News & Media 11th Sep 2018
Anthony Gonsalves booked a stay at a hotel online and provided his credit card details to make the payment. For future convenience, Anthony saved his credit card details on the hotel’s website. The hotel retained his credit card details, along with those of other guests, for many years. Recently, the hotel’s cloud server came under cyber-attack, and Anthony’s card details, along with those of the other guests, were up for grabs in cyberspace. This incident highlights today’s reality—your identity can be sold for petty cash. The more personal data we share, the more susceptible we are to a data breach. Information is the new currency and, potentially, every data cloud has its black lining.
Recent events have only underlined the extent to which personal data can be violated and misused. According to the secure file sharing and transfer service Citrix ShareFile, healthcare is the most vulnerable industry in the U.S., with technology in second place and retail and finance sharing third. India has faced its fair share of data breaches too; the food ordering app Zomato reporting a theft of approximately 17 million email addresses is just one example.
In response to such threats, governments the world over are stepping up and compelling businesses to take more responsibility for securing the personal data of individuals.
India presently does not have comprehensive data protection legislation. The main enactment that deals with protection of data is the Information Technology Act 2000, and the rules framed thereunder. Under the provisions of the Act, the IT authority has adjudicated a number of cases related to cyber fraud and data breaches. In one such significant case in 2013, Maharashtra’s IT secretary directed Punjab National Bank to pay Rs 45 lakh on a complaint where a fraudster had transferred Rs 8.10 lakh from the complainant’s account after he responded to a phishing email. The complainant was asked to share the liability since he had responded to the phishing mail. The more important point to note is that Punjab National Bank was found negligent due to the lack of proper security checks against fraudulent accounts. This incident highlights the need for businesses to be more responsive to prevalent data security threats.
The Indian government is also in the process of providing more robust legislation. The Data Protection Bill by the Justice Srikrishna Committee is keenly awaited by corporate India. Two pending cases before the Supreme Court are likely to have an impact on that legislation: (a) the challenge to the Aadhaar Act and (b) the case filed by Karmanya Singh Sareen challenging the change in the privacy policy of WhatsApp Inc.
Given the high bar for data privacy compliance globally (and potentially very soon in India), the pressing need is to understand some best practices that organisations in India can adopt to mitigate data privacy risks.
The first immediate step is to conduct an extensive audit of existing privacy policies and procedures. Being prepared in advance with checklists of requirements already met, and equally of lacunae which need to be addressed, will ultimately ease and help streamline compliance with the data protection requirements once the Data Protection Bill gets adopted.
According to the American global computer security software company McAfee, insiders are responsible for 43% of data breaches. What steps, then, can one adopt when the problem lies within? Bring-your-own-device policies, remote working, storing data in shared files, and weak firewalls and passwords are all possible avenues for inadvertent insider data leaks. To tackle this issue, only those employees who need to work directly with sensitive data should be given partial or complete access to it, depending on their requirements. Along with granting limited access to employees, organisations can give additional protection to data which is sensitive in nature by implementing strong data security policies and by logging every occasion on which an employee accesses that data.
Data should not be stored beyond a defined time period, and collecting data beyond the scope of regulatory or contractual requirements should be avoided. Former employee data retention policies must also be thoroughly reviewed; it is appropriate to retain former employees’ personal data only up to the expiry of the limitation period provided by local laws. At the same time, organisations should not ignore a request by the data subject for deletion of personal data. The right to be forgotten is an important right under legislation such as the GDPR.
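The two preceding paragraphs describe three controls that reinforce one another: access to sensitive fields limited by role, a log of every access attempt, and a retention rule that purges records past their retention period or subject to a deletion request. The following Python example is added here to show those controls working together on constructed data; it is not code from the original article or from any hotel system, and the role names, the three-year retention period, the `ACCESS_POLICY` map and the sample guest records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Least-privilege map (assumed for this example): the record fields each
# role may read. Only billing staff need the stored card token.
ACCESS_POLICY = {
    "billing": {"contact", "card_token"},
    "front_desk": {"contact"},
}


@dataclass
class GuestRecord:
    guest_id: str
    contact: str
    card_token: Optional[str]      # a payment-processor token, never the raw card number
    collected_at: datetime
    deletion_requested: bool = False


class AccessDenied(Exception):
    """Raised when a role tries to read a field outside its policy."""


# Every read attempt, allowed or denied, is appended here so that reviewers
# can see who touched sensitive data and when.
ACCESS_LOG: List[dict] = []


def read_field(role: str, record: GuestRecord, field_name: str, now: datetime) -> str:
    """Return a field only if the role's policy permits it; log the attempt either way."""
    allowed = field_name in ACCESS_POLICY.get(role, set())
    ACCESS_LOG.append({
        "at": now.isoformat(),
        "role": role,
        "guest_id": record.guest_id,
        "field": field_name,
        "allowed": allowed,
    })
    if not allowed:
        raise AccessDenied(f"{role} may not read {field_name}")
    return getattr(record, field_name)


def records_to_purge(records: List[GuestRecord], now: datetime,
                     retention: timedelta) -> List[str]:
    """IDs of records past the retention period or carrying a deletion request."""
    return [
        r.guest_id for r in records
        if r.deletion_requested or (now - r.collected_at) > retention
    ]


# Constructed sample data (not real guests) and an assumed 3-year retention policy.
NOW = datetime(2018, 9, 11, tzinfo=timezone.utc)
RETENTION = timedelta(days=365 * 3)
SAMPLE_RECORDS = [
    GuestRecord("g-001", "anthony@example.com", "tok_ab12",
                datetime(2014, 1, 5, tzinfo=timezone.utc)),
    GuestRecord("g-002", "b@example.com", "tok_cd34",
                datetime(2018, 6, 1, tzinfo=timezone.utc)),
    GuestRecord("g-003", "c@example.com", None,
                datetime(2018, 8, 1, tzinfo=timezone.utc), deletion_requested=True),
]


def demo() -> dict:
    """Run the controls over the sample data and return the outcomes."""
    ACCESS_LOG.clear()
    billing_read = read_field("billing", SAMPLE_RECORDS[1], "card_token", NOW)
    try:
        read_field("front_desk", SAMPLE_RECORDS[1], "card_token", NOW)
        front_desk_blocked = False
    except AccessDenied:
        front_desk_blocked = True
    return {
        "billing_read": billing_read,
        "front_desk_blocked": front_desk_blocked,
        "denied_attempts": sum(1 for e in ACCESS_LOG if not e["allowed"]),
        "purge": records_to_purge(SAMPLE_RECORDS, NOW, RETENTION),
    }


if __name__ == "__main__":
    print(demo())
```

Denied reads are logged as well as allowed ones, because a pattern of refused attempts by one role is itself a signal worth reviewing. The purge function is deliberately kept separate from the deletion itself so that the list of records due for removal can be reviewed before anything is destroyed.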
Companies will need to be one step ahead and adequately prepared for the new legislation. The plinth will be a cohesive data privacy strategy supported by technology, operations and people. There will be a paradigm shift in how organisations function. Data cannot be taken for granted any more.