Log in ....Tribune

Monday, March 24, 2003
Feature

All it takes is a weak link
Peeyush AgnihotriIllustration by Sandeep Joshi

THAT the call centre industry in India is as unsteady as a ship sailing in choppy waters, navigated by a drunk sailor, is no secret. As if global recession, intense competition and the New Jersey Bill were not enough, the latest issue is of data protection. It has come to fore after the recent conviction of a call centre employee for stealing credit card number. Barring the cyber state of Andhra Pradesh, no other government (Centre or state) is making an attempt to enact data protection laws. So much for clients’ confidentiality.

Incident

The debate gathered momentum after the recent conviction of a call centre employee by a Delhi court in what is being described as the first conviction for cyber crime. A local court in Delhi convicted Asif Azim, a Noida-based call centre employee, for using an American citizen’s credit card to make online purchase from Sony. This 24-year old engineer smooth-talked a client, Barbara Campa, at his call centre, to reveal her credit card number and key details on the pretext of setting right her billing records. Using this information, the call centre executive made nearly $ 575 worth of purchase from a Sony portal for NRIs. Barbara was shocked to get the bill and predictably, refused to pay, saying she hadn’t authorised the transaction. Sony then lodged a complaint and the CBI officials traced Azim through the call centre’s IP address. After a seven-month trial, Azim confessed.

According to the IT Act, Sony would have been entitled for compensation and no more. Since the case was also covered under IPC for cheating, imprisonment was possible. However, taking the culprit’s educational qualifications into consideration, the court put him on probation.

Impact

Can such incidents have a far-reaching consequence on call centre industry in India?

Vikram, head of operations at Kalldesk, a Chandigarh-based call centre, says such incidences at call centres may have a direct bearing on the centres credibility. He also agrees that most of the time such issues go unreported as the matter is amicably settled between the call centre, the erring executive, the client and the enterprise at whom the fraud is targeted.

A Wharton Business School study found that security concerns and vendor viability were the key reasons why only 5 per cent of the US companies with $100 million to $ 4 billion in revenue outsourced offshore. Many Indian outsourcers underestimate the complexities of operating a centre themselves. As it is, the Indian call centres’ billable costs have dropped substantially. At low price levels, quality is compromised sometimes.

A noted cyber expert and Supreme Court lawyer Pavan Duggal avers: "I think these kinds of instances may have bearing upon outsourcing business to India. Companies and entities outside India will soon realise that India does not have a data protection law. Coupled with this is also the fact that India does not have a law on privacy as yet. A perusal of the IT Act clearly shows that its provisions are not adequate for dealing, even indirectly, with the issue of compromise of data and unless India comes across with the distinct law on data protection, we would not only be losing time but also foreign clients and assignments. Companies would not be comfortable granting projects and assignments concerning data in India."

Nasscom officials say that it is too early to relate an isolated case to have far fetching effect on the outsourcing business to India. "There are specific terms and conditions to ensure highest level of care on the confidentiality of the client’s sensitive information and other data privacy issues under SLAs (Service Level Agreement). Nasscom is already working with the Ministry of Communication and Information Technology on introducing data protection laws for the country and would take few more months to be finalised," an executive discloses.

IT Act

Barring Philippines, which is the only country with a fully updated law that covers all aspects of cyber crime, no other country has its IT laws in place. Substantially updated law has been implemented in India, but unfortunately, the Indian IT Act, 2000, is silent on the issues of privacy, protection and regulated use of data. Data protection issues primarily remain in an unregulated environment. The Indian law doesn’t cover data interception and computer forgery.

"The person whose service has been hired in call centre is bound by service contract. Confidentiality and privacy is the part of the contract. Hence for any breach, he is liable under the IT Act, Indian Contract Act and Indian Penal Code. To protect confidential information and privacy the best safeguard is law on data protection. UK, for example, has the Data Protection Act, 1998, in place. There is no such law, or its equivalent, in India," Geeta Gulati, a cyber lawyer points out.

Credit card fraud is a big business that takes in nearly $1.5 billion a year and experts point out that the present case is just a tip of the iceberg.

"Stealing of data is in call centres is an area of increasing concern due to its increasing volumes. This is by no means an isolated case. However, this is one case that has been reported. It is pertinent to understand that cases relating to stealing of data are generally not being reported. Unfortunately, at the time of writing, India does not have any law on data protection and in the absence of any specific law on data protection, no remedies under the same can be exercised," Duggal asserts.

There is no doubt that outsourcing by the USA and other European countries have contributed substantially in making the IT sector recover. However, foreign capital and work can be fickle unless security concerns are adequately addressed. It’s high time that some legislation or act is put in place to protect data at call centres. Till then, various businesses will have to take measures to protect the data of their customers.