Data Security Laws in India (A growing BPO Destination)

Data Security Laws in India, the European Union & the United States

- India
- European Union
- United States

Data Security Laws in India (A Growing BPO Destination)

INDIA – THE OUTSOURCING DESTINATION

- Key destination for providing information technology (IT), and now information technology enabled services (ITES), to a number of Fortune 500 companies.

- Over the last decade, the average growth rate of India's GDP has been five percent to seven percent, making it one of the better performers in the world economy.

- India's purchasing power parity is relatively high (the fourth largest in the world).
India --- The Key Information

Data Security Laws: Indian IT Act of 2000

- Leakage of personal data by a service provider: a criminal offense.
- Companies would be held responsible for protecting data.
- Defined information breaches:
  - Unauthorized access to a designated protected computer system.
  - Accessing information without consent.
  - Unauthorized copying of data.
- Third parties such as internet service providers and website hosts would not be responsible if their services were misused by someone else without their knowledge.
Data Security Laws: Indian IT Act of 2000 (cont.)

The information security issues under the IT Act are the following:

- Section 43: a person who, without the permission of the person in charge of a computer system, accesses it, downloads any data, introduces a virus or causes denial of access is liable for a penalty of up to 10 million rupees (approx. $250,000).
- Section 65: Tampering with computer source code
- Section 66: Hacking
- Section 72: Breach of confidentiality and privacy


Security Environment in India:

- Indian service providers agree to be subject to global acts and are ready to be litigated in the courts of the user's country.
- Companies sign Service Level Agreements (SLAs), which have very strict confidentiality and security clauses built into them at the network and data level.
- Spending on security ranges from 5% to 15% of the IT budget.
- Companies dealing with US clients require compliance depending upon the industry served, e.g. healthcare requires compliance with HIPAA, financial services require compliance with GLBA.
Security Environment in India (cont.):

- Many companies in India are undergoing/have undergone a SAS 70 audit to implement and improve internal controls.
- Implementation of international standards for information security management like BS 7799. Security safeguards are ensured in many ways, such as:
  - Before appointing an employee, his/her background is checked.
  - Employees don't have access to the internet, so as to avoid Trojan horses infecting systems and monitoring data.
  - No pencils or mobile phones are permitted in the processing shop, to prevent data being copied.
  - The machine gets locked after a minute if it is left idle.
  - Systems are protected by multiple-level firewalls, antivirus and encryption software.
Data Security Breaches: Not Easy

Laws Relating to Data

There are several laws applicable to data theft or misuse. The Indian Penal Code, 1860 (IPC) is equipped to deal with theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy, while the Information Technology Act, 2000 can deal with hacking.

The offenders can be arrested without a warrant and the arrest can be a non-bailable one. The punishment ranges from one year's imprisonment to life imprisonment.

In the case of employees of a BPO, public servants, merchants, attorneys or agents the penalties are higher. For example, if an employee misuses the data for personal gain the punishment is seven years' imprisonment, and in the case of public servants, merchants, etc., it can be a life term.
Lot to Improve…

The Indian BPO industry is expected to grow at a CAGR (Compound Annual Growth Rate) of 44.7 per cent. The size of the industry is expected to reach $16 billion by 2007.

Data security and privacy, lack of product expertise and inability to deliver results are THREATS.

Companies would have to invest in building risk assessment systems and disaster recovery procedures and standard tests.

- To provide a high standard of security and data protection.
- To build capacity to provide security certification.
- GAP analysis: analyzing the existing standards and best practices adopted by the industry in India and by industry at the international level.
- Carrying out research in the field of data privacy and protection in the context of the Indian situation.
- And to create a WIN-WIN situation for outsourcing companies to start their setups in India.
Data Security in the European Union

The European Union (EU)

- 27 member states
- Common currency since 1999: €uro
- Generates an estimated 31% of the world's GDP ('07)
- A system of laws applies to all member states
- National courts are required to enforce EU treaties, even if doing so requires them to ignore national laws
The European Directive 95/46/EC - Data Protection Directive

Objective: remove obstacles to the free movement of data without diminishing data protection within Member States of the EU

Applies to automated processing…
- Computer database of customers
… as well as non-automated processing
- Traditional paper files

Not applicable to public security, defense or criminal law enforcement
Principles of Data Controlling

Data must…
- be processed fairly and lawfully
- be collected for explicit and legitimate purposes
- be relevant and not excessive to the purpose
- be accurate and kept up-to-date
- not be kept longer than necessary when it identifies an individual

Each Member State must provide a supervisory authority that must be notified when data is processed
Data Processing…

is any operation performed upon personal data
- Use
- Collection
- Disclosure
- Organization
- Combining
- Storage
- Erasure
- Alteration

Personal data is any information relating to an identified or identifiable person, such as
- Photo
- Name
- Fingerprints
- Telephone #
Personal data can be processed if…

