Recent cyberattacks that compromised hundreds of Indian users’ data have put the spotlight on the lack of regulation to protect consumers and make companies accountable. According to experts in the recent Moneycontrol MasterClass episode, the personal data protection bill will in part address the issue and should be implemented soon.
Justice BN Srikrishna, speaking during the recent masterclass episode on ‘Data Breaches Rock India: How can you stay safe online’ moderated by Chandra R Srikanth on May 28, said, “Today the problem is there is no law.” According to him, the government should be pressured to bring the law soon, and the law will take care of itself.
This comes on the back of recent data breaches that have rocked India, in which the data of lakhs of customers has been compromised. The companies that saw their user data compromised include Air India, Domino’s India, BigBasket, Dunzo, and Upstox. Arvind Gupta, co-founder, Digital India Foundation, said that data breach attempts have gone up 10 to 20 times in recent times, including state-sponsored attacks.
Rajshekhar Rajaharia, an internet security researcher, explained that the spike in breaches has come on the back of people working from home without the proper security in place that they have in offices. This has made the systems vulnerable, which cybercriminals have made use of.
The impact is particularly notable in rural areas, Rajaharia noted. “Unlike the tier-1 and tier-2 cities, where people are aware of different forms of attacks, the same cannot be said for rural India, which has just started embracing digital on the back of the pandemic.” Cybercriminals are using the leaked data to scam people in rural India, who end up losing money.
At present, while consumers can take companies to court, it is not viable for the common man, in terms of both time and money. As Justice Srikrishna put it, “I can tell you, you can go and file a civil suit, your grandson will get the compensation if he succeeds. That is the problem. How many things can the court deal with? You add to it the data protection problems also, they will really totally run aground.”
“Today there is no promise or accountability over data. Nobody (companies) needs to say how we will protect the data, and this is exactly how we will use it,” said Saket Modi, co-founder and CEO, Safe Security.
The only solution, experts agreed, is the personal data protection bill.
The data protection law obligates every person or entity that stores data to maintain it in good shape to ensure that there is no breach. In case of a breach, under the law, the entity should promptly inform the data protection authority within 48 hours or 72 hours, whatever limit is prescribed. Justice Srikrishna explained that this gives the government the authority to tell the entities to investigate the data leak and plug the holes. “Then there is constant dialogue between the data protection authority and the entity, the data fiduciary,” he added.