
Data is ‘inflammable’ oil

Data is the new oil, more inflammable than the other. It is, therefore, time to get the act right or risk losing reputation, trust, business and even sovereignty.

The year 2019 was the worst in the history of data breaches. More than 5,500 large breaches resulted in approximately 8 billion leaked records. The most affected sector was health, followed by financial, energy, industrial and pharma; even the education sector was badly hit. A worrisome feature of these breaches is that the average time to discover one is more than 200 days (IBM study). As this article was being written, news came that, as of May 2020, 8.8 billion records had already been breached, exceeding the volume of the entire previous year.

The effects and potential harms of a data breach are multifarious. Apart from the breach of privacy and the loss of money suffered by customers, data breaches cause loss of business to the companies involved. The biggest breaches by volume included 275 million records of Indian job seekers, 250 million Microsoft customer records, the phone numbers of 419 million Facebook accounts, and the data of 139 million users of the graphic design service Canva. Another disturbing trend is the rising cost of the average data breach: IBM’s latest annual Cost of a Data Breach study puts it at $3.92 million per breach. That figure includes notification costs, forensics and investigation, damage control, repairs, lawsuits, regulatory fines and other administrative costs.

The legal obligations to secure personal information include an expanding set of laws, regulations, enforcement actions, common law duties, contracts and self-regulatory regimes. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 require businesses to use “reasonable security practices and procedures” to protect personal information from unauthorised access, destruction, use, modification or disclosure. Organisations should adopt security standards that achieve an appropriate standard of care for personal information. Some practices Indian corporates can adopt are:

Timing provision

There should be a timing provision that strikes a balance: flexibility for the affected company, together with a specific outer deadline intended to prevent major delay. In practice, that outer bound tends to become the de facto standard for notification. A single deadline of 30 or 45 days from discovery to notification would be too long in many industries and might be too short in others, so the time allowed should be tuned to the industry concerned. The provision must also be kept up to date: what constitutes a reasonable time for notification today might be unreasonable tomorrow, as technological improvements allow faster forensic analysis, cheaper and more precisely targeted notice, and a better ability for companies to quickly provide consumers with remedies.

Breach notices

The easier the better. Breach notices should be made easier to understand by restricting them to one of two formats: (i) use the title “Notice of Data Breach” and the headers “What Happened”, “What Information Was Involved”, “What We Are Doing”, “What You Can Do” and “For More Information”; or (ii) use the form provided in the statute. There can also be a provision mandating companies to post such a breach notice on their website after

How do breaches occur?

1. System vulnerabilities: Cybercriminals are constantly looking for flaws to exploit. Software companies continually update their products to keep up with advances in hardware, and some of those updates introduce unexpected vulnerabilities. At times it is not the software upgrade that is vulnerable but a third-party vendor with access to your systems that is not secure. One such example is the Target data breach (one of the largest data breaches in history), where the attackers got in using credentials stolen from a heating and ventilation contractor.

2. Weak passwords: Using passwords such as ‘password’ or ‘123456’, which top the list of the most commonly used passwords of the last decade. Or the other extreme: demanding highly complicated passwords and frequent password changes, which forces employees to write them down and store them in insecure or predictable places. Reusing passwords makes it easier for hackers: they target sites with minimal security and use the credentials obtained there to break into sites with much stronger security.

3. Employee negligence: Employee negligence is the number one cause of security breaches. A prime trigger for a ransomware attack is a phishing or social engineering attack aimed at tricking employees into clicking on a malicious link.
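As an added illustration of the two extremes described under weak passwords (it is not part of the original article), the following Python compares a composition-rule policy, which waves through ‘P@ssw0rd!’-style passwords, with a length-plus-blocklist check of the kind recommended in NIST SP 800-63B. The ten-entry blocklist and the leet-substitution table are constructed for the example; a real deployment would load a list of known-breached passwords instead.

```python
"""Added example: weak (composition-rule) vs hardened (length + blocklist)
password acceptance checks.  Not code from the original article."""
import re
import unicodedata
from typing import Tuple

# Constructed sample of commonly used passwords; a real list has millions.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "password1", "111111", "letmein", "welcome", "admin",
}

# Substitutions attackers' wordlists already try: '@'->'a', '$'->'s',
# '0'->'o', '1'->'l', '3'->'e'.  Constructed for this example.
LEET_MAP = str.maketrans("@$013", "asole")


def normalise(password: str) -> str:
    """Fold case and Unicode form, drop a trailing run of digits/symbols
    ('Welcome2020!!' -> 'welcome'), then undo leet substitutions, so the
    blocklist lookup catches trivial variations of a common password."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    return p.translate(LEET_MAP)


def weak_policy_accepts(password: str) -> bool:
    """The 'complicated password' extreme: 8+ characters with upper, lower,
    digit and symbol, nothing else.  'P@ssw0rd!' satisfies every rule."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^\w]", password) is not None
    )


def strong_policy_accepts(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Length plus blocklist instead of composition rules.  No forced symbol
    mix and no periodic rotation, so users can keep a long memorable
    passphrase instead of writing a short contorted one on a sticky note.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if normalise(password) in COMMON_PASSWORDS:
        return False, "matches a commonly used or breached password"
    if len(set(password)) <= 2:
        return False, "too repetitive"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "P@ssw0rd123!", "Welcome2020!!",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} composition-rules: {weak_policy_accepts(candidate)!s:5} "
              f"length+blocklist: {strong_policy_accepts(candidate)}")
```

The contrast is the point: the composition-rule policy accepts ‘P@ssw0rd!’ and rejects ‘correct horse battery staple’ (no capital, no digit), while the length-plus-blocklist check does the reverse. The normalisation step matters because users asked to "add a number and a symbol" reliably produce ‘Welcome2020!!’, which a raw string comparison against the blocklist would miss.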

Advisory

1. Limit access: Do not give any one employee access to all systems. Provide access only to those systems, and the specific information, necessary for the person’s job. Also make sure you disable and purge old user accounts, and disable an employee’s accounts as soon as they exit.

2. Back up important data: Back up important data on each computer used in your business. This is necessary because computers die, hard disks fail, employees make mistakes and malicious programs can destroy the data on your computers. Test your backups at regular intervals to ensure they can actually be restored.

3. Securely dispose of stored data: When disposing of old computers containing sensitive information, business or personal data, make sure the storage is wiped and the equipment disposed of securely.

4. Unique accounts: Each of your employees should have an individual account with a unique username and password. Without individual accounts for each user, you will find it difficult to hold anyone accountable for data loss or unauthorised data manipulation.

Conclusions

Data breaches are here to stay; corporates should evolve a strategy of risk governance rather than risk avoidance. This entails changes in the way we acquire, process, retain and dispose of data. With the advent of data protection legislation in India, it will be incumbent upon anyone dealing with data of a personal nature to take stringent measures to protect individual privacy, dignity and other legitimate interests.

Cyber security has been gaining ascendance as a critical business consideration, and today it has become existential. Corporates and governments need to understand that there is a huge cost-benefit asymmetry in cyberspace, which needs to be addressed as of yesterday. This would entail huge investments in encryption, anomaly detection, threat hunting, hardening of critical infrastructure, collaboration and threat intelligence sharing. A comprehensive understanding of what one is protecting and how it can be attacked is essential to build the right data protection posture.

Data today is not limited to its economic value; it has myriad dimensions ranging from strategic to aspects of statecraft. Data is the new oil, more inflammable than the other; it is time to get the act right or risk losing reputation, trust, business and even sovereignty.

Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is a practicing advocate in the Supreme Court.
