Cybersecurity Breaches and Liability Concerns for Indian Corporations

Abstract:

India has witnessed a growing pace of digitalization among the major world economies. The nation, with an economy of over a trillion dollars, has adopted digital transformation in rapid progression. As a result, Indian Corporations have come under the radar regarding protection of the public’s data. The foundation of the country’s cyber law and security rules has seen significant change over the years. These laws are meant to mitigate risks and prevent the illicit alteration, utilization, and destruction of people’s data through compliance with the prescribed security standards, while upholding data privacy laws. Cybersecurity refers to the steps undertaken by an organization to protect the data privacy of people exposed to cyberattacks. Cybersecurity breaches, and the liability they create for Indian Corporations, have become a great concern that Indian Corporations struggle to escape. This Research Paper sheds light on the effect such cyberattacks and malware have on people’s data, and on how extorting sums from corporations leads to the promotion of cyberterrorism. It also emphasizes the remedies that corporations could implement beforehand to escape liability while complying with the provisions of the law, and the measures that could be undertaken for further compliance with those provisions. This Research Paper aims to suggest a robust risk management system that can be put in place within the cybersecurity landscape.

Keywords:

Cybersecurity, Cybersecurity breaches, liabilities, mitigation of risks, data protection, data privacy.

Introduction:

“Confidentiality is an essence of Faithfulness and Trust. A breach of Data Privacy is enough to pose a question of the system’s Integrity”. With the increasing reliance on technology in manifold ways, there has been a dynamic change in the corporate and technological landscape. India has become a data hub in the past years.

India has contributed to the technological revolution and has been the preferred destination for nations like the United States of America, which outsources the data of its consumers to Indian BPOs. This led to the emergence of India as the data-centre hub of the world.1 A Data Centre is a secured place meant for the processing, storage, handling, and management of data, with measures to ensure data protection and privacy. The rise in data collection comes with security risks.

Corporations across the nation rely on consumers’ data to provide goods and services to their targeted consumers. The cybersecurity landscape has to be secured and must comply with the procedures and legislation laid down by the Legislature and Government of the country it is in. Several corporations retain the data of their consumers without their consent. While this database is expected to be protected and guarded from any potential risks, it has time and again been a target of malicious attacks and malware. These acts of illicitly trespassing into a database through hacking, viruses, and malware are called cyberattacks.

Cyberattacks are also synonymously called cybersecurity breaches. A cybersecurity breach results in the release of confidential information of consumers. This is done for the attacker’s nefarious purposes, such as phishing, selling information to third parties, and releasing confidential information that could be a potential target for hackers. The data could include personal information such as health and banking information, Aadhaar, contact details and so on.

In India, this data could be retained by the government, corporations, the healthcare sector, and banks, to name a few institutions. A cybersecurity breach happens when the data of such individuals is compromised for the purpose of financial extortion as well as blackmail.

While consumers and individuals trust corporations to protect their data and use it for business purposes, in the absence of a robust, secured network and adequate measures, confidential data is put at stake. This Research Paper strives to provide various methods that Indian corporations, as well as entities in the public sector, could adopt to uphold data privacy and keep cybersecurity breaches at bay.

Research Methodology:

This Research Paper is Applied Research in nature and seeks to solve cybersecurity breaches while providing insights to policymakers and corporations for creating strategies to mitigate the risks and liabilities associated with them in the cybersecurity landscape. The research is based on secondary sources, which have been relied upon for analysis of the risks associated with cybersecurity breaches. Secondary sources including newspapers, websites, articles, and papers have been referred to for the research.

Review of Literature:

A cybersecurity breach occurs when an individual or organization intrudes upon the confidential information system of another company or individual. India has a series of laws and regulations that corporations and entities are expected to comply with for data security.2

The Information Technology Act, 2000 is the primary legislation that addresses measures to tackle cyberterrorism, phishing attacks, hacking, the selling of the public’s information, alteration of people’s data, etc. It lays down the penal provisions and the authorities to be approached for grievance redressal.

