BPO Security: A Legal Viewpoint

"Fraudsters sell personal details of thousands of Australians held on the databases of call centers in India. ATM numbers, passport numbers and credit card details available for 10 Australian dollars per person" - A Report

Security breaches such as the recent Australian Broadcasting Corporation case mentioned above, the Karan Bahree episode, and the Mphasis case reported a few months ago expose some of the serious challenges facing the Indian BPO industry. While the authenticity of such reports might be questionable, the industry cannot afford to dismiss such examples as stray incidents. Business Process Outsourcing is an engine which is expected to power India's future growth. BPO companies must take requisite measures to ensure that the rapid growth in this sector does not get hampered by such roadblocks.

Numerous legal issues brought up by such incidents need to be seriously considered. The Indian Information Technology Act 2000, for instance, has not defined in specific terms the meaning of a business process outsourcing service provider. The law only gives a legal definition to the term "network service provider". This term has been drafted and defined in the widest possible terms to incorporate within its ambit all kinds of intermediaries. Since all BPO companies are intermediaries dealing with third-party information or data, they would also come within the ambit of the definition of a "network service provider".

Section 79 of the Indian cyberlaw makes network service providers liable for all third-party data or information made available by them. The law does, however, provide exit mechanisms for network service providers from such liability. A network service provider can escape liability if it is able to prove that it had no knowledge of any contravention of the provisions of law. Alternatively, the law provides that if a network service provider proves that, despite exercising all due diligence, it could not prevent the commission of any offence or contravention under the law, it is free from any kind of liability for third-party data or information made available by it. Considering the extreme difficulty of proving lack of knowledge in court, the only way forward for any BPO company would be to prove that it had exercised all due diligence. However, due diligence as a concept has not been defined in the Indian Cyberlaw.


BPO operations in India are already complying with various specific relevant laws in different target foreign jurisdictions. But there is an urgent need for added compliance under the Indian Cyberlaw. Indian Cyberlaw is generally perceived as applicable only to IT or Internet companies. However, its generic definitions and manner of drafting are such that it can apply to any entity which uses computers, computer networks, electronic information or data, whether for processing, transmitting or any other purpose.

I am of the opinion that with the passage of time, foreign clients shall increasingly insist that Indian BPO units exercise adequate due diligence as prescribed under the Indian Law to ensure the security of all kinds of data or information. In fact, even under some US laws, the CEOs and CFOs of US-based companies have to certify various information security and accounting practices adopted by them when they outsource data. It will be in the best interests of the BPO units to also document all relevant evidence to show that they have exercised all due diligence within the purview of the Information Technology Act 2000.

There is a need to come up with enabling legal mechanisms to deal with financial, personal, health or insurance related data. I am by no means advocating that there is a need for regulation, but I feel that there is a need for minimal enablement for the benefit of the BPO sector.

The Indian Laws are not at all adequate to deal with specialized crimes like the ones mentioned above. India not only requires strong data protection laws but also stringent laws for emerging cyber crimes, which have not been covered either by the IT Act, 2000 or the Indian Penal Code.

Outsourcing is a constantly growing phenomenon and it is absolutely imperative to provide the necessary assurance to all foreign clients that their electronic data or information coming to India for back-office operations is not just safe but also secure and in trusted hands. For that, it will also be prudent for the industry to come up with appropriate best practices, which need to be followed by all players in the sector. It will be interesting to see how the legal response mechanisms to the various challenges emerge in the coming times.

The author, Supreme Court Advocate Pavan Duggal, can be contacted at pduggal@vsnl.com and pavanduggal@yahoo.com