Outsourcing: Fortress India?

Call centers and credit-card processors are tightening security to ease U.S. and European fears of identity theft

A line of neatly dressed workers files into the Golden Millennium, a shimmering glass-and-steel building in central Bangalore. One by one, they swipe ID cards through a reader, then empty their pockets and bags and stuff cell phones, PDAs, and even pens and notebooks into lockers as a dour security guard watches. Staffers ending their shifts, meanwhile, are busy shredding notes of conversations with customers. At the reception desk, visitors sign a daunting four-page form promising not to divulge anything they see inside -- and even then are only allowed to peer into the workspace through thick windows.

A top-secret military contractor? Hardly. This is one of four call centers run by ICICI OneSource, which employs 4,000 young Indians to process credit-card bills and make telemarketing calls for big U.S. and European banks, insurers, and retailers. And ICICI isn't the only outsourcing company worried about security. Call center operators such as Mphasis BFL, Wipro Spectramind, and 24/7 Customer, as well as back-office subsidiaries of companies such as General Electric, are quickly adding state-of-the-art systems to monitor phone conversations, guard data, and watch workers' every move.

Why the extreme caution? After rushing to shift telemarketing and back-office work to India in recent years to tap low wages, U.S. and European companies are under growing pressure from regulators and legislators to guarantee the privacy of their customers' financial and health-care data. India's $3.6 billion business-process services industry is eager to defuse the issue. When the backlash against offshore outsourcing erupted last year, opponents first focused on curbing government contracts and temporary U.S. work visas for foreign tech workers. Now security and privacy fears have become the hot excuses "for new barriers to trade in services and information technology," says Jerry Rao, chairman of the National Association of Service & Software Cos. (Nasscom), India's IT trade group.


Today 186 bills that aim to limit offshore outsourcing are pending in the U.S. Congress and 40 state legislatures. Dozens of those involve restrictions on transmission of data. For example, the SAFE ID Act, sponsored by Senator Hillary Clinton (D-N.Y.), and a similar House bill by Representative Edward J. Markey (D-Mass.), would require businesses to notify U.S. consumers before sending personal information overseas -- and would bar companies from denying service or charging a higher price if customers balk. Although no such bills have been enacted so far, "next year I think all of this legislation will be back and spike up again as a huge issue," especially if the U.S. recovery stalls, says R. Bruce Josten, a U.S. Chamber of Commerce executive vice-president who helped industry fight the legislation.

Identity theft and credit-card fraud are huge problems globally. There's little evidence, though, to suggest consumer data are at any greater risk in India than in the U.S. Sure, India's privacy laws aren't as stringent as in the West. But most highly sensitive data belonging to U.S. or European companies are stored on their own servers at home, with access from India tightly controlled. If an American is defrauded, the U.S. company that farmed out the work is legally responsible. Indian call centers, meanwhile, sign their contracts in the U.S. and can thus be sued there by their corporate customers. What's more, there is only one known case of fraud. Last year a programmer for India's Geometric Software Solutions Co. tried to sell a U.S. client's intellectual property. He was arrested and is awaiting trial in India.

Still, given the charged emotions over outsourcing, India's IT industry knows even a few incidents will generate devastating publicity. So call centers like Mphasis BFL Ltd., which employs 6,000 workers performing sensitive tasks such as processing personal tax returns and credit-card statements for U.S. clients, are leaving little to chance. If the U.S. company prefers, consumers' names, Social Security numbers, and credit-card numbers can be masked. Computer terminals at Mphasis lack hard drives, e-mail, CD-ROM drives, or other ways to store, copy, or forward data. Indian accountants only view data from U.S. servers for specific tasks. Video cameras watch over the sea of cubicles. Every phone conversation is recorded and can be monitored on a system installed by Melville (N.Y.)-based Verint Systems Inc. And since data theft is often committed by disgruntled former employees, Mphasis can lock a staffer out and cut access to PCs and phones three minutes after a resignation. A year ago that process took three days. "Fears about identity theft can be aggravated when people learn their data are in a foreign country," says Mphasis Vice-Chairman Jeroen Tas. "So we feel it is better to address these concerns up front."

Such precautions don't come cheap. It costs about $1,000 per worker to install the Verint system that records, stores, and analyzes voice conversations. Yet Verint has signed up 100 local and multinational centers in India. "There has been a big push in the past year or so as the competition focuses more on quality," says Mariann McDonagh, Verint's vice-president for global marketing. Indian centers also pay up to $300 per worker for background checks, a big expense given their explosive growth and high attrition rates. It's also cumbersome: Due to India's lack of online databases, verifying education and work experience can take weeks.

But while security practices in India now match or surpass those at most U.S. call centers, the legal system still needs work. Indian law on computer hacking inside companies is fuzzy, and privacy enforcement is weak. India's IT industry is addressing those vulnerabilities. Nasscom is working with the government to bring India's data-privacy laws more in line with the U.S. And it intends to have the security practices of all its 860 members audited by international accounting firms. Nasscom has helped Bombay's police department set up a cybercrime unit, training officers to investigate data theft. Similar units are planned in nine other cities. India's goal, says Nasscom Vice-President Sunil Mehta, is "to have the best data-security provisions and be a trusted sourcing destination."

Given the ingenuity of today's cyberscammers, some embarrassing incident seems inevitable. But India's IT-services industry is determined to show that the world's financial and health secrets are as safe in Bangalore as they are anywhere.

By Pete Engardio in New York, with Josey Puliyenthuruthel in Bangalore and Manjeet Kripalani in Bombay

    Before it's here, it's on the Bloomberg Terminal.