Our recommendations to protect Indians against data breaches
In the past few months, we have seen one data breach after the other. As a result of these breaches, data of Indian users is available to any third party over the internet for nefarious use. We have addressed a representation dated 11th June 2021 to the Ministry of Electronics and Information Technology (“MEITY”). In the representation, we have provided a range of recommendations to prevent data breaches and to provide redressal when they occur. We have also annexed to the representation a set of concrete recommendations to Air India Limited by Mr Suman Kar. Mr Kar is the founder of Banbreach and has expertise in cybersecurity consulting, digital forensics and incident response.
On 10th June 2021, we came across reports which claimed that data of 15 crore vaccinated Indians had been breached. Thankfully, cyber-security researchers subsequently verified that the breach had not taken place. The Ministry of Health and Family Welfare also assured that the data on the CoWin portal was safe but nevertheless asked the Computer Emergency Response Team (“CERT-IN”) to investigate the issue. While we can breathe easily for now, this incident signals our worst fears: we do not have a robust data protection regime to respond to the rise in data breaches.
A data breach exposes confidential, sensitive and protected information to unauthorised persons. As a result of data breaches, data of Indian users is available to any third party over the internet for nefarious use. The table below, which is based on publicly available information, illustrates the frequency, scale and threat posed by data breaches. Reports also indicate that data breaches affecting Indian users have been on the rise. The economic impact of data breaches is also tremendous. An IBM study reported that the average data breach in India cost Rs 14 crore, an increase of 9.4% from 2014. The per-unit data cost increased by 10% to Rs 5,522. The report also noted that the average time to detect a breach went up from 221 days to 230 days, and the average time to contain a breach went up from 77 to 83 days.
Previously, we had written to CERT-IN on 31st March 2021 and 8th April 2021 asking them to investigate data breaches affecting Indian users of MobiKwik and Facebook. However, in our opinion, CERT-IN did not respond in a robust manner, and we will be following this up with further advocacy actions in the near future. We also kept coming across reports of new data breaches, including the one reported by the Government of India owned Air India Limited. Thus, we examined the legal framework and felt that there was a need to suggest substantive changes.
Air India: your data up in the clouds!
We have addressed a representation dated 11th June 2021 to MEITY, CERT-IN and Air India Limited. The representation details: a) the laws data fiduciaries such as MobiKwik may have violated when data of their Indian users was breached; b) the limitations prevalent in the existing legal framework; and c) a list of recommendations to ensure that responses to data breaches are more robust.
Along with the representation, we have also annexed a set of concrete recommendations by Mr Suman Kar. These recommendations are in reference to the breach reported by Air India Limited. Mr Kar is the founder of Banbreach and has expertise in cybersecurity consulting, digital forensics and incident response. We are thankful to Mr Kar for advising us on the representation and for providing his recommendations.
Certain data breaches may be in violation of the law
The data fiduciaries who faced data breaches had a legal obligation to ensure that the personal data in their custody was safeguarded. The obligation is one of conduct and not of result: a data fiduciary cannot guarantee that the data will be secure, but it has to employ best practices to ensure the safety of the data. This obligation flows from the Constitution, the Information Technology Act, 2000 (IT Act, 2000) and the common law.
- Constitution: The Hon’ble Supreme Court has recognised that informational self-determination is an aspect of the right to privacy in Justice K.S Puttaswamy vs Union of India (2017) 10 SCC 1. Chandrachud J in his judgement in Justice K.S Puttaswamy (II) vs Union of India (2019) 1 SCC 1 has noted that: “974. … The right to informational privacy is not only vertical (asserted and protected against state actors) but horizontal as well. Informational privacy requires legal protection because the individual cannot be left to an unregulated market place.” Thus, data fiduciaries have a constitutional obligation to prevent infringement of the right to privacy.
