Monday, March 24, 2003 |
|
Feature |
|
All it takes is a
weak link
Peeyush Agnihotri
THAT
the call centre industry in India is as unsteady as a ship sailing in
choppy waters, navigated by a drunk sailor, is no secret. As if global
recession, intense competition and the New Jersey Bill were not enough,
the latest issue is of data protection. It has come to fore after the
recent conviction of a call centre employee for stealing credit card
number. Barring the cyber state of Andhra Pradesh, no other government
(Centre or state) is making an attempt to enact data protection laws. So
much for clients’ confidentiality.
Incident
The debate gathered
momentum after the recent conviction of a call centre employee by a
Delhi court in what is being described as the first conviction for cyber
crime. A local court in Delhi convicted Asif Azim, a Noida-based call
centre employee, for using an American citizen’s credit card to make
online purchase from Sony. This 24-year old engineer smooth-talked a
client, Barbara Campa, at his call centre, to reveal her credit card
number and key details on the pretext of setting right her billing
records. Using this information, the call centre executive made nearly $
575 worth of purchase from a Sony portal for NRIs. Barbara was shocked
to get the bill and predictably, refused to pay, saying she hadn’t
authorised the transaction. Sony then lodged a complaint and the CBI
officials traced Azim through the call centre’s IP address. After a
seven-month trial, Azim confessed.
According to the IT Act,
Sony would have been entitled for compensation and no more. Since the
case was also covered under IPC for cheating, imprisonment was possible.
However, taking the culprit’s educational qualifications into
consideration, the court put him on probation.
Impact
Can such incidents have a
far-reaching consequence on call centre industry in India?
Vikram, head of operations
at Kalldesk, a Chandigarh-based call centre, says such incidences at
call centres may have a direct bearing on the centres credibility. He
also agrees that most of the time such issues go unreported as the
matter is amicably settled between the call centre, the erring
executive, the client and the enterprise at whom the fraud is targeted.
A Wharton Business School
study found that security concerns and vendor viability were the key
reasons why only 5 per cent of the US companies with $100 million to $ 4
billion in revenue outsourced offshore. Many Indian outsourcers
underestimate the complexities of operating a centre themselves. As it
is, the Indian call centres’ billable costs have dropped
substantially. At low price levels, quality is compromised sometimes.
A noted cyber expert and
Supreme Court lawyer Pavan Duggal avers: "I think these kinds of
instances may have bearing upon outsourcing business to India. Companies
and entities outside India will soon realise that India does not have a
data protection law. Coupled with this is also the fact that India does
not have a law on privacy as yet. A perusal of the IT Act clearly shows
that its provisions are not adequate for dealing, even indirectly, with
the issue of compromise of data and unless India comes across with the
distinct law on data protection, we would not only be losing time but
also foreign clients and assignments. Companies would not be comfortable
granting projects and assignments concerning data in India."
Nasscom officials say that
it is too early to relate an isolated case to have far fetching effect
on the outsourcing business to India. "There are specific terms and
conditions to ensure highest level of care on the confidentiality of the
client’s sensitive information and other data privacy issues under
SLAs (Service Level Agreement). Nasscom is already working with the
Ministry of Communication and Information Technology on introducing data
protection laws for the country and would take few more months to be
finalised," an executive discloses.
IT Act
Barring Philippines, which
is the only country with a fully updated law that covers all aspects of
cyber crime, no other country has its IT laws in place. Substantially
updated law has been implemented in India, but unfortunately, the Indian
IT Act, 2000, is silent on the issues of privacy, protection and
regulated use of data. Data protection issues primarily remain in an
unregulated environment. The Indian law doesn’t cover data
interception and computer forgery.
"The person whose
service has been hired in call centre is bound by service contract.
Confidentiality and privacy is the part of the contract. Hence for any
breach, he is liable under the IT Act, Indian Contract Act and Indian
Penal Code. To protect confidential information and privacy the best
safeguard is law on data protection. UK, for example, has the Data
Protection Act, 1998, in place. There is no such law, or its equivalent,
in India," Geeta Gulati, a cyber lawyer points out.
Credit card fraud is a big
business that takes in nearly $1.5 billion a year and experts point out
that the present case is just a tip of the iceberg.
"Stealing of data is
in call centres is an area of increasing concern due to its increasing
volumes. This is by no means an isolated case. However, this is one case
that has been reported. It is pertinent to understand that cases
relating to stealing of data are generally not being reported.
Unfortunately, at the time of writing, India does not have any law on
data protection and in the absence of any specific law on data
protection, no remedies under the same can be exercised," Duggal
asserts.
There is no doubt that
outsourcing by the USA and other European countries have contributed
substantially in making the IT sector recover. However, foreign capital
and work can be fickle unless security concerns are adequately
addressed. It’s high time that some legislation or act is put in place
to protect data at call centres. Till then, various businesses will have
to take measures to protect the data of their customers.
|