisonment of up to 3 years and monetary fines of approximately between $1,100 and $4,500. Foreign work is given similar protection as work produced in India.

Another measure that provides data protection is the contract between the parties. Foreign companies normally execute a Service Level Agreement with their service provider addressing data security and confidentiality issues. Under the Contract Act, 1872, violation of a contract entitles the non-defaulting party to recover damages.

Again, for criminal breach of trust, the Indian Penal Code, 1860 provides for imprisonment up to three years and/or fine. Temporary and permanent injunctions against unauthorized disclosure of confidential information may be claimed under the Specific Relief Act, 1963.
Additionally, Indian companies implement global standards such as BS 7799 and ISO 17799 for information security management, which restrict the quantity of data that can be made available to employees of the offshore centers.

So there seem to be adequate safeguards. Then why such a hue and cry over information security?
Well, because despite all the above safeguards, breaches do occur. This is not to say that there are no breaches in countries with specific data protection laws. Then, where are the lacunae?

Though NASSCOM and software industry officials term incidents like MphasiS and Infinity eSearch over-hyped and do not predict any adverse reactions, such recurrences could create data insecurity fears and undermine the credibility of the Indian outsourcing industry.

First, of course, a specific data protection law is necessary, not only to address specific security concerns, but also to build confidence in the outsourcing countries.
Then, having laws on paper cannot be an end in itself; enforceability has to be a necessary concomitant. The choice of law, provisions of contracts and enforcement of foreign regulations are a hindrance. Indian companies are binding themselves to a great extent as per the U.S. and EU regulations; however, in case of a possible infringement, the applicability of these regulations is questionable because enforcement of foreign judgments in India is largely based on bilateral treaties or reciprocal arrangements.

In the absence of such a treaty, a fresh suit would need to be filed and the court would then decide the validity of the judgment, which is time-consuming. From the perspective of foreign companies, the problem with these foreign regulations is that they do not hold much ground before the Indian courts and are thereby self-defeating in situations where there is any leakage of data.

But how do countries like the U.S., which have no specific data protection law, get by? The U.S. has sector-specific laws for safety of proprietary data. American companies complying with the Safe Harbor legislation are deemed to have adequate security and are compliant with the EU Data Protection Directive. Nevertheless, according to NASSCOM, most Indian companies provide a comparable and at times better security environment to their clients.

But, by failing to provide adequate legislation, India could lose its credibility, and thereby the opportunity to sustain the niche it has carved for itself, and pave the way for its competitors. One fallout seems to be in the quality of work that is offshored to India. It is notable that jobs at the higher end of the value chain, like financial, medical, engineering, research and development and biotechnology, are not getting outsourced to India the way work like billing, insurance claims processing and transcription is.

Information security involves assessing risk and putting controls in place for risk mitigation. Companies could introduce frequent periodic reviews of technical and organizational measures taken to prevent unauthorized processing or accidental destruction of data, in addition to the conventional ways like banning pen and paper in the office, disabling floppy and CD drives and installing closed-circuit cameras. Data encryption is also advised where data need not be seen by the Indian company. However, this may not be possible for small companies with limited funds.

Organizations, along with the procedures/principles for data security, must also have readily available and affordable independent recourse mechanisms to investigate and resolve complaints. In addition, employment contracts could be more stringent; organizational policies and awareness training programs for employees could be better; identification and classification of data, leading to a privacy framework, could be done at the outset; and a database of workers, with third-party checks to verify workers’ details, could be maintained. These are measures which are perhaps already being implemented by companies.

An IT Review Expert panel was established in January this year to consider inter alia suitable data protection provisions. NASSCOM and the industry have been expressing the necessity of appropriate legislation; perhaps the industry should simultaneously take on a more proactive role in adopting adequate data protection to avoid restrictions from EU/U.S. regulators, share views/policies amongst each other and help build a security policy framework so that India does not lag behind due to bureaucratic delays. Latest reports suggest that amendments to the IT Act dealing with tougher cyber law and its enforcement are in the offing.

Aprajaya Makkar and Pooja Yadava of Priti Suri & Associates, Legal Counselors, New Delhi, India.