Security of information is a major concern for companies outsourcing their jobs, and they are insisting that BPOs get certified under international standards such as BS 7799, SAS 70 and HIPAA because, compared with the laws in the US and the UK, the Indian IT Act 2000 offers woefully inadequate protection, says Mandeep Garewal, director, Force Tech Security, a consultant to BPOs on data security related matters.
An estimated 20 per cent more work would have come India's way if a data protection law was in place, says Garewal.
Given that the BPO industry had a turnover of $3.6 billion in 2003-04, that translates into business worth about $720 million. "About $1 billion worth of more BPO work would have come here if stringent security norms and suitable laws were in place in India," says Garewal.
Ongoing concerns have made security a critical bugaboo, and companies look to provide limited access to their applications, thus minimising the scope for misuse, says Alok Shinde, director of information communication and technology practice, Frost and Sullivan, market consultants on emerging high-technology.
"They have a clause in the selection process that makes it mandatory for BPOs to have security certifications such as BS 7799 before they can bid. They also ensure that BPOs in India are conducting security audits and penetration testing to ensure compliance," says Shinde.
Companies would also be taking up the issue in a big way at the forthcoming CommunicAsia conference in Singapore next month.
Companies outsource services involving important data, such as health and land records, and therefore maintain stringent security specifications based on the requirements of their own onshore compliance with various laws, says Garewal.
Though BPO firms have addressed their clients' concerns by investing in security equipment and following procedures and practices that ensure internal security, experts feel that the absence of proper data security and cyber laws in India is hurting the industry.
The Indian regulatory environment is covered by laws such as the IT Act 2000, the Indian Copyright Act, and the Indian Contract Act 1972, to safeguard the interests of companies off-shoring work.
"Owing to the rapid evolution of the security threats, law makers have a challenge to ensure that laws evolve so as to remain relevant with the changing security landscape and also avoid wide sweeping interpretation that may be subject to misuse," says Shinde.
The National Association of Software and Service Companies, the premier trade body of the IT software and services industry in India, has suggested changes to the Indian IT Act 2000 to conform to legal provisions in the US.
"These changes in law relate to tampering with electronic records, unauthorised access of computer systems, hacking, disclosure and dissemination of privileged information and rights that employees may have within an organisation," says Garewal.
More importantly, it is critical to train enforcers like the police force in the intricacies of security, since that's an area that has been found to be most wanting, says Shinde.