Cybersecurity breach is an epidemic that has spread around the globe and has become difficult to contain.3 Despite the laying down of security standards, measures to contain breaches, and guidelines for corporations to protect and uphold the data privacy of individuals, there has been a steep rise in cases of cyberattacks.

The privacy and data protection of the people is an inalienable right of the people of India under Part III of the Constitution of India. The Apex Court has time and again emphasized the need to bring about stringent laws for upholding the privacy of citizens.4 Indian values portray the consumer as God, while the law interprets that even a consumer has the right to erase his mark from the records.

The Digital Personal Data Protection Act, 2023 (DPDA) was enacted by the Indian Legislature and aims to lay down laws for the processing of people’s personal data for lawful purposes. Under the Act, businesses and corporations in Indian territory have to comply with certain regulations in order to contain cybersecurity breaches.

With digitalization, financial frauds have found their way into the market. The rise in internet banking and digital payments has contributed to the figures. Digital apps and corporations have been storing consumer data, referring to it as an essential ingredient of business data processing. Negligent data handling has been given the red light under the DPDA.

For a long time, the corporations hoarding data have had the upper hand over the individuals submitting it. However, under the Digital Personal Data Protection Act, it is the target audience of businesses that has been given the right to manage and control their personal data.

The DPDA, in conjunction with the Information Technology Act, 2000, particularly Section 43A of the latter Act, places liability upon companies that fail to deploy measures and practices to protect people’s confidential personal information. These legislations have compelled Indian Corporations to enhance their data processing activities and invest in the mandated policies for data minimization, protection, and data localization.5 As per the DPDA, Indian Corporations must secure the consent of consumers and allow them to delete or modify their data at their own discretion.

This research paper delves deep into the provisions of the law while also prescribing measures that corporations can further adopt to enhance and secure the data privacy of consumers and citizens who could be potential targets of a cybersecurity breach.

Purpose and Execution of Data Breach:

A cybersecurity breach or cyber-attack is unauthorized access gained to confidential data of the public with the purpose of extortion. Cybercriminals generally gain access to a computer or network using malware (code developed to harm the system it runs on), ransomware (a program that hijacks the personal data stored on a computer and locks it in encrypted form until a ransom is paid to the hacker), or phishing (an email or text sent to a targeted individual that lures them into downloading malware).

Phishing attacks resemble a normal transaction, purporting to be a financial transaction, and lure the target into entering financial information such as credit card details or passwords.

But what is the outcome of such cyberattacks? Indian Corporations holding the data of individuals are more often than not threatened by cyber-attackers to pay a ransom. But what do the cyber-attackers gain from the amount obtained?

Corporations fall short on incident-response planning. While companies invest a lot in brand strategy, marketing, distribution, and resource planning, they face resource constraints. Indian Corporations are victims of cybersecurity breaches due to their lack of advanced infrastructure, financial planning, and employee training.

Moreover, Indian Corporations frame hacking and cybersecurity breaches as an IT issue and not as a holistic business concern. But the question arises: how do corporations fail to track the source of a hacking incident or cybersecurity breach? Contrary to how simple it sounds, the source of a hack is difficult to track. But when a company makes the ransom payment, does that not make it easier to catch hold of the perpetrator? The answer is that it doesn’t.

The growing popularity of cryptocurrency, a digital mode of currency, is to blame. According to a report, cybercriminals or organizations use cryptocurrency/Bitcoin as the mode of ransom payment.6 Due to the decentralized nature of crypto, locating the cybercriminal becomes impossible.

Cybercriminals impersonate a bank employee or an employee of an organization and seek sensitive and confidential data from an individual. These attacks could use emails, phone calls, messages, etc. When a corporation fails to catch such an impersonator, innocent individuals are at a loss. This is due to the lack of regulations or a legislative framework.

For example, a cybercriminal breaches a secured portal of a company, ABC Ltd, a food and beverage service. He hacks into the database of ABC and leaks the data of millions of ABC’s customers on the dark web. The data comprises names, credit card information, addresses, phone numbers, etc. In return for deleting the database from the web, he asks for $60 million from ABC Ltd via Bitcoin.

