Abhishek Malhotra, founding and managing partner of TMT Law Practice, has two decades of experience; his primary areas of expertise include intellectual property, commercial dispute resolution, technology, media and telecommunications. He has advised clients on minimising legal risk and devising strategies to safeguard against civil and criminal liability. Mr Malhotra’s expertise in the media sector has resulted in a close alliance with production houses, broadcasters and artists across the industry, and he is recognised as the ‘go-to’ professional for issues across broadcasting, music and sports.

Mr Malhotra is a member of the Bar Council of Delhi and the State Bar of California, and holds memberships of national and international professional associations. He has contributed to books and papers on intellectual property, sports and gaming, data protection, cybersecurity and artificial intelligence.

Atmaja is a senior associate in the dispute resolution team at TMT Law Practice. Her areas of expertise include technology and media law, competition law, copyright law and constitutional law. She has represented the firm’s clientele from the telecommunications, media, television, online gaming and radio broadcasting industries before courts, including the Supreme Court of India and High Courts, and in tribunals and complex arbitrations involving start-ups.

Atmaja is enrolled with the Delhi Bar Council and has a keen interest in academia. She has published articles on contemporary legal issues in reputed international and national journals and delivered lectures on intermediary liability at leading Indian law schools. In February 2022, Atmaja was recognised as one of the youngest Future Legal Leaders by India Business Law Journal.


1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

In the past year, India has taken significant strides in bolstering its cybersecurity standards in order to ensure user safety on the internet. In the absence of any umbrella legislation, regulators typically favour sectoral guidelines.

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, issued by the Ministry of Electronics and Information Technology (MeitY) in February 2021, now provide users with a comprehensive grievance redressal mechanism and mandate intermediaries to assist government agencies in any investigation into a cybersecurity incident and to provide information under their control within 72 hours of receipt of a government order.

In April 2022, the Indian Computer Emergency Response Team (CERT-In) overhauled the breach reporting regime by issuing directions on information security practices, procedures, prevention, response and reporting of cyber incidents (CERT-In Directions, 2022). These directions, inter alia, mandate each body corporate to: (i) report cybersecurity incidents to CERT-In within six hours of noticing them or being notified of them; (ii) maintain logs of all information and communications technology (ICT) systems for a rolling period of 180 days and keep those logs within India; and (iii) furnish information or assistance when directed by CERT-In for the purpose of proactive and preventive action relating to cyber incidents.

Further, the Department of Telecommunications (DoT), as sectoral regulator, has released best-practice guidelines on safe computer practices, internet and email handling, avoiding social engineering attacks and the safe use of digital signatures. To strengthen the protection of financial data, in September 2021 the Reserve Bank of India (the nodal banking sector regulator) issued guidelines mandating tokenisation and masking of card details for all payments through online platforms, so that the actual card number is not retained by merchants and payment platforms.

Separately, the pending data privacy legislation (in its several iterations) may bring further changes to this regime by introducing sector-agnostic compliance and reporting requirements.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

The CERT-In Directions, 2022 mandate reporting of cybersecurity incidents to CERT-In within six hours of the entity noticing them or being notified of them. The directions list the types of incident that service providers, intermediaries, data centres, body corporates and government organisations must report. Failure to comply with the reporting regime may invite punitive action under the Information Technology Act 2000, which may extend to imprisonment for up to one year, a fine of up to 100,000 rupees, or both.

The banking regulator, the Reserve Bank of India (RBI), mandates that banks report cyber incidents (including (i) outage of critical IT systems; (ii) cybersecurity incidents; (iii) outage of infrastructure; and (iv) theft or loss of information) to the RBI within two to six hours.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

In the event of a data security incident, as a matter of practice, every company must prioritise: (i) a prompt and accurate incident reporting mechanism; (ii) deploying resources to analyse the incident and its impact; and (iii) adopting remedial measures so that a similar incident does not recur. Drawing on that experience, companies must ensure that their internal policies, reporting procedures and protocols are aligned with the applicable regulatory and compliance requirements.

A data security incident may also indicate a lapse in technical and organisational standards and the need to upgrade or develop them. Continued evaluation of access controls (including physical access to protected systems) and scrutiny of the measures in place, through continuous and deliberate risk assessments, are necessary to maintain and upgrade security standards. Companies that are data fiduciaries should ensure that their obligations are mirrored in their contracts with data processors, to allow speedy reporting and compliance with early recovery protocols.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

Entities operating in India are statutorily required (under section 43A of the Information Technology Act 2000 and the rules framed under it) to adopt reasonable security practices and procedures commensurate with industry best practice and appropriate to the nature of the datasets concerned and the applicable sector. Companies increasingly rely on international standards to improve their cybersecurity preparedness, in particular IS/ISO/IEC 27001 on Information Technology – Security Techniques – Information Security Management System Requirements, which those rules expressly recognise. Owing to the extraterritorial applicability of the GDPR, Indian companies that process the data of individuals in the EU already comply with the practices set out there. Service providers with a marked presence in the United States also comply with state-specific privacy, consumer data and child protection legislation.

Indian organisations are cognisant of their responsibility and, in this regard, also conduct regular data protection impact assessments (DPIAs) and deploy security information and event management (SIEM) systems for real-time monitoring and analysis of events and for tracking and logging security data for compliance or audit purposes, so that potential security threats can be recognised and dealt with without business disruption.

Security safeguards may include encryption, de-identification measures such as hashing and anonymisation, and two-factor authentication, to ensure the confidentiality and integrity of data. One caveat: a hash of a low-entropy identifier such as a card or phone number only de-identifies it if the hash is keyed with a secret (for example, an HMAC); an unkeyed hash can be reversed by enumerating the possible inputs. With the increased incidence of working from home, companies rely on virtual private networks and on enterprise-level deployment of data servers to effect robust cybersecurity frameworks. With cloud service providers also offering advanced solutions, it is not difficult for companies to adopt better security practices.
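The following is an added worked example, not code from the authors or from any regulator, illustrating three of the safeguards named on this page: the masking and tokenisation of card details referred to under question 1 (the RBI mandate), and the hashing-based de-identification referred to in the preceding paragraph, including why an unkeyed hash of a card number is not de-identification. The card number is the well-known Visa test value 4111 1111 1111 1111 (Luhn-valid, not a real account), the token format and the in-memory vault are assumptions made for the example, and the HMAC key is a constructed placeholder.

```python
"""Masking, tokenisation and keyed pseudonymisation of card numbers.

Added example; it does not reproduce RBI's tokenisation scheme. The token
format, the in-memory vault and the demo key are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample PAN: a published Visa test number, Luhn-valid, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to reject malformed card numbers before tokenising."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive; the rest is replaced."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Toy tokenisation service. The merchant keeps only the token; the PAN is
    held in the vault. Tokens are random, so they reveal nothing about the PAN
    and cannot be reversed without access to the vault."""

    def __init__(self) -> None:
        # Assumption for the example: a real vault would be encrypted and hosted
        # separately from the merchant's systems.
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:        # same card presented again -> same token
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(8)   # 64 random bits; format is assumed
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: looks de-identified but is reversible (see below)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_pseudonym(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key, candidates cannot be tested."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(digest: str, bin6: str, last4: str) -> Optional[str]:
    """Given a 16-digit PAN's BIN (first six) and last four, both of which
    routinely appear on receipts, only the six middle digits are unknown:
    at most 10**6 candidates, which is trivial to enumerate."""
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise(SAMPLE_PAN)
    print("masked:", mask_pan(SAMPLE_PAN))
    print("token:", token, "->", vault.detokenise(token))
    print("unkeyed hash recovered:",
          recover_from_unkeyed_hash(unkeyed_hash(SAMPLE_PAN), "411111", "1111"))
    print("keyed pseudonym:", keyed_pseudonym(SAMPLE_PAN, b"constructed-demo-key"))
```

The enumeration in recover_from_unkeyed_hash is the point of the example: with the BIN and last four known, an unkeyed hash of a card number offers no more protection than the number itself, whereas the random token and the keyed pseudonym cannot be reversed without the vault or the key respectively.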

Further, the deployment of standard protocols for employee training in security principles and safe data handling equips those who process the information with the relevant safeguards and with an understanding of their obligations, so that data subject rights are not eroded. Limiting access to data, restricting access to ‘not safe for work’ websites and similar measures are also routinely enforced. For instance, certain employers do not allow WhatsApp Web, iCloud or Google Drive to be accessed from company devices, so that information cannot be exfiltrated, compromised or tampered with through unsanctioned access provisioned on those devices.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Businesses planning to move data to a cloud hosting environment must first consider the legal implications and compliance requirements of the transfer under the sectoral regulations on outsourcing data processing, data localisation norms and other requirements. Cross-border transfer of data will also necessitate adherence to the transfer regulations of the recipient foreign jurisdiction. It is important for businesses to evaluate the locations from which cloud service providers (CSPs) operate, the measures they have in place and the standards they adhere to, in order to comply with any applicable data localisation norms and to deploy business continuity and disaster recovery measures effectively.

In the absence of any law giving specific guidance on engaging CSPs for work of this nature, businesses must execute a well-negotiated contract with the vendor to ensure that the performance and offerings of the CSP correspond with the requirements of the business and the laws of the land.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

As indicated in question 1, in the past year the Indian government has brought about a remarkable regulatory overhaul to address cybersecurity incidents. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the CERT-In Directions, 2022 have strengthened cybersecurity preparedness by mandating expeditious reporting and investigation of cybersecurity incidents. The Information Technology Act 2000, read with the regulations made under it, penalises cybercrimes, making offenders liable to imprisonment or fines, or both.

The government evaluates serious cybersecurity threats and has blocked malicious websites and applications by invoking the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 as a pre-emptive measure against cybersecurity incidents. The government also engages in constant dialogue with stakeholders, inviting comments on relevant cybersecurity and data protection issues before introducing any new regulatory measure. The pending data privacy legislation is being deliberated further with respect to including the security of non-personal data as well; if enacted in its current form, it will further strengthen the security standards that organisations must adopt. The government is also contemplating the adoption of a National Cybersecurity Strategy to address the increasing number of cybersecurity incidents.

In addition, CERT-In conducts regular assessments and investigations, publishes publicly accessible reports on current cybersecurity concerns, issues forecasts of and alerts on cybersecurity incidents, coordinates cyber incident response activities and issues advisories and guidelines on the prevention, response and reporting of cybersecurity incidents. Other sectoral regulators also independently and proactively evaluate the standards necessary or typical in their sectors. With the CERT-In Directions, 2022, CERT-In has indicated that, as incidents and logs are reported to it, it will in turn share reports with the wider community, so that organisations can better understand how implementation might be improved.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

While contemplating M&A deals, companies must undertake thorough due diligence of the target company’s existing data privacy and security posture, including its internal policies, protocols and vendor engagement and management. If any software or online environments of the two companies are to be transitioned or integrated, a data protection impact assessment must be conducted at the outset. It is not ideal for the companies to merge their datasets at the first instance; consolidation should take place only after evaluation of the policies and protocols followed by both companies. Companies should also be aware that the two entities may differ even at a basic cultural level, which can only be addressed gradually.

The companies must ensure that the policies of both entities can be aligned to come from a single source of truth. There will have to be a change in the organisational structure and hierarchy that governs access to the personal data held by the combined entity, which will in turn lead to changes in the third-party services engaged by either party, to bring them into parity. Furthermore, the entities must familiarise themselves with any peculiar sectoral compliance requirements, those of a particular jurisdiction or those of a registering authority (for cross-border transactions, some jurisdictions have registration requirements), as the case may be.


The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

Clients should seek counsel from lawyers with technical knowledge along with appropriate sectoral knowledge. It is advisable to choose a one-stop shop where lawyers can assist with legal compliance in the relevant sector as well as structure advice that factors in concerns that may arise at the dispute resolution stage. Lawyers should be abreast of the latest cybersecurity threats and incidents and of the technological and organisational standards adopted to address them.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The absence of a central data protection law that adequately addresses data security and breach issues, along with the ambiguity created by successive amendments to the pending data privacy legislation, complicates advisory work. Sectoral rules make it challenging to assume compliance for an entity with diverse business activities.

How is the privacy landscape changing in your jurisdiction?

The privacy landscape in India is undergoing a slow yet substantial change. The pending privacy legislation has undergone several amendments; the last iteration was a complete overhaul that brought non-personal data into the fold. The judiciary’s proactive measures, starting with recognition of the right to privacy as a constitutional and fundamental right, have led constitutional courts to recognise an individual’s right to be forgotten as an offshoot of the right to privacy.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

Server access and system attacks, cloud attacks, data theft, impersonation, spam email, fake applications, ransomware and malware are the most common cybersecurity incidents in India. The CERT-In Directions, 2022 list 20 types of cybersecurity incident that must be reported. Companies should be mindful of this list in their reporting and investigation protocols, and adopt appropriate technological measures.