CYBER LAW - THEFT OF PERSONAL DATA AND SAFEGUARDS

CYBER LAW

THEFT OF PERSONAL DATA AND SAFEGUARDS

                Many security breaches and data thefts have recently occurred at companies and government agencies all over the world. The most worrisome data security problem: Thefts of personal data that occur overseas or "offshore," as major corporations outsource their data processing and customer service operations to other countries to cut costs. Threats can emerge from technology, people, and process shortcomings. Broadly, security has two parts-security of system and security with respect to people. On the technological front it has to be ensured that data is secure in the system and access to the system is restricted. As discussed earlier, IT can provide high degree of Info-sec cover for operations through policies, prevention, and detection. This should be followed up with rigorous audits and certifications-BS7799 and SAS70 for IT processes and safeguards. Document classification, clean desk policies, clean printer, and printing regulation policies, data encryption for storage and transmission, access control restrictions, sophisticated event correlation identification, regular penetration testing (to prevent internal and external hacking) and ensuring compliance with data security laws of the land (whether it is India IT Act, HIPAA, BASEL2 etc) are some of the technological measures to secure the data

               According to a recent news report, in late June, an Indian employee working for an outsourcing firm in Bangalore -- India's high-tech capital -- allegedly stole $420,000 from the bank accounts of 20 customers of the British bank HSBC. The theft was brought to light when English customers complained about unauthorized money transfers made from their accounts between March and May 2006. An arrest was made after HSBC Electronic Data Processing India , the outsourcing firm which handles the bank's "back-office" processing in India, discovered that one of its employees had improperly transferred "personal, security and debit card information'' to his co-conspirators.  This is at least the second major bank fraud reported by an outsourcing firm in India in less than a year. In August 2005, police in Pune arrested three former employees of Mphasis Ltd. for allegedly stealing approximately $350,000 from four Citibank customers in the United States. Mphasis is currently owned by a U.S. company, Electronic Data Systems (EDS).

                Are these only two isolated instances? It seems not. In June 2005, an undercover reporter from the English tabloid newspaper The Sun offered to buy confidential customer data regarding thousands of bank accounts from an engineer employed at an Indian call center. The engineer promised him the data. The incident led to a police investigation. In the end, several banks including Lloyds, Barclays, and HSBC were publicly embarrassed by this fiasco. The ease with which the reporter was able to procure supposedly confidential data indicated that reports of the HSBC and EDS thefts may be just the tip of the iceberg.

                That shouldn't be surprising: The practical and legal backdrop here may lend itself to just this kind of incident. As customer data is transferred to computers and networks halfway around the world, it may be more difficult for companies to monitor what happens to that data. Moreover, in the countries where the data is processed or kept, data protection laws may be weak, and law enforcement may not have the resources to investigate instances of security breaches or data theft.

                There may be ways to ensure that companies are vigilant when contracting with external companies to manage their data. In particular, companies to ensure that they provide adequate safeguards when data is transferred offshore.

                Current U.S.-law protections derive from customers' form contracts with companies. They also derive from the Federal Trade Commission (FTC)'s ability to initiate an enforcement action against a company that does not use adequate privacy or security measures when it outsources any of its data-related services. The FTC is empowered to act to address fraudulent or deceptive trade practices, and when companies claim to keep data secure as part of a privacy or security policy, but in fact do not, that may well count as deceptive, or even fraudulent, in the FTC's eyes.

                 In addition, the law imposes on a few industries -- such as health care and financial services - the duty to adequately maintain their computer security. But how this duty applies to offshore companies has yet to be determined. And many other industries that store customer data and may outsource data processing or customer service remain unregulated in this respect.

                 Finally, many states have laws in place that require companies to notify consumers in the event of a security breach. The problem, though, is that the company itself may not know of the breach until after the damage has been done - or may never learn of it. When customers learn of the breach, moreover, they may not know how far their information has traveled or when they may find themselves harmed because of identity theft.

                 By contrast, the European Union has a comprehensive data protection scheme in place. Under the EU Data Protection Directive, companies that handle data are prohibited from transferring it to another country that does not have "adequate" privacy laws in place.

                     In the U.S., however, there is no such broad legislative mandate. Because we believe in the free flow of information, companies can therefore choose to export our data wherever they choose. Would it be better if we adopted the European framework? Perhaps - but enforcement difficulties remain. Thus, even the European framework may not work in practice. We provide customer acquisition, customer retention and customer service solutions for global companies in the banking and financial services, utilities, telecom and media industries. That means we process credit card numbers, social security details, loan information, status of receivables to mortgage companies, etc.

                    The work nature involves authentication of customer information like medical records, financial records and other data at the simplest level to verification of encrypted data at the high end. All of this means that unless the Companies technology provides the highest level of data security and confidentiality, companies and their customers will not trust them. So how does our technology ensure this? As a safeguard, this personal information is split into separate databases so that sensitive data and customer names are not linked on the same table. This linking happens only through a software programme. In most cases, this type of information doesn't even pass through our system. Instead, it remains on the client's own database servers, where the company can use 'thin client technology' to access it remotely. 

