Article 25th October 2006


THE FACTS ABOUT DATA SECURITY IN INDIAN CALL CENTRES

After our recent article on data theft in Indian call centres, we were inundated with emails from individuals presenting a number of arguments on the issue. 

There was a mixed reaction from people in the industry, with some seeing it as a reason to bring offshore centres back home and others believing it was a sting operation.  The media-friendly story is that this is a widespread problem exclusively amongst Indian outsourced call centres. However, the truth is that this is an isolated problem which is not unique to India, to outsourced facilities or to call centres.  It is nonetheless important to note that there is a problem, and one which matters to the end customer, so in this article we pinpoint the main cause of the problem, what is already being done and what needs to be done to eradicate it.

So what exactly is the problem?

Firstly, it's important to distinguish between data theft and data negligence.  Data negligence is where companies leave loopholes in their data security strategy that enable data to be stolen.  Without data negligence, data theft is almost impossible.  Despite public perception to the contrary, data negligence is actually rare among professionally run call centres compared with other areas of business.  Last week, here in the Midlands, Central News ran an article where they asked a security expert to go through the bins in a high street of a small town.  In the bins of a lawyer, they found copies of wills, shareholder agreements and divorce settlements.  This is a prime example of data negligence which would enable anyone to easily steal consumer data.  With consumer data being central to the role of our industry, procedures are generally in place which would prevent this kind of thing happening in a call centre environment.

Take the example of 24/7 Customer, a professionally run contact centre operation in Bangalore which has invested significant time, money and resource to ensure that its centres are amongst the most data secure in the world.  Their centres have strategically positioned cameras / video recorders. Data is stored remotely and access to customer data is strictly regulated. In addition, mobile phones, cameras and any other related data storage devices are strictly prohibited on the operation floor.  Vigilant physical security guards at turnstiles and restricted access for employees at specific locations have made employees sensitive to, and responsible for, the need to adhere to stringent data security and privacy measures.

24/7 Customer also conduct both internal and external audits. Employees are constantly educated, during induction, in specific sessions and during periodic audits, about compliance procedures for data protection, privacy principles and related policies, and also about the consequences of data misuse.  Customers are periodically informed of the audit findings and of any additional measures implemented.

Prior to joining 24/7 Customer, candidates are verified for their credentials in education, work experience, personal background and passport authenticity.  Police verification for any criminal activity is conducted on a client-need basis.  Gap verification is conducted between education and first employment, or between employments, where the gap spans more than 6 months.  24/7 Customer has been stringently following the employee background verification program from 2004.  Early this year, the background verification was also extended to include support staff like the security personnel, transport providers and other related vendors.  For many companies, this may sound like standard data security procedure, but there are now so many poor quality centres that are tarnishing the reputation of the entire industry.

However, companies like 24/7 Customer are not part of the problem.  The problem lies with unprofessional outfits who don't understand the necessity behind data security.  And herein lies the problem not just for data security but for the offshore industry as a whole.  In countries like India and the Philippines, local entrepreneurs have seen the huge growth in call centres and would like a piece of the action.  With limited funding and knowledge, they approach their venture believing that it can't be too difficult to make or receive a few phone calls.  Despite their lack of knowledge, they fail to bring in expertise in any areas of call centre operations.  Their operations don't know how to recruit people with the required skills, train them to an adequate standard or put in place the performance management systems which should be standard in any call centre operation.  They also fail to put in place effective data management procedures, and so the fact that Channel 4 were able to buy data so easily is nothing more than a symptom of badly managed companies.  With limited marketing budgets, these companies take on projects such as selling mobile phones where the clients are often at fault themselves.  Their clients are typically small companies in the UK or USA who see an opportunity to make quick money out of offshoring.  They pay call centres on commission only and don't conduct any due diligence on the centres who will manage their data.  These companies have no brand, no assets and minimal desire to protect the telemarketing industry.  They have sold everything from insurance to mobile phones.  While we don't seek to undermine entrepreneurial creativity, it is important that these companies are aware of and liable for their actions and inactions.  Quite simply, these brokers and the poor quality offshore centres they outsource to are the reasons why the offshore industry has achieved a reputation it does not deserve.
I know a number of people who tell their friends what line of business they are in, and the friends immediately come back with a negative response about someone whom they couldn't understand and who pestered them to buy a mobile phone.  I believe that these brokers have an obligation to ensure that the centres they outsource to have agents with adequate (understandable) English, competent management and effective data security, and that they should be legally liable if they fail to address these issues.

And what exactly is being done about it?

When I first read the responses which have come from NASSCOM and some senior people in the offshoring industry, I was somewhat bemused.  Their attitude seemed to be that data theft wasn't happening and that this was hyped journalism.  On a newsgroup, I read an article from Ganesh Natarajan, who is the deputy chairman & MD of Zensar Technologies Ltd.  He claimed that this was a sting operation.  However, the use of the word "sting" would suggest that this would not have happened had it not been for Channel 4's documentary.  Ironically, the previous posting on the forum was from someone offering to sell leads with financial information.  The truth is that there is an issue and it needs to be eradicated.

When I continued to read NASSCOM's statement, it was clear that there is action already being undertaken in India.  Certain states are bringing in legislation to ensure companies are properly registered and that staff are effectively vetted. Existing laws for data theft are being enhanced, and let's not forget that a number of people have already been convicted for previous high-profile crimes in this area.  Unfortunately, the convictions received far less publicity than the crimes themselves.  NASSCOM were also keen to receive evidence from Channel 4 so that they can assist with the prosecutions of the individuals involved.

Conclusion

There is an isolated problem with data theft in Indian call centres, but it is not dissimilar from other countries or industries, and the issues that do exist are almost exclusively in low-level telemarketing.  Channel 4 had attempted to imply that this was an issue with the banking industry.  They had shown an example of a flaw in the voice recording system of the vendor used by Abbey.  However, it is clear that this was an isolated incident which was quickly rectified.  Consumers using Lloyds, Barclays or HSBC (who all have offshore centres) are no more at risk of their financial information being stolen than customers of RBS, NatWest or HBOS (who don't have offshore centres). The professionally run centres in India are actually doing more than most domestic centres in this area in order to counter the consumer perception of the issue.  Back in the UK, our Government needs to tighten and implement existing data protection laws and hold accountable those companies that fail to ensure their offshore providers comply with legislation.

Maybe when these poor quality clients and centres are out of the picture, consumers will be able to start to see the true quality that exists in offshore locations such as India.