Ensuring data security is a must

The recent reports of CoWIN data being made available to everyone on a Telegram channel have brought the spotlight back on the lesser-discussed problem of data theft in the country. A stolen database is a perfect recipe for cybercrimes such as extortion calls, identity theft, phishing attacks and other scams.

The datasets provided on social media ensure that anyone intending to engage in cybercrime has almost everything they need. People are also likely to use information of the kind that was made available when setting their passwords. This is a recipe for disaster.

At a time when the Government of India is pushing its Digital India programme hard to transform India into a digitally empowered society and knowledge economy, there is growing concern about data privacy and the protection of personal information.

A recent study by MeitY (2019) has estimated the size of India’s digital economy at USD 200 billion in 2019, which is expected to rise to USD 500 billion by 2025. As more people engage in digital transactions and activities, the demand for data privacy and security will increase.

As the CoWIN data leak reports showed, India is far from having a foolproof digital security system in place. There are numerous challenges in the way of data security in the country.

According to a study, only 37% of Indians are aware of their digital privacy rights. This lack of awareness can lead to individuals sharing personal data without realising the risks associated with it. The lack of awareness can also make it difficult to enforce data protection laws effectively.

Being unaware of the harm caused by the misuse of our personal information tends to make us indifferent to privacy protection. 

The ‘Cost of a Data Breach’ report by IBM and the Ponemon Research Institute, based on real-world data breaches experienced by 550 organisations globally between March 2021 and March 2022, said India alone saw a massive 29,500 breaches during the period, with the average per-record cost of a data breach hitting an eleven-year high. Indian firms lost a whopping USD 176 million on average in financial year 2021-22 to data breaches, a 25% increase from USD 40 million in FY20 and up 6.6% from USD 165 million in FY21, according to the report.

Apart from data theft and monetary loss, there are larger concerns at stake, like the safety of children from cyber stalking, child pornography and cyber bullying. With more and more children getting addicted to digital communication devices, especially in the post-Covid scenario, the issue of cybercrime prevention related to children should also be given more prominence.

A lot has changed over the years. From offline communication, we have moved to predominantly online communication and data storage. Theft of critical defence-related information also poses a huge security risk.

It’s not that everything is bleak. Measures are continuously being taken to prevent data theft and secure online transactions. Some of the initiatives taken by the Indian Government to ensure security include Cyber Surakshit Bharat, the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), Chief Information Security Officers, etc.

We have also seen how policies regarding banking passwords have changed over time. Banks are deploying more measures to secure online transactions, such as introducing the OTP system, suspending transactions, and sending SMS and email alerts to account holders after every transaction made by swiping debit/credit cards or through online payments and receipts. There is also the option of reporting to the bank helpline in case the account holder did not make the transaction.

Yet, online thefts are happening, which means we need to strengthen our safety net further. The Union government informed the Supreme Court on April 11, 2023 that a new law, namely the Digital Personal Data Protection (DPDP) Bill 2022, to enforce individual privacy in the online space is ready. The new bill will be tabled in the Monsoon Session of Parliament in July. If passed by Parliament, it would replace the current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, which were notified in 2011. The Supreme Court had recognised privacy as a fundamental right in 2017 and highlighted the need to protect online personal data from prying eyes.

The DPDP Bill provides for the formation of a regulatory body termed the ‘Data Protection Board of India’. The Bill mentions that the primary function of the Board is to determine non-compliance with provisions of this Act and impose penalty under the provisions of this Act.

The government has proposed a penalty of up to Rs 500 crore for violating the provisions of data security under the new bill. The bill also proposes a penalty of up to Rs 250 crore in case the data fiduciary or data processor fails to protect against breaches of personal data in its possession or under its control. It remains to be seen how effective this will be.
