Anthony Gonsalves booked a stay at a hotel online and provided his credit card details to make the payment. For future convenience, Anthony saved his credit card details on the hotel’s website. The hotel retained his credit card details, along with those of other guests, for many years. Recently, the hotel’s cloud server came under cyber-attack, and Anthony’s card details, along with those of other guests, were up for grabs in cyberspace. This incident highlights today’s reality—your identity can be sold for petty cash. The more personal data we share, the more susceptible we are to data breaches. Information is the new currency and, potentially, every data cloud has its black lining.
Recent events have only underlined the extent to which personal data can be violated and misused. According to the secure file sharing and transfer service Citrix ShareFile, healthcare is the most vulnerable industry in the U.S., with technology in second place and retail and finance in joint third. India too has faced its fair share of data breaches; the food ordering app Zomato reporting the theft of approximately 17 million email addresses is just one example.
In response, governments the world over are stepping up to tackle such threats and compelling businesses to take more responsibility for securing the personal data of individuals.
India presently has no comprehensive data protection legislation. The main enactment dealing with the protection of data is the Information Technology Act 2000 and the rules framed under it. Under the provisions of the Act, the IT authority has adjudicated a number of cases related to cyber fraud and data breaches. In one significant case in 2013, Maharashtra’s IT secretary directed Punjab National Bank to pay Rs 45 lakh on a complaint in which a fraudster had transferred Rs 8.10 lakh from the complainant’s account after the complainant responded to a phishing email. The complainant was asked to share the liability since he had responded to the phishing mail. More importantly, Punjab National Bank was found negligent for lack of proper security checks against fraudulent accounts. The case highlights the need for businesses to be more responsive to prevalent data security threats.
The Indian government is also in the process of providing more robust legislation. The Data Protection Bill from the Justice Srikrishna Committee is keenly awaited by corporate India. Two cases pending before the Supreme Court are likely to have an impact on that legislation: (a) the challenge to the Aadhaar Act and (b) the case filed by Karmanya Singh Sareen challenging the change in the privacy policy of WhatsApp Inc.
Given the high bar for data privacy compliance globally (and potentially very soon in India), the pressing need is to understand some best practices that organisations within India can adopt to mitigate data privacy risks.
The first immediate step is to conduct an extensive audit of existing privacy policies and procedures. Being prepared in advance with checklists of requirements already met, and equally of lacunae that need to be addressed, will ultimately ease and streamline compliance once the Data Protection Bill is adopted.
- Organisations should implement standard operating procedures to meet the consent requirements of data subjects and to deal swiftly with data breaches. Dedicated teams to ensure compliance with data privacy laws may be helpful.
- Cross-border data transfer policies vary from country to country. For cross-border data transmissions, a specialised team should be engaged to ensure compliance with local law. The foremost issue in regulating cross-border data flows is determining the threshold factors on which a transfer will be permitted. For example, cross-border data flows to a jurisdiction with lower levels of privacy protection can undermine domestic privacy protection, which creates an incentive for regulators to restrict cross-border transfers of personal information.
- Certain countries have robust data localisation norms. Indian companies with subsidiaries in other jurisdictions should be mindful of such requirements before transmitting data to local servers in India.
- Many executives may be surprised to learn that one of the most frequent causes of data breaches is employee error, and not only by employees in the IT department. Errors can be as simple as failing to lock a door, replying to phishing emails, or sending emails to the wrong IDs. A careless mistake can cause massive damage. Employee training is crucial to a cohesive data security plan.
- Data portability is a right of data subjects under certain legislation. Organisations should be ready to honour requests for transmission.
- A viable security breach response plan identifies the steps the organisation must take to repair the damage. The incident response plan must be tailored to the working nature and operational requirements of each business; if these are not considered, the plan holds minimal value. It is important to list the most valuable assets and clearly state where they are located—be it physical or virtual. Once listed, the plan must consider the risks that would be posed if those assets were seized during an attack.
According to the American computer security software company McAfee, insiders are responsible for 43% of data breaches. What steps, then, can one adopt when the problem lies within? Bring your own device, remote working, storing data in shared files, and weak firewalls and passwords are all possible avenues for inadvertent insider data leaks. To tackle this, only those employees who need to work directly with sensitive data should be given partial or complete access, depending on requirements. Along with limiting access, organisations can give additional protection to data of a sensitive nature by implementing strong data security policies and logging every attempt by an employee to access that data.
Data should not be stored beyond a defined period, and collecting data beyond the scope of regulatory or contractual requirements should be avoided. Retention policies for former employees’ data must also be thoroughly reviewed; it is appropriate to retain former employees’ personal data up to the expiry of the statute of limitation period provided by local laws. At the same time, organisations must not ignore a data subject’s request for deletion of personal data. The right to be forgotten is an important right under legislation such as the GDPR.
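As an added illustration (not code from the article), here is a small Python model of the two controls described above: least-privilege access to sensitive records with an audit entry for every attempt, and a retention purge that honours erasure requests and keeps former-employee records only until an assumed limitation period expires. The roles, the three-year limitation period and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: which roles may read which record classes.
# Only staff who work directly with sensitive data get access (least privilege).
ACCESS_POLICY = {
    "payment_ops": {"guest", "card"},
    "front_desk": {"guest"},
    "marketing": set(),
}

# Assumed statute-of-limitations period for former-employee records.
LIMITATION_PERIOD = timedelta(days=3 * 365)


@dataclass
class Record:
    record_id: str
    classification: str                 # "guest", "card" or "employee"
    subject: str
    collected_on: date
    separated_on: Optional[date] = None  # set once an employee has left
    erasure_requested: bool = False      # data-subject deletion request


def access_record(user: str, role: str, rec: Record, audit_log: list) -> bool:
    """Least-privilege check; every attempt, allowed or denied, is logged."""
    allowed = rec.classification in ACCESS_POLICY.get(role, set())
    audit_log.append({"user": user, "role": role, "record": rec.record_id,
                      "classification": rec.classification, "allowed": allowed})
    return allowed


def should_delete(rec: Record, today: date, max_age: timedelta) -> bool:
    """Retention rule: honour erasure requests; keep former-employee data only
    until the limitation period has run; drop other data held past max_age."""
    if rec.erasure_requested:
        return True
    if rec.classification == "employee":
        if rec.separated_on is None:
            return False  # still employed: retain
        return today > rec.separated_on + LIMITATION_PERIOD
    return today > rec.collected_on + max_age


def purge(records: list, today: date, max_age: timedelta = timedelta(days=365)):
    """Return (records to keep, ids deleted) under the retention rule."""
    kept = [r for r in records if not should_delete(r, today, max_age)]
    deleted = [r.record_id for r in records if should_delete(r, today, max_age)]
    return kept, deleted


SAMPLE = [  # constructed records, not real data
    Record("r1", "card", "guest-A", date(2016, 1, 1)),
    Record("r2", "guest", "guest-B", date(2018, 3, 1)),
    Record("r3", "employee", "ex-staff-C", date(2012, 1, 1), separated_on=date(2015, 6, 30)),
    Record("r4", "guest", "guest-D", date(2018, 4, 1), erasure_requested=True),
]
```

Running `purge(SAMPLE, date(2018, 6, 1))` removes the stale card record and the record with a pending erasure request, while the former employee's record survives until the assumed limitation period ends on 29 June 2018.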
Companies will need to stay one step ahead and be adequately prepared for the new legislation. The plinth will be a cohesive data privacy strategy supported by technology, operations and people. There will be a paradigm shift in how organisations function. Data can no longer be taken for granted.
The author is a partner in the Corporate & Commercial and Private Equity & Venture Capital practices of Economic Laws Practice. He is a qualified Company Secretary and a law graduate from the University of Mumbai.