and credit-card processors are tightening security to ease U.S.
and European fears of identity theft
A line of neatly dressed workers files into the Golden Millennium,
a shimmering glass-and-steel building in central Bangalore. One
by one, they swipe ID cards through a reader, then empty their pockets
and bags and stuff cell phones, PDAs, and even pens and notebooks
into lockers as a dour security guard watches. Staffers ending their
shifts, meanwhile, are busy shredding notes of conversations with
customers. At the reception desk, visitors sign a daunting four-page
form promising not to divulge anything they see inside -- and even
then are only allowed to peer into the workspace through thick windows.
A top-secret military contractor? Hardly. This is one of four call
centers run by ICICI OneSource, which employs 4,000 young Indians
to process credit-card bills and make telemarketing calls for big
U.S. and European banks, insurers, and retailers. And ICICI isn't
the only outsourcing company worried about security. Call center
operators such as Mphasis BFL, Wipro Spectramind, and 24/7 Customer,
as well as back-office subsidiaries of companies such as General
Electric, are quickly adding state-of-the-art systems to monitor
phone conversations, guard data, and watch workers' every move.
Why the extreme caution? After rushing to shift telemarketing and
back-office work to India in recent years to tap low wages, U.S.
and European companies are under growing pressure from regulators
and legislators to guarantee the privacy of their customers' financial
and health-care data. India's $3.6 billion business-process services
industry is eager to defuse the issue. When the backlash against
offshore outsourcing erupted last year, opponents first focused
on curbing government contracts and temporary U.S. work visas for
foreign tech workers. Now security and privacy fears have become
the hot excuses "for new barriers to trade in services and
information technology," says Jerry Rao, chairman of the National
Association of Service & Software Cos. (Nasscom), India's IT
Today 186 bills that aim to limit offshore outsourcing are pending
in the U.S. Congress and 40 state legislatures. Dozens of those
involve restrictions on transmission of data. For example, the SAFE
ID Act, sponsored by Senator Hillary Clinton (D-N.Y.), and a similar
House bill by Representative Edward J. Markey (D-Mass.), would require
businesses to notify U.S. consumers before sending personal information
overseas -- and would bar companies from denying service or charging
a higher price if customers balk. Although no such bills have been
enacted so far, "next year I think all of this legislation
will be back and spike up again as a huge issue," especially
if the U.S. recovery stalls, says R. Bruce Josten, a U.S. Chamber
of Commerce executive vice-president who helped industry fight the
Identity theft and credit-card fraud are huge problems globally.
There's little evidence, though, to suggest consumer data are at
any greater risk in India than in the U.S. Sure, India's privacy
laws aren't as stringent as in the West. But most highly sensitive
data belonging to U.S. or European companies are stored on their
own servers at home, with access from India tightly controlled.
If an American is defrauded, the U.S. company that farmed out the
work is legally responsible. Indian call centers, meanwhile, sign
their contracts in the U.S. and can thus be sued there by their
corporate customers. What's more, there is only one known case of
fraud. Last year a programmer for India's Geometric Software Solutions
Co. tried to sell a U.S. client's intellectual property. He was
arrested and is awaiting trial in India.
Still, given the charged emotions over outsourcing, India's IT
industry knows even a few incidents will generate devastating publicity.
So call centers like Mphasis BFL Ltd., which employs 6,000 workers
performing sensitive tasks such as processing personal tax returns
and credit-card statements for U.S. clients, are leaving little
to chance. If the U.S. company prefers, consumers' names, Social
Security numbers, and credit-card numbers can be masked. Computer
terminals at Mphasis lack hard drives, e-mail, CD-ROM drives, or
other ways to store, copy, or forward data. Indian accountants only
view data from U.S. servers for specific tasks. Video cameras watch
over the sea of cubicles. Every phone conversation is recorded and
can be monitored on a system installed by Melville (N.Y.)-based
Verint Systems Inc. And since data theft is often committed by disgruntled
former employees, Mphasis can lock a staffer out and cut access
to PCs and phones three minutes after a resignation. A year ago
that process took three days. "Fears about identity theft can
be aggravated when people learn their data are in a foreign country,"
says Mphasis Vice-Chairman Jeroen Tas. "So we feel it is better
to address these concerns up front."
Such precautions don't come cheap. It costs about $1,000 per worker
to install the Verint system that records, stores, and analyzes
voice conversations. Yet Verint has signed up 100 local and multinational
centers in India. "There has been a big push in the past year
or so as the competition focuses more on quality," says Mariann
McDonagh, Verint's vice-president for global marketing. Indian centers
also pay up to $300 per worker for background checks, a big expense
given their explosive growth and high attrition rates. It's also
cumbersome: Due to India's lack of online databases, verifying education
and work experience can take weeks.
But while security practices in India now match or surpass those
at most U.S. call centers, the legal system still needs work. Indian
law on computer hacking inside companies is fuzzy, and privacy enforcement
is weak. India's IT industry is addressing those vulnerabilities.
Nasscom is working with the government to bring India's data-privacy
laws more in line with the U.S. And it intends to have the security
practices of all its 860 members audited by international accounting
firms. Nasscom has helped Bombay's police department set up a cybercrime
unit, training officers to investigate data theft. Similar units
are planned in nine other cities. India's goal, says Nasscom Vice-President
Sunil Mehta, is "to have the best data-security provisions
and be a trusted sourcing destination."
Given the ingenuity of today's cyberscammers, some embarrassing
incident seems inevitable. But India's IT-services industry is determined
to show that the world's financial and health secrets are as safe
in Bangalore as they are anywhere.
By Pete Engardio in New York, with Josey Puliyenthuruthel in Bangalore
and Manjeet Kripalani in Bombay