Sucheta Dalal: Implications of Pune's cyber security fraud


Apr 18, 2005


For a while last week, the Mphasis-Citibank fraud seemed in danger of being blown out of proportion by the anti-outsourcing lobby and its political backers in the US to clamp down on outsourcing to India. There is still a danger that information sent outside the US will be considered especially vulnerable to abuse; but sensible US commentators are already drawing attention to certain positives that failed to find mention in the Indian press.


For instance, Rich Smith, writing for The Motley Fool, says, ‘‘Exaggerating the dangers of outsourcing and sending data abroad won’t make our data any more secure. On the contrary, the facts of the Mphasis case suggest that in some cases, data may be safer once sent abroad. Reflect for a moment on how quickly the alleged criminals in Pune were caught. Consider for a second the fact that they were caught by the ‘cybercrime unit’ of the Pune police force. Ponder for a minute the fact that a place most of us have never even heard of before (really? ‘Pune?’) even has something called a ‘cybercrime unit’. I know my hometown doesn’t.’’


Others have pointed out that Indian BPOs have already put in place elaborate precautions to prevent data theft and fraud. One international report describes how BPO employees at a Bangalore outfit swipe ID cards, ‘‘empty their pockets and bags and stuff cell phones, PDAs, and even pens and notebooks into lockers as a dour security guard watches’’. Staffers ending their shifts have to shred notes of conversations with customers. Even visitors have to sign a four-page non-disclosure agreement.


Additionally, India’s Nasscom has come up with the idea of creating a list of all BPO employees, called Fortress India, to track their whereabouts through various job changes.


All these are important measures, even if their efficacy is doubtful. As Rich Smith points out in the Mphasis case: ‘‘Outsourcing wasn’t the problem here. The problem was criminals, plain and simple. And those can be found the world over.’’


Cyber crime and identity theft are worrying regulators around the world. Last week, Hong Kong Bank (HSBC) asked 180,000 credit card holders in North America to replace their GM Mastercards after a computer security breach at Polo Ralph Lauren Corporation. The case also affects Visa US.


A Florida-based businessman, Joe Lopez, has reportedly sued Bank of America seeking the return of $90,000 that he claims was stolen from his online banking account when he fell victim to a computer virus.


The industry, in turn, is reacting to the threat of such claims. Alan Jebson, Group Chief Operating Officer at HSBC Holdings, reportedly said, ‘‘The bank’s busiest day last year was when it was hit by 100,000 attacks’’ on its systems. Jebson said, ‘‘Industry as a whole may have to adopt a firmer line with customers’’ and voiced the radical view that ‘‘at some point we may not allow customers without a firewall to use HSBC online services.’’


The Boston Globe reports that two American legislators, Edward Markey and Hillary Clinton, have proposed the ‘Safeguarding Americans From Exporting Identification Data Act’, or SAFE-ID Act, to guard against fraud and identity theft when customers’ personal information is processed overseas. It proposes that US businesses would be permitted to send customer data to countries with strong privacy protection, and that consumers would have the right to demand that their data be processed domestically. American companies would not be allowed to send a customer’s information to a country with weak privacy laws without that customer’s permission. Consumers would have the right to sue companies that violate the law.


Such legislation is bound to affect Indian BPO operations. After all, Practical Accountant magazine estimates that 200,000 US tax returns will be sent to India for processing this year. This is a 10-fold jump in just one tiny business opportunity.


A survey by the NHTCU estimated high-tech crime had cost UK companies with more than 1,000 employees around Euro 2.45 billion (US$4.61 billion). Of two hundred large and medium-size companies who were surveyed, 89 per cent said they had experienced some form of high-tech crime in 2004. Of those, 90 per cent suffered from unauthorised access to their company systems, while 89 per cent suffered data theft.


Clearly, the world is worried at the sheer opportunity for the proliferation of cyber crime. And India, as one of the leading players in the IT business, needs to watch international developments and beef up its legislation to avoid nasty surprises emanating from international legislation.


For starters, although the Pune police have done us proud, we need to check if our cyber security legislation and privacy laws are demonstrably adequate to deal with cybercrime on an international level.


The answer is negative. Sanjay Pandey, a former Police DCP, qualified software engineer and leading computer security expert who heads I-Sec Service Pvt Ltd., says: ‘‘Computer security has never been addressed in a comprehensive manner in India. India has no law to prevent privacy of data and the Indian Information Technology Act, which deals with computer crime, does not define ‘computer security’. It confines itself to Internet transactions, digital certification and some ‘minuscule offences’.’’ Pandey says, ‘‘In fact, the whole IT Act appears only to facilitate CCA (Comptroller of certifying authority) infrastructure.’’


Further, the enforceability of the Act has been diluted by bringing in appellate bodies to deal with offences of a criminal nature and treating them like civil complaints, which are subject to fines rather than criminal punishment.


He argues that although Nasscom’s initiative is commendable, ‘‘Screening by private agencies whatever be their constitution has no legal sanctity under the Indian Penal Code, IT Act or the Constitution. Enforcement, prevention and R&D in the area of computer security should remain in the domain of state, which, as of now, has the constitutional mandate to enforce it.’’


On the one hand, his view seems vindicated by the fact that the quick action of the Pune cyber crime police has been noted internationally. At the same time, the ham-handed arrest of the then CEO of Bazee (now e-Bay) in the Delhi porn scandal raises doubts about the police handling cyber crime without specialised training and awareness. Clearly, the solution lies in defining computer security and having a specific act to address all issues connected with cyber crime that have cross-border ramifications.



-- Sucheta Dalal