                  Ultimately, given the difficulty of policing activity offshore, companies' and countries' self-regulation and customer vigilance may be a more realistic (if not optimal) approach to the risks posed by outsourcing, than an attempt at a legislative solution. A Company  can have a full time security team dedicated to the task of monitoring hacker sites, scanning the horizon, collecting and analysing intelligence and taking preventative action. Having this in-house security team that conducts much of its own detective work is unique in itself.

                    In addition to gathering intelligence, this team has to regularly tests the internal procedures by mounting simulated attacks and seeing how the systems respond. The internal safeguards aside, team must also audits client security at installations to verify their effectiveness of controls. This has to be done as part of Workforce Pvt Ltd. systematic Plan, Do, Check, Act, template to ensure security of data at all times and we have discovered that even the most experienced and vigilant systems can be improved upon. Intrusion management in most companies including clients is limited to detection.  Intrusion Detection Systems (IDS) a step further with the deployment of Intrusion Prevention Systems (IPS) will be added advantage. The Company must also maintain a thorough audit trail for forensic purposes. Every time an Workforce employee log an event into the company’s database, a timestamp is created, and a chronology of events is stored in a database. In the event of a suspected security breach, the team can go back to this database and derive the timeline of activities with great precision. They can then use this data as electronic evidence for forensic purposes, should it be required.

                         Continuity plans must form an integral part of the business strategy and are inherent to all  service offerings to clients. The Company can take a three-tiered approach to our business continuity planning (BCP) strategy. At the core of our BCP solution is the Center BCP approach. A thorough risk assessment using CRAMM (a state-of-the-art risk assessment tool recommended by NATO) forms the basis for developing our Center BCP. The plan addresses all possible threats to physical assets under the CIA. An example of this would be a four level power redundancy plan to ensure continual power supply even, if there were to be a power blackout. The Center BCP ensures that our infrastructure is up and running 24X7

                           The second tier of our BCP solution is the Enterprise BCP wherein as a service provider we have taken a provisioning approach with investments in additional bandwidth and the decision to invest in a self-healing network.

                        What this essentially means is that the network can independently and judiciously take care of re-routing traffic from higher points of congestion to lower points of congestion and counter the threat of link failures and point-of-presence failures.

                         This is possible; given the virtual clouds the company has formed to link multiple points of presence in the United States and the Untied Kingdom and the multiple delivery centers in India (Figure 01).

                         The last tier of our BCP strategy is the Client BCP -- wherein the client undertakes a business impact analysis for each process assigning criticality to each process and specifies the RTO's & RPO's. For the uninitiated, RTO's are Recovery Time Objectives, while RPO's are Recovery Point Objectives, outlined, prioritised and specified for each process by our clients.

For example the client would specify that in the case of a denial of premise scenario, due to a natural disaster or fire a particular process would need to be recovered within 'x' hours. Sometimes the client RTO's require zero downtime in which case the same process would need to be run from two parallel locations. The RPO's would similarly refer to data retention requirements.

                           Based on the RTO's & RPO's we customise the BCP for each client. We have always managed to execute these BCP's for our client's faultlessly on demand and at the time of the internal audits.

To quote an actual example, one of our clients had specified an RTO of four hours and then surprised us one day with a request to execute. He actually traveled from the operational site to the BCP site with our employees and was pleasantly surprised to note that we had managed to recover operations of the processes within an hour of his request, effectively meeting the client RTO outlined in the his business continuity plan.

Another strategic technology initiative that ensures a high degree of availability across the end-to-end network is our Network Operations Centre (NOC). A centralised monitoring and control system, the NOC reduces the involvement of multiple contact points for problem resolution and ensures seamless integration and 24/7 monitoring of all critical WAN devices and links.

                This is an area in which an ounce of prevention is truly worth a pound of cure. With difficulties at every stage - detection, investigation, and punishment - the best way to address identity and data theft is to prevent them from happening in the first place.

               Thus, companies may want to self-regulate. And countries that wish to attract outsourcing business may want to develop new security and privacy practices that are attractive to America businesses. In India, for example, so-called "business process outsourcing" (BPO) companies are reportedly developing their own data security certifying authority. This is being done at the initiative of an IT trade association, Nasscom. Fearing India would get a reputation for lax data security, Nasscom and the BPO companies are taking action so they can affirmatively promote the region as a safe place for data outsourcing. They are wisely working in the security area to turn a vulnerability into an asset and an advantage.

                The body Nasscom is planning will set privacy and security standards for BPS companies that become members of the organization. Members will then be monitored to ensure they adhere to them. If the body discovers breaches, it will consider various sanctions including expulsion or referral to law enforcement. American companies, on the other hand, may gain market advantage by either advertising themselves as companies who keep their data in the United States, or touting the fact that they work exclusively with offshore affiliates that have been certified by organizations such as Nasscom in India.

              More generally, customers and investors need to demand that companies who hold their data keep it safe - even when it leaves U.S. cyberspace. Though self-regulation appears to be the best solution, it costs money, and companies may be loath to do it unless consumers and investors stress that, to them, it's a priority.