Post demonetization, the government has initiated a timely and much needed measure to increase digital payment options to weed out black money and corruption from public life. As an integral part of the government’s move to take the country towards a total cashless economy, these measures would change the quality of life of citizens. One area that demands immediate attention is the need for a strong legal framework for privacy and protection of data shared by individuals and entities. Legislative reforms are not as quick as technological innovations, and this leads to doubts regarding the enforceability of rights.
In recent years, information and communication technology has been at the core of operational efficiency and success across enterprises around the world. However, as organizations open up to the adoption of mobility, cloud and IoT, they are putting their networks and company data under serious security threat. In India, too, as we move towards fulfilling the country’s digital dream, instances of cyber security threats are not uncommon. The Sophos Labs geo-malware report states that with a threat exposure rate of 16.9 per cent, India is one of the countries most vulnerable to malware attacks.
In October 2016, the country witnessed its biggest ever breach of financial data security, as over 3 million debit cards were put at cyber risk. Of these, around 2.6 million cards were on the Visa and MasterCard platforms. The State Bank of India was worst hit and had to block and re-issue around 600,000 debit cards to customers. As per industry estimates, India reported a total of 50,362 cyber security incidents during 2016, up from 49,455 in 2015. The various types of cyber security threats include phishing, scanning/probing, website intrusions and defacements, virus/malicious code and denial-of-service (DoS) attacks.
The cyber security breaches are expected to further go up as the country embarks on a digital transformation journey. While the government’s demonetization move has encouraged people to switch to mobile wallets, it has also increased the scope of cyber crime.
The growing threat of potential cyber security breaches has resulted in a major transformation of the global as well as the Indian cyber security market. The adoption of traditional security solutions has increased as even smaller enterprises are now keen on securing their networks. Meanwhile, large enterprises have moved a step ahead and are exploring new and advanced solutions, and new security models such as managed services and automation. Key security initiatives across the majority of organizations include security operations, incident response, network and data centre security, identity governance and administration, mobile and cloud security governance, advanced threat defense, application security, security policy and program development and governance, and risk and compliance.
The growth of the Indian cyber security market is partly driven by the government, which has undertaken several initiatives to strengthen the country’s cyber defenses. Under the Digital India initiative, the National Critical Information Infrastructure Protection Center recently released 40 tenets to improve cyber security in organizations essential to the economy, health and defense of India. Besides, there already exist several regulations laid down by the Reserve Bank of India, the Securities and Exchange Board of India, and the Institute for Development and Research in Banking Technology for ensuring data security. In December 2016, NASSCOM and the Data Security Council of India launched a detailed roadmap for the Indian cyber security industry. NASSCOM expects the Indian cyber security product and services industry to reach a size of $35 billion by 2025, and build a strong skilled workforce in the security sector.
Ransomware attacks become common
In the past year, instances of ransomware attacks have grown significantly. In these attacks, an enterprise’s key data or sensitive information is illegally encrypted using cryptovirology and a ransom is then demanded for its decryption. The attack blocks users’ access to their information until they pay a certain sum of money. In 2016, India was ranked fourth globally among the countries most affected by ransomware and, unfortunately, experts believe that this is just the beginning. They expect ransomware attacks to grow in variety and strength in 2017. According to Trend Micro’s projections, there will be a 25 per cent growth in the number of ransomware families globally in 2017. Cybercriminals are likely to use automation to further strengthen such attacks.
Just a few days ago, a number of Indian companies were infected by the WannaCry ransomware as a massive cyber-attack hit PCs across 99 countries. Among the Indian companies affected by the malware were two South Indian banks, two Delhi-based Indian manufacturing companies, one manufacturing unit of an MNC, the corporate headquarters of a Mumbai-based conglomerate and a Mumbai-based FMCG company. Over 100 PCs of the Andhra Pradesh police were also affected. The ransomware affects end-user PCs that have not received the patch that prevents the malware from infecting the system.
To prevent such attacks, enterprises must focus on end-user awareness and training. They also need to maintain adequate data backups, so that information can be restored in the event of a ransomware attack.
Cyber-attacks to grow more complex
Cybercriminals are now exploring new ways to evade detection. Phishing and social engineering are emerging as the dominant attack methods. In the future, attackers are also expected to rely on artificial intelligence within server environments to figure out the best mode of attack. Custom-designed malware and cross-platform malware designed to operate on and between multiple devices will become common. Drone-jacking is also expected to become prevalent.
In response to the growing complexity of cyber-attacks, preventive security controls such as firewalls, application security and intrusion prevention systems are now being tweaked to add more intelligence to security operations, analytics and reporting platforms.
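The ransomware behaviour described under “Ransomware attacks become common” (files encrypted in bulk and renamed before a ransom demand) is one of the patterns the analytics mentioned here are tuned to catch. The script below is an added example, not code from the article or any product: it runs a simple burst heuristic over constructed file-activity log lines, flagging a process that renames many files to one new extension across several directories within a short window. The log format, process names, paths, the “.locked” extension and the thresholds are all assumptions made for the illustration.

```python
"""Heuristic detection of ransomware-like mass-rename bursts in file-activity logs.

Added example: the log format, process names, paths, extension and thresholds
are constructed for illustration and are not taken from the article.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one event per line: "timestamp | pid:process | OP | path[ -> newpath]".
# A word processor and explorer touch a few files normally; one unknown process
# then renames nine documents across three folders to ".locked" within 30 seconds.
SAMPLE_LOG = """\
2017-05-13T09:00:01 | 4120:winword.exe | WRITE | C:\\Users\\a\\Documents\\report.docx
2017-05-13T09:00:09 | 1204:explorer.exe | RENAME | C:\\Users\\a\\Desktop\\old.txt -> C:\\Users\\a\\Desktop\\old.bak
2017-05-13T09:01:10 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Documents\\report.docx -> C:\\Users\\a\\Documents\\report.docx.locked
2017-05-13T09:01:12 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Documents\\budget.xlsx -> C:\\Users\\a\\Documents\\budget.xlsx.locked
2017-05-13T09:01:14 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Documents\\notes.txt -> C:\\Users\\a\\Documents\\notes.txt.locked
2017-05-13T09:01:17 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Pictures\\family.jpg -> C:\\Users\\a\\Pictures\\family.jpg.locked
2017-05-13T09:01:19 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Pictures\\trip.png -> C:\\Users\\a\\Pictures\\trip.png.locked
2017-05-13T09:01:22 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Desktop\\todo.txt -> C:\\Users\\a\\Desktop\\todo.txt.locked
2017-05-13T09:01:25 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Desktop\\invoice.pdf -> C:\\Users\\a\\Desktop\\invoice.pdf.locked
2017-05-13T09:01:28 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Documents\\thesis.docx -> C:\\Users\\a\\Documents\\thesis.docx.locked
2017-05-13T09:01:31 | 7788:upd_srv.exe | RENAME | C:\\Users\\a\\Pictures\\scan.pdf -> C:\\Users\\a\\Pictures\\scan.pdf.locked
"""

LINE_RE = re.compile(r"^(\S+) \| (\d+):(\S+) \| ([A-Z]+) \| (.+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, proc, op, rest = m.groups()
    src, dst = rest.strip(), None
    if op == "RENAME" and "->" in rest:
        src, dst = (p.strip() for p in rest.split("->", 1))
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "op": op, "src": src, "dst": dst}


def _parts(path):
    # Accept both Windows and POSIX separators.
    return re.split(r"[\\/]", path)


def ext_of(path):
    """Lower-cased final extension of a path, or '' if there is none."""
    name = _parts(path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def dir_of(path):
    return "/".join(_parts(path)[:-1]).lower()


def detect_rename_bursts(events, window_s=60, min_renames=8, min_dirs=2):
    """Alert once per (process, extension) when a single process renames at least
    min_renames files to the same new extension, spread over at least min_dirs
    directories, inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # (pid, proc) -> deque of (ts, ext, dir) within the window
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "RENAME" or not ev["dst"]:
            continue
        key = (ev["pid"], ev["proc"])
        ext = ext_of(ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ext, dir_of(ev["dst"])))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                      # drop renames that fell out of the window
        same_ext = [(ts, d) for ts, e, d in q if e == ext]
        dirs = {d for _, d in same_ext}
        if len(same_ext) >= min_renames and len(dirs) >= min_dirs and (key, ext) not in fired:
            fired.add((key, ext))
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "ext": ext,
                           "renames": len(same_ext), "dirs": len(dirs),
                           "first": same_ext[0][0], "last": ev["ts"]})
    return alerts


def scan_log(text, **thresholds):
    """Parse log text and return the list of burst alerts (empty when nothing fires)."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return detect_rename_bursts(events, **thresholds)


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT pid={a['pid']} {a['proc']}: {a['renames']} files renamed to "
              f".{a['ext']} in {a['dirs']} directories between {a['first']} and {a['last']}")
```

The thresholds are deliberately conservative so that a user renaming a handful of files, or an archiver renaming files in one folder, stays below the line; in practice they would be tuned per environment, and the alert would feed a response playbook (isolate the host, then restore from the offline backups the article recommends) rather than stand alone.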
Some of the recent decisions of the Supreme Court have expanded the contours of privacy to arrest the increasing assaults on the privacy rights of the citizens. If the courts further expand the scope of the fundamental rights to include privacy and data protection, then the existing framework of law may be insufficient to address the future legal challenges. Hence, a comprehensive Data Protection Law is required for greater legal clarity and safe enforceability of rights by owners of the data. This could be achieved through a special legislation with the objective of affording protection to the data and information of the natural and legal persons.
The focus on the implementation of newer areas of innovation may get blurred when included as part of the general laws. Hence, a special law is needed. The following could be the broad features of such a legal framework: Personal data must be clearly defined, as any lack of clarity could expose privacy rights to greater risks. There should be a process of registration of the data and of data collectors.
This would create a central registry for tracking the flow of information. The authorities could then intervene in a timely manner and initiate penal action against offenders. A central authority should be constituted for monitoring the collection of information and data, registering collectors, regulating the collection and dissemination of data and initiating penal action against offenders. What constitutes an “offence” under the law must be clearly delineated. The punishments under this legislation should be made stringent.
This will safeguard the interests of the citizens who participate in the space of digitized transactions against the misuse of their data. Knocking at the doors of justice in the ordinary course of time may prove to be expensive and a long drawn affair for them. Hence, prescription of a stringent penal framework with a time bound implementation mechanism will act as a deterrent against misuse. Penal provisions should be exemplary.
Penal provisions of fines, including the issuance of disgorgement orders, non-compoundable offences, etc., should form part of such a law. The security measures required of data collectors and controllers to prevent misuse should be stipulated. Collection, processing, usage and the grounds for exceptions from the provisions of this law should be clear. A comprehensive data protection legislation on the above lines will guarantee a sense of safety to the owners of the data.