- IT Act, 2000: Section 43A of the IT Act, 2000 makes ‘body corporates’ liable for losses arising from their negligent handling of sensitive personal data. Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Or Information) Rules, 2011 (“2011 Rules”) mandates these ‘body corporates’ to deploy ‘reasonable security practices and procedures’ to protect sensitive data. If data processors do not employ these practices and suffer a data breach, they have a legal obligation to provide redressal to affected users.
- Common law: Common-law courts have recognised the right to claim damages for privacy violations. For instance, in ABC vs Commissioner of Police and Others, WP(C) No. 12370 of 2005, the Delhi High Court awarded punitive damages of Rs Six (6) Lakh to a minor girl whose details had been leaked by the Commissioner of Police to media houses.
Limitations in the existing legal framework
While the law does impose certain obligations on data fiduciaries, redressal to users in the event of a data breach is not forthcoming. We list a few reasons why this is the case:
- No obligation to notify: There is no legal obligation on data fiduciaries to notify affected users in case a breach takes place. Communicate-Comply-Investigate is a three-step process that should be followed to mitigate the impact of breaches; its first step means that data fiduciaries must inform the public when a data breach occurs. While Air India Ltd did send across a notification to its customers, MobiKwik chose not to engage at all.
- Sensitive personal data is narrowly defined: Section 43A only provides compensation for negligent handling of sensitive data. According to Rule 3 of 2011 Rules, sensitive data is limited to information such as passwords, financial information, sexual orientation, medical records, and biometric information. The IT Act, 2000 does not provide any redressal if information such as name, email address, home address and passport details is breached.
- Lack of investigations: When breaches take place, proper investigations are not conducted to enable users to claim compensation under Section 43A of the IT Act, 2000. For example, CERT-IN, which is the body tasked to investigate such breaches under Section 70B of the IT Act, 2000, has only issued an advisory with respect to the Facebook breach. To date, it is unclear whether Facebook has been complying with Rule 8 of the 2011 Rules. With respect to the other breaches listed above, it is unclear whether CERT-IN has taken any steps.
- Inadequate redressal mechanism: The redressal mechanism under Section 46 of the IT Act is inadequate. Under this provision, MEITY has appointed the Secretary of the Department of Information Technology of each state as an adjudicating officer to determine whether anyone has violated the provisions of Chapter IX of the IT Act, 2000, including Section 43A. In cases where data in the custody of the Government is breached, as is the case with the Air India breach, these adjudicating officers cannot adjudicate the dispute. This is because they are appointed by the government and thus do not have the independence that is necessary to resolve a dispute which involves the government.
List of recommendations
Considering the possible violation of law by data fiduciaries in whose custody data was breached and the lacunae in the existing legal regime, we have made the following recommendations in the representation:
- Direct investigation into the conduct of data fiduciaries, including those mentioned below, that have faced data breaches in the past two years.
- Mandate data fiduciaries to notify users in case they experience a data breach.
- Ensure that the Indian citizens who have been impacted by data breaches are provided adequate compensation.
- Undertake steps to make suitable changes in the Information Technology Act, 2000 so that a judicial officer is empowered to adjudicate disputes under Section 46.
- Hold the Government and Government-owned entities to stricter data security standards as compared to private entities.
- Expand the categories of personally identifiable information listed in Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data Or Information) Rules, 2011, considering that the current set is exceptionally narrow.
- Mandate the need to maintain ‘accountability logs’ for security measures to ensure a dynamic compliance mechanism.
- Introduce a tiered system of security compliance based on the scale and sensitivity of data involved to enforce the security of Indian networks and databases.
- Representation dated 11.06.2021 along with recommendations by Mr Suman Kar (link)
- Actions on the data breaches of Indian Facebook users (link) and MobiKwik users (link), and on the security vulnerability in CSC e-Governance Services (link)
- A round-up of other recent security breaches in the context of a Data Protection law (link)
- Need to provide legislative protection to security researchers for responsible disclosures (link)