EXL data breach incident raises alarm among BPOs

by Sohini Bagchi    Nov 08, 2013

IT outsourcing has been on the rise in recent years. However, several issues are disrupting the development of contracts and service level agreements in the BPO industry, the most contentious being that of data breaches. The breach of confidential client data is even resulting in the loss of lucrative million-dollar contracts for these firms.

The latest company caught in this debacle is outsourcing firm EXL Services, which has just lost a key client due to a breach of confidential client data by its former employees. According to a company source, a few company employees, who have since been terminated, shared a procedural document externally in violation of the company’s strict client confidentiality policies. The concerned client, US-based insurance firm The Travelers Indemnity Company, is scrapping a deal that was signed in 2006.

EXL Services, which competes with companies such as Genpact, WNS and Firstsource and gets more than half of its revenues from the healthcare and insurance space, said in a statement that Travelers was ending the contract because it failed to comply with the provisions of the agreement in handling client information.

The client reportedly accounted for 9.6% of the company’s total revenue for the July-September quarter of 2013, and it is estimated that the termination is likely to impact revenues by at least Rs 86 Crore in 2014. EXL also needs to provide transition-related services for 18 months from the termination date, at its own cost, as mentioned in the agreement.

The larger question of data security

EXL’s loss obviously raises larger questions about data security in BPO firms and other Indian firms in the recent past. Analysts tracking the outsourcing industry said this was not the first instance of a contract getting scrapped because of a breach of client.

According to a Ponemon Institute report, Indian companies lose over Rs 6 Crore annually to data breaches resulting from system glitches, human errors, malicious attacks and other mishandling of data, and most breaches are caused by internal staff members. This is also true in the case of EXL. The study found that on average it costs Indian organizations Rs 2,271 for each lost or stolen record, up 8% over last year.

Another survey by global advisory firm KPMG found that employees of more than three-fourths of the BPO firms lack awareness of liabilities arising out of data breaches, which can be humongous. “Almost 50 percent of the organisations are negotiating contracts to ensure that any liability arising from vulnerabilities in the client’s environment is borne by the client,” the report added.

Impact on the BPO industry

Many believe EXL’s loss also comes at a time when BPO firms in India are looking to strengthen their presence in the healthcare vertical by acquiring more companies in the US and European markets, even though it may not negatively impact the industry, which is already an established one.

However, Anantha Radhakrishnan, VP and Global Head of Enterprise Services at Infosys BPO, argues that the industry has moved from a transaction model to transformation, where security, as part of internal IT and business strategies, plays a significantly important role. He advised CIOs of BPOs to treat security as a point of differentiation to gain competitive advantage rather than a hygiene factor.

Anshuman Chakravarty, an analyst tracking the outsourcing industry, believes that BPO firms have been handling data pertaining to credit cards and financial information for years now and have strong processes and security systems, although they need to be careful when they are dealing with client data, and it is only when a breach occurs that the industry wakes up to it. “Moreover, having a good working relationship with a service provider is necessary to the success of any IT outsourcing plan, and that confidentiality needs to be maintained at any cost,” he said.

Sachin Jain, CIO, Evalueserve, believes that security breaches are always unfortunate but there are ways to avoid them in advance, and when it comes to client data, companies need to be extra careful. “They should monitor and have control over their employees' data, especially with BYOD becoming a usual thing at the workplace. It is important for IT to limit access to customer information to only those employees who need it to do their jobs. You can use access control lists (ACLs) for example, to make sure that only authorized employees can access credit card numbers,” he says, adding that breach incidents are always an eye-opener for an industry like BPO that deals with highly sensitive client records.

The Indian BPO industry has grown nine times from $1.6 billion to $14.7 billion in just a decade and is expected to witness robust growth in years to come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at $60 billion, is expected to reach $225 billion.