Contributed by: Samvad Partners
What is a data breach?
A data breach, in simple terms, means the release of secure, private or confidential information arising out of unauthorized access to, or disclosure of, such information. In today’s technology-driven world, it is common to hear about an organisation having suffered a data breach. A few well-known names which have suffered data breaches in the past include Target, Home Depot, eBay, Adobe, Uber, LinkedIn, Yahoo, Equifax, Facebook and Twitter. The common reasons for data breaches generally fall into two broad categories: (1) almost all types of applications suffer from technical vulnerabilities, and no technology can be said to be 100% safe; it is such vulnerabilities (including those introduced through malware) that are exploited by hackers to gain unauthorized access to confidential or personal data; and (2) a lack of internal controls by organisations, which makes them susceptible to attacks by third parties. Common examples of such lack of controls are not requiring mandatory information security certifications from vendors, not having a stringent assets policy, and not having a proper security procedure to follow after the theft of a device.
Recent data breach incidents
Below, we take a look at a few major data breaches that have recently occurred.
Air India: Air India announced on 28th April, 2021 that SITA PSS, the data processor responsible for storing and processing personal information of passengers of Air India, had been subjected to a cybersecurity attack resulting in the compromise of personal data of an estimated 4.5 million passengers. The information compromised included passengers’ names, passport information, credit card details (excluding CVV), date of birth, contact information, ticket information and frequent flyer data.
Domino’s: In early April 2021, Domino’s was the subject of a data leak which left the data of approximately 180 million users exposed. The hacker claimed to have 13 TB worth of personal data of Domino’s users. The information leaked includes the name, email, phone number and, in certain cases, even the GPS location of Domino’s users. Access to the compromised data was also made available on the internet.
Bigbasket: In November 2020, Bigbasket confirmed that it had suffered a data breach that compromised the data of approximately 20 million users. The information obtained was later uploaded to a popular hacking forum and could be downloaded for free.
Legal compliances around data breach
In the sphere of data breaches, it is important to analyse the legal landscape in India and its implications with respect to data privacy and unauthorized access to systems.
IT Act and rules thereunder: At the foremost, the Information Technology Act, 2000 (“IT Act”) levies a penalty on persons who unlawfully access and/or extract data from a computer system or computer network. It further provides for payment of damages to the affected person by a body corporate handling, dealing in or possessing sensitive personal data, if it is negligent in implementing and maintaining reasonable security procedures and such negligence causes ‘wrongful loss or wrongful gain’ to a person. The IT Act also imposes stringent punishment, including imprisonment, where (i) a person fraudulently accesses, extracts or uses data from a computer system or computer network, or dishonestly uses the password or unique identification feature of any other person; and (ii) a person (including an intermediary), while providing services under a contract, accesses, reveals or discloses personal information about another individual in violation of the contract or without the consent of such other individual, knowing that the same will cause wrongful loss or wrongful gain.
Computer Emergency Response Team - India (“CERT-In”): CERT-In is the national nodal agency for responding to computer security incidents as they occur, and it also assists Indian users in implementing measures to reduce the risk of cybersecurity incidents. The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In 2013 Rules”) require prompt notification of the occurrence of certain cybersecurity incidents by service providers, intermediaries, data centres and corporate entities to CERT-In, so that timely action can be taken.
Personal Data Protection Bill (“PDP Bill”): The PDP Bill defines a ‘personal data breach’ as “any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal.” As per the PDP Bill, every data fiduciary must promptly notify the Data Protection Authority of India about breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal. Along with such notification, the data fiduciary is also required to provide the following details (a) nature of personal data which is the subject-matter of the breach; (b) number of data principals affected by the breach; (c) possible consequences of the breach; and (d) action being taken by the data fiduciary to remedy the breach.
Upon receipt of such notification, the Data Protection Authority of India may direct the data fiduciary to (i) notify the data principal of such data breach; and/or (ii) take appropriate remedial action immediately; and/or (iii) conspicuously post the details of the personal data breach on its website. The penalty for failure of a data fiduciary to take prompt and appropriate action in response to a data security breach can go as high as Rupees five crores or two percent of its total worldwide turnover of the preceding financial year, whichever is higher.
Apart from the foregoing, the PDP Bill also requires every data fiduciary and data processor to implement necessary security safeguards including (a) use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data, keeping in mind the nature and risks of the processing. Further, the PDP Bill requires that significant data fiduciaries must additionally conduct data protection impact assessments.
