DATA BREACH
A data breach is the procurement and transmission of confidential, sensitive, and critical information that is otherwise protected and secured from illegal access or unauthorized intervention by a responsible authority of a government or private agency. Exposed data includes healthcare, social security, and credit card numbers, etc., which are accessed by hacking specialized security systems and corporate websites. Users who connect to rogue wireless networks that capture login IDs or sensitive information are prone to unauthorized exposure. Private data circulating unnoticed on the dark web has exposed sensitive information of celebrities as well as ordinary people. With the growing number of data breaches, there is a visible increase in the threat of identity theft, scams, and corporate spying, leading to safety concerns. In a recent instance, attackers allegedly obtained access to 756GB of personal data of celebrities. This data, which was procured by hacking a New York-based law firm’s database, included phone numbers, email addresses, contracts, non-disclosure agreements, personal contact details, etc. In such ransomware attacks, cybercriminals extort payment from victims in return for restoring their data and not leaking it to the world.[i] There are many instances of data breaches that have curtailed the privacy of many and have threatened their safety and security in various ways, some of which are:
1. LEAKAGE OF PERSONAL DATA ON DARK/DEEP WEB
In the latest case, Cyble, a cybersecurity firm, declared that the personal data of 2.9 crore Indian job seekers had been leaked on the dark web by cybercriminals. It included a lot of static information regarding their educational qualifications, home address, phone, email, job experience, etc.[ii] The firm also reported the trading of personal data of 267 million Facebook users and 22 million users of Unacademy for a negligible amount on the dark web. The number of cyber leaks and data breach incidents happening each day is dreadful.[iii]
2. MALWARE HACKING OF DATA
On October 16, 2016, Hitachi Payment Services was hit by a malware attack, which led to the exposure of essential customer data from the custody of banking institutions such as Axis Bank, MasterCard, ICICI Bank, Visa, and Yes Bank. As a result, around 3.2 million debit cards were exposed and their data compromised. The National Payment Corporation of India received complaints from banks that customers’ cards had been fraudulently used in China and the USA while the customers were in India.[iv]
3. AUTHORIZED MANNER OF DATA BREACH BUT CONTRARY WITH PRIVACY CONCERNS
In 2008, the Mumbai attack prompted widespread data surveillance and schemes to preserve personal data of individuals against crime and terrorism in India. However, the project raises privacy concerns, as the Central Monitoring System provides law enforcement agencies with access to communication data centralized by and, if implemented, it would connect to the Telephone Call Interception System (TCIS), which includes voice calls, video calls, SMS and MMS, fax, GSM and 3G networks. Continuous monitoring of citizens and the creation of a surveillance state is dangerous for democracies, and it allows the government to surveil information without the knowledge of entities like telecom operators.[v]
With a constantly increasing dependence on technology, the regulation of data acts as an asset. It ensures safe and secure transmission of information for purposes related to the storage and maintenance of digital records in the organized as well as unorganized sectors of the country, with the help of laws, rules, and regulations. Data can be broadly classified into public data, which is made accessible to the public at large, and private data, which is mostly inaccessible (with exceptions) to the public without the explicit consent of the informant. Moreover, Section 69 of the IT Act, 2000 provides reasonable restrictions on the right to privacy to protect the sovereignty and integrity of India, the security of the state, public order, the defense of India, and friendly relations with foreign states, or to prevent incitement of an offense. It also empowers the Government to give orders to intercept, monitor, or decrypt personal information in computer resources.
At the moment, India doesn’t have any legislation specifically relating to data protection, but it provides a regulatory mechanism for data protection and privacy through amendments to the Information Technology Act, 2000, which added Section 43A and Section 72A, and through the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A, which impose additional requirements concerning sensitive personal data, according to GDPR and Data Protection Directives. The Rules obligate corporate bodies to publish online their detailed and descriptive privacy policies and requirements regarding disclosure of sensitive personal information, and to take consent, in the mode provided for in the Rules, for lawful usage and revelation of such data, except when fulfilling legal obligations to reveal information to government agencies or to third parties as demanded by legal orders.[vi]
Section 43A of the IT Act imposes liability upon a corporate body that possesses, handles or transmits sensitive personal data on computer resources that it possesses, runs or controls, to compensate the aggrieved party for wrongful loss or gain caused by negligence in complying with security procedures to secure the personal data of the user. In addition, Section 72A provides that a person, including an intermediary giving services under a contract, who in the intervening time accesses the personal data of another individual and reveals it to cause wrongful loss or gain, without the consent of the informant or in contradiction with the terms of the binding legal contract, shall be sentenced to a term which may extend to three years or a fine which may extend to 5 lakh rupees, or both.
On the contrary, the shortcomings in the IT Act are:
1. Its scope and applicability to data protection are very narrow, and it fails to mention any government agency for data protection in India.
2. It applies only to restricted sensitive personal data recorded in electronic computer resources, without analysis of critical data and maintenance of manual data.
3. It does not apply to any state or government agency, but only to a corporate body in the absence of a valid contract.[vii]
Theoretically, we have formulated a skeleton for the law on the subject, but the provisions of the Act succumb to the limitations put on them. Hence, there is a critical need for adequate implementation of data protection policies through proper enforcement of the laws by the authorities responsible for safeguarding the privacy and security interests of individuals and corporate bodies in India.
RIGHT TO PRIVACY
The genesis of data protection is implied from the landmark judgment of Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India (2017), in which it was declared that the right to privacy is an intrinsic part of Article 21 and Part III of the Constitution. It was contended that there would be a misuse of power by the government if the right to privacy was not recognized. According to Justice S.A. Bobde, although 80% of the internet is Dark Web, that cannot justify state action in violation of privacy, and Justice D.Y. Chandrachud exemplified privacy to be equally available to the masses. Every person has a right to control their data and to disseminate their information on the internet for a limited purpose. Since fundamental rights are enforceable against the state and the central government, the Supreme Court judgment in 2017 conclusively recognized that the right to privacy against private entities requires legislative Acts and policy. The court probed into the data protection measures under the Aadhaar Act, 2016. The state has an obligation to protect the data of the public and to provide a specific mechanism for privacy. Justice Chelameswar states that there is no data protection in Aadhaar, as the moment you put a fingerprint in the system, the whole world gets access to the data. The information used by the state out of legitimate interest does not count as a violation, but it would be a violation if the state tracks public profiles. The court ordered that a robust mechanism to protect data privacy in the Aadhaar card scheme was required.
Before the passing of the landmark judgment, the right had been upheld in several consecutive judgments in the past by the courts in India:
In 1975, in Govind v. State of M.P., the SC derived the right to privacy from the right to life and personal liberty and the freedom of speech and movement. It is framed to safeguard the private data of home, family, marriage, motherhood, procreation, and child-rearing, but is subject to state interest.
In 1994, in R. Rajagopal v. Union of India, the court held that the right to privacy could be both a tortious (actionable claim) and a fundamental right. No person is authorized to publish information unless the concerned person has consented to it or the publication is made out of public records (except for rape, kidnapping, and abduction). It was also held that the remedy for damages is not available to a person if he is a public servant and the claim follows from the discharge of his official duties.
In 2004, in District Registrar and Collector, Hyderabad & Anr. v. Canara Bank & Anr., the court concluded that the right to privacy deals exclusively with personal liberty, freedom of speech and expression, and freedom of movement as a fundamental right enshrined in the Constitution of India.
In 2010, in Selvi and others v. State of Karnataka and Ors., the court acknowledged physical privacy and mental privacy. Although criminal and evidence law pave the way for interference with physical privacy, a person cannot be forced to impart his knowledge about the case against his will. It claims privacy under Article 20(3), wherein techniques such as narcoanalysis, polygraph exam and Brain Electrical Activation Profile (BEAP) cannot be practiced on a person against his choice, as that would be a violation of mental privacy.
CONCLUSION
Technology has enabled users to exchange information through digital platforms and has thereby pushed providers and policymakers to ensure that specific data protection rules and regulations are adhered to, and to set standards to determine whether the applications and platforms used for the continuous exchange of data are secure enough to avoid data leaks or manipulation by non-trusted third parties. After all, “Data is the new oil”.
[i] Hemani Sheth, Personal data of celebrities including Lady Gaga, Priyanka Chopra hacked in data breach: Report, The Hindu Business Line (May 12, 2020), www.thehindubusinessline.com/info-tech/personal-data-of-celebrities-including-lady-gaga-priyanka-chopra-hacked-in-data-breach-report/article31566006.ece
[ii] Cyber criminals leak personal data of 2.9 cr Indians on dark web for free, The Economic Times (May 23, 2020), https://economictimes.indiatimes.com/tech/ites/cyber-criminals-leak-personal-data-of-2-9-cr-indians-on-dark-web-forfree/articleshow/75904331.cms
[iii] The Economic Times, https://economictimes.indiatimes.com/topic/Cyble
[iv] Pratik Bhakta, Hitachi owns up: Systems compromised in 2016 leading to scare, The Economic Times (February 09, 2017), https://economictimes.indiatimes.com/industry/banking/finance/banking/hitachi-owns-up-systems-compromised-in-2016-leading-to-scare/articleshow/57058658.cms?from=mdr
[v] Sneha Johari, Govt’s Central Monitoring System already live in Delhi & Mumbai, Medianama (May 11, 2016), www.medianama.com/2016/05/223-india-central-monitoring-system-live-in-delhi-mumbai/
[vi] Ministry of Communications and Information Technology (Department of Information Technology), Notification dated April 11, 2011, https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf
[vii] RK Dewan & Co - Dr. Mohan Dewan, Personal Data Protection Laws in India, Lexology (May 13, 2020), www.lexology.com/library/detail.aspx?g=08197ebe-aeb4-41d6-a855-ce57a313ea6d