Data protection Law :: Need of the Hour
Why in the news?
Back-to-back leakages of sensitive information of Indians on the internet have highlighted the issue. We are looking at the two recent incidents.
a. A German cybersecurity firm reported that the medical details of millions of Indian patients were leaked and are freely available on the Internet.
b. Another recent report: Group-IB, a Singapore-based cybersecurity company, has revealed that sensitive credit and debit card details of around 4.5 Lakh Indian customers have been put up for sale on "Joker's Stash", one of the most secretive portals on the Darknet.
Darknet:: Restricted computer networks that exchange information using means such as peer-to-peer file sharing, in which each computer can act as a server for the others, allowing shared access to data files.
India’s richest man, Mukesh Ambani, said in one of his interviews, “Data is the modern age Gold”.
With the internet revolution, data has become the most important asset for every organization across the globe.
India, being a huge market and one of the underdogs in technological advancement compared to the West, has become more vulnerable to cybercrime.
What kind of data was leaked?
The German cybersecurity firm listed 1.02 million studies of Indian patients and many medical images like CT Scans, MRIs, and patients’ photos as being available.
Group-IB's Threat Intelligence Team has found that the details are comprehensive in nature, and include card numbers, expiration dates, CVV/CVC codes, and in this case, some additional information such as cardholders’ full names, their emails, phone numbers, and addresses.
How were these critical data made available on the internet?
The medical data were available on the internet because of the absence of any security on the Picture Archiving and Communications Systems (PACS) servers used by medical professionals. These PACS servers seem to have been connected to the public Internet without protection.
The credit card and debit card data were collected by phishing rackets, which have been on the rise in India's cyberspace in the last few years. This is the second major leak of cards relating to Indian banks detected by the Group-IB Threat Intelligence team in the past several months. In the current case, we are dealing with information on card number, expiration date, CVV/CVC, and cardholder name, as well as some extra personal info. In the previous case (October 2019), we dealt with card dumps (the information contained in the card's magnetic stripe), which can be stolen through the compromise of offline POS (Point of Sale) terminals.
Implications of such data leaks
Such information has the potential to be mined for deeper data analysis and for creating profiles. These profiles could be used for social engineering, phishing, online identity theft, and other practices that thrive on the availability of such data on the Darknet.
Social Engineering:: The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes
Phishing:: The fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers. It is one form of social engineering.
Citizens will be on the receiving end of any kind of digital financial fraud. Such incidents may trigger waves of panic and fear among the citizens and affect their digital behavior drastically.
This will affect the global reputation of India adversely and may gradually become a greater obstacle in leading India to a completely digital economy.
It can have many more chain effects which will affect the growth of the economy.
How can these data be protected?
Public data leaks have been quite common in India. Data have even been leaked from government websites. Unlike the European Union and the US, which have data protection regulations in place, India still lacks a comprehensive legal framework to protect data privacy.
Along with such a framework, the following steps are indispensable::
1. Development of robust cybersecurity infrastructure
2. Adoption of newer technology and Global standards with an enhanced security framework
3. Spreading awareness and educating people about internet behavior, data privacy, and cybersecurity
4. Encouraging cutting edge research and development in the field of cybersecurity
5. Human Resource Development through education and training programs to build capacity in the field of defensive as well as offensive cyber operations.
6. Strengthening the regulatory framework coupled with periodic reviews, harmonization with international standards, and spreading awareness about the legal framework.
GoI Initiatives to strengthen cybersecurity
1. National Cyber Security Policy, 2013 under which there are several ambitious objectives like
a. Securing E-Governance services
b. Protection and resilience of Critical Information Infrastructure.
c. Promotion of Research & Development in cybersecurity.
d. Creating Cyber Security Awareness
e. Developing effective Public-Private Partnerships
f. Creating an assurance framework
g. Creating a secure cyber ecosystem
2. Computer Emergency Response Team (CERT-In)
3. Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre)
4. To combat the ever-evolving techniques of cyber intrusions, the GoI has signed a Memorandum of Understanding with Cisco and some other industry partners.
5. The Draft Personal Data Protection Bill 2019 is still to be tabled. If tabled, it could enable the protection of privacy. The draft Bill follows up on the provisions submitted by the Justice B.N. Srikrishna committee to the Ministry of Electronics and Information Technology in 2018.
What did the B.N. Srikrishna committee want to do?
The committee sought to codify the relationship between individuals and firms/state institutions so that privacy is safeguarded by design.
[Data principals - whose information is collected; Data fiduciaries - those processing the data].
What is the 2019 version of the Bill?
This version of the Bill seeks to retain the intent and many of the recommendations of the Srikrishna committee, but it has also diluted a few provisions.
The Bill tasks the data fiduciary with seeking consent from the data principal in a free, informed, specific, and clear form.
But it has removed the provision that made selling or transferring sensitive personal data by the fiduciary to a third party an offense.
There are other issues with the Bill concerning the situations in which state institutions are granted exemption from seeking consent from principals to process or obtain their information.
Considering how public data are being stored and used by both the state and private entities, a comprehensive Data Protection Act is the need of the hour.
The government must accelerate the setting up of a National Cyber Security Agency (NCSA) to address cybersecurity issues and collect intelligence.
Another proposed measure is setting up a National Cyber Coordination Centre (NCCC) as a cybersecurity and e-surveillance agency, to screen communication metadata and coordinate the intelligence-gathering activities of other agencies.
Apart from these, citizens must educate themselves about various cybersecurity threats and precautions.