The liability upon ABC Ltd is to ensure that consumer data is secured using robust security measures that are not vulnerable to cyberattacks. It is also the duty of ABC Ltd to inform its users about the various tactics used by hackers and protect them in advance.

Moreover, Corporations must also stay steps ahead and lay down measures in anticipation of attacks from unethical attackers. As per the IBM Report on the Cost of a Data Breach in 2023, a data breach cost Indian Corporations about INR 179 million on average in 2023. This figure is at an all-time high and has seen a steep rise from 2020.7

The IBM Report of 2023 on the losses caused by cybersecurity data breaches says that phishing accounted for the largest share (22%) of data breaches in Indian Corporations. Second on the list were stolen or compromised credentials, which comprised almost 16% of overall cybersecurity breaches.

Tackling Complex Data Breaches:

A solution-oriented approach is the primary way to counter cyberattacks. As we saw earlier, there are several ways to intrude into the database system of any corporation.

In India, the Indian Penal Code of 1860 is the supreme legislation that prescribes action to punish criminal offences. In addition to offences relating to harm caused to the human body and disruption of public peace, modern offences relating to digital attacks, such as hacking, tampering with digital data, publishing confidential data, publishing obscene posts, threatening via email/social media, forgery of documents, cyber fraud, etc., are all embodied under the Information Technology Act, 2000.

The following steps could be taken to ensure that Indian Corporations are protected from liabilities arising from cyberattacks targeted at them:

  • Legislation- The Information Technology Act, 2000 deals with cybercrimes, security breaches, denial-of-service, phishing, and hacking attacks on the databases owned by corporations.

The newly approved legislation, the DPDA (Digital Personal Data Protection Act, 2023), provides for the protection and processing of the personal data of individuals held by corporations.

The issues could be tackled through proper implementation and enforcement of the legislation, additional regulations, and stringent laws for punishing those accused of committing cybersecurity breaches.

At present, the Computer Emergency Response Team (CERT) is the administrative agency responsible for collecting, analyzing and disseminating information related to cybersecurity breaches. It is a central agency, but the range of cyberattacks that corporations have witnessed in the last few years calls for the setup of more such task forces to properly secure personal/confidential data and prevent its dissemination.

This could be done at agency level, i.e., for every Corporation there needs to be an agency. The Government has also prescribed regulations for different sectors such as insurance, banking, finance, etc. to comply with.

As stated previously, Section 43A of the Information Technology Act, 2000 lays down that a corporation or organization that fails to protect the personal and sensitive data of any person, and is negligent in the storage and security of that data, is liable to pay damages. Beyond this lone provision, S.85 of the IT Act also elaborates on offences committed by companies that do not abide by the provisions of the Act.8

However, there is no effective implementation of these provisions, nor are there any stringent punishments that would compel a corporation to put a robust management system into effect.

  • Incident-Response Planning- Indian Corporations lack enforcement plans and proper planning for the steps to be taken immediately after a cybersecurity breach.

This includes notifying the concerned authorities (the head of the corporation), the government bodies tasked with tackling data breaches, the stakeholders, the consumers, etc. The emergency plan must be executed in a stipulated manner under the guidance of a team that is well versed in the Cyber Laws.

  • Organizational Culture- Alongside the Response-Planning Team, the staff of an Indian corporation must be properly trained and guided to recognize when the company’s database has been hacked in a cybersecurity breach.
  • Cybersecurity Advanced Infrastructure- All Indian Corporations must implement modern security strategies and invest in proper infrastructure and devices that could be used in the event of a data breach.

The staff must be trained to follow and enforce the procedure established by the Response-Planning Team.

