In today’s age of digitization, data security has gained utmost importance in the field of information technology. A lot of personal data is now in the control of various data processors or data controllers, and they must ensure that they take all reasonable measures to protect that data. Data breach notification is a concept that stems from data security. Under data breach notification laws, an entity, be it a data controller or a data processor, is obligated to notify its customers in the event of any data breach of its systems, along with the steps being taken to remedy the breach. Breach notification laws are important for two reasons: first, they help in analysing the nature of the data breach, which can reveal patterns that indicate whether the breach was an isolated incident or part of a large-scale attack; and second, users can be made aware by the data controller of the breach that has taken place, so that corrective steps can be taken to protect their personal data.
Currently there is a dearth of breach notification laws in India. There are no provisions in the Information Technology Act, 2000 or the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 that make it mandatory for an entity to report a data breach to consumers. In essence, this means that a hospital or a bank could get hacked, leading to a compromise of customers’ sensitive and personal information, and the customers would have no idea, as these institutions have no obligation to inform them. That being said, India does have certain laws that mandate an organisation to report to industry regulators in the event of a data breach. The Cyber Security Frameworks in Banks, 2016 issued by the RBI elucidates the importance of and need for data security. Under this framework, all banks are obligated to report a data breach to the RBI within 2-6 hours; failing to do so results in penalties being levied on them. In October, 2017 the RBI levied a fine of ₹ 6 Crore on Yes Bank for non-compliance with the above-mentioned framework. Secondly, the Computer Emergency Response Team (CERT-In), set up by the Ministry of Electronics and Information Technology, has prescribed certain rules under which it needs to be notified in case of a data breach. However, these rules are still unclear. Lastly, the National Critical Information Infrastructure Protection Centre (NCIIPC), created under Sec. 70A of the Information Technology Act, 2005, has prescribed that if an entity falls under an industry that is part of the “critical infrastructure”, any incident relating to a data breach has to be reported to the NCIIPC. The above-mentioned laws, though present, are still quite unclear. Bank employees themselves are at a loss, in the event of a data breach, as to whom the breach has to be reported. There is no concrete process for doing so.
There are certain countries in the world, like Australia and the U.S., that require companies to notify the users who have been affected by a breach that has taken place. Such laws are generally woven into the privacy protection framework itself. The State of California was the first State in the U.S. to implement a law relating to breach notification; it came into effect in July, 2003. In Australia, the Mandatory Data Breach Notification (MDBN) became law on 22nd February, 2018. This is a huge step forward in the sphere of data protection and security. As per the MDBN, any organisation that has had a data breach must notify the Privacy Commissioner and the individuals who are at risk due to the data breach.
India should put in place a more uniform and streamlined law relating to breach notification and data security. This law should lay down the procedure for notification as well as a timeline within which it must be made. This will encourage all organisations to put better security measures in place and help in dealing with the issue of data security.