Sector specific requirements: In India, there are also certain sector specific requirements mandated by regulators with respect to cybersecurity and risk, such as:
The Reserve Bank of India introduced the Cybersecurity Framework in Banks (“Cybersecurity Framework”) which requires banks to implement certain controls to improve their existing deficiencies in addressing cyber risks. Banks have been held responsible for ensuring appropriate management and assurance on security risks in all outsourced and partner agreements. Banks are also required to establish appropriate frameworks, policies and controls supported by system security configuration standards to evaluate, assess, and approve and monitor risks and materiality of all its vendor/outsourcing activities.
The Master Direction on the Information Technology Framework for non-banking financial companies (“NBFCs”) provides that NBFCs must report all types of unusual security incidents (whether attempted or successful) to the Department of Non-Banking Supervision, Central Office, Mumbai.
The insurance sector is subject to the Guidelines on Information and Cyber Security for Insurers, issued by Insurance Regulatory and Development Authority. Under these guidelines, insurers are responsible for implementing adequate measures to ensure that any potential cybersecurity issues are addressed and resolved. Insurers are also required to appoint a chief information security officer and formulate a cyber crisis management plan.
The General Data Protection Regulation, 2016 (“GDPR”): Indian companies which operate across multiple jurisdictions should also keep in mind the compliances required under the GDPR, which governs the collection, processing, sharing and transfer of personal data in the European Union and the European Economic Area. The GDPR lays down specific requirements as to how personal data must be used by any entity collecting it and the rights which data subjects have with respect to their personal data. The GDPR specifically requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The GDPR also provides for certification mechanisms to be established at the Union level, to be obtained by controllers and processors on a voluntary basis, for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors under the GDPR. Further, the GDPR also requires that a data controller conduct a Data Protection Impact Assessment before transferring any personal data to countries which are deemed not to offer an adequate level of protection to personal data.
The penalty for non-compliance with the GDPR is quite steep: the greater of a maximum fine of €20 million or 4% of annual global turnover.
Contractual considerations to deal with a data breach
It is not uncommon today for organisations to outsource their technology requirements, whether partly or completely. When such requirements are outsourced, the responsibility for technology maintenance often passes to the vendor to whom the work has been outsourced. Organisations should build risk mitigation measures into the contract before finalising it, such as:
require the vendor to implement technical, organisational and security measures which meet the highest industry standards (such as ISO/IEC 27001 or 27002);
require that all information is handled to the highest standard, such as the following requirements under the GDPR: (i) pseudonymisation and encryption of personal data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
obtain a right to audit and inspect the security measures implemented by the vendor;
require that all data be stored in the systems of the counterparty (if feasible);
require that the vendor indemnify the service recipient for (i) any unauthorized access to, or disclosure or loss of, any personal information; and (ii) any breach of or non-compliance with applicable data protection laws;
if the vendor provides a service directly to end users, or stores the personal information of end users, require that the vendor extend the aforementioned indemnity to such end users as well; and
with ever-increasing incidents of cybercrime and cybersecurity breaches, organisations should also obtain appropriate insurance against such risks. Such insurance usually covers the risks associated with data breaches, cyberattacks, business interruption and system breaches, and is becoming a minimum requirement in terms of information security. All organisations, whether storing their own data or handling a customer’s data, must consider procuring adequate cyber insurance coverage, keeping in mind the quantum of data held and the measures in place to protect it.
In addition to the foregoing, it would also be prudent to:
ensure that the indemnity sought from the vendor is not capped, as it will not be possible to ascertain or estimate in advance the actual losses suffered due to a data breach; and
ensure that data subjects are aware that their information will be shared with third parties and expressly consent to the same, through terms of use or privacy statements.
Ultimately, a data breach occurs because the security measures protecting the relevant systems are not strong enough. With adequate security and technical measures, and the implementation of robust policies on the protection of data, organisations can aim to mitigate their risk of cybersecurity attacks.
Whilst there have been considerable amendments to laws in India with respect to data privacy, which have made the compliance requirements stringent and sought to bring them on par with data privacy and protection laws applicable globally, in practice there is much work still to be undertaken to increase accountability. Unlike in other countries, where companies such as Uber, Target, Home Depot, LinkedIn and Twitter have been heavily penalized by foreign authorities for data breaches or for failure to report data breaches in a timely manner, no such action has been taken against body corporates in India by the relevant Indian authorities. Further, while it has been more than 3 years since the PDP Bill was introduced, it has not been enacted as law till date, which has led to a status quo in terms of data breaches and cybersecurity in India.
The above article has been authored by Ms. Anisha Shroff (Partner) and Mr. Kevin Robin (Senior Associate).