Ever since privacy was declared a fundamental right in 2017, the demand for data security has been gathering momentum. Affordable data plans, smart devices, and social media have also increased the generation of personal data and the need for personal data security. The General Data Protection Regulation (GDPR) in Europe put a spotlight on the need for comprehensive legislation to protect personal data, and increased scrutiny in democracies across the world on each country’s privacy regulations (or lack thereof).
This has culminated in the Personal Data Protection Act, 2019, which lays down a framework of regulations and penalties for safeguarding personal data.
Any organisation, including social media platforms, that processes personal data has to become familiar with the upcoming law. The protection of privacy has to be ensured throughout the data lifecycle, from collection to deletion. This includes the security of personal data, keeping it safe from breaches or leaks caused by cyber-attacks. Firms will need to prepare a privacy-by-design policy. Some firms will need to undertake a data protection impact assessment before they can begin to process personal data.
The penalties for non-compliance can be severe: up to Rs. 15 crores or 4% of total worldwide turnover for the previous financial year, whichever is higher, and the affected party can also seek compensation for harm suffered. Breaches of personal data may have to be reported to the affected parties, disclosed on the organisation’s website, and even reported on the data protection authority’s website, leading to further costs from loss of reputation.
Under the similar GDPR in Europe, a leading airline company was fined €183.5 million for losing customer data through a cyber attack on a poorly secured web application, and an international hospitality group was fined €99 million for a breach in an acquired company that was compromised even before the acquisition. Neither loss of personal data was intentional, but steep fines have been levied.
Given the heavy penalties involved, a cyber-security event can constitute an existential threat to an organisation. Indian companies, unfortunately, are increasingly the target of successful cyber attacks as our nation embraces rapid digitisation of services. The average cost of a data breach in India now stands at Rs. 119 million, up 7.9% from 2017. The attackers may either aim to procure valuable personal data to be sold on the Dark Web to cyber criminals, or to extort payment from the victim by threatening to release the personal data.
How vulnerable are Indian organisations in 2020? Companies that don’t emphasise cyber hygiene are very vulnerable. We still see successful attacks on corporate networks that use older, unpatched systems that are vulnerable to exploits for which patches were available long ago but were not applied to these systems for whatever reason.
Such organisations can, and do, easily fall prey to a variety of threats including Ransomware, Advanced Persistent Threats (APTs), Phishing, and Crypto-jacking. Mobile platforms, both Android and iOS, could be another point of entry for many attacks, especially in organisations that allow employees to use their personal devices for work but don’t have an effective, or any, Bring Your Own Device (BYOD) policy. IoT devices that are not secure-by-design and don’t have powerful hardware to run cyber defences will emerge as a popular conduit for malware as we increase our dependence on smart gadgets, drones and industrial IoT.
We anticipate that data protection legislation will trigger greater adoption of data encryption methods (both in motion and at rest, on devices and in the cloud).
2020 will see greater concern and action over data privacy and protection. Data is the new gold; we are bound to see a surge in the gold rush and new or resurgent gold thieves.
The digital Fort Knox that will keep this gold safe is built with cyber-security skills, technology, and tools, fortified with a Cyber-safety First attitude.
About the Author:
Kesavardhanan Jayaraman is a recognised worldwide authority on security research, especially on anti-malware.
He developed India’s first antivirus in 1991. He founded and has led the company from its humble beginning to its current international repute, focused on innovation and security research for more than 27 years.
He has personally authored and supervised many product versions and continues to contribute technically in product design and R&D. His innovative and technological contributions are continually being recognised by the many accolades he receives. Entrepreneur of the year, Pathfinder award, AV-Comparatives Gold award are some of the recent awards.