Disuk Co-Founder Paul Howard on Protecting Data From Outsourcers

Companies that outsource IT and business processes to Bangalore, Delhi and other Indian cities are losing productivity.

A recent investigative report by Channel 4 News in London revealed the results of a yearlong study of Indian call centers representing British banks such as NatWest, HSBC, Barclays Bank, Halifax, Alliance & Leicester and Bank of Ireland. Journalists found that credit and debit card details of British consumers are available at a price, being sold illegally in India for as little as 8 pounds (US$15.26) per contact. That 8 pounds buys the consumer’s name, address, account number, PIN (on debit cards), expiration date, security code from the card back and date of birth.

Paul Howard, co-founder and managing director of data storage and encryption firm Disuk in Silverstone, England, talked with CRM Buyer about the breach of UK privacy law being perpetrated by Indian outsourcing agencies and the responsibility for reversing this activity.

CRM Buyer: Is the problem of a “wholesale disregard for” privacy law as reported by Channel 4 News one of outsourcing? How long has this problem existed? Is it getting worse?

I tend to think it is really outsourcing that is the main issue here. It’s been visible for at least 18 months. We’ve seen it coming. Whether it’s getting worse, I don’t know. It’s written up a lot in the media. I’m talking UK [media] here. It’s not as bad in America, I don’t think.

CRM: Whose responsibility is the solution? Outsourcing vendors? Banks?

The responsibility goes to the primary data owner. If you give your personal information to the bank, you expect them to protect it. Banks need to audit the full chain of outsourced customer service. Regulations [of the UK Data Protection Act 1998] are quite clear. It is the organization’s responsibility.

CRM: Will there be government sanctions on the British banking industry against outsourcing? Or is this too extreme a response to the trade of sensitive data?

There will be no sanctions against outsourcing, but we hope for government requirements in disclosure of data privacy breaches.

It is quite clear that most people in the UK understand that our banks’ call centers are outsourced. But we would like to see regulations similar to those in California brought into the UK, requiring banks whose data has been exposed to notify all affected customers immediately (even if their accounts haven’t been used fraudulently).

It’s going to take time, just like it has in the U.S. Some states have passed regulations. Now Congress is trying to enact something broader. I don’t think it will happen, but at least the states can pass laws to protect their consumers.

I’m not convinced our government will try to push anything through. The only thing we’ll get will be watered down. The simplest thing is disclosure. It’s something that can’t be watered down, and consumers get an awful lot more power from it.

CRM: Do you see financial institutions fearing what is to come, expressing concern about sanctions and working to pre-empt them with new industry-enacted safeguards?

Some banks say, “We’re doing things on our own. We don’t need to both worry about government regulations.” Others are in denial. Those that have picked up on the problem are trying to do something themselves to solve this.

CRM: What are Indian and British authorities doing about this?

Indian authorities are very aware of this problem. Outsourcing is a big business in India, and if many reports like Channel 4 News’ get out, they can cause problems for them. One of the guys identified in the Channel 4 story was arrested and is behind bars now. Indian authorities are serious about this.

The call center industry is a big revenue generator for India, and Indian leaders are very concerned that the world will get the impression that you shouldn’t outsource to India, that it isn’t somewhere you can trust. That will be very bad for them. I think they will bring something in — regulation for outsourcing vendors and the industry. It’s a young industry and not as settled as banks in the UK are. It can still change rather easily.

CRM: The Channel 4 News report said that 40 percent of the world’s largest companies now have call centers in India. It’s likely, therefore, that security breaches aren’t just happening in banking. What else is being sold? With what consequences?

By the week, more and more go outsourced. More consumer information is getting out, and it’s very worrying.

What I’m seeing in Europe is accountants running companies. And they only look at the bottom line. They don’t normally understand the business and run roughshod over IT services. The accountants are the ones who got into outsourcing, who started the ball rolling. The ones who started outsourcing are long gone and they’ve taken their millions with them.

Now companies are spending a lot [to remedy security breaches], and they’re losing customers. One UK bank is making a point of saying its call centers are all UK-based. Consumers are leaving their banks and taking their accounts to this bank because they’re concerned about call centers being in India.