Recently, Air India, Dominos, and BigBasket were victims of cyber attacks. In the Air India cyber attack, the data of 45 lakh customers was compromised.
In the case of Domino’s the data of 18 crore customers was on sale on the dark web which included their personal details.
The data of 20 million users of BigBasket was leaked on the dark web, which included their personal details and their personal address.
How strong are the cyber security laws in India
The current law lacks in some areas. As per the sensitive personal data and information rule (SDPI rules of 2011), the sensitive personal information of a person like password, financial information, physical and mental health conditions, any bank related information and others if shared by another entity it could lead to legal consequences according to article 43 A.
“The issue with that is if due to the breach if there is some loss or profit only then the organisation is liable to pay damages to the person affected,” said Khushbu Jain, Advocate, Supreme Court of India.
She further added that the laws require changes as data, AI, machine learning, big data are involved. Criminals tend to combine the data in order to meet their goals. One can’t be sure that if there has been a data breach today, they might face a loss on the same day itself or face an impact.
The combination of the data available on the dark web and the kind of data breaches that are taking place today, keeping these things in mind the Governments of various countries have made stricter rules.
PDPL still pending
“Our data protection bill is still pending and in section 25 of the bill there are strict rules with regards to data breach and it is also mentioned that if you are a data controller then it is your liability to keep the data secure and take care of the fact that if there is a breach from your side then what all steps are to be taken.
If the data protection bill that we are talking about now, if it passes in the same form then there are more rules added in it.
One of which is there will be a penalty of 4 to 5 percent on the overall turnover per breach if the reasonable security of the data is not maintained. It is important that these rules are implemented,” added Jain.
She further pointed out that in the Asia pacific region many countries already have strict laws in place for data breach, even GDPR is strict with data breach.
The U.S is very strict on data, if it is the data related to health they have the HIPMA Act and there are other acts for their normal data and the penalties are high.
Giving an example of the European Union she pointed out that well-known organisations had to pay huge penalties because of data breaches because reasonable data security measures were not maintained.
She also underlined that it is important to set industry-wise standards that should be maintained because the SDPI rules state to maintain the reasonable security standard, but the reasonable security standard has not been defined which is important to be done so that the organisations are aware of the rules that they have to follow and the kind of standard they have to maintain in order to secure the data.
For example, the Reserve Bank of India (RBI) has a rule in which there had to be regular audits by certified authorities that had to be done and maintain a particular standard.
When there are penalty and penal provisions then it becomes the responsibility of the organisation to focus more on the security of the data.
“It is important for the organisations to create awareness amongst its employees. If there are penalties imposed there should also be a clear differentiation on what kind of data can the company have access to and do they have the authority for it.
There should be a nexus for example if you are company A then you take the data related to it and you can’t take the data of all users.
Clarity needed in terms of who can process the data and who can sell the data and if there are strict laws and penal provisions on the same then the companies will be careful in terms of securing the data,” pointed out Jain.
She further added that there are strict norms introduced by the RBI according to which if there is a cybercrime then the banks or the payment gateways will have to bear the loss. The banks then started creating awareness for their users that they should not share the password and other details with anyone.
If there are uniform and strict penal provisions for everyone then even the companies will be careful that if they keep a lot of data and they don’t maintain the required security then they could be in trouble.
Cyber attacks become easy when companies are not attentive towards the security of the data and if the companies come to know that the penalties could be 4 to 5 percent which is equal to the global turnover they would be extra careful.
If you see in the year 2019 and 2020, globally high penalties have been imposed due to data breach.
Keeping these things in mind the companies would become aware and pay more attention to the cyber security and will avoid any kind of loopholes that will make it difficult for the attackers to breach any system.
