Data Security Laws in India, the European Union & the United States
Data Security Laws in India (A Growing BPO Destination)
INDIA – THE OUTSOURCING DESTINATION
India is a key destination providing information technology (IT), and now information technology enabled services (ITES), to a number of Fortune 500 companies.
Over the last decade, the average growth rate of India's GDP has been five to seven percent, making it one of the better performers in the world economy.
Purchasing power parity in India is relatively high (the fourth largest in the world).
India --- The Key Information
Data Security Laws: Indian IT Act of 2000
Leakage of personal data by a service provider is a criminal offense.
Companies would be held responsible for protecting data.
Defined information breaches: unauthorized access to a designated protected computer system; accessing information without consent; unauthorized copying of data.
Third parties such as internet service providers and website hosts would not be responsible if their services were misused by someone else without their knowledge.
Data Security Laws: Indian IT Act of 2000 (cont.)
The information security issues under the IT Act are the following:
Section 43: if a person, without the permission of the person in charge of the computer system, accesses or downloads any data, introduces a virus, or causes denial of access, they will be liable for a penalty of up to 10 million rupees (approx. $250,000).
Section 65: Tampering with computer source code
Section 66: Hacking
Section 72: Breach of confidentiality and privacy
Security Environment in India:
Indian service providers agree to be subject to global acts and are ready to be litigated in the courts of the user's country.
Companies sign Service Level Agreements (SLAs), which have very strict confidentiality and security clauses built into them at the network and data level.
Spending on security ranges from 5% to 15% of the IT budget.
Companies dealing with US clients require compliance depending upon the industry served, e.g. healthcare requires compliance with HIPAA and financial services require compliance with GLBA.
Security Environment in India (cont.)
Many companies in India are undergoing or have undergone a SAS 70 audit to implement and improve internal controls.
Implementation of international standards for information security management such as BS 7799. Security safeguards are ensured in many ways, for example:
Before appointing an employee, his/her background is checked.
Employees don't have access to the internet, so as to avoid Trojan horses infecting systems and monitoring data.
No pencils or mobile phones are permitted in the processing shop, to prevent data being copied.
The machine locks after one minute if it is left idle.
Systems are protected by multiple-level firewalls, anti-virus and encryption software.
Data Security Breaches: Not Easy. Laws Relating to Data
There are several laws applicable to data theft or misuse. The Indian Penal Code, 1860 (IPC) is equipped to deal with theft, cheating, criminal breach of trust, dishonest misappropriation of data and/or criminal conspiracy, while the Information Technology Act, 2000 can deal with hacking.
Offenders can be arrested without a warrant, and the arrest can be non-bailable. The punishment ranges from one year's imprisonment to life imprisonment.
In the case of employees of a BPO, public servants, merchants, attorneys or agents, the penalties are higher. For example, if an employee misuses data for personal gain the punishment is seven years' imprisonment, and in the case of public servants, merchants, etc., it can be a life term.
A Lot to Improve
The Indian BPO industry is expected to grow at a CAGR (Compound Annual Growth Rate) of 44.7 per cent. The size of the industry is expected to reach $16 billion by 2007.
Data security and privacy, lack of product expertise and inability to deliver results are threats.
Companies would have to invest in building risk assessment systems, disaster recovery procedures and standard tests to provide a high standard of security and data protection.
Build capacity to provide security certification.
Gap analysis: analyzing the existing standards and best practices adopted by the industry in India and by the industry at the international level.
Carrying out research in the field of data privacy and protection in the context of the Indian situation.
Create a win-win situation for outsourcing companies to start their setups in India.
Data Security in the European Union
The European Union (EU): 27 member states
Common currency since 1999: the euro
Generates an estimated 31% of the world's GDP (2007)
A system of laws applies to all member states
National courts are required to enforce EU treaties, even if doing so requires them to ignore national laws
The European Directive 95/46/EC (Data Protection Directive)
Objective: remove obstacles to the free movement of data without diminishing data protection within the Member States of the EU
Applies to automated processing (e.g. a computer database of customers) as well as non-automated processing (traditional paper files)
Not applicable to public security, defense or criminal law enforcement
Principles of Data Controlling
Data must:
be processed fairly and lawfully;
be collected for explicit and legitimate purposes;
be relevant and not excessive to the purpose;
be accurate and kept up to date;
not be kept longer than necessary when it identifies an individual.
Each Member State must provide a supervisory authority that must be notified when data is processed.
Data processing is any operation performed upon personal data: collection, organization, storage, alteration, use, disclosure, combining, erasure.
Personal data is any information relating to an identified or identifiable person, such as a name, telephone number, photo or fingerprints.
Personal data can be processed if…
unambiguous consent is given;
it is necessary for the performance of a contract involving the data subject;
it is required by a legal obligation;
it is necessary to protect an interest that is essential for the data subject's life;
it is necessary for tasks carried out by official authorities.
Processing Sensitive Data
Sensitive data is data relating to: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health or sexual preference.
In principle such data cannot be processed. Derogation is tolerated under very specific circumstances.
Data Transfers to non-EU Countries
Personal data can only be transferred to countries outside the EU that have an 'adequate' level of protection. So far these are only:
Switzerland
Canada
Argentina
Safe Harbor Privacy Principles of the U.S. Department of Commerce
Air Passenger Name Records to the U.S. Bureau of Customs and Border Protection
EU-US Airline Passenger Data Disclosure
By March 5, 2003 all international airlines must provide the U.S. government full electronic access to detailed airline passenger data.
This collides with EU protection law, which allows access to data only on a case-by-case basis upon particular suspicion.
The June 28, 2007 agreement reduces the collected data from the 34 fields collected up to now to 19 data fields.
Data Security in the United States of America
USA Data Security – The Early Years
Who cares? Working with data needed expensive equipment; there was no way of really using it; no way of tracking users taking data; hard drives were very expensive and small.
Along came Windows: working from home; the GUI allowed users to view, manage and easily store data; led to VPNs (Virtual Private Networks) and firewalls; security focused on external attacks; started tracking users who access data.
USA Data Security – Early Legislation
1960s: Proposal for a Federal Data Center (IRS information, census information, Social Security)
Call for security by Thomas J. Watson Jr., Chairman of the Board of IBM
1970s: 1974 – Federal Privacy Act
USA Data Security – More Early Legislation
1980s: Legislation passed concerning emails, personal records, etc.
1986 – Electronic Communications Privacy Act
1990s: 1996 – International Conference on Privacy and Data Protection
Sally Katzen – CIO? Not quite, but close enough: Administrator of the White House's Office of Information and Regulatory Affairs of the Office of Management and Budget
USA Data Security – Present
Internal attacks
Accountability – users can be monitored for what data they look at; audit trail
Personal computing devices (PDAs, laptops): 60,000 lost globally in the last six months of 2004. Let's be honest, most were probably in the United States. Have you heard about Ohio University?
USA Data Security – Present
CERT: Carnegie Mellon University's Software Engineering Institute
Security experts
Reports security incidents: mail messages, hotline messages, incident reports received
USA Data Security – What should we do?
Establish detailed policies for the security of data
Assess the value of the data being protected
Transparent security solutions
View security as a process and not a product
Realize security is an ongoing process
USA Data Security - Future
Known for 40 years that data security is important and we still can’t get it right
THANK YOU