Data Security Laws in India, the European Union & the United States India European Union United States

Upload: allison-ross

Post on 15-Jan-2016



Page 2:

Data Security Laws in India (A Growing BPO Destination)

Page 3:

INDIA – THE OUTSOURCING DESTINATION

A key destination for providing information technology (IT) and, increasingly, information technology enabled services (ITES) to a number of Fortune 500 companies.

Over the last decade, the average growth rate of India’s GDP has been five percent to seven percent, making it one of the better performers in the world economy.

India's economy measured at purchasing power parity is relatively large (the fourth largest in the world).

Page 4:

India – The Key Information

Page 5:

Data Security Laws: Indian IT Act of 2000

Leakage of personal data by a service provider is a criminal offence.

Companies are held responsible for protecting data.

Defined information breaches:

- Unauthorized access to a designated protected computer system
- Accessing information without consent
- Unauthorized copying of data

Third parties such as internet service providers and website hosts are not held responsible if their services are misused by someone else without their knowledge.

Page 6:

Data Security Laws: Indian IT Act of 2000 (cont.)

The information security provisions of the IT Act are the following:

- Section 43: if a person, without the permission of the owner or person in charge of a computer system, accesses it, downloads any data, introduces a virus or causes denial of access, that person is liable to pay damages by way of compensation of up to 10 million rupees (approximately $250,000).
- Section 65: Tampering with computer source code
- Section 66: Hacking
- Section 72: Breach of confidentiality and privacy

Page 7:

Security Environment in India:

Indian service providers agree to be bound by the client's applicable laws and to submit to litigation in the courts of the client's country.

Companies sign service level agreements (SLAs) with very strict confidentiality and security clauses built in at the network and data level.

Spending on security ranges from 5% to 15% of the IT budget.

Companies serving US clients must comply with the regulations of the industry served: healthcare work requires HIPAA compliance, financial services work requires GLBA compliance.

Page 8:

Security Environment in India (cont.)

Many companies in India have undergone, or are undergoing, SAS 70 audits to implement and improve internal controls.

Implementation of international standards for information security management such as BS 7799 (the predecessor of ISO/IEC 27001). Security safeguards are enforced in many ways, for example:

- Before an employee is appointed, his or her background is checked.
- Employees do not have internet access, to prevent Trojan horses from infecting systems and spying on data.
- No pencils or mobile phones are permitted on the processing floor, to prevent data from being copied.
- A workstation locks automatically after one minute idle.
- Systems are protected by multi-layered firewalls, anti-virus and encryption software.

Page 9:

Data Security Breaches: Not Easy. Laws Relating to Data Theft

There are several laws applicable to data theft or misuse. The Indian Penal Code, 1860 (IPC) is equipped to deal with theft, cheating, criminal breach of trust, dishonest misappropriation of data and criminal conspiracy, while the Information Technology Act, 2000 deals with hacking.

Offenders can be arrested without a warrant, and the offences can be non-bailable. Punishment ranges from one year's imprisonment to life imprisonment.

For employees of a BPO, public servants, merchants, attorneys or agents the penalties are higher. For example, if an employee misuses the data for personal gain the punishment is up to seven years' imprisonment, and for public servants, merchants, etc. it can be a life term.

Page 10:

A Lot to Improve

The Indian BPO industry is expected to grow at a compound annual growth rate (CAGR) of 44.7 per cent, and the size of the industry is expected to reach $16 billion by 2007.

Data security and privacy concerns, lack of product expertise and inability to deliver results are the threats to this growth.

Companies would have to invest in:

- Building risk assessment systems, disaster recovery procedures and standard tests, to provide a high standard of security and data protection.
- Building capacity to provide security certification.
- Gap analysis: analysing the existing standards and best practices adopted by industry in India against those adopted by industry internationally.
- Research in the field of data privacy and protection in the context of the Indian situation.
- Creating a win-win situation for outsourcing companies to set up their operations in India.

Page 11:

Data Security in the European Union

Page 12:

The European Union (EU)

- 27 member states
- Common currency since 1999: the euro
- Generates an estimated 31% of the world's GDP (2007)
- A system of laws that applies to all member states
- National courts are required to enforce EU treaties, even if doing so requires them to set aside national laws

Page 13:

The European Directive 95/46/EC – Data Protection Directive

Objective: remove obstacles to the free movement of data without diminishing data protection within the Member States of the EU.

Applies to automated processing (e.g. a computer database of customers) as well as non-automated processing (traditional paper files).

Not applicable to public security, defence or criminal law enforcement.

Note for current practice: Directive 95/46/EC was repealed by the General Data Protection Regulation (Regulation (EU) 2016/679), which applies from 25 May 2018; the principles summarised on the following slides carry over into the GDPR largely unchanged.

Page 14:

Principles of Data Controlling

Data must:

- be processed fairly and lawfully
- be collected for explicit and legitimate purposes
- be adequate, relevant and not excessive in relation to the purpose
- be accurate and kept up to date
- not be kept in a form that identifies an individual for longer than necessary

Each Member State must provide a supervisory authority, which must be notified before personal data is processed.

Page 15:

Data processing is any operation performed upon personal data, such as collection, organization, storage, alteration, use, disclosure, combining or erasure.

Personal data is any information relating to an identified or identifiable person, such as a name, telephone number, photo or fingerprints.

Page 16:

Personal data can be processed if:

- unambiguous consent is given
- it is necessary for the performance of a contract involving the data subject
- it is required by a legal obligation
- it is necessary to protect an interest essential to the data subject's life
- it is necessary for tasks carried out by official authorities
- (also, under Article 7(f) of the Directive) it is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the data subject's fundamental rights

Page 17:

Processing Sensitive Data

Sensitive data is data relating to:

- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- health or sex life

In principle such data cannot be processed; derogations are tolerated only under very specific circumstances.

Page 18:

Data Transfers to non-EU countries

Personal data can only be transferred to countries outside the EU that offer an 'adequate' level of protection. At the time of this deck (2007) the adequacy decisions in place were:

- Switzerland
- Canada
- Argentina
- Guernsey and the Isle of Man
- the Safe Harbor Privacy Principles of the U.S. Department of Commerce
- the transfer of Air Passenger Name Records to the U.S. Bureau of Customs and Border Protection

Caveat for current practice: the Safe Harbor arrangement was invalidated by the Court of Justice of the EU in October 2015 (Schrems I), and its successor, the Privacy Shield, in July 2020 (Schrems II); EU-US transfers now rest on the EU-US Data Privacy Framework adequacy decision of July 2023 or on standard contractual clauses.

Page 19:

EU – US Airline Passenger Data Disclosure

- From March 5, 2003 all international airlines must provide the U.S. government full electronic access to detailed airline passenger data.
- This collides with EU data protection law, which allows access to such data only on a case-by-case basis upon particular suspicion.
- The June 28, 2007 agreement reduces the data collected from the 34 fields collected until then to 19 data fields.

Page 20:

Data Security in the United States of America

Page 21:

USA Data Security – The Early Years

Who cares?

- Needed expensive equipment to work with data
- No way of really using it
- No way of tracking users taking data
- Hard drives were very expensive and small

Along came Windows:

- Working from home
- The GUI allowed users to view, manage and easily store data
- Led to VPNs (virtual private networks) and firewalls
- Security focused on external attacks
- Started tracking users who access data

Page 22:

USA Data Security – Early Legislation

1960s

- Proposal for a Federal Data Center holding IRS information, census information and Social Security records
- Call for security: Thomas J. Watson Jr., Chairman of the Board of IBM

1970s

- 1974 – the Privacy Act of 1974

Page 23:

USA Data Security – More Early Legislation

1980s

- Legislation passed concerning e-mail, personal records, etc.
- 1986 – Electronic Communications Privacy Act

1990s

- 1996 – International Conference on Privacy and Data Protection
- Sally Katzen – CIO? Not quite, but close enough: Administrator of the White House's Office of Information and Regulatory Affairs in the Office of Management and Budget

Page 24:

USA Data Security – Present

- Internal attacks
- Accountability: users can be monitored for what data they look at (audit trail)
- Personal computing devices: PDAs, laptops. 60,000 lost globally in the last six months of 2004. Let's be honest, most were probably in the United States. Have you heard about Ohio University?
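The accountability and audit-trail point above is the one slide in the deck that names a concrete control against internal attacks, so here is an added worked example (not from the original slides) of what reviewing such a trail looks like in practice: a small Python script that parses a hypothetical application access log, answers the accountability question (who looked at a given record) and flags the insider patterns the slide is concerned with. The log line format, the role policy, the daily record limit and the working-hours window are all assumptions made for this example, and the log lines are constructed.

```python
"""Audit-trail review for insider data access (added example).

Assumes a hypothetical application log in which every access to a
customer record is one line:
    <ISO-8601 UTC timestamp> <user> <role> <action> <record id>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format and data).
SAMPLE_LOG = """\
2007-11-28T09:02:11Z alice agent READ cust-1001
2007-11-28T09:03:40Z alice agent READ cust-1002
2007-11-28T14:10:00Z alice agent EXPORT cust-1003
2007-11-28T09:05:02Z bob agent READ cust-2201
2007-11-28T09:05:30Z bob agent READ cust-2202
2007-11-28T09:06:00Z bob agent READ cust-2203
2007-11-28T09:06:15Z bob agent READ cust-2204
2007-11-28T09:06:40Z bob agent READ cust-2205
2007-11-28T09:07:01Z bob agent READ cust-2206
2007-11-28T23:41:09Z carol admin EXPORT cust-3001
2007-11-28T23:42:00Z carol admin EXPORT cust-3002
2007-11-28T23:43:30Z carol admin EXPORT cust-3003
2007-11-29T10:00:00Z dave agent READ cust-1001
malformed line that should be skipped
"""

# Hypothetical policy: which actions each role may perform, how many
# distinct records per day is normal, and which UTC hours are working hours.
ROLE_ACTIONS = {"agent": {"READ"}, "admin": {"READ", "EXPORT"}}
DAILY_RECORD_LIMIT = 5
WORK_HOURS = range(8, 19)  # 08:00-18:59


def parse_log(text):
    """Parse log text into a list of event dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # not the expected five fields
        ts, user, role, action, record = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # bad timestamp
        events.append({"when": when, "user": user, "role": role,
                       "action": action, "record": record})
    return events


def find_anomalies(events):
    """Return a sorted list of (user, reason) findings.

    Three checks: an action the user's role is not allowed to perform,
    more distinct records touched in one day than DAILY_RECORD_LIMIT,
    and any activity outside WORK_HOURS. A set deduplicates repeats.
    """
    findings = set()
    per_day = defaultdict(set)  # (user, date) -> records touched
    for ev in events:
        allowed = ROLE_ACTIONS.get(ev["role"], set())
        if ev["action"] not in allowed:
            findings.add((ev["user"],
                          f"action {ev['action']} not permitted for role {ev['role']}"))
        if ev["when"].hour not in WORK_HOURS:
            findings.add((ev["user"], "activity outside working hours"))
        per_day[(ev["user"], ev["when"].date())].add(ev["record"])
    for (user, day), records in per_day.items():
        if len(records) > DAILY_RECORD_LIMIT:
            findings.add((user,
                          f"{len(records)} records on {day} exceeds limit {DAILY_RECORD_LIMIT}"))
    return sorted(findings)


def who_accessed(events, record):
    """Accountability query: which users touched a given record."""
    return sorted({ev["user"] for ev in events if ev["record"] == record})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, reason in find_anomalies(evs):
        print(f"{user}: {reason}")
    print("cust-1001 accessed by:", who_accessed(evs, "cust-1001"))
```

Running it flags alice's export (an action her role does not permit), bob's bulk read of six records in one day and carol's overnight exports, and lists alice and dave as the users who accessed cust-1001. In a real deployment the thresholds should come from a per-role baseline rather than constants, and the log must be written to append-only storage that the monitored users cannot alter, otherwise the audit trail proves nothing.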

Page 25:

USA Data Security – Present

CERT (Carnegie Mellon University's Software Engineering Institute)

- Security experts
- Reports security incidents: mail messages, hotline messages, incident reports received

Page 26:

USA Data Security – What should we do?

- Establish detailed policies for the security of data
- Assess the value of the data being protected
- Transparent security solutions
- View security as a process and not a product
- Realize security is an ongoing process

Page 27:

USA Data Security - Future

Known for 40 years that data security is important and we still can’t get it right

Page 28:

Sources

- CERT Statistics: Historical. CERT, Apr. 30, 2007; accessed Nov. 28, 2007. http://www.cert.org/stats/historical.html
- Madsen, Wayne. "United States Remains Adamantly Opposed to Data Protection." Computer Fraud & Security, December 1996, pp. 6-10.
- Bigelow, Robert. "Legal Issues in Computer Security: Report from the United States – Part 2." Computer Law & Security Report, vol. 13, no. 2, 1997, pp. 87-95.
- Levine, Richard. "Technology Evolution Drives Need for Greater Information Technology Security." Computers & Security, vol. 24, 2005, pp. 359-361.
- Page about data privacy in the EU: http://www.datenschutz-berlin.de/ueber/europa.htm
- Lecture notes on "Internetrecht" (Internet Law) from the summer term class of Dr. Michael Schmidl at the University of Augsburg
- Website of the European Commission: http://ec.europa.eu/justice_home/fsj/privacy/index_de.htm
- Website of the German Federal Commissioner for Data Protection and Freedom of Information (BfDI): http://www.bfdi.bund.de/cln_029/nn_532044/DE/GesetzeUndRechtsprechung/Gesetze__node.html__nnn=true
- Electronic Privacy Information Center, international privacy page: http://www.epic.org/privacy/intl/

Page 29:

Sources (cont'd)

- Indian BPO structure: http://www.bpoindia.org/knowledgeBase/
- BPO – Destination India: a paper presented by Patni Computers. http://www.patni.com/resource-center/collateral/business-processoutsourcing/tp_bpodestination.pdf
- Introduction to BPO: http://www.indobase.com/bpo/competitors-of-india.html
- U.S. Department of Labor and Forrester Research, Inc.
- Data Security Laws: http://www.quality-web-solutions.com/offshore-outsourcing-to-India-article.php
- Information Security in India's IT Industry: http://www.indembassyathens.gr/Business/IT%20industry/Information_security_in_Indias_IT_industry.htm

Page 30:

THANK YOU