It is bad enough that Tata Consultancy Services, the poster-child of Indian IT and a gold standard for excellence, has been easily eclipsed by recent laggard and arch rival Infosys in terms of quarterly results. Now, to add insult to injury, it faces a gargantuan lawsuit -- some $240 million in damages plus $700 million in punitive damages -- that threatens to derail not just itself but Indian IT as well. TCS has said it has done nothing wrong and is appealing the verdict.
The essence of the suit goes something like this: TCS had, in 2005, done some work for Kaiser Permanente, a healthcare company in the US. Later on, in 2011, the company was contracted again by Kaiser to test healthcare system software that had originally been installed by Epic, a company which makes software for the healthcare industry to manage things such as patient data. TCS went on to contract a third-party consultant who had worked on Epic's software to execute this testing.
During this period, Epic had apparently forbidden anyone from TCS accessing its web portal that was a reservoir for sensitive documents -- training manuals, software updates and information about its data model. TCS was required to ask a Kaiser employee if it needed anything from this portal for its ongoing work. Apparently, TCS employees working on the project were not given access to the internet and USB ports were accordingly disabled.
However, what transpired, according to the lawsuit filed in 2014, was that between June 2012 and June 2014, someone or some collection of individuals downloaded over 6,000 documents and more than 1,600 files that they had not been authorized to access. In April and June of 2014, a TCS whistleblower began tipping off both TCS and Kaiser executives as to what was taking place.
"This is basically every CIO and CISO's nightmare -- unauthorized access to sensitive data and information by offshore contractors that are a direct or indirect part of their supply chain," said Avivah Litan, vice president at research outfit Gartner, in a Wall Street Journal blog.
A crucial issue that has arisen from this lawsuit is how a company chooses to protect its intellectual property rights by perhaps using the same software expertise it has in-house to fashion adequate digital rights management protocols. According to the lawsuit, an Epic employee testified that the company intended to deactivate the TCS consultant's account but didn't ultimately do so -- in fact, it was erroneously marked "expired" which apparently allowed the TCS employee to reactivate and use it for a few years.
Still, user and behaviour analytics should be able to detect such egregious breaches, and accounts should be automatically disabled when an employee finishes an assignment, but evidently this did not happen -- and Epic isn't revealing what it did to protect itself -- leaving just an agreement to police the arrangement.
However, agreements are often not worth the paper they are inked on. "A common mistake is that you codify the terms of engagement in a legal document but you don't adequately monitor or audit those things," Jon Oltsik, senior principal analyst at the Enterprise Strategy Group, told CIO Journal (via the WSJ blog).
The Epic lawsuit could not have come at a worse possible time for the Indian IT industry, which is already beleaguered by accusations that it is stealing jobs from American workers via the H1B program. Now, as it tries to climb the value chain from maintenance jobs to creating new products in the high-margin digital space for the American market, issues about trust and the safety of IP and market-sensitive information have suddenly vaulted into the consciousness of customers. This lawsuit is bound to make things much worse.
It doesn't help that TCS had previously wanted to partner with Epic more closely but was turned down by the company. Today, TCS is a major player in the fast-growing healthcare space -- apparently, life sciences and healthcare made up 7.3 percent of TCS' revenue in the last quarter and was the fastest-growing division for the firm. It offers its own health management solution, Med Mantra, to the industry, which Epic is insinuating has benefited from its own product.
Therefore, any insinuation that TCS -- which normally benefits from an unimpeachable reputation and was named the Top Employer in Europe for the third consecutive year -- cannot be trusted could be a major blow for the company.
Peter Bendor-Samuel, CEO of research outfit Everest Group, said in the Economic Times that reputation was taken very seriously in the healthcare space, unlike in other sectors. "This judgment will likely be used by competitors to throw suspicion on TCS and potentially other Indian firms, and will make this journey (of winning healthcare clients) more difficult," he said.
The anti-outsourcing sentiment in the US will not make things any easier, Phil Fersht, CEO of HfS Research, said. "In the current political climate, the knives are out for Indian outsourcers being seen to take short cuts, so they'd better be extra vigilant."
Not something that either Indian IT or TCS would like to hear at this point.