Recently, the agent for a Noida-based call center was arrested for misusing information from the customer database. While his fate is to be decided in court, it raised a critical question—will customer database security prove to be the Achilles’ Heel for BPO operations in India?

The agent was handling the account of a US-based pay-TV channel and had access to personal details and credit card numbers of subscribers. During his tenure, Sony launched an online scheme targeting NRIs—they could order gifts and get them delivered to relatives in India. The agent used the personal details of one NRI to order gifts online and then sold them off. Subsequently, the incident came to light when the subscriber saw his credit card bill and raised a hue and cry.

By and large, Indian call centers have taken adequate measures to prevent such misuse and have brushed aside this incident as a stray case, confident that most have mechanisms to control such acts. A major deterrent is the destination point of the goods to be delivered. With most customers of call centers being US-based, purchases are usually within the country. Remote destinations like India are enough to trigger careful scrutiny and more caution.

Experts point out two aspects of the issue—one, the inherent security of the call center’s networks; and two, the security from human failings, which could be either inadvertent or intentional.

Call centers go to great lengths to ensure security of their networks. Pavan Vaish, senior V-P at Daksh eServices—"Ensuring the security of customer databases is sacred for call centers, and one of the areas that receive maximum attention. All our Fortune 100 and Fortune 500 clients satisfy themselves with our security arrangements before signing up."

Daksh has sought the help of KPMG to help it with security practices. It adheres to the British security standard of BS 7799, which seeks strict compliance by all users. Besides, the company has also installed high-end firewalls from CheckPoint and Cisco to prevent hacking of its network. The company also has an encrypted VPN in place and can access software at its customers’ premises in a secure manner.

The other aspect of security, that arising from human failings, is difficult to control but not unmanageable. Agents are educated about the criticality of customer databases during an orientation program, and trained on the need to treat it with utmost caution. They are also informed about the liabilities arising out of carelessness in handling customer databases. Raman Roy, the vice-chairman of Spectramind, says—"There are lots of checks and balances in the system. We undertake a huge amount of cross-reference while recruiting agents. Every move of our agents is monitored. With our monitoring, verification and control mechanism, we are not worried about misuse of information."

Most credible call centers have set up central monitoring systems which check the movements of agents. Cameras are installed at the workplace to observe agent behavior. Among other precautionary measures, agents are not allowed to carry a pen and paper while working. Some call centers have comprehensive liability insurance in place—protecting them from "human error".

But there are indications that much as companies brush aside any incidents of misuse of personal information, there are many that do take place. "Most centers do not have a legal infrastructure in place to address such issues. In most cases, we are asked to solve cases amicably, out of court. There are many cases which are hushed up since corporates are wary about bad press," says Pavan Duggal, advocate and cybercrimes expert. Most operators seem to have got their act together. The few that don’t would do best to follow suit.

Balaka Baruah Aggarwal/CNS in New Delhi