The Important Issues Of Data Privacy Information Technology Essay

The issue of information security and data privacy is assuming tremendous importance among global organizations, particularly in an environment marked by computer virus and terrorist attacks, hackings and destruction of vital data owing to natural disasters. The worldwide trend towards offshore outsourcing of processes and IT services to remote destinations, leading to the placing of valuable data and information infrastructure in the hands of the service providers, is also creating the need for information security solutions that will protect customers’ information assets. As crucial information of a financial, insurance, medical and personal nature begins to get handled by remotely located offshore outsourcing service providers, there is a growing concern about the manner in which it is being collected, stored and utilized.

Indian IT and ITES-BPO service providers today have the responsibility of not just protecting their own internal information, but also that of their customers, who trust them with crucial organizational data. A service providers own information could include its financial information, proprietary methods for creating and delivering its products, customer lists, or business plans. Customer information might include licensed software and personally identifiable information (such as employee or customer records).

Security requirements of customers

Organizations outsourcing their processes to overseas countries look not just for a robust regulatory/policy framework governing data protection and privacy in the host country, but also expect the service provider to have several security processes in place. Typical customer requirements include:

· The existence of a strong legal framework to deal with data protection and intellectual property rights issues.

· Deployment of international security standards such as ISO 17799 and BS 7799, etc. by vendors.

· The availability of verification and auditing process to track processes such as the development of a software code and authenticity of a telephone call

· Implementation of ethical practices related to client confidentiality, etc., especially in areas such as research

· Deployment of firewalls and data encryption features at the level of the service provider to ensure reliable communication and network security.

· Controlled access to all production sites through electronic ID-card.

· Vigilance over employee dissemination of critical information via emails, discussion groups, etc.

· Strong security policies within ITES-BPO organizations in order to address the issue of client confidentiality related to addresses, phone numbers, credit card information etc.

A typical information security policy framework should encompass the following components:

· A written and realistic security policy.

· Commitment of top management to the information security initiative

· Evidence that security risks have been assessed, legal requirements understood and steps implemented to address the security risks

· A strong operational team that shows understanding of security issues and demonstrates satisfactorily how the service providers deals with those issues.

· The adoption of well-accepted security standards, such as ISO/IEC 17799 Code of Practice for Information Security Management, the US Department of Commerce’ s NIST Special Publication 800 Series, and the ISO/IEC TR 13355 Guidelines for Management of IT Security.

· A disaster recovery arrangement in place, backing up data regularly, requiring keycard to access key facilities, protecting all databases with passwords, and making a background check a condition to hiring employees.

· Services conducted under legal controls that affect the customer. For example, health care institutions in the US are affected by the HIPAA (Health Insurance Privacy and Portability Act) privacy regulations. These are dense and difficult to comply with. Indian service providers to this segment should therefore comply with the HIPAA privacy regulations.

BPO companies need to address many issues as below

Privacy:

Privacy refers to the right of an individual/s to determine when, how and to what extent his or her personal data will be shared with others. Personal information is defined, in general, as any information relating to an identified or identifiable individual. Privacy is concerned with the collection, use storage, access, flow, sharing and destruction of personally identifiable information.

Data Protection:

Data protection refers to national laws drafted to protect the confidentiality of personal data of a country’s citizen or citizens. There is a growing concern amongst countries about unidentified persons having access to sensitive information such as credit card numbers, social security numbers, and medical histories. Incidents of misusing data in the past, has prompted countries to draft strict laws to secure data being sent to other countries. Nations in the EU, United States, Hungary and Switzerland have adopted stringent data protection laws.

Physical Security

Security personnel shall be deployed in all entry and exit points. No one shall be allowed without proper ID.  Biometric or some advanced technologies may be used to track the employee movement.  Policies must be in place to ensure that any movement of material and people.  Any material movement must be authorized by the concerned person and must able to be tracked. Avoid employees in critical areas from carrying mobile phones, with or without cameras. A facility to attend calls from near and dear may be allowed at a spot away from their work desk.

