Security incidents and the Personal Data Protection Bill. Need to do more and do better.


Tl;dr

India has witnessed a spate of cyber security incidents in recent times, with the recent BigBasket leak being the latest high-profile example. As more and more enterprises begin to adopt work-from-home policies, it is imperative that digital security is accorded the importance it deserves by beefing up the legislative framework for it. This would involve strengthening the Personal Data Protection Bill, 2019.

Recent Data Breaches

On 9th November, various news portals reported that the online grocery delivery platform BigBasket had experienced a massive data breach on 30th October involving the information of around 2 crore users. While the company said that financial data was secure, information such as full names, passwords, contact numbers, addresses, dates of birth, IP addresses, and locations had been hacked and was being sold online.

This was just the latest in a spate of many recent hacks in India. According to the Indian government, 2019 witnessed 1,05,849 cyber security incidents (including phishing, network scanning and probing, virus / malicious code and website hacking) in just the first five months. 2019 and 2020 (till August) saw 54 and 37 Central and state government websites hacked respectively. Leaks of Aadhaar data, banking data, and credit card information have also increased. Even nuclear plants, such as the one in Kudankulam, have been shown to be vulnerable. Below, we discuss examples of large breaches from across different sectors.

  • Banking: In January 2019, an SBI server in Mumbai was shown to be unsecured and vulnerable, exposing the data of millions of its customers. The server was not password protected, and so information such as account balances, mobile numbers, and even account numbers were effectively on display. SBI secured the server soon afterwards, but this incident emphasised the need for improving digital infrastructure in the banking sector.

  • Aadhaar: The World Bank and certain digital security firms reported that in 2018 the Aadhaar data of citizens was being sold online, with almost a billion users being affected in just the first few months of 2018. These leaks were a mixture of overt hacks and unprotected servers or leaky government websites. For example, in 2019 the Jharkhand government's website displayed the Aadhaar details of around 100,000 government workers.

  • WhatsApp Pegasus: In 2019, it was reported that the Israeli firm NSO's software Pegasus was being used to spy on 19 individuals, including journalists and human rights activists. By hacking into their devices via a simple missed call, the attackers gained complete access to the individuals' data, including locations and passwords, and even the ability to turn cameras and microphones on.

  • Healthcare: In 2019, a US cybersecurity firm reported that an unnamed Indian healthcare website was hacked, with the hackers stealing the data of 68 lakh patients and doctors. The stolen information included patient details, patient case history, doctor information, and other personal information.

  • Credit and debit cards: In October 2019, a Singapore-based cybersecurity firm reported that 13 lakh credit and debit card details had been stolen and were now on sale online. It was reported that this data was likely stolen by placing a device in an ATM that copied the magnetic stripe information of users' cards.

Furthermore, as the COVID-19 pandemic necessitates greater usage of the work-from-home set-up, enterprises too feel that digital infrastructure has to be upgraded to deal with new security challenges, as 66% of Indian firms have reported at least one data breach since they shifted to working from home. Given that organisations faced a cost of Rs. 14 crore on average per data breach in 2019-20, it is clear that data security processes need further tightening and regulation.

PDPB in context

The Personal Data Protection Bill, 2019 (PDPB) contains several clauses relating to security and breaches. For example, Clause 24 of the PDPB asks data fiduciaries and data processors to implement safeguards for several purposes, including "to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data". Clause 25 deals with personal data breaches. The clause states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the proposed Data Protection Authority, but informing the data principal has not been mandated. It is then left to the Authority to decide: a) whether the data fiduciary must inform the data principal, b) the remedial action the data fiduciary must undertake, and c) the details of the data breach that can be made public.

Further, Clause 50 states that the Data Protection Authority may specify codes of practice for data processors and data fiduciaries, including any security standards that have to be maintained as required by Clause 24.

Currently in review with the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019, the bill is going through a clause-by-clause consultation as per media reports. However, questions have been raised over the conduct of the committee. Parliamentarian Derek O'Brien has written a letter saying "It is of serious concern that the committee is considering clause by clause consideration of the contents of the Bill before completing its consultation with the stakeholders", as reported in The Hindu. Concerns have also been raised about a lack of engagement with tech policy groups and civil society.

Our recommendation

While certain provisions are welcome, they may not adequately address the issues. India faces the twin problems of low capacity levels and weak and insecure infrastructure. As witnessed in several instances, attackers may not even have to encounter a basic firewall to access personal data, while even those firms which do have a relatively better security infrastructure remain susceptible to attacks. Thus, it is imperative that the regulatory framework for security be robust.

To this end, a private member's Bill (the Personal Data and Information Privacy Code Bill, 2019) introduced by MP D. Ravikumar may provide solutions. For example, clause 19(3) says that prior to disclosure, data controllers must explicitly inform the data subject about "the security practices and other safeguards, if any, to which personal data shall be subject to". The bill also guarantees data subjects the right to be informed about any breaches of their personal information, and also asks organisations to designate privacy officers to ensure security compliance.

Important Documents

  1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
  2. The Personal Data and Information Privacy Code Bill, 2019 as introduced as a private member's bill by Mr. D. Ravikumar, Member of Parliament (link)
  3. Our representation dated June 3, 2020 to the IT Ministry on steps to be taken to stop data breaches (link)
  4. IFF post on our inputs to the framing of the National Cyber Security Strategy 2020 (link)
  5. IFF statement on NSO Pegasus attack (link)
  6. IFF post on our representation to MEITY on stopping data breaches by encouraging security researchers (link)
  7. IFF post on how the absence of protection for security researchers causes harm (link)