The good, the bad and the googly: The curious case of the Air India data breach

Personal data and privacy, an indispensable virtue for humankind, are unfortunately up for sale on the dark web, and the substantial increase in data leaks over recent years has become a central cause of concern for all and sundry. The equilibrium between data protection and technological advancement is in disarray, attributable to the significant rise in the misuse of users’ information and the wildfire-like upsurge of data-breach incidents for which no plausible explanation is offered.

All things considered, and in light of the rampant instances of data breach doing the rounds in the news, the Air India data breach has posed an out-of-the-ordinary question of paramount consequence: legally, can a mechanism for monetary compensation exist for instances of data infringement?

WHAT REALLY TRANSPIRED IN THE AIR INDIA DATA BREACH?

SITA is a multinational information technology company based in Geneva, Switzerland, which has been furnishing IT and telecommunication services to the air travel industry since 2016. In March 2021, SITA released a statement intimating the airlines it has partnered with that it had been affected by a cybersecurity attack on its system, due to which customer data had been leaked. Some of the notable airlines compromised included behemoths like Lufthansa, British Airways, Finnair, and American Airlines, each of which issued statements in March itself to inform their customers of the breach. SITA, however, declined to comment on the incident to the larger public and merely stated that it “acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA with the support of leading external experts in cyber-security.”

Interestingly, a few months later, in May 2021, Air India (“AI”) released a statement revealing that it was one of the airlines compromised by the cybersecurity attack on the SITA Passenger Service System (“SITA PSS”), and that there had been a data breach in which the personal data of its customers for the period of 26th August 2011 to 20th February 2021 was infringed upon. The cybersecurity attack lasted for 22 days and affected the personal data of 4.5 million passengers; the data breached included names, passport information, frequent flyer details, and credit card information, but did not affect passwords or CVV/CVC information. Air India’s lax inaction is questionable, given the magnitude of the attack and its impact on data privacy and security. Dubious too was the defence put forth: AI shielded itself by claiming it had made an announcement regarding the attack on its website on 19th March 2021, but that announcement does not seem to have reached the doorstep of the consumers, leaving them confused, enraged, and with an impending feeling of vulnerability.

WITH EVERY ACTION, THERE IS A CONSEQUENT REACTION: THE CLAIM AGAINST THE BREACH

Following the delayed appraisal of the attack, the AI management was sent a notice by one of the aggrieved customers (a journalist from Delhi), seeking damages of Rs 30 lakhs. In the notice, the airline is accused of “knowingly, intentionally and deliberately leaking the personal data and for breach of sensitive information” of its customers. The notice refers to the famous case of K.S. Puttaswamy v. Union of India, in which the right to privacy was held to be a fundamental right under Article 21, subject to reasonable restrictions. As per the unanimous understanding of the nine-judge bench in the Puttaswamy judgement, the right to privacy includes one’s autonomy over his/her personal decisions, bodily integrity, and, very importantly, a right to protection of one’s personal information.

The notice sent to AI expressly states that, as a corollary of the cyberattack, there has been a loss of autonomy over personal data; hence the journalist contends that she has suffered hardship because of the violation of her right to privacy and her right to be forgotten, which is an extension of the rights recognised by the Apex Court in its Puttaswamy judgement.

Upon a careful perusal of the judicial reasoning behind the Puttaswamy judgment, one can see that the Honourable judges gave the right to privacy a wide scope, so that a range of claims arising as a direct consequence of a breach of privacy may be admissible; the extent to which this judgment applies must therefore be determined on a case-to-case basis, depending on the facts and other associated factors. Nonetheless, the number of data breaches occurring in recent times, read in light of the K.S. Puttaswamy judgement, points to one pivotal focal point: the urgent and dire need for a data protection law in India.

FACT VS FICTION: CAN COMPENSATION INDEED BE SOUGHT, OR IS IT MERE WISHFUL THINKING?

In the not-so-distant past, we have witnessed a great many data breaches emanating from India: the personal data of over 29 million job seekers found its way to the dark web, the sensitive data of over 7 million CSC-BHIM users was exposed last year, and the (in)famous Domino’s India data breach affected over 180 million of its customers, to cite a few examples among the many instances which have come to light, and the plethora which have not.

In light of such breaches, and in the absence of a specific data protection law, only limited safeguards are guaranteed by the existing legal regime. Section 43A of the Information Technology Act, 2000 (“IT Act”) specifies that a body corporate which holds, handles or deals with the sensitive data or similar information of a particular person, and under whose oversight a data or information breach has taken place (in our discussion, Air India), would be held negligent and liable to compensate the aggrieved person. The victim of a data breach can thereby approach the Adjudicating Authority established under the IT Act seeking redressal, with the only catch being that the victim will have to show that he/she has sustained a monetary loss of INR Five Crores or less.

To add to this, the umbrella protection of Section 43A comes with one particular condition, found in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“2011 Rules”), which can be misused by body corporates: Rule 8 says that a body corporate is absolved of liability to a large extent if it has complied with the reasonable security practices, standards, and procedures specified by the 2011 Rules. Thus, when Rule 8 of the 2011 Rules is read with Section 43A of the IT Act, the onus on the body corporate is consequentially lowered, and the single pit-stop defence of having adhered to “reasonable security practices and procedures” could let it off the hook hassle-free.

This shows that, under the current legal regime governing data-breach compensation in India, no aggrieved customer/consumer/user can seek compensation ipso facto, even if a particular body corporate concedes that a data breach occurred on its end.

However, this raises a crucially pertinent question: should the corporate under whose aegis the data breach took place be vindicated merely because it adhered to the set standards of security under the IT Act and the 2011 Rules?

An answer in the affirmative to this question is troublesome on two grounds. One, the standards of care and reasonableness established in the years 2000 and 2011 are far outdated when contrasted with the degree and magnitude of data and information breaches we witness in 2021; accountability thus goes for a toss, since the body corporate merely has to prove adherence to a yardstick of care that is archaic and obsolete to its very core in order to go scot-free. Two, the ambiguity and vagueness in the definitional aspects of the IT Act and its aligned Rules, together with the dearth of an efficacious checks-and-balances mechanism, leave room for expansive legal uncertainty. In turn, all of this provides a potential leeway in which the interests of corporations supersede the interests of customers/users/consumers, thereby defeating the very purpose that brought the IT Act, and subsequently its allied Rules, into existence.

CONCLUDING REMARKS

The quandary remains: when one is left to fend for oneself, can the doors of justice be knocked on to claim reparation for a data breach? This question needs to be addressed taking into consideration the Personal Data Protection Bill, which is still pending on the floor of Parliament and thus does not yet have the standing of law.

However, not all hope is lost, as the legislative machinery is keeping up with digitisation trends and bringing accountability to data-collecting corporates: we now have e-commerce companies brought under consumer jurisprudence and the BIS framework for data privacy assurance.

Although India does not so far have a piece of legislation that addresses compensation or redressal for consumers in cases of a data breach, this makes the Air India data-breach case one of high consequence, since the Court’s ruling will pave the way for corporate accountability, especially in cases of data breach.