  • Security Database Audit- Corporations must regularly carry out audits to ensure that the database is secured and complies with the security procedure. The data must be encrypted end-to-end and should be accessed or procured only with the consent of the consumers whose data is held by the company.
  • Cybersecurity Insurance- The database held by a corporation qualifies as a digital asset of the company. The concentration of data makes faster escalation of its exposure points probable. Digital assets concentrated in one single network are more susceptible to hacking.

A consumer whose data has been exposed and published on the web due to the negligence of a corporation he trusted with it receives no compensation and is provided with no remedy.

So, what can be done for the benefit of a person whose data has been leaked? The answer is getting insurance! Indian Corporations are advised to procure cyber-insurance to safeguard their database and get immunity from any legal consequences.

With cybersecurity data breaches having increased over the last few years and remaining on a constant rise, cyber-insurance covers the loss caused to the affected corporation and also helps in dispensing the necessary funds for setting up the required IT infrastructure, data liability claims coverage, and so on.9

Cyber Insurance is an effective tool to mitigate the risks caused by cyber-attacks and has also become popular in recent times for effective diligence under cyber laws.

  • Data Localization Measures- A home is the safest abode. A lot of corporations outsource their database (supplying data to another country) to cut down on company expenditure. The databases of big corporations are handed over to third-party vendors for effective management.

Untrusted vendors make the data prone to being breached. A popular case study is that of American multinational companies outsourcing their data to BPOs located within India. This data is sent for non-core operations such as making calls for customer care purposes.

How can outsourcing be put to an end? This can be done through Data Localization. A company located within the territories of India that is provided with a database must store and process the sensitive and confidential data of its consumers within the local territories. Data Localization can be effective since robust security is easier and cheaper to deploy and implement within the country’s borders.

Outcome and Effects of a Cyber-Attack:

A cybersecurity breach or cyber-attack is a vicious and ferocious trespass upon people’s sensitive and confidential data. The purpose of the attack could range from siphoning funds using the financial information retrieved from the breached data to extorting money from the companies holding the data of individuals. Threatening a person with the release of their personal information on the dark web, encroaching into their computer system or network via malware, and deleting a person’s data are some types of cyber-attacks.

Indian Corporations that fail to execute measures for safeguarding people’s sensitive data are likely to get their data breached. The cybercriminal, in the guise of an organization, asks the concerned person for funds through emails, social media messages and so on. These texts could take the form of a threat to leak private videos of the person or a request for verification of bank details.

The funds demanded by the cybercriminal are ordered to be paid via cryptocurrency or Bitcoin, a type of digital currency that is difficult to track. The amounts paid by corporations as ransom are then utilized for more unethical activities, the highest form being cyberterrorism.

Conclusion:

Indian laws are constantly developing to include modern offences, specifically digital crimes. An individual whose sensitive information is published on the Internet against their will suffers panic.

With the advent of new technologies and corporations storing people’s data in the guise of business planning and marketing, in the absence of secured management it has become more difficult for consumers to catch hold of the accused.

While the Government of India has deployed ample authorities and regulations for companies to ensure that data processing is secured and encrypted in a prescribed manner, Indian Corporations on their own lack the infrastructure and the intention to invest in cybersecurity.

A few of the suggested measures, such as Cybersecurity Insurance and Data Localization, together with robust incident-response planning, can tackle cases of cybercrime by a large margin.

Footnotes:

· Lakshmi Visakha K.B, IBM Report: Average cost of a data breach in India touched INR 179 million in 2023, (July 25, 2023) https://in.newsroom.ibm.com/IBM-Report-Average-cost-of-a-data-breach-in-India-touched-INR-179-million-in-2023#:~:text=INDIA%2C%20Bengaluru%2C%20July%2025%2C,a%2028%25%20increase%20since%202020.

· Kevin M. LaCroix, Guest Post: Cybersecurity and D&O Liability: Emerging Concerns under Indian Law, The D&O Diary, (Nov 10, 2023, 4:11 AM) https://www.dandodiary.com/2018/05/articles/international-d-o/guest-post-cybersecurity-liability-emerging-concerns-indian-law/

AUTHOR:

Harshada Nirmal


Government Law College, Mumbai