Insecurities over Indian outsourcing

A case of bank fraud involving an India-based outsourcer has rekindled a debate about using overseas contractors for tasks involving sensitive data.

Some say there's little risk, while others warn of serious hazards, including a threat to America's national sovereignty.

In the incident, former call center employees of Mphasis are accused of taking part in a theft of $350,000 from U.S. consumers' bank accounts.

In the wake of the theft, some observers have voiced concerns about the security of data being handled by outsourcers in India, including worries about weak procedures for checking employee backgrounds. According to this school of thought, the Mphasis breach could dramatically dent the amount of call center work shipped to outsourcers operating offshore.

"This was not a lapse of judgment or an issue of poor customer service: The incident was an organized and systematic plot to steal customers' money," John McCarthy, an analyst at Forrester Research, wrote recently. "Forrester believes that this breach, coupled with recent onshore disclosures of sensitive customer data, will have far-reaching negative connotations for the offshore BPO (business process outsourcing) space."

Not everyone shares this view. But even the perception of danger could hurt the market.

A report from rival researcher Gartner played down the security risks but made no bones about the seriousness of the situation. "The entire Indian offshore industry ecosystem--including...the Indian government--must act quickly and decisively to counter the perception that Indian BPO poses a severe security risk," the report said.

Business process outsourcing, or BPO in industry parlance, refers to farming out tasks such as customer service and transaction processing to a separate company. The work could be done in the United States, or completed in lower-wage countries such as India or Mexico. In addition, some organizations have set up their own operations offshore. Shipping tasks offshore has become a controversial issue for U.S. labor advocates.

At the moment, U.S. organizations devote only a small fraction of their budgets for information technology services--including BPO--to low-cost countries, according to a recent Merrill Lynch survey of chief information officers. But that share of the budget is expected to grow over time, from 0.9 percent in 2004 to 1.6 percent in two-to-three years.

According to the Merrill Lynch report, security fears are the main reason CIOs aren't moving IT work offshore faster: The "key inhibitor preventing companies (from using) offshore outsourcing remains data security," the report said.

Earlier this month, news broke that police in India arrested three former Mphasis call center employees who allegedly stole U.S. customers' personal account information and transferred about $350,000 to fake accounts in Pune. Among other people arrested in the case was a

current Mphasis call center worker, said Mphasis Vice Chairman Jeroen Tas. He said the perpetrators may have persuaded bank customers to disclose their account passwords.

A Times of India story cited unnamed sources in pegging Citibank as the bank in question. Citibank did not return a call requesting comment. Mphasis declined to comment on the identity of the bank. Mphasis, which has operations in India, China and Mexico, is led by former Citibank executives.

"What you did in Bangalore might not as easily follow you to Mumbai."

--Vail Dutto
Chief executive, InTelegy

The Indian arrests come during a period of heightened anxiety about data security and identity theft.

In one of the latest examples, LexisNexis revealed that an intrusion into its Seisint databases may have compromised personal information on about 310,000 Americans, a tenfold increase on a previous estimate.

In 2003, the San Francisco Chronicle reported allegations that a woman in Pakistan doing clerical work for the University of California at San Francisco Medical Center had threatened to post patients' confidential files online unless she was paid more money.

But most of the criticism of so-called offshoring has focused on other matters, such as service quality and communication problems.

Data security at companies providing call center services offshore is indeed an issue, however, according to industry observers. Checking into the credit and criminal backgrounds of employees is not as reliable in India as it is in the United States, said Vail Dutto, chief executive of InTelegy, a California-based consulting firm. Among other services, InTelegy helps clients choose call center outsourcers in India. Dutto said Indian methods for tracking a person's past are not as mature as those in the United States, where an individual's misdeeds in one state are likely to turn up when the person applies for a job in another.

"What you did in Bangalore might not as easily follow you to Mumbai," Dutto said.

Mphasis' Tas agreed that checking the backgrounds of employees in India is more difficult than in the United States. "It is harder to track that," he said. But the background-checking process for call center employees and other BPO workers in India could improve, Tas said, thanks to plans by the country's National Association of Software and Service Companies, or Nasscom, to set up a national registry of BPO workers.

Another concern is employee attrition. Thanks partly to the perception that BPO work amounts to a dead-end job, attrition rates have been increasing in India. Higher turnover works against efforts by call center companies to run a tight ship, argues Forrester Research analyst McCarthy.

"Forrester expects that the rising attrition rates in the call center space--50 percent to 100 percent--undermine suppliers' ability to adhere to processes and sufficiently check backgrounds," McCarthy wrote in his report earlier this month.

McCarthy also suggested the Mphasis breach will seriously hurt the offshore BPO business. "Call center BPO growth could drop by as much as 30 percent," he wrote.

Tas called the Forrester report "sensational." He said Mphasis' annual turnover among BPO employees was in the range of 30 percent to 40 percent, and he said that level is not unusual for call centers worldwide.

In a statement made on April 13, Mphasis said it "highly values data protection and data security of its clients. It has proactively instituted

elaborate systems which are constantly reviewed, to ensure and protect client confidentiality."

Among its rules, Tas said, are that cell phones aren't allowed in call centers, given the ability of some of them to take pictures. In addition, between 2 percent and 5 percent of calls are monitored at Mphasis BPO facilities. This is consistent with the norms in the industry, according to the company.

Tas said the alleged fraud is not a sign of security problems specific to shipping call center work overseas. "We believe this is something that can happen anywhere," he said.

But losing control of sensitive data abroad is particularly worrisome, argues Peter Gregory, chief security strategist at consulting firm VantagePoint Security.

"Outsourcing America's corporate business processes to overseas countries not only makes accountability difficult to enforce, but it puts our national sovereignty at risk," Gregory said in a statement. "In this, the Information Age, a country like India could disconnect itself from the Internet and hold America hostage--a provocative action that would be tantamount to an act of war."

In its report earlier this month, Gartner offered a much less grave assessment. The idea that offshore business process outsourcing presents special risks is a "largely incorrect perception," the firm said.

But Gartner and others seem concerned the perception alone could torpedo the industry. In a statement earlier this month, Mphasis appeared to acknowledge the fraud could have a potentially large impact on India's BPO industry.

"We have instituted our own internal inquiry and taken necessary short-term and long-term measures in consultation with Nasscom and the bank concerned, to protect our clients and their customers, and safeguard the security and integrity of the BPO business in India," an Mphasis representative said in the statement.

Some see a silver lining for offshoring in the fraud case. Tas said the response by police in India shows that the system of laws and law enforcement in India "works well, and it works swiftly."

"India is fast becoming the outsourcing capital of the world, and this kind of incident, while unfortunate in itself, when successfully dealt with, highlights and reaffirms the existence of an effective framework of laws and a commitment to enforcing them in India," Nasscom President Kiran Karnik said in a statement.

Nasscom has set up an Indo-U.S. security forum to make its members aware of security and privacy issues when they handle sensitive information from foreign companies. Nasscom also recently launched a security initiative in Pune with local IT companies and police.

That may not be enough to satisfy the public, however. Earlier this month, Sen. Dianne Feinstein, a California Democrat, introduced legislation to ensure that Americans are notified when their most sensitive personal information is part of a data breach that puts them at risk of identity theft.

Politicians in India as well would be wise to act, McCarthy argues. "To bolster its offshore credibility, India will also have to tighten its data protection and privacy laws," he wrote in his report.

He also suggests that companies sending tasks offshore take an active role in managing their remote work, even going so far as to mandate pencil-free offices: "Customers are going to have to implement their own aggressive requirements, such as eliminating writing instruments in their offshore centers."