Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.
1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Since 2017, we have witnessed several discussions, as well as reports from several stakeholders, both public and private, about the Indian legal framework for data privacy and protection. In December 2019, a new iteration of the data privacy and protection legislation was introduced, the Personal Data Protection Bill 2019 (the PDP Bill). Since then, there have been developments in the healthcare and finance sectors with implications for the data privacy and protection framework, although these do not specifically pertain to cybersecurity standards. However, the recent ban on a large number of Chinese apps is reportedly related to cybersecurity concerns. Details of the government’s actions and the responses of the affected private stakeholders are not available in the public domain and the entire issue is rife with speculation.
Sector-specific government bodies such as the Department of Communications have also released best practice guidelines, to mitigate against and prepare users and corporates for any cybersecurity threats and breaches. The guidelines were released to mitigate against any cybersecurity threats emanating from work-from-home activities during the coronavirus pandemic.
2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
Under the extant legal framework, a cybersecurity incident may be reported by an affected individual, organisation or corporate entity. However, instances of targeted intrusion or compromising of critical networks or systems, unauthorised accessing of information technology (IT) systems or data, website defacement or malicious code attacks, denial of service (DoS) and distributed denial of service (DDoS) attacks, domain name server (DNS) or network services attacks, and attacks on e-governance or e-commerce applications, etc warrant mandatory reporting to the Computer Emergency Response Team (CERT-In).
According to the PDP Bill, every data fiduciary (or data controller in PDP Bill terminology) must notify the data protection authority (DPA) about any breach of personal data processed by the fiduciary where the breach is likely to cause harm to any data principal. The data fiduciary must notify the DPA as soon as possible following the breach and within the period specified by the regulations, after accounting for any period that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm. The notification must include the nature of the personal data that is the subject matter of the breach, the number of affected data principals, possible consequences of the breach and the remedial action being taken by the data fiduciary.
The PDP Bill also states that on receipt of a notice, the DPA will determine whether the breach should be reported by the data fiduciary to the data principal, taking into account the potential severity of the harm to the data principal or whether the data principal is required to take some action to mitigate any harm. The DPA will instruct the data fiduciary about the notification to be made to the data principals.
3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
While remediation measures and re-evaluation of technical and organisational measures are urgent concerns for any company, in cases of a data security incident, it is important from a regulatory perspective that companies adhere to the security incident and breach reporting protocols. Meeting timelines will allow containment of any added risks of flouting applicable laws and will also enable the company to assess the need to communicate details of the breach to end users, in conjunction with the appropriate DPA. Continued evaluation of access controls (including physical access to protected systems) is a necessary part of internal housekeeping measures. Immediate steps would also include measuring the extent and impact of a data security incident or breach and embedding learning into the system.
Companies that are data controllers (data fiduciaries in the Indian context) must ensure that their obligations are mirrored by those of the data processors, to allow for speedy reporting and compliance with early recovery protocols.
4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
Organisations in our jurisdiction are increasingly conducting data protection impact assessments (DPIAs) when they are implementing solutions or onboarding new platforms or services into their enterprise set-up. Furthermore, even in the absence of specific legal requirements, deployment of sector-specific and global technical and organisational measures and standards is assisting Indian organisations to improve their cybersecurity preparedness. Companies are also ensuring that they maintain personal data inventories (PDIs) within separate and parallel company functions to ensure creation of proper audit trails for internal privacy teams to evaluate and reassess the access levels granted and the roles of data owners and stewards, and also to ensure the confidentiality, integrity and availability of data.
Companies are training their personnel in security principles, including the basic ones like a ‘clear screen and clean desk policy’. Companies also provide employees with only very limited authority to install software, and limit use and access to company systems and assets.
5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
Prior to transferring data to a cloud hosting environment, businesses must first consider the legal implications (if any) of such a transfer and must necessarily comply with any localisation or similar requirements. Additionally, since businesses might not necessarily have control over physical access, they must ensure that backup instances are available in case of any redundancy and for business continuity.
Lack of visibility of the environment and limited control over access are issues that businesses typically face when choosing to move data to a cloud hosting environment. It is for the business to ensure that it is aware of the containers separate data identifiers are put in (the requirement is to keep personal data and sensitive personal data in separate containers, as a business practice), the levels of access granted to personnel and the levels of protection applied to the environment.
It is best that the company itself retains visibility of the data being moved to the cloud hosting environment, instead of trying to control portions of the moved data. Internal teams must be made responsible for applications and must support the external vendor to ensure security. The use of automated application systems and deployment of management tools also ensures that nothing slips through the several processes involved. As with the four-eyes principle, there must be reassessment by separate teams to make the system robust.
6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
In addition to inviting comments on the PDP Bill from stakeholders, the government is also in the process of evaluating both the existing and the draft intermediary guidelines, with participation from sectoral associations. Serious cybersecurity threats (including political opportunities) are being evaluated by the government and bans or prohibitions pertaining to vulnerable population demographics (children) and high-risk applications (including e-commerce platforms) have been implemented. In view of these threats, the Department of Telecommunications has also directed all state-owned companies, central ministries and government departments to give preference to locally produced cybersecurity products in public procurement.
In addition, institutions such as CERT-In also conduct assessments and upload publicly accessible reports reviewing current conditions. Also, sectoral regulators independently and proactively evaluate the standards necessary or typical in their sectors.
7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
A company must seek information on existing privacy processes, including internal and external policies, standard operating procedures, and enforcement efforts in light of applicable regulatory and compliance requirements. The manner in which a company collects, uses, discloses, stores, shares, discloses, and purges personal and sensitive personal data is a key element in analysing its risk profile. Further considerations would also include robustness of information security programmes (policies, implementation procedures), disaster recovery and business continuity plans, management of all vendors (solutions, services, including cloud service providers), DPIAs (vulnerability and penetration testing), any information security certifications (more importantly, compliance with sectoral standards and industry practice), incident response, reporting protocol and plans, records of any prior incidents or breaches, PDIs or a data maps or data flow charts, and documentation on security audits. Additionally, contractual arrangements and the exposure in terms of liability must also be considered by the acquiring business.
The Inside Track
When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
Clients must look for experience of information technology enabled services or related areas, enabling the lawyer to present solutions that can be best implemented at enterprise level. The lawyer should be able to offer hand-holding services and also appreciate the internal functioning of the client business prior to making any suggestions about modifying the business structure per se.
What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
The ambiguity that exists and the overlaps that predicate the domain make advisory work in the cybersecurity and privacy field interesting. The constant need to reconcile sectoral rules with central legislation and to devise ways to ensure compliance with existing global best practice is a challenge and keeps every privacy professional looking for better and efficient solutions to implement.
How is the privacy landscape changing in your jurisdiction?
The consumer perspective on data privacy and protection is changing, as consumers are witnessing the unabashed exploitation of user data and behavioural data and this is the case globally. The apex court’s judgment on the right to privacy and the mandatory delineation of a national unique social identity system from the country’s welfare schemes has, together with private interference, also brought to the fore the need for a data privacy and protection framework.
What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Of late, distributed denial of service attacks, web application attacks, and payment card skimming have been on the rise and, in line with the global trend, malware and ransomware attacks are also pretty common in the country. Also, there has been a trend for data theft in the banking and the e-commerce sectors. Confirmed data breaches are often associated with banking Trojans stealing and reusing customer passwords, along with automated telling machine skimming operations.