New Indian Privacy Rules Could Force The Hand Of Many U.S. RetailersWritten by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
New data security regulations in India may make retailers think twice about outsourcing functions that involve consumer information to the subcontinent. The new government rules, which took effect in April, could impact virtually all retailer IT operations if anything is located in India.
How strict are these new rules? They require rapid notification of data breaches—but the rules also require getting express written consent from customers for using their data; getting consent if you want to have third-parties handle the data; providing consumers with contact information about every party who has access to their data; and allowing consumers to have their data purged from all your systems.
For those retail execs thinking, “This isn’t such a big deal. This only impacts our call center, because that is all we operate in India,” think again. The rules are an example of what the legal community calls the fruit of the poisonous tree. Under this scenario, the rule wouldn’t solely impact call center operations. If the information collected from a call center was used anywhere else in the chain—such as if any of that call center data was stored in CRM files or it was used, directly or indirectly, to help in-store, E-Commerce, M-Commerce, supply chain or any other part of the chain—then those divisions would also be subject to the same stringent Indian rules.
The rules also call for any privacy breach to be subject to whatever law is most strict. Usually that will mean the Indian law. However, if—for example—California has even tougher requirements and a retailer is subject to California law but also has an outsourced call center or data center in Mumbai, Indian courts will use the more stringent state requirements.
For most retailers, that could require serious second thoughts about outsourcing to India. Let’s face it, retailers typically outsource to foreign countries because they want to save money. This savings can result from lower labor costs, lower insurance or real estate costs, lower manufacturing costs and lower overhead of compliance costs—and usually a lighter regulatory environment.
However, a rash of highly publicized break-ins and thefts of personal information has apparently led the Indian government to decide that the best way to promote India as a haven for data centers, call centers and other outsourced data processing is not to lower privacy and security regulations but to raise them. “Look,” the government seems to be saying, “your customer data will be secure here, and our data centers must protect it.”
So what previously was the subject of contractual wrangling between companies and their outsourcers now has whatever “teeth” are added by the threat of government enforcement—all in the name of promoting business.