In India, we are 20 years into the period since civil liabilities arising out of Cyber Crimes became legally enforceable through a process of Adjudication. Since then, victims of Cyber Crimes are searching for Cyber Crime insurance. In June 2001, the RBI mandated that Banks should hold Insurance against losses arising out of hacking, denial of access etc. However, it was not until the last few years that individuals in India could take Cyber Insurance policies. Corporates were offered cyber insurance policies since few years earlier where the first party losses and third party losses were covered.
The industry is however still far below the state of maturity that is acceptable to the consumers in the country. To put it mildly the policies are constructed without an adequate risk assessment and consumers may be left feeling that the risk coverage is far less than what they would expect at the given premium.
The reasons could be many. For a long time the insurance industry could say that the law was inadequate, the judicial system was ill equipped, crime metrics were not available, the risks were too huge to be covered etc. But these excuses are not unique to Cyber Risks. Such risks have been there in every field and the industry has found ways and means to address them. What has been lacking is the willingness of the insurance industry to take the plunge.
In such a fluid state, the new Act namely the Personal Data