Privacy

Privacy is the right of individuals to determine how much data can be shared and to what extent. For a BPO, privacy includes all the data of the client and its’ customers. Hence BPO company has to maintain the confidentiality of data through physical security, Technology, policies etc and shall use this data only for the purposes by its owner. This may include non disclosure of Social security numbers, passport details, bank details, PAN (of Income tax), Health information, financial/loan details etc

Web Security

Generally the BPO may not need a web page through public domain for a client. Virtual Private Network between the supplier-customer enables better secure communication. Ensure that any transaction/ communication are logged and tracked.

LAN/WAN Security

Provide a Firewall of repute. Do not compromise. The firewall to be configured to the servers & ports identified with the customer. Intranet server and the data server handling client information shall not be on the same server.

Security against Malicious Programs/ Virus/Worms/Trojans

Strong anti virus procedure shall be implemented. While the virus may or may not steal information, they may corrupt the database or the server itself. Ensure that the servers and client machines are protected properly.

Secure Login and Logout of Resources with tracking

Attendance recording system must be in place. Every employee logs in to their systems. Email system shall take care of all SPAM and open port issues to stop others exploiting your open SMTP ports, if any.

 Irrespective of security breaches, every BPO must have a Security policy and ethics policy. Go through Service Level Agreements (SLA) and define the required security policy, if required, a different one for each client.

Almost all the security breaches happen due to the people. Machines are not so intelligent today to originate the fraud. And more often the security breaches are due to the own employee mischief.  Hence have a good screening mechanism while recruiting people. HR is burdened with getting more people on board. We can understand the pressure, but any laxity in checking the credentials of the candidate may become more expensive for the company.

Some Security breaches

Karan Bahree, an employee of Infinity e-Search sold information on 1,000 accounts and number of passports and credit cards for about £2,750 to an undercover reporter. And this hit the roof and everyone talks about lack of Security in Indian BPOS.

Mphasis people were caught playing around with others bank accounts! This never happened earlier? This happens as long as people are greedy – either for money or just for the kick of cheating the system.

In 2005, a laptop containing the names and credit card numbers of about 80,000 employees U.S. Department of Justice was stolen from the Fairfax , Va. , headquarters of Omega World Travel, a travel agency handling the DOJ account. 

In the same year, the largest U.S. banking security breach in history came to light where 676,000 consumer accounts involving New Jersey residents who were clients at four different banks were attacked.

Orazio Lembo, 35, has been charged with one count of racketeering and eight counts of disclosing data from a database for his alleged role in the crime ring. The suspects manually built a database of the 676,000 accounts using names and Social Security numbers obtained by the bank employees while they were at work. The information was then allegedly sold to more than 40 collection agencies and law firms. Lembo used his home as an office for DRL Associates and that he hired the upper level bank employees to access data, including names, account numbers and balances, from the banks. The bank employees worked for Wachovia Corp., Bank of America Corp., Commerce Bancorp Inc. and PNC Bank NA. Lembo, who was also charged with narcotics, forgery and theft counts, faces up to 130 years in prison and $1.47 million in fines

Microsoft suffered a $400 million loss due to a two-month delay in releasing Windows 2003 due to attacks from viruses ‘Nimda’ and ‘Code Red’,

In the US , thieves hacked into a DSW Shoe Warehouse database and stole card details of 1.4m credit cards.

UK ‘s fraud prevention service, reported 18,900 identity fraud in the first quarter of current year

The NASSCOM-Evalueserve study on the Indian Information Security environment It is becoming clear that Indian IT and ITES-BPO companies and the Indian Government are beginning to focus on providing a secure offshoring environment for global customers. The issue of information security in fact, has gradually moved from the back-burner to occupy center stage in the Indian market. Even leading industry associations such as NASSCOM have placed the issue of information security at the top of its agenda. As part of its recent Trusted Sourcing initiative, NASSCOM recent undertook a study on the Indian Information Security (regulatory environment and security practices) in India. Conducted jointly with Evalueserve, the study benchmarked Indian IT and ITES-BPO companies with their counterparts in the US and UK with regards to practices followed in the areas of data security, confidentiality and privacy laws.

