India’s $48 billion (more than Rs2 lakh crore) software and back-office services industry, which has been the target of repeated scams and identity thefts, is setting up a self-regulatory body to promote, monitor and enforce privacy and data protection standards in the sector.
The so-called ‘self-regulatory organization’ or SRO will be set up in the next six to eight months.
The proposed SRO was designed by trade body National Association of Software and Service Companies (Nasscom) in September last year to identify and enforce a set of security and privacy standards that member companies will be expected to adhere to.
The regulatory body will be independent of Nasscom, the software lobby’s president Kiran Karnik said.
Companies that fail to meet data-security standards meant to prevent data theft, including credit-card frauds, misuse of social security numbers and private information such as bank account numbers, will face punishment in the form of either an enquiry or a fine.
But SRO membership is voluntary.
Shyamal Ghosh, a retired Union government bureaucrat who headed the department of telecommunications, has been appointed the chairman of the SRO. “We are in the process of setting up the core structure and minimum standards that are to be followed,” said Ghosh.
India’s thriving business-process outsourcing services industry has been hit by dozens of scams, say industry insiders, most of which go unreported.
One of the most high-profile of the incidents made public was in July last year when an employee of HSBC Electronic Data Processing Pvt. Ltd—a Bangalore-based captive back office outfit of HSBC Plc—was arrested after he allegedly siphoned off nearly Rs2 crore from the accounts of 20 bank customers in the UK.
Earlier in 2005, workers at the BPO services division of Mphasis BFL Ltd, which counted Citibank as one of its key clients, defrauded some of the US bank’s customers of nearly half a million dollars.
In June the same year, an undercover reporter from the UK’s The Sun tabloid bought details of 1,000 UK bank accounts from an Infinity E-Search employee in Gurgaon.
While the SRO will formulate the basic principles and guidelines, the verification, implementation and certification will be outsourced to expert audit agencies.
“We are in consultation with... law firm Amarchand & Mangaldas (& Suresh A. Shroff & Co.) to help us set up the SRO soon. Education and training will form the basic goals,” Ghosh said.
The immediate focus for the SRO is to set up a panel of experts as well as a working group of standards that will put together a set of global best practices and standards followed by some leading firms. Membership of the SRO will be allowed after the working and the security practices of companies have been verified by independent experts. “The working group of standards as well as the membership model will be in place within the next six months,” said Nandkumar Saravade, director of cyber security and compliance at Nasscom. The SRO will work on a self-sustaining model funded by membership fees, accreditations and training fees of member companies.
An analyst said the SRO will help allay security-related fears of large financial outsourcers. “This kind of an SRO will be good and go a long way, particularly for the banking and financial services sector, which is most possessive about its data security. User companies will have greater confidence in using the services of their service providers if standards under the SRO become a must-have and mandatory,” said Arup Roy, principal consultant at research firm Gartner.