- unambiguous consent is given
- it is necessary for the performance of a contract involving the data subject
- it is required by a legal obligation
- it is necessary to protect an interest that is essential for the data subject's life
- it is necessary for tasks carried out by official authorities
Processing Sensitive Data

Sensitive data is data relating to
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health or sexual preference

In principle such data cannot be processed
- Derogation is tolerated under very specific circumstances
Data Transfers to non-EU countries

Personal data can only be transferred to countries outside the EU that have an 'adequate' level of protection. So far these are only:
- Switzerland
- Canada
- Argentina
- Safe Harbor Privacy Principles of the U.S. Department of Commerce
- Air Passenger Name Record to the U.S. Bureau of Customs and Border Protection
EU - US Airline Passenger Data Disclosure

By March 5, 2003 all international airlines must provide the U.S. government full electronic access to detailed airline passenger data

Collides with EU protection law, which allows access to data only on a case-by-case basis upon particular suspicion

June 28, 2007 agreement
- Reduces collected data from the 34 fields collected up to now to 19 data fields
Data Security in the United States of America

USA Data Security – The Early Years

Who cares?
- Needed expensive equipment to work with data
- No way of really using it
- No way of tracking users taking data
- Hard drives were very expensive and small

Along came Windows
- Working from home
- GUI allowed users to view, manage, and easily store data
- Led to VPN – Virtual Private Networks
- Firewalls
- Security focused on external attacks
- Started tracking users who access data
USA Data Security – Early Legislation

1960s
- Proposal for Federal Data Center
  - IRS information
  - Census information
  - Social Security
- Call out for security
  - Thomas J. Watson Jr. – Chairman of the Board of IBM

1970s
- 1974 – Federal Privacy Act

USA Data Security – More Early Legislation

1980s
- Legislation passed concerning emails, personal records, etc.
  - 1986 - Electronic Communications Privacy Act

1990s
- 1996 - International Conference on Privacy and Data Protection
  - Sally Katzen – CIO? Not quite but close enough. Administrator of the White House's Office of Information and Regulatory Affairs of the Office of Management and Budget
USA Data Security – Present

Internal attacks
- Accountability – users can be monitored about what data they look at
  - Audit trail
- Personal computing devices
  - PDAs, laptops
  - 60,000 lost globally in the last six months of 2004
  - Let's be honest, most were probably in the United States

Have you heard about Ohio University?
USA Data Security – Present

CERT
- Carnegie Mellon University's Software Engineering Institute
  - Security experts
  - Reports security incidents
    - Mail messages
    - Hotline messages
    - Incident reports received
USA Data Security – What should we do?

- Establish detailed policies for the security of data
- Assess the value of the data being protected
- Transparent security solutions
- View as a process and not a product
- Realize security is an ongoing process

USA Data Security - Future

Known for 40 years that data security is important and we still can't get it right
Sources

- CERT Statistics: Historical. Apr. 30, 2007. CERT. Nov. 28, 2007. http://www.cert.org/stats/historical.html
- Madsen, Wayne. "United States Remains Adamantly Opposed to Data Protection." Computer Fraud & Security. December 1996. 6-10.
- Bigelow, Robert. "Legal Issues in Computer Security: Report from the United States – Part 2." Computer Law & Security Report. Vol 13, no 2, 1997. 87-95.
- Levine, Richard. "Technology Evolution Drives Need for Greater Information Technology Security." Computers & Security. Vol 24, 2005. 359-361.
- Page about data privacy in the EU: http://www.datenschutzberlin.de/ueber/europa.htm
- Lecture notes on 'Internetrecht' (Internet Law) from the summer term class of Dr. Michael Schmidl at the University of Augsburg
- Website of the European Commission: http://ec.europa.eu/justice_home/fsj/privacy/index_de.htm
- Website of the German Federal Agency of Supervisory Authorities for Data Protection: http://www.bfdi.bund.de/cln_029/nn_532044/DE/GesetzeUndRechtsprechung/Gesetze__node.html__nnn=true
- http://www.epic.org/privacy/intl/

Sources cont'd

- Indian BPO structure: http://www.bpoindia.org/knowledgeBase/
- BPO – Destination India: A paper presented by Patni Computers. http://www.patni.com/resource-center/collateral/businessprocessoutsourcing/tp_bpodestination.pdf
- Introduction to BPO: http://www.indobase.com/bpo/competitors-of-india.html
- Source: U.S. Department of Labour and Forrester Research, Inc.
- Data Security Laws: http://www.quality-web-solutions.com/offshoreoutsourcing-to-India-article.php
- Information Security in India's IT Industry: http://www.indembassyathens.gr/Business/IT%20industry/Information_security_in_Indias_IT_industry.htm
THANK YOU