9 February 2005--A woman from halfway around the world e-mails a prominent hospital on the West Coast of the United States, demanding that she be paid hundreds of dollars in overdue wages. The hospital knows nothing about the woman or her paymaster, but it indirectly employs both through a medical transcription firm that gets the work done through subcontractors.
The woman, working overseas at cut rates, cannot get her employer in the United States--a service provider working for a subcontractor--to pay up. So she decides to approach the hospital directly, underscoring her demand with a chilling message.
"Your patient records are out in the open to be exposed," she writes. "So you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records."
The fever dreams of a hospital administrator? No, this really happened. It was initially reported by the San Francisco Chronicle and continues to be mentioned in discussions in the United States about outsourcing. Stories such as this one involving a transcriber in Pakistan are extremely rare. But they terrify outsourcing firms. Even more terrified are their clients, who are ultimately responsible for protecting the privacy of their customers.
Opponents of outsourcing back-office, customer-service, telemarketing, and other business operations to India--still the top choice for firms looking for skilled workers at a fraction of the wages paid in many countries--used to focus only on job losses. Now, data and privacy protection have emerged as key concerns. Indian firms worry that these concerns could be used to rally support against outsourcing.
While most privacy and security violations are either not reported or relatively minor, there have been a handful of significant departures. Earlier this year, Capital One Financial Corp., a major U.S. credit card company in McLean, Va., decided not to renew a contract with an Indian service provider after discovering that some of the latter's employees were making unauthorized offers to customers.
India's business-process outsourcing, or BPO, industry says its security standards match the best in the world. There has never been a major instance of data theft in India. Nonetheless, companies in the United States do fear such an event, says Richard M. Rossow director of operations at the U.S.-India Business Council in Washington, D.C. The fear is "not because they are at a higher risk of such a thing taking place in India, but rather because public perception of sending work to India is so bad that it will take only one major event for the affected company to 'pull the plug' on their India data service venture."
India's BPO industry grew 54 percent to US $3.6 billion in the fiscal year ending 31 March 2003, according to the National Association of Software and Service Companies (NASSCOM), in New Delhi. Eager to sustain this rapid growth, Indian firms are working with the government to amend existing laws to strengthen privacy protection.
India does not have a specific privacy law. However, privacy is protected through other laws, among them the Information Technology Act and the Indian Penal Code. Courts have upheld the right to privacy, although penalties for violations are minimal. This has led to uncertainty about how overseas clients might seek justice against contract violations by Indian firms.
Pavan Duggal, a cyberlaw expert in New Delhi, says that without stronger laws, foreign companies cannot secure "effective relief" in India. For example, he says, even if a client wins a favorable judgement from a U.S. court against an Indian firm, it is "extremely frustrating" to enforce this under India's current laws.
The government is planning to tighten some of its laws relating to privacy by imposing stiffer penalties, including jail time, for transgressions. This is expected to happen by the middle of this year.
Even without stronger laws, major tech players in India's BPO industry such as Tata Consultancy Services, Wipro Technologies, and Infosys Technologies stress that they already comply with internationally accepted security standards. Employees are made to remove any data storage or transmission devices such as cellphones and PDAs before entering physically secured areas. Access to computers and photocopiers is on a need-only basis. Office machines do not have writable disk drives. Security cameras monitor office activity. Internet access is banned, and notes from telephone conversations are shredded at the end of a shift. Furthermore, clients hide certain customer details from outsourcing details such as social security numbers, telephone numbers, and addresses.
Information sent to India may indeed be safe. But there are signs that concerns over security and privacy are starting to outweigh worries about job losses in the move against outsourcing. The U.S. Congress and various state legislatures have proposed nearly 200 laws that would restrict the practice. Several have provisions that restrict the transfer of personal information.
Is this protectionism? Maybe. But for some clients of outsourcing firms such as financial institutions and hospitals, the concerns are very real. Take the example of a bank, which does not sell a physical product. Rather, the only thing it "sells" is trust, says Rhonda MacLean, chief information security officer at Bank of America Corp., in Charlotte, N.C. "Ultimately, that's the only product we sell, so we have to be very, very good at it."
So whether or not U.S. lawmakers impose security standards, Indian firms will have to answer to their overseas clients for whom consumer confidence is of paramount importance.
Security and privacy regulations are even more stringent in the European Union, which allows companies to send personal data only to countries it has certified as safe. India is not one of these countries.
As legal reforms get under way in India, the country's fast growing BPO industry is trying to do its bit. NASSCOM, which holds its annual meeting in Mumbai this week, plans to audit all its 860 members for data-protection measures, finishing the project by the end of this year.
"Security breaches will occur, security standards will evolve," says NASSCOM vice president Sunil Mehta. "We hope to be significant players driving the development of these standards."