"India suffers from both, too much identification and, too little privacy"

Updated: Sep 14 2008, 07:03am hrs
Basant Shroff, associate director, Risk Advisory Services, Ernst and Young, spoke with Abhay Rao of The Financial Express, about his take on identity theft and how it can affect us.

What is the current situation of identity theft in India What are the Governments and the corporate sectors responses to it

Identity theft basically involves stealing of another person's personal information, and using it for fraudulent purposes. In India, identity theft cases have been on the rise, particularly with increasing adoption of the Internet. With increased financial transactions online, fraudsters have started using the internet and emails as a bait to lure people into providing them with their personal data. This is called phising, and with an increasing number of financial services, customers use the internet as a channel, the life-like web pages created and emails sent by these fraudsters are likely to dupe more people. Earlier these fraudsters resorted to methods such as telephones, stealing of wallets, or mails, to gather personal information.

In the e-age, emails claiming to be from your bank, with a URL link to an equally impressive webpage that looks and feels like your banks, seeking personal information urgently, to prevent an adverse action on your account, leave many people easy prey for identity thieves.

The government has been aware of the lack of privacy laws and data protection norms in place, and the overall short-comings in this area. Another cause of concern is that many foreign organisations that outsource work to India are increasingly concerned about the lack of governance and regulations, with regards to information sharing, privacy and control over data. With organisations like Nasscom lobbying for privacy, and data protection laws to be put in place, we should expect to see some improvement in this area.

As far as Corporate India is concerned, many of them do want to streamline and better manage the personal data they collect and manage. This comes under the purview of their internal information security policies for some and specific privacy policies for the others. Some of these companies who wish to put procedures and systems in place, approach organisations like ours to help them. MNCs operating in India follow these practices as part of the mandate from their parent organisation. Also, I find many of the Indian organisations with international footprints imbibe these practices followed elsewhere in the world by their counterparts abroad where such laws do exist.

Why is identity theft such a threat in India

India suffers from two major problems, one is too much identification, and the other is too little privacy. Most Indians will always have multiple documents with them which can be used for identification purposes. Passport, PAN card, licence, ration card, etc and these documents are required to be produced in various places, be it financial services, telecom providers or other companies, to establish your identity.

With so many different documents that one can use to establish an identity, the chance of someone replicating one of these and pretending to be you, increases significantly. We are only at the initial stages of data gathering to introduce the concept of a National Social Security Number by the Central Provident Fund Commissioner. It is a step forward in the right direction.

In India, organisations and government offices have access to a variety of sensitive and personal information. However, there are no laws that are enforced to keep this data secure and private, without any leakages and breaches of privacy. Though, the telecom industry by introducing the concept of the "do not call" list, privacy policies and the likes, has instilled some sense of privacy amongst Indians; small habits, like removing a statement of accounts from an envelope and throwing the envelope aside, without checking to see what data it may contain on it, can also prove harmful. The concept of shredders or secure disposal is still in its infancy in majority of the households. This, combined with carelessness on the part of people, increases the risk of identity theft in India.

Do you feel anti-phising and credit monitoring software's that are out will help this situation What do you think about identity insurance

I feel anti-phising and credit monitoring software's are a good concept, however their likelihood, particularly credit monitoring of working in India is very subjective. We currently do not have a robust centralised data on credits for individuals. This will thus make it increasingly difficult for credit monitoring softwares to make a difference. However, I do believe that anti-phising software, which can scan the internet for replica websites, track their source and prevent potential phising attacks is increasingly becoming more efficient. These software react fairly quickly and have been very useful for financial services companies, particularly banks. The internet has grown in size and stature over the last few years and has both, a positive and negative influence.

There is a large cross section of websites, which are used by the hacker community dedicated to urging people to make better hacking tools and has gone to the extent of luring software programmers to make a quick buck in lieu of a malicious code that they can write.

Identity insurance might exist in many parts of the world. However, for such an idea to take off in India will take sometime. For starters, there could be concern around pricing. How do you assess the probability of a certain person being exposed to identity theft, and how much would the person be willing to pay to safeguard his reputation, will remain a question. Secondly, the insurance sector itself is going through a growth phase. Life insurance has been around for years, and yet we, in India have a relatively low base of adequately insured population. Hence, for a new and niche insurance product, while, there maybe a few takers, the public at large may shy away from it.

It will benefit those who have chosen to opt for it. Some of the large corporations like banking and financial services companies are covered for identity theft through the insurance covers related to fraudulent transactions and hence may not necessarily opt for a cover specific to identity theft.