Learnings from India: How not to secure personal data

The last few years have seen an alarming rise in demand for security products and services within India, especially those related to data security. Be it firewalls, VPN boxes and encryption solutions, or ISO 27001 and SOX consulting, the demand has only increased. No single reason accounts for this growth. Contractual clauses for the BPO segment have become harsher. Fear of data breaches within companies has increased. Salesmen (or Pre-Sales consultants, as they are known these days) have mastered the art of selling expensive yet ineffective solutions. And so on. But do the solutions protect the private data of consumers better than before? Probably not to the extent it should be protected. And yet, there are not as many cases of privacy violation in cyberlaw courts in India as one would think. The problem with the Indian way of securing information and assuring privacy is manifold.

First, the casual attitude infecting our system day after day seems to have spread to our use of technology. Walk into a transport department office and you will find servers containing sensitive personal information about license holders lying next to dustbins, under the table as a foot rest or, at best, under a heap of files. It is not difficult to steal such information. It is just that this information has been made public through so many channels that it's not even worth stealing anymore. Hospitals do not feel responsible for protecting personal and sensitive information about their patients. Information that is supposed to be confidential is conveniently passed on to the media for a few minutes of fame.

Second, we, as Indians, take great pleasure in enjoying the personal lives of fellow countrymen and women. Be it Mr Pandher or Mr Telgi, we all have enjoyed their sub-conscious talks. For no other reason, the media, rebuking all social norms of individual privacy, takes great pride in showing tapes which are ideally supposed to be classified. Now this has nothing to do with data security in general, but it does hint at the possible privacy violations in India going untouched. In fact, what Mr Pandher did in Noida did not demand that his psycho-analysis test be aired on national television. Similarly, Mr Telgi’s status of HIV+ had nothing to do with his stamp paper scam.

Third, the biggest challenge in India still remains “people”. Each of the data breaches, barring one, that have occurred in the past 5 years in India has an element of social engineering. With an open, multi-cultural society, people have started trusting others with information a bit more than the acceptable level. So much so that it is routine for most of us to share our personally identifiable information with unauthorized individuals. Stand outside a call centre with a bunch of fancy credit card forms, and 25-year-olds will throng the place carrying their salary slip, driving license and just about every other piece of personal information. Most of them would not know the name of the agent who is collecting the forms. None of them would actually care.

Not far behind in the “private information made public” race are the DSA agents that telecom companies appoint to collect information and feed it into their systems for various legitimate purposes such as new connections, up-selling/cross-selling, retention and collections.
As a bonus, we are also blessed with the sharing of our personal information with 250-odd domestic call centres in and around Delhi at no extra cost. I haven’t really come across a decent chap who hasn’t got a grudge against telemarketers. Initiatives such as the Do Not Call registry are bound to fail in the absence of strict penalties. The regulatory bodies have clearly not come down on telemarketers to make them implement Do Not Call. If that were not enough, the database propagation of a number into the Do Not Call registry takes about 30-45 days - another example of redundant technology.

As our country grows and generates electronic information, the demands for security and privacy increase. Regulatory bodies and law enforcement bodies need to be brought up to the mark on information security acts. A comprehensive data protection law is required, at the least, to safeguard the privacy of individuals. And last, each one of us needs to understand the repercussions before sharing sensitive information online, and get ready for the information age.
