Indian BPO units address security concerns

Before entering the facilities of Wipro Spectramind, the business process outsourcing (BPO) unit of Wipro Ltd. in Bangalore, India, employees are frisked, mobile phone use is prohibited and technology is used to monitor and record data records accessed through employee computers.

“All our facilities are also fully monitored by electronic surveillance, and we have access controls as well,” said Raman Roy, chairman and managing director of Wipro Spectramind in Delhi.

In an effort to increase information security, Indian BPO companies now conduct thorough background employee checks, often even looking at school and college records. “We also do a lot of our hiring through referrals by our current employees, which helps us in getting people whose credentials are easily verified,” said Shanmugan Nagarajan, founder and chief operating officer of 24/7 Customer, a Bangalore-based BPO company. The BPO industry also circulates privately among members a “black list” of employees who were fired on disciplinary grounds, Nagarajan added.

Intrusive and draconian as these measures may appear, they reflect the determination of Indian BPO companies to prevent data security and privacy breaches. “If one instance of a data security breach should happen, then it will impact the entire Indian BPO industry,” said Ashish Gupta, country head and chief operating officer of Pvt Ltd in Gurgaon near Delhi, on the sidelines of a BPO conference in Bangalore last week.

U.S. and U.K. worker unions, opposed to outsourcing, have questioned the judiciousness of having personal data processed in India. The U.K.’s Amicus trade union warned earlier this year that offshore outsourcing is “an accident waiting to happen.”

To allay such concerns, Indian BPO companies have stepped up security measures, and in the process have impressed some customers.

“We have been very pleased with Wipro’s performance and attention to security and privacy,” said Chris Larsen, chief executive officer (CEO) of E-Loan Inc., a consumer direct lender in Pleasanton, California, which outsources back-office underwriting functions for its home equity applications to Wipro Spectramind.

]Companies outsourcing to India, however, also have to put in work at their end to ensure data security and privacy, Larsen notes. “In making the decision to outsource some of our back office home equity processing to India, we vetted potential partners very carefully,” said Larsen. “We chose Wipro, based on their strong reputation and experience in the industry, and perhaps most importantly, based on the fact that they have their own employees working directly on behalf of E-Loan. Some offshore outsourcers subcontract other outsourcers to do the work on their behalf, which makes it difficult to know and control who has access to customer information.”

Both to meet regulations in their own countries and also to protect data, companies outsourcing to India keep their data in servers outside of India. “For example, all customer data resides and is stored in E-Loan’s domestic databases,” Larsen says. “Our partner only has the ability to view that data, and they do not have the ability to store, share, print or retain data in their computers or systems in India.”

Norwich Union, a Norwich, U.K.-based insurance group that outsources call centre and back-office processes to about five companies in India, also does not transfer data to its Indian contractors. “We have a ‘no data in India’ rule, and the information is only available in India while the transaction is being processed,” said John Hodgson, offshore program director at Norwich Union. Hodgson added that the his company incorporated provisions of the U.K.’s Data Protection Act and the European Union’s (E.U.’s) Data Protection Directive into contracts with its Indian suppliers.

Although the data may reside on the client’s servers rather than in India, staff in Indian BPO companies have access to that data. To that extent it is very important that the data is protected at the India end as well, said Vikram Talwar, CEO of Exlservice Inc., a BPO company with its front-end marketing in New York and operations in Noida, near Delhi.

“There are technologies that protect the flow of data, and it is no less secure to send data electronically to India than say within the U.K. or the U.S.,” Talwar said. “I think the bigger focus has to be on the physical security and people-related security issues.”

India’s BPO industry posted revenues of US$3.6 billion in the year to March 31, and employs about 245,500 staff. Because of increased competition for employees, attrition rates are high, with attrition at call centres the highest. “As the industry scales in size, and staff attrition goes up, the issues of management of data and protecting privacy become all the tougher,” said Muralidharan Ramachandran, chief security officer of TransWorks Information Services Ltd., a Mumbai-based BPO company.

Compliance with information security standards such as the ISO17799 and the BS7799 standard for information security management of the London-based British Standards Institution are now essential for BPO companies, according to Exlservice’sTalwar.

Even as Indian BPO companies boost facility security, the absence of stringent federal data protection laws is a major drawback. “As India becomes a bigger base for BPO, specially for financial transactions like credit card and insurance transactions, it becomes important for us to have a law that fully protects the privacy of individuals and the data about them,” said Nandan Nilekani, chief executive officer of Infosys Technologies Ltd, a software services and BPO company in Bangalore.

The government is expected to introduce this year amendments to the Information Technology Act of 2000 that will fill these gaps and strengthen data protection and privacy rules, according to Mehta. After adding the amendments, the Indian government will approach the E.U. and request an agreement similar to the Safe Harbor agreement between the U.S. and the E.U., Mehta said. The Safe Harbor agreement allows data transfers from the E.U. to the U.S.

To further reassure customers, Indian BPO companies are implementing disaster recovery and business continuity management plans. In most cases, these plans include setting up facilities outside India, besides having facilities at multiple locations within the country. Wipro Spectramind, for example, is planning a disaster recovery facility in the Philippines, in addition to its six Indian disaster recovery facilities.

While some customers rely on their supplier to implement a disaster recovery plan, others have their own disaster recovery and business continuity plans, according to Wipro Spectramind’s Roy.

Norwich Union, for example, outsources to various companies in multiple locations within India. “In the event of a failure, companies we outsource to in the U.K. will only get busier,” said Hodgson, who added that the work done at the Indian operation is mainly an extension of work already being done in the U.K.

Despite the security measures adopted by Indian outsourcers, many foreign multinational companies have opted to establish their own BPO subsidiaries in India.

Norwich Union has a Build, Operate and Transfer model with its suppliers. “We decided on this model because we didn’t think any of the companies in India were at the level of maturity that we could simply outsource the work, with no ability to control any subsequent events,” said Hodgson. The idea is that in one to three years, Norwich Union will have its own managers on the ground in India, he said.

Related Download
Virtualization: For Victory Over IT Complexity Sponsor: HPE
Virtualization: For Victory Over IT Complexity
Download this white paper to learn how to effectively deploy virtualization and create your own high-performance infrastructures
Register Now