Last month India's national airline, Air India, announced a cyber-attack on its data processor’s data servers that has affected about 4.5 million customers around the world. The breach involved personal data registered between August 2011 and February 2021. Details including name, date of birth, contact information, passport and ticket information as well as credit card data were all compromised. In a statement Air India said: “The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers.”
Home working, digital transformation and a lack of action create the perfect storm
Unfortunately, India is no different from other countries when it comes to cyber breaches, and cybercriminals are carefully discovering new ways to obtain sensitive personal and business data. This, coupled with the fact that the pandemic has accelerated digital transformation initiatives and catapulted the ecosystem forward five years in a few months, has compounded the issue.
In recent years, India has experienced its fair share of incidents, from the well-publicised international Facebook hack, whereby the details of more than 500 million Facebook users, including those of Indian consumers, were found available on a website for hackers, to a massive database breach that occurred in MobiKwik servers, whereby Indian card holder data was leaked and hundreds of thousands of its users’ details surfaced on the dark web. Likewise, Indian telecommunications company Tata Communications suffered a data breach, and the cybercriminals claimed they had sold access to Tata’s servers to hackers. And BigBasket, the popular Indian online grocery vendor, faced a data breach that affected the data of over 20 million customers.
In fact, according to Indian publication THE WEEK, India saw a 37% increase in cyber-attacks in the first quarter of 2020 compared to 2019, and India features as one of the top countries that have fallen prey to data breaches over the years. With more employees now working from home, many without adequate protection, these companies are an easy target for cybercriminals.
Serious data breaches and incidents of cyber intrusion have a powerful effect on driving regulatory change and, while companies in India are already adhering to regulations such as GDPR and CCPA when servicing overseas customers, they have only recently started to look seriously at privacy and data protection frameworks and ensuring that such frameworks are enforced. This is not just because it enables the nation to trade with overseas customers but because it is good business practice to protect data and have the customers’ best interests at heart.
A lack of dedicated cybersecurity laws
Today India doesn’t have any dedicated laws on cybersecurity; the only provision is the Indian Cyber Law in the Information Technology Act, 2000. However, many say that this merely pays lip service to legal cybersecurity frameworks. It is therefore timely that the India Personal Data Protection Bill (PDP) is being introduced, which will supersede the Information Technology Act. Right now, the new law is in front of parliament with the aim of bringing about a comprehensive overhaul of India's current data protection regime.
Regardless of when this law gets ratified, Indian organizations should look to implement the appropriate measures to prevent unauthorized access to sensitive and confidential information, and to prevent malicious cyber-attacks, accidental loss, or the deletion of any confidential data.
This involves putting in place a robust data security strategy that centers on people, process and technology. Organizations need to ensure that employees are trained and understand the importance of securing sensitive and confidential information. Security should become embedded into the culture of the business, with processes put in place to support this. This also involves implementing the right technology to guard against both the malicious and accidental loss of data. Data security is only as robust as the various elements that support it; layering proven solutions to ensure your sensitive and confidential data remains secure from start to finish is therefore imperative.
This is where the Fortra data security platform really helps, as our suite of products is designed to bring an organization’s data security policy into this modern hybrid reality with multiple ways of working with organizations. We have data security solutions that help ensure intellectual property and sensitive data are kept safe and secure. Our products run right across the various data protection requirements, from classifying data inside the organization at the outset through to detecting and preventing leaks of sensitive information outside the organization.
Viewing compliance as a positive competitive differentiator
Going forward, the Indian PDP Bill and numerous other regulatory regimes will continue to be developed. But while compliance with data protection regulations is non-negotiable and the penalties for failure are severe, it is a mistake to see compliance solely as an inevitable burden. With a comprehensive and proactive approach that involves a combination of people, process and technology, organizations can pivot from viewing compliance as an expense and turn it into a positive competitive differentiator, one that, over the long term, will prove to deliver business benefits.
Ultimately, in today’s highly regulated data environment, organizations in India need to embrace and build an effective compliance strategy, as those that do will experience positive business benefits and undoubtedly reap the rewards. Those with low levels of data privacy protection and data governance software adoption need to change – and change quickly. By taking a layered approach to data security and adopting a people, process and technology centric approach, organizations in India can confidently embrace the new PDP Bill and, once compliant, should view this as a competitive advantage.