Legal Expert: Poor InfoSec Culture to Blame in TCS vs. Epic
India's 'Naavi' Urges NASSCOM to Adopt Self-Regulation
In the TCS vs. Epic Systems case, a jury in the United States awarded Epic $940 million in compensation, but TCS plans to appeal. The main allegation was that TCS downloaded proprietary documents, which were then used to develop a competing product (see: Jury Awards EHR Vendor $940 Million in Trade Secrets Case).
In an interview with Information Security Media Group, Bengaluru-based cybersecurity and cyberlaw expert and auditor Na. Vijayashankar, popularly known as "Naavi," notes: "The more important aspect to me is that in an organization as big as TCS, employees have not followed basic information security practices and ethics." If this is a reflection of the state of security in the Indian outsourcing space, it could be a black mark for the multi-billion dollar industry and have major business implications in the times ahead, he adds.
In the absence of a regulation or a privacy law in India, NASSCOM needs to start looking at forming a voluntary industrywide self-regulation under its guidance to push for better information security compliance, Naavi says. "There is no need to wait for a new standard or law to be set up - there are many that will serve the purpose. Before this case goes to the higher courts in the U.S., the Indian IT industry, represented by NASSCOM, needs to take a posture saying that information security failure will not be tolerated."
Naavi believes the case involves intentional and unauthorized use of credentials - though not necessarily to benefit TCS, which is the main argument in the case, but rather as a convenient workaround taken by TCS employees who were working on an outsourcing project. These kinds of workarounds are becoming routine in Indian enterprises for the sake of convenience, he contends. The poor security culture demonstrated will now cost TCS dearly, he says (see: Epic Systems vs. Tata: Key Security Questions).
"What is also important to note is that the kind of contravention that TCS has been accused of is something many other companies in India are also indulging in as a matter of routine," he wrote in a recent blog post.
Either the TCS employees were unaware of the implications of what they were doing, or they did it consciously, he says. "In both cases, this is not a very sophisticated information security failure. It's pure and simple negligence or recklessness of the employees, and part of the blame has to be taken by the training system of the organization, and it highlights the lack of security culture in an organization like TCS."
In fact, unauthorized access can attract criminal punishment under Indian law if a case should be filed against TCS in India. While there is an information security lapse on both sides, the implications for the Indian software services industry could be severe, he says (see: Important Lesson From Trade Secrets Case).
In this exclusive interview, Naavi explores the information security aspects of the TCS/Epic Systems case and shares his insights on the implications for the Indian software services industry. He speaks about:
- The InfoSec aspects of the case on both sides of the fence;
- Why training and awareness are crucial to prevent such incidents;
- His observations on the state of InfoSec in the Indian IT industry.
Na. Vijayashankar, more popularly known as Naavi, is an information assurance consultant based in Bangalore, India. Naavi is a pioneer in the field of cyber law in India and founder of www.naavi.org, the premier cyber law portal in India. He is a leading HIPAA and ITA 2008 compliance consultant, with more than three decades of senior corporate executive experience. Naavi has also introduced pioneering web-based services, such as the Cyber Evidence Archival Center and the Online Arbitration Center. He pioneered the concept of "Total Information Assurance," a three-dimensional approach to information security that goes beyond the technical concepts of confidentiality, integrity and availability to authentication and non-repudiation.