Companies like Byju’s, Bigbasket, MobiKwik and several others have had a data breach or an exposed server, at least once. None of them were penalised due to the lack of a specific provision against data breach in the Information Technology Act of 2000 and a separate comprehensive statute on data protection laws, writes VISHAL RAGHAVAN.
The pandemic has forced even companies that aren’t technologically savvy to go virtual. With the rapid expansion of the online business, caused by both advancing technology and the pandemic, online crimes, like data breaches, have increased as well.
In response to an unstarred question in the Lok Sabha in 2020, then-minister of electronics & information technology Sanjay Dhotre said that according to CERT-In, 49,455 cybersecurity incidents were reported in 2015, 50,362 in 2016, 53,117 in 2017, 208,456 in 2018, 394,499 in 2019 and 696,938 till August 2020.
Most companies, including tech giants, like Google, Microsoft, Apple and Amazon, have been hacked at some point due to loopholes or weak security.
Indian companies breached in 2020-2021
Byju’s, Bigbasket, Air India, Paytm, MobiKwik, Zee5, Nykaa and others reported data breaches or exposed servers.
Bigbasket, October 2020
Data of two crore Bigbasket customers were stolen and available on the dark web for $40,000, according to Atlanta-based cybersecurity firm Cyble. Bigbasket acknowledged the breach only after an international media outlet approached Cyble.
Byju’s-owned WhiteHat Jr, November 2020
WhiteHat Jr, an edtech start-up, faced a data breach discovered by an anonymous independent cybersecurity researcher. Names, addresses, emails, phone numbers and chat logs of 2.8 lakh students and teachers were exposed for up to 24 hours.
MobiKwik, March 2021
A fintech company which provides e-wallet services, like Paytm and Freecharge, MobiKwik was hacked with KYC details—Aadhaar numbers, signatures, phone numbers, address, etc—of 110 million customers totalling 8.2 terabytes available on the dark web.
MobiKwik, like Bigbasket, denied the breach, reported by independent security researcher Rajashekhar Rajaharia, who was backed by French cybersecurity expert Elliot Anderson and Australian web security researcher Troy Hunt.
Flipkart data breach and ghost orders, April 2021
A regular Flipkart shopper and the founder of customer service start-up Intentico, Satish Medapati, had got multiple SMSes claiming that he had booked 17 orders from the ecommerce portal. Rajaharia claimed that Flipkart was not compromised but it was the Bigbasket stolen data doing the rounds on the dark web and Telegram purporting to be of Flipkart.
Byju’s second consecutive breach in June 2021
Security researcher Anurag Sen alerted that Salesken.ai, which provides CRM tools used by the EdTech, was not secure and data was exposed. However, Salesken.ai denied his claims saying the open-end server was used as a sandbox.
Information Technology Act, 2000, and data breach
All these companies didn’t notify their customers of the data breaches; it was either cybersecurity firms or independent security researchers or the media who made them public.
The I-T Act, 2000 lacks a provision making reporting of data breach by a company mandatory. Hacked companies take advantage of this flaw and never report such breaches to avoid judicial proceedings.
Section 43A only prescribes a penalty or compensation to be paid by a company for its failure to protect customer data. The compensation amount or penalty will be decided by an adjudicating officer appointed under Section 46.
Section 47 mentions three factors to be taken into account to calculate the compensation or penalty:
a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
b) the amount of loss caused to any person as a result of the default;
c) the repetitive nature of the default.
If the claim for damages is less than Rs 5 crore, the adjudicating officer appointed under subsection 1 of Section 46 shall have jurisdiction to adjudicate the matter. Whereas, if the damages claimed exceed Rs 5 crore, the jurisdiction vests with the competent court.
Till date, no court has punished a company for data breach or ordered payment of damages to a customer(s) affected by such breach.
Section 85 specifically provides for a penalty against companies and their officers for contravening provisions of the Act. However, such an officer cannot be punished if he proves that the “contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention”.
EU’s General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, has watertight data protection laws and the most stringent provisions for companies.
As per Article 82, any person whose data is breached by the controller or processor shall have the right to compensation and liability.
Article 83(4)(5) enumerates offences and penalties depending upon the gravity of the infringement. Subsection 4 (lower-level fine) prescribes a penalty of up to €10 million or 2 per cent of the company’s global annual turnover. Subsection 5 (higher-level fine) prescribes a fine of up to €20 million or 4 per cent of the company’s global annual turnover.
Fines collected under GDPR
As per research conducted by multinational law firm DLA Piper, €272.5 million, or $332.4 million, has been collected as fine from companies between May 2018 and January this year with Italy on top, followed by Germany and France.
Since May 25, 2018, more than 281,000 data breach notifications were reported to the regulators with Germany topping with 77,747, followed by The Netherlands at 66,527 and the UK at 30,536,
The highest corporates fined under GDPR were Google with €50 million in March 2020, H&M at €35 million in October 2020, TIM at €27.8 million in January 2020, British Airways at €22 million in October 2020 and Marriott at €20.4 million in October 2020.
Need for a watertight law
The Personal Data Protection Bill, 2019, which is based on GDPR and provides for comprehensive data protection, is expected to be discussed during the Winter Session of Parliament.
The Bill governs the processing of personal data by “(i) government, (ii) companies incorporated in India and (iii) foreign companies dealing with personal data of individuals in India”. The Bill categorises certain personal data as sensitive personal data.
With no proper law against data breach, companies are not liable to action. Besides, the I-T Act is only applicable to companies, not the government. A comprehensive data protection law, like GDPR, Australia’s The Privacy Act, 1988, and Canada’s The Privacy Act, 1985, is the need of the hour.
Correction: A previous version of this story misstated that data was stolen from WhiteHat Jr.
(Vishal Raghavan is a law graduate from University of Mumbai. The views expressed are personal)