Urgent Need for Tougher Data Privacy Regulations

OCTOBER 21, 2024

By M G Kodandaram, IRS. Assistant Director (Retd) ADVOCATE and CONSULTANT

INDIA's growing reliance on digital platforms has brought immense convenience, but at the same time, it has exposed citizens to significant data breach and privacy risks.

The recent data breach involving a prominent insurance company, which impacted around 31 million individuals, highlights how vulnerable personal information is in the absence of strong digital privacy laws and with inadequate enforcement of existing regulations. This issue is not new, as previous breaches in the healthcare sector have shown. The healthcare sector has increasingly become a prime target for cyberattacks because of the high value of personal health information on the black market. Such data breaches have been reported from public health establishments like the Indian Council of Medical Research (ICMR) and AIIMS.

Although such breaches are taking place regularly in all sectors of business in India, the Government Authorities have not taken adequate steps to strengthen regulations, leaving personal data vulnerable to being sold on dark web markets and exploited for various cybercrimes. These crimes often go un-investigated, and the perpetrators go unpunished, demonstrating a troubling lack of response from those in power. While the government and businesses are keen on promoting e-governance and digital technology, they seem largely indifferent to the rising cybercrime risks that endanger citizens. The regular occurrence of such breaches serves as a stark reminder of the urgent need for stronger cybersecurity measures by all, i.e., by everyone engaged in commercial and public service activities using digital means. The failure to enforce adequate cybersecurity measures has, in some cases, even resulted in financial losses to the treasury, which go un-reported. (Read 'Lapses in De-Mapping of GST Officers: A Gateway to Fraudulent Activities', OCTOBER 14, 2024, by the Author)

Background of the Incident

The leading insurance company, based in India, has insured over 170 million individuals to date. In October 2024, it was revealed that a hacker group had infiltrated the company's systems and leaked sensitive customer data, including medical reports, insurance claims, tax details, and copies of identification cards. The data breach became public when the hacker group created Telegram chatbots to distribute this personal information.

In this incident, a hacker using an anonymous identity claimed to have accessed and sold sensitive personal information for as little as USD 150,000. The breach compromised a wide range of personal data, including names, PAN numbers, addresses, medical histories and financial information, and raised suspicions of insider involvement. The breached data included medical records, home addresses, insurance claims, and tax details, highlighting serious privacy concerns for customers. This incident not only threatened individual privacy but also called into question the robustness of cybersecurity practices at large institutions entrusted with such data. Such information can be misused for identity theft, financial fraud, and even targeted attacks on individuals. Moreover, the exposure of medical history can cause personal embarrassment, societal stigmatization, or discrimination in certain cases, raising the stakes significantly for the victims.

Cybersecurity and Accountability

For large companies managing sensitive personal data, serving millions, and processing claims worth billions, maintaining a strong cybersecurity system is essential. This incident has raised serious concerns about the organization's security infrastructure. The ability of a hacker group to access and publicly share sensitive data underscores a significant breakdown in security protocols. Organizations handling sensitive data have a duty to protect against cyber threats, and in this case, the breach appears to stem from inadequate cybersecurity measures that permitted unauthorized access to critical information. The company's delayed notification to customers and lack of detailed public communication exacerbated the situation. In incidents like these, transparency and timely disclosures are essential, and their absence highlights shortcomings in the company's response to the breach.

The consequences for such companies may extend beyond reputational damage to legal ramifications. Trust is essential for health insurance companies, and breaches like this can undermine customer confidence, leading to potential attrition. The company's failure to promptly offer clear communication or guidance to policyholders has deepened the negative impact. While the insurance company cited the ongoing forensic investigation as the reason for its delay, a breach of this scale typically requires a more immediate and proactive response to address customer concerns.

From a legal standpoint, the company may face significant penalties if found negligent in its duty to protect personal data. While India's current data protection laws are relatively lenient compared to international standards, the forthcoming Digital Personal Data Protection Act, 2023 (DPDP Act) could introduce stricter obligations for organizations handling sensitive data. When enforced, such companies that fail to secure customer data could face increased liabilities and greater regulatory scrutiny.

Another dimension of this case involves the role of third parties in facilitating the dissemination of the breached data. The hacker group used various chatbots to leak customer information, while another platform was allegedly hosting the group's website. The involvement of third parties raises broader questions about the accountability of tech platforms when they are exploited for illegal purposes. Although the third parties reported to have been involved may claim that they are not directly responsible for the breach, the incident raises questions about their role in ensuring that their platforms are not used to further such criminal activities.

Legal Protection Against Privacy Breach

In this case and in similar personal data breaches, which reportedly compromised the sensitive personal information of millions, Indian law provides a legal framework through Section 43A of the Information Technology Act, 2000 (amended in 2008). This provision mandates that corporate entities implement "reasonable security practices and procedures" when handling such information. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 create a comprehensive framework for managing sensitive personal data. These rules define "reasonable security practices" as incorporating internationally recognized standards such as ISO/IEC 27001. If personal data is compromised due to an organization's failure to maintain these security measures, the provision requires that affected individuals receive compensation. The apparent indifference of the concerned agencies in enforcing these laws raises questions about whether appropriate measures were initiated in this incident or in previous cases. (Read 'Privacy in Peril: Have We Forgotten Our Rights?', OCTOBER 07, 2024, by the Author)

Legal Recourse for Affected Individuals

However, as on date, the victims of the insurance data breach and of similar incidents in the health, banking and other sectors, whose sensitive personal information was leaked, have the following legal recourse:

- Under Section 43A, individuals whose sensitive personal data has been compromised can file a claim for compensation against the entity concerned. The company may be held liable for failing to implement 'reasonable security practices' and for any resulting losses. The extent of compensation is determined by the adjudicating officers under the IT Act, and there is no upper limit specified under the law.

- Affected individuals can file a complaint with the Adjudicating Officer appointed under the IT Act. The officer has the authority to inquire into the complaint and direct the company to pay compensation if found liable for negligence in protecting sensitive personal data.

- The performance of the adjudicating officers in attending to such cases has been dismal, as evidenced by the victims' feedback. The government's failure to compel these officials to act on time has further exacerbated the problem.

- It is important to note that the proposed DPDP Act 2023 does not provide any compensation to the victim/principal for the harm caused by data breaches. (Read 'DPDP Act 2023 Falls Short on Addressing Harm', NOVEMBER 28, 2023, by the Author)

Role of CERT-In and the Need for Reform

The Indian Computer Emergency Response Team (CERT-In) is the country's primary agency for cybersecurity, essential in managing incidents like this. CERT-In must take the lead in partnering with international cybersecurity agencies to track the sale of compromised data on the dark web and dismantle the networks enabling these illicit activities.

The involvement of foreign currency transactions, with the data sale allegedly involving payments in USD, introduces an angle related to the Foreign Exchange Management Act (FEMA). This transforms the case into not just a data privacy issue but a potential economic crime, warranting the attention of the Central Bureau of Investigation (CBI) and the Enforcement Directorate (ED). Given the cross-border nature of cybercrime and the role of global platforms like the dark web, a comprehensive legal framework addressing both domestic and international issues is essential. Therefore, it is also crucial for CERT-In to file formal complaints with the CBI and the ED, as the complexity and scale of the breach demand law enforcement resources that extend beyond technical cyber investigations.

The dark web and encrypted communication platforms, such as Proton Mail, were identified as key enablers of this health insurance data breach. While these platforms provide legitimate privacy protections, they also afford anonymity to cyber-criminals. Consequently, there have been calls for either banning or heavily regulating such platforms in India due to their association with illegal activities. In this context, CERT-In and other regulatory bodies should advocate for immediate reforms in how Indian organizations manage sensitive data. Implementing regular security audits, mandating the encryption of sensitive information, and establishing prompt reporting mechanisms should become industry standards across all sectors.

The Way Forward

As India moves toward implementing a more comprehensive data protection regime under the DPDP Act, 2023, this breach may serve as a crucial test case, prompting organizations to reassess their data security measures and regulatory compliance. It exposed significant flaws in how personal data is managed, underscoring the urgent need for comprehensive legislation that sets strict standards for data collection, storage, and breach notifications. The possibility of insider involvement and the use of global platforms to sell the stolen data further complicate the issue, making independent investigations essential. This breach highlights the deep shortcomings in India's current data protection framework and emphasizes the need for stronger laws that hold companies accountable and safeguard citizens' personal information in an increasingly digital society.

All organizations, namely data fiduciaries and governmental digital platforms, must strictly adhere to the standards set out in the Information Technology Act, which, unfortunately, have largely been ignored. They must invest in robust security measures, conduct regular audits, and train employees to prevent data breaches, as the financial, reputational, and emotional costs are too high to overlook.

[The views expressed are strictly personal.]

(DISCLAIMER : The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)