The role of the Indian Government in the area of Information Security

The Ministry of Information Technology in India has undertaken has implemented various initiatives to place the nation at par with other countries in the area of Information Security. Listed below are some of the key steps that have been taken:

The Standardization, Testing and Quality Certification (STQC) Directorate, set up by the Government of India has launched an independent third-party certification scheme for Information Security Management Systems

The Indian Computer Emergency Response Team (CERT) has been set up to protect India’s assets against viruses and other security threats. CERT’s activities will be supported by advanced research in the field of information security at the CERT at IISc Bangalore

The Indian Government has recently set up the Information Security Technology Development Council (ISTDC), with experts drawn from the user, industry and R&D agencies to facilitate, coordinate and promote technological advancements, and to respond to information security incidents, threats and attacks at the national level

Several R&D projects that have been initiated by the Indian Government to address current and future security needs in areas such as information security and management training and certification, futuristic technologies in secure computer infrastructure, core network security technologies, development of validated security process, protocols and standards for e-cheque clearing, among others NASSCOM recommendations While India offers a secure environment for offshore services, in order to further enhance the country’s security management practices, NASSCOM recommends the following:

Companies need to hire certified security professionals to take care of security issues and leverage their knowledge and expertise

With a view to educating and increasing awareness on security related issues, companies should share best practices

Spending on security should not be on an ad hoc basis and companies need to make adequate investments for security purposes

The Indian Government should reach an agreement (such as Safe Harbor Agreement with the US) with other countries and ensure that compliance on data protection is equivalent to complying with other international laws

The Government should draft simple compliance guidelines so that laws can act as an accelerator for conducting business and do not provide to be a hindrance

The IT Act should be tuned to meet global trends and should be revised on a regular basis. Data theft should be made a criminal offence under the IT Act.

Examples

In an effort to increase information security, Indian BPO companies now conduct thorough background employee checks, often even looking at school and college records. “We also do a lot of our hiring through referrals by our current employees, which helps us in getting people whose credentials are easily verified,” said Shanmugan Nagarajan, founder and chief operating officer of 24/7 Customer, a Bangalore-based BPO company. The BPO industry also circulates privately among members a “black list” of employees who were fired on disciplinary grounds, Nagarajan added.

U.S. and U.K. worker unions, opposed to outsourcing, have questioned the judiciousness of having personal data processed in India. The U.K.’s Amicus trade union warned earlier this year that offshore outsourcing is “an accident waiting to happen.”To allay such concerns, Indian BPO companies have stepped up security measures, and in the process have impressed some customers.”We have been very pleased with Wipro’s performance and attention to security and privacy,” said Chris Larsen, chief executive officer (CEO) of E-Loan Inc., a consumer direct lender in Pleasanton, California.

Norwich Union, a Norwich, U.K.-based insurance group that outsources call center and back-office processes to about five companies in India, does not transfer data to its Indian contractors. “We have a ‘no data in India’ rule, and the information is only available in India while the transaction is being processed,” said John Hodgson, offshore program director at Norwich Union. Hodgson added that the his company incorporated provisions of the U.K.’s Data Protection Act and the European Union’s (E.U.’s) Data Protection Directive into contracts with its Indian suppliers.

The study revealed the following about the information security scenario in the country:

Indian companies have robust security practices comparable and at times better than those followed by western companies. Indian IT and ITES-BPO players comply with BS 7799, a global standard that covers all domains of security. They also have an established Information Security Management System (ISMS) policy for ensuring information security on various aspects such as acceptable usage policy, information classification policy, mobile computing policy, risk management policy, third party access policy, etc.

Indian IT and ITES-BPO service providers were also aware of and implementing other international security standards such as ISO 17799, COBIT, and ITSM

Spending on security among Indian IT and ITES-BPO companies ranges from five to 15 percent of the IT budget

4. The Indian legal system and proxy laws provide adequate safeguards to companies off shoring work despite no explicit data protection laws. Laws such as the IT Act 2000 and the Indian Penal Code Act and the Indian Contract Act, 1972 provide adequate safeguards to companies off shoring work to India

5. India is in the process of reviewing the clauses of the IT Act 2000 to address the issue of misuse of personal information/data. The idea is to insert to meet the adequacy norms specified by EU, as well as those given in the US-EU Safe Harbor Agreement including breach of contractual arrangements between the contracting parties.

6. The country has a strong Copyright Act, one of the most modern copyright protection laws in the world, which is fully compatible with the provisions of the TRIPS Agreement and extends the provisions of the Copyright Act to nationals of all World Trade Organization (WTO) member countries.

7. The Indian government is proactively strengthening the Indian legal system to provide appropriate data protection cover