Capitalmind

The Simplified Version of Why TCS has to Pay Epic $940 Million For Stealing Data

TCS has been fined $940 million – around Rs. 6300 cr. at current USD to INR levels – for stealing documents belonging to Epic Systems. This includes punitive damages of $700 million, above a regular fine of $240 million.

Let’s simplify the case for you:

  • There’s a non-profit healthcare company called Kaiser Permanente (KP), which has 150,000 employees.
  • KP licensed software from Epic, a private company in the US that provided healthcare management systems. Epic has something called “Userweb” which is only available to customers, and where it restricts access to sensitive stuff from people who only “consult” with their customers. 
  • KP had TCS helping it test the Epic installation at KP, and had like 1000 employees working on that account.
  • TCS people needed to access Epic release documents etc. but didn’t have direct access, so TCS signed a confidentiality agreement with Epic directly, saying they will use any documents from Epic only for use with KP.
  • Epic still restricted TCS access as a consultant, but TCS employees still managed to get other docs through KP employees.
  • Then TCS hired a person who earlier had a KP email address, and who had full access to the Userweb system.
  • This person shared his login credentials with other people inside TCS. Not good, because that’s not allowed, apparently. 
  • And they downloaded 6000+ documents from the portal, some of which were not at all relevant to KP’s use of the product.
  • Importantly, TCS had a competing healthcare software called Med Mantra, which is currently used by Apollo Hospitals in India.
  • Simply put: Epic says TCS used the illegally downloaded documents to make Med Mantra better, which is a breach of contract and an IP Infringement.
  • All this was found through a whistleblower inside TCS who warned KP and Epic about the issue.

The jury seems to have agreed. They have ordered that TCS pay $940 million as damages.

The idea is that a) TCS downloaded documents it shouldn’t have. This is something even TCS seems to agree with. And then b) TCS used those documents to build Med Mantra. There isn’t concrete evidence this happened, except for an “Epic-MedMantra comparison” file which was transferred between TCS employees.

According to TCS, the judge has said even though the verdict went against TCS, he is likely to reduce the damages (which can be done if a judge finds the damage excessive).

How Does This Impact TCS?

Assume TCS has to pay Rs. 6300 cr. – this is about 1/3rd of the cash balance it had (Rs. 17,413 cr. in cash) as of December 2015. (Source) This won’t kill it, but it will hurt.

However, the situation opens up other questions:

  • Is the appeal going to work? A jury verdict isn’t a small thing, and an overturn is only possible if there is very strong evidence that TCS didn’t do anything wrong – the fact that they had taken out documents they shouldn’t have (going from what they haven’t disputed) might be enough to prove that they have the ability to use those documents to build competitive software. Circumstantial, no doubt, but that’s how it is.
  • Will KP now sue TCS, since TCS has also apparently violated agreements with it – like not having the right kind of confidentiality setup etc.? TCS employees working on the KP project were supposed to not have access to the internet from the building and to have USB drives disabled to prevent data leakage, and this case shows that apparently wasn’t done.
  • Will other whistleblowers come up and hurt TCS in other companies and contracts?
  • Will TCS have to spend a large amount of money tightening up security for its offshore access to customer software and documents?

Oh yes: This could be a one-off, and just get forgotten like everything else is nowadays. This should really be the base case, because anything else is conjecture at the moment.

As someone who has worked in India’s IT industry I believe that the whole system of “IP protection” of customer data isn’t often taken very seriously, and a “deep discovery” will unearth documents that show how shoddy the system is. This is the time when the IT players need to step up and really show proof of how well they protect customer data – otherwise like the US FDA for Indian pharma, we are going to see IT companies get rapped on their knuckles big time.

TCS defends itself saying, okay, we downloaded documents, but we didn’t misuse them, so don’t fine us so much. This isn’t defensible – the reason those documents were confidential was that TCS shouldn’t have access to them even to read them and get ideas about their competitive projects. How do you even know that someone hasn’t really read those documents and thought of some features for MedMantra? And then to discourage such things happening in the future, there will be punitive damages. If not $940 million, it will likely be in the order of 100s of millions of dollars (my estimate is $500 million).

TCS announces results on Monday (post market) and everyone’s going to be looking for one answer: How bad is this thing? 

Disclosure: Author’s family owns shares in TCS. No other relationship with the company.