On November 23, five servers at AIIMS were breached and the data on them was encrypted and rendered inaccessible. Records of an estimated 3-4 crore patients were affected, including those of many VIPs. OPD follow-ups for critical ailments such as leukaemia ground to a halt. Never-ending queues of patients, many of whom had travelled long distances from other states, formed outside AIIMS, exposed to the mercy of the elements. The Indian Computer Emergency Response Team (CERT-In), the Delhi Police's Intelligence Fusion and Strategic Operations (IFSO) unit, the Central Forensics Lab (CFL) and others got involved. Two system analysts were taken to task, and stories emerged of a foreign hand demanding a ransom of Rs 200 crore in cryptocurrency; the authorities remained tight-lipped on both counts.
The Sree Saran Medical Centre in Tamil Nadu reported that hackers were selling the data of over 1.5 lakh patients on the dark web: $100 for a non-exclusive copy of the database, $300 for exclusive ownership, and $400 if the 'customer' intended to resell it. A sample containing records from 2007-2011 was provided to establish authenticity. Popular cybercrime forums carried the advertisements, complete with the names of doctors and the Protected Health Information (PHI) of hospital patients. CyberPeace Foundation and others revealed that this year alone nearly 1.9 million cyber-attacks were recorded against the Indian healthcare network, originating from countries such as Pakistan, China and Vietnam. ICMR reported six thousand unsuccessful hacking attempts. Safdarjung Hospital was also hit, with limited impact because the hospital runs largely on manual systems; only one server went down, and it was restored within a day. And it is not just the healthcare sector that is vulnerable.
More than 360 million phone numbers of WhatsApp users from 108 countries were leaked and put up for sale on the dark web, according to the cybersecurity firm Check Point, exposing their owners to phishing, vishing (voice phishing) and smishing (SMS phishing). Amazon alone reported an 86% increase in phishing e-mails this year, with a 17% rise during the Black Friday sales alone. What, then, is the current state of digital security in India?
Digital security has two aspects: the technical defences against attackers, and the threat of punitive action should attackers breach those defences. The defences comprise security programmes, firewalls and the like, and are largely the province of specialised security firms. Neglect here has consequences: the weak security of the AIIMS data was known and flagged as far back as 2019. An agency was appointed, at a cost of Rs 48.92 crore, to install a new secure system; upgrading the old system was not part of the contract, and so it was left unattended until a fresh tender could be sanctioned.
Data protection became a major legal issue on 24 August 2017, when a nine-judge bench of the Supreme Court delivered the historic Puttaswamy judgement (Justice K.S. Puttaswamy v Union of India), affirming the right to privacy as a fundamental right. Thus began the search for an adequate data protection law. The Justice B.N. Srikrishna committee published a white paper in 2017 and called for comments, which eventually led to the draft Personal Data Protection Bill, 2018 (PDP Bill 2018). After a further round of comments, the government introduced the Personal Data Protection Bill, 2019 (PDPB 2019) in Parliament and referred it to a Joint Parliamentary Committee. The JPC report, with numerous amendments, was tabled in 2021 after two years of deliberations. The bill was then withdrawn abruptly in August this year. The Ministry of Electronics and Information Technology (MeitY) has now published the draft Digital Personal Data Protection Bill, 2022 (DPDPB 2022) and invited comments by 17 December. The urgency of data protection cannot be overstated: 43% of organisations have failed a security compliance audit at some point.
Regrettably, despite this being the fifth reincarnation, the bill still suffers from a number of infirmities. It has been cut from 90 clauses to 30. Even as the language has been simplified, the phrase "as may be prescribed" occurs 18 times, signalling that the rules and bye-laws will follow later. This is a matter of concern, because it is the rules that determine whether the law has teeth. The term "right to privacy" is entirely absent from the document. Enforcement will rest with a "Data Protection Board", but the appointment of its chairperson and members, their number and qualifications, and its terms of reference are all left to the Central Government, which will undoubtedly act as master puppeteer. There are no provisions for imprisonment, only financial penalties of up to Rs 500 crore (which may be increased to Rs 10,000 crore), with no reference to the turnover of the offender. This waters down the element of criminality and weakens the bill considerably. The relationship between this bill and the RTI Act is murky and the boundaries need defining. It is commendable, at least, that suggestions from the public have been invited.
We have a history of bulldozing badly drafted laws through the legislature and following up with endless tinkering. The GST Act underwent 376 changes in the first ten months after it was passed, and the amendments continue, with nearly twenty this year alone. We sincerely hope the DPDPB fares better if we are to achieve the PM's goal of a Digital India.
(The author is a founder member of VHAG)

