The US$940 million penalty imposed on TCS by a US District Court (Wisconsin) should be considered a watershed moment in the history of data security management in India, since it involves one of the most reputed IT companies of India and what could be a trivial act of information security negligence.
What is also important to note is that the kind of contravention TCS has been accused of is something many other companies in India also indulge in as a matter of routine.
Sometimes these incidents of information security negligence arise out of the ignorance of individual employees, but when they go undetected and are even supported by several employees and their team leaders, one wonders: “How come none of these people were aware of basic information security routine?”
It is possible that TCS may fight it out in court and get the penalty reduced. But there are many lessons Indian companies need to learn from this episode, including: “Even when my client is negligent, the liability can be on me.”
To understand how a Rs 6000 crore liability arose on TCS (bigger, in rupee terms, than the Satyam liability in the UPaid patent infringement case), we need to look at the details of the case, which are well explained in this article in wire.in. Another article in Business Standard debates the amount of the penalty.
Essentially, the incident involves employees of TCS accessing confidential information on the information systems of Epic Systems, a health care software company which has accused TCS and Tata America International Corp (the American arm of TCS) of “brazenly stealing trade secrets, confidential information, documents and data”. One of the allegations is that TCS built a competing software product called “Med Mantra” using stolen intellectual property of Epic Systems.
According to the details now available, the case involves three (possibly four) parties, namely TCS, Epic Systems and Kaiser Permanente, a health care organization one of whose subsidiaries is a chain of Kaiser Foundation Hospitals. In view of this there is a HIPAA-HITECH angle and a possible health data compromise, which could lead to further damage claims on Kaiser and, maybe through Kaiser, on TCS. There is also a previous client of Kaiser which may have a role to play in this game of negligence.
Kaiser had been using Epic’s software for hospital management since 2003, and TCS was a consultant to Kaiser and had also signed an agreement with Epic stating that “Epic’s program property contained trade secrets of Epic protected by the operation of law”. In 2011, TCS was engaged by Kaiser to test the Epic software through approved offshore development centers in Chennai and Kolkata, where certain data security measures were to be in place. Such data security measures included simple things such as web access being blocked and USB ports being blocked, essentially to ensure that employees do not get unauthorized access to Epic’s data.
(It may be noted that the testing environment ought also to have taken measures to be “HIPAA compliant”, since there was exposure to data compromise risk involving individually identifiable health information of US citizens, though this point has been completely missed in the discussions so far.)
It appears from the records that TCS failed to have adequate information security measures in place in the development centers.
Additionally, during the testing process, TCS employees regularly required access to some internal documents of Epic, since these were the essence of the testing process. Such documents were available on Epic’s servers and ought to have been selectively released to TCS employees under Epic’s authorization, whenever required, on a need-to-know basis.
To make the process simple, it appears that when required, access to Epic’s proprietary data such as “Release Notes”, which were the foundation documents for the testing process, was granted directly to TCS employees. While the approved process was for TCS to request the relevant documents from a Kaiser employee, and for Kaiser personnel to download the document and provide access to TCS employees, a workaround was initiated in which TCS employees acted on behalf of Kaiser and accessed and downloaded the documents directly.
It is here that we can say Kaiser was negligent in allowing such access, but TCS could have refused the access as offered and raised the flag of a potential breach of information security principles.
One of the employees, who had earlier worked with another Kaiser client and had at that time been given access to the Epic system (UserWeb), then joined TCS and started working on the project. This time he felt that not having direct access to the Epic system was delaying things, and therefore checked whether his earlier access to UserWeb was still working. To his surprise, neither his past employer nor Kaiser nor Epic had disabled his access, so he was happy to continue using the old company’s access to do work for TCS. He also shared these access credentials with other members of his team, and they all used them to access and download documents from Epic, impersonating the ex-employee of another firm without understanding the gravity of the situation.
The fact that these TCS employees were unaware of the risk of sharing passwords, and those of a different firm at that, indicates a complete failure of the training provided and of the security culture prevailing in the team.
Here again there was gross negligence on the part of the erring employee’s earlier employer, Kaiser and Epic, which contributed to the unauthorized access.
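Both control gaps in the episode above, an account that stays alive after its owner has moved on and a password passed around a team, leave traces in ordinary access logs if anyone looks for them. The following Python script is an added example written for this page; it is not code from the post or from any of the firms involved, and the roster, log lines, account names, hosts and thresholds are all constructed for illustration. It flags (1) use of an account after the sponsoring firm recorded the owner's separation and (2) one account used from several hosts within a short window, the usual signature of shared credentials.

```python
"""Detecting two control failures from access logs:
(1) an account used after its owner left the firm that sponsored it, and
(2) one account used from several hosts in a short window (shared password).

Added example: the roster, log format, names and thresholds below are
constructed for illustration and do not describe any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster of partner accounts: sponsoring firm and the date that
# firm recorded the owner's separation (None if still employed there).
ROSTER = {
    "jdoe": {"sponsor": "client-a", "separated": datetime(2014, 6, 30)},
    "asmith": {"sponsor": "client-a", "separated": None},
}

# Constructed access log lines: timestamp, account, source host, action.
SAMPLE_LOG = """\
2014-05-02T09:14:03 jdoe host-a1 download release_notes_v7.pdf
2014-09-10T10:02:11 jdoe host-t1 login
2014-09-10T10:05:40 jdoe host-t1 download release_notes_v8.pdf
2014-09-10T10:07:15 jdoe host-t2 login
2014-09-10T10:09:52 jdoe host-t3 download release_notes_v8.pdf
2014-09-11T08:30:00 asmith host-a2 login
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split(maxsplit=3)  # action may hold spaces
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def orphaned_account_use(events, roster):
    """Events where an account is used after its sponsor recorded the owner's
    separation, or where the account is not in the roster at all."""
    hits = []
    for ev in events:
        rec = roster.get(ev["user"])
        if rec is None:
            hits.append((ev["user"], ev["ts"], "not-in-roster"))
        elif rec["separated"] is not None and ev["ts"] > rec["separated"]:
            hits.append((ev["user"], ev["ts"], "used-after-separation"))
    return hits


def shared_credential_use(events, window=timedelta(hours=1), min_hosts=2):
    """Accounts seen from at least min_hosts distinct hosts inside any span of
    length `window`; returns {account: sorted hosts} for each flagged account."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in orphaned_account_use(evs, ROSTER):
        print("orphaned:", hit)
    for user, hosts in shared_credential_use(evs).items():
        print("shared credential suspected:", user, hosts)
```

The roster check only works if the sponsoring firm actually feeds separation dates to the system owner, which is exactly the hand-off that failed in the case above; the multi-host check needs no such feed and would have flagged the shared UserWeb account on its own.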
While it remains a matter of debate whether TCS or its employees can be charged with bad intentions or misuse of the IP for developing a competing product, etc., which are allegations to be tested in the course of a legal trial, the fact that there was an information security failure at TCS, Epic, Kaiser and the unknown Kaiser client where the erring employee was earlier working is apparent.
Who has to take how much of the blame, and bear how much of the loss, is a matter for the Courts to decide.
Whether the Courts will be able to appreciate this as an “Information Security Failure” and not “Hacking” depends on how mature the Judges are and how efficiently the lawyers present their case.
Before I end, I cannot but express my feeling that it would have been better for all the parties concerned if this dispute had gone to arbitration, where technology and information security experts sat in judgement rather than juries and judges who may be more conversant with computer abuse law than with the nuances of information security governance.
Perhaps there is a case here for TCS and the like to consider odrglobal.in as the dispute resolution mechanism, at least in future. Of course, odrglobal.in is only a technology platform, and the adjudication of liabilities has to be done by experienced arbitrators who need to be appointed.
I call upon the IT industry in Bangalore to set up an “International IT Arbitration Council” and invite NASSCOM and STPI Bangalore to take up the necessary initiative.