Blog Details

WHAT IS DATA BREACH AND HOW DOES IT AFFECT?

• What is Data Breach- It is the unauthorised access to confidential or protected data.

https://www.cyberark.com/what-is/data-breach/ 

• How does data breach happen- It may happen by a malicious insider who may have authorisation to access the data but uses it with an intention to cause harm; losing a hard drive containing important information and hacking [including PHISIHNG (data hackers posing as a trusted source), BRUTE FORCE ATTACKS (password guessing) and MALWARE (malicious software entering the system due to lack of proper security)]

https://www.kaspersky.com/resource-center/definitions/data-breach

• How does data breach affect:

1. BUSINESS- revenue loss, damage to brand reputation, loss of intellectual property, hidden costs and online vandalism 

https://www.theamegroup.com/security-breach/

2. CONSUMERS- name, address, phone numbers and sensitive information compromised.

https://www.insurancethoughtleadership.com/cyber/data-breaches-impact-consumers

3. GOVERNMENTS- malicious mails can be sent to all government email users, personal information of citizens and officials at cost.

https://www.thehindu.com/news/national/data-breaches-expose-emails-passwords-of-several-government-officials-to-hackers/article60676924.ece

DATA PROTECTION LAWS IN INDIA

• A right balance and blend of laws as learnt from different countries- 

INDIA

https://www.digitalindia.gov.in/writereaddata/files/6.Data%20Protection%20in%20India.pdf

• I.T ACT, 2000- This act basically deals with cybercrimes and electronic commerce. https://www.legalserviceindia.com/article/l37-Data-Protection-Law-in-India.html 

1. Section 43 (penalty for unauthorised access to computer system)

2. Section 65 (protection against tampering of computer source code)

3. Section 66 (imprisonment or fine or both for hacking)

4. Section 70 (imprisonment and fine for hacking into protected government systems)

5. Section 72 (a person given the authority to secure access to any data must keep the data confidential) 

• The Personal Data protection Bill, 2006- https://cis-india.org/internet-governance/proposed-privacy-bill#:~:text=The%20Personal%20Data%20Protection%20Bill%202006%20was%20a%20simple%2014,%E2%80%9D%20or%20%E2%80%9CCommercial%20Gain%E2%80%9D. (Personal data shall remain confidential and shall not be collected without consent or disclosed for marketing or commercial gain) 

• Draft Digital Information Security in Healthcare Act ('DISHA')- The Indian Government is planning to implement the Digital Information Security in Healthcare Act ('DISHA') which would be India’s first Health Data specific legislation. 

http://www.nlujlawreview.in/digital-information-security-in-healthcare-act-its-impact-on-m-health-vis-a-vis-personal-data-protection-bill-2019/#:~:text=In%20PDP%20Bill%2C%202019%2C%20health,commercial%20purposes%20has%20been%20prohibited.

• Geospatial Information Bill 2016- makes it mandatory to take permission from a government authority before acquiring, disseminating and publishing or distributing any geospatial information of India.

https://economictimes.indiatimes.com/tech-life/geospatial-information-bill-2016-all-you-need-to-know/slideshow/52292015.cms 

• Data Protection Bill, 2021- Upon recommendation of the Supreme Court in 2017, the data protection bill was introduced in 2018. The draft bill brings in a number of significant changes as compared to the earlier iterations of the proposed law, such as expanding the scope of the law to cover not only personal data, but non-personal data as well.

https://iapp.org/news/a/a-look-at-proposed-changes-to-indias-personal-data-protection-bill/ 

• Guidelines on Regulation of Payment Aggregators and Payment Gateways by the Reserve Bank of India- RBI introduced a restriction on payment aggregators and merchants from storing card and card related data. 

https://www.meity.gov.in/writereaddata/files/Intermediary_Guidelines_and_Digital_Media_Ethics_Code_Rules-2021.pdf 

• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021- These rules provide for certain due diligence requirements to be followed by internet ‘intermediaries’ including an obligation to retain information of all users collected upon registration for one hundred and eighty days even after any cancellation or withdrawal of such registration. The rules also went a step ahead by recognizing certain intermediaries as ‘significant social media intermediaries’ if the number of registered users cross a certain threshold (subsequently notified as 50,00,000 registered users)

https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021 

• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011

Prescribing security practices for personal data. https://tsaaro.com/blogs/it-act-spdi-rules-data-protection-regime-of-india/ 

THE BIGGEST DATA BREACHES IN INDIA

These include- Air India data breach highlights third-party risk, CAT burglar leaks 190,000 applicants’ details to dark web, Hacker delivers 180 million Domino’s India pizza orders to dark web, Trading platform Upstox resets passwords after breach report, Police exam database with information on 500,000 candidates goes up for sale, COVID-19 test results of Indian patients leaked online, User data from Juspay for sale on dark web, BigBasket user data for sale online, Hackers steal healthcare records of 6.8 million Indian citizens, SBI data breach leaks account details of millions of customers, Local search provider JustDial exposes data of 10 crore users

https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html