BPO firms carry the can

A year-long sting operation by a BBC channel into data theft involving BPO work offshored to India, has created public anxiety. In three separate actions, those conducting the operation have been able to buy sensitive information from middle-men. The well-documented nature of the investigation lends credence to the allegations. The operation has established that personal financial data offshored to India can and do get compromised. However, if the matter is seen in perspective, it has been no one's case that such fraudulent activity does not take place in India. This is neither the first reported instance of data theft in cyber space, nor the first sting operation. Data theft and cyber crime take place everywhere, including on the premises of the financial institutions themselves. Just as data are offshored to India, larger volumes of those are outsourced to operations within western countries. These too have been victims of data theft.

The critical point is that data theft involving operations offshored to India has been negligible till now, given the volumes involved. This highly satisfactory record has prompted more and more work of greater complexity and criticality to be offshored to India. Thus the public anxiety over the incident is not shared either by the clients of Indian BPO vendors or the vendors themselves. It is like plain old burglary; these things happen and the Indian geography is, if anything, a lot safer than many other locations. UK trade unions have already made a noise about the danger of offshoring but that again is to be expected. The Indian IT-BPO industry and its clients believe that offshoring in general, and in particular to India, is now so mainstream and so successful, despite the occasional glitches, that nothing can turn the tide back.

The confidence that clients have in offshoring work to India is the result of the pains taken by the Indian industry to set up secure systems that satisfy everybody. In an earlier instance, a fraud at Wipro Spectramind was detected by the internal checks of the firm itself. In all this, unfortunately, the industry has had no help from the government. In its over two years in office, the UPA government has not been able to bring proper legislation to give legal backing to the work that the industry has been doing on its own. This is when substantial work on the matter had already been done by the previous NDA government. The information technology ministry has woken up after the latest developments and promised to bring new legislation in the winter session of Parliament. However, the experts doubt whether the amendments to the IT Act to be proposed will be adequate; in particular, they question the wisdom of the government in choosing to amend the existing IT law instead of bringing in a new law on data security. Their contention is that amending the IT Act with the traditional anti-burglary approach of the policeman will not address the compromise of confidential data, which is a fiduciary failure. Bangalore policemen investigating the data security breach at an HSBC operation have gone on record saying they find the existing law inadequate. Some experts even fear that the promised cure (amendment of the Act) will be worse than the disease. They are, in particular, alarmed by the move to introduce compounding of offences, which can remove the fear of going to jail.