
Legal Challenges of Cybersecurity Risks

Analysing the Implications of Recent Breaches & Legal Frameworks Governing Data Protection

By Gaurav Sahay

 

In this digital age, cybersecurity risk is a reality that every organisation, from the small business to the multinational corporation, must face. With the rapid expansion of data-driven business models, cyber-attacks have become a looming threat. The challenges are particularly significant for emerging economies like India. As one of the fastest-growing digital economies, India has witnessed a surge in cyberattacks targeting both the private and public sectors. While technological defences are crucial, the legal framework governing cybersecurity in India has also been evolving. The introduction of the DPDPA (the Digital Personal Data Protection Act, 2023) and the increasing enforcement of existing cybersecurity laws reflect the growing recognition of cybersecurity as a priority in India's regulatory landscape, one that addresses domestic challenges while being read alongside global frameworks.

 

The frequency and sophistication of cyberattacks have increased significantly, driven by factors including the proliferation of connected devices, remote workforces, and the rise of ransomware-as-a-service. India's rapid digital transformation has increased its exposure: a population of over 1.3 billion people and an expanding digital economy make India a lucrative target for attackers. According to CERT-In, India witnessed more than 18 million cybersecurity incidents in 2023.

 

Drawing on both the Indian and the international context, some of the infamous yet significant cybersecurity breaches that have left a lasting impact on industry and on the regulatory system are the following. The Aadhaar data breach (2018), in which personal information of over 1.3 billion Indian citizens was reportedly compromised, triggered multiple PILs, and although the Supreme Court of India upheld the constitutionality of the Aadhaar scheme, it introduced stringent safeguards to ensure data privacy. The ruling reinforced the principle that businesses and government agencies must uphold high standards of data security or face legal consequences. The Cosmos Bank cyberattack (2018) was another significant breach in India: attackers siphoned off INR 94 crore from the Pune-based Cosmos Bank in a highly sophisticated malware attack, cloning debit cards and using them to withdraw money from ATMs across 28 countries. This breach exposed the vulnerabilities of India's banking systems and emphasised the need for stronger cybersecurity measures in financial institutions. Following the attack, the Reserve Bank of India (RBI) issued stricter cybersecurity guidelines for banks and financial institutions, mandating that they adopt real-time monitoring systems and bolster their incident response protocols.

 

One of the most notorious cybersecurity incidents is the SolarWinds breach (2020), a software supply-chain attack in which the attackers inserted a backdoor into legitimate, signed updates of SolarWinds' Orion software, so that customers who installed the update gave the attackers access to the networks of government agencies and corporations worldwide. In 2021, Air India suffered a massive data breach that compromised the personal data of approximately 4.5 million customers, including sensitive information such as passport numbers, credit card details and passenger names. In May 2021, a ransomware attack on Colonial Pipeline led to widespread fuel shortages across the eastern United States. The attack forced the pipeline to shut down for several days, highlighting the vulnerability of critical infrastructure to cyber threats. Colonial Pipeline paid a ransom of $4.4 million to the attackers in cryptocurrency, a move that sparked a debate about the legality and ethics of paying ransoms in such cases.

 

With the rise of multinational corporations operating in India and increasing data flows across borders, there are concerns about how Indian data is protected overseas, and cross-border data transfer has become a significant legal challenge. The DPDPA, which regulates the collection, processing and storage of personal data, addresses cross-border transfers by empowering the central government to restrict transfers of personal data to notified countries. The DPDPA imposes stringent obligations on businesses, including Indian subsidiaries of foreign companies, to safeguard personal data and implement robust cybersecurity measures. It broadly aligns with international standards, and Indian companies processing the personal data of foreign residents remain subject to those jurisdictions' laws as well, such as the GDPR. This raises the prospect of a dual compliance burden for Indian businesses operating internationally, as they must navigate both Indian and foreign data protection laws.

 

Apropos of the Air India breach, the significant role of third-party vendors in cybersecurity incidents is starkly visible. Indian law holds that businesses are responsible for ensuring that their third-party vendors adopt reasonable cybersecurity practices; under the DPDPA, the Data Fiduciary remains responsible for compliance even where processing is carried out by a Data Processor on its behalf. The law, in conjunction with industry-specific regulations, requires businesses to implement contractual safeguards ensuring that third-party providers adhere to security standards. Indian businesses face the challenge of ensuring compliance across a complex supply chain, as outsourcing and third-party vendors are integral to sectors such as IT, banking and e-commerce. Failure to enforce strict cybersecurity protocols among vendors can result in legal liability for data breaches, further complicating the risk landscape.

 

CERT-In is the national nodal agency responsible for monitoring and responding to cybersecurity incidents in India. Under its directions of April 2022, CERT-In has mandated that organisations report cybersecurity incidents within six hours of noticing them, a measure designed to enhance incident response and mitigate damage. For businesses in regulated sectors such as banking, compliance with the RBI's Cyber Security Framework is mandatory. RBI guidelines require banks to conduct regular security audits, maintain secure networks and implement real-time monitoring systems. Failure to adhere to these guidelines can result in penalties and restrictions on operations, as evidenced by fines imposed on several banks following the Cosmos Bank attack.

 

Given the increasing frequency of cyberattacks and the evolving regulatory landscape, Indian businesses must adopt proactive legal strategies to minimise cybersecurity risk. They must conduct regular risk assessments to identify vulnerabilities and ensure compliance with applicable laws. The DPDPA requires businesses to revisit their data processing practices and adopt stricter measures to ensure compliance.

 

With rising cybersecurity incidents and risks, Indian businesses are turning to cyber insurance to mitigate the financial impact of breaches. While cyber insurance policies in India are fairly new, they are gaining traction. Businesses must carefully evaluate and tailor their policies to ensure adequate coverage for regulatory fines, breach notification costs and legal defence.

 

India’s regulatory landscape for cybersecurity is undergoing significant transformation. The future of cybersecurity in India is likely to witness greater accountability for businesses and stricter enforcement of data protection regulations. The role of the judiciary will also be crucial, as courts interpret these new laws and set precedents for liability in cybersecurity cases. By adopting proactive legal strategies, ensuring compliance with evolving regulations, and building robust cybersecurity frameworks, Indian businesses can protect themselves from the legal, financial, and reputational damage associated with cyberattacks.

 

(The author is Practice Head – Technology & General Corporate, Fox Mandal & Associates LLP, and the views expressed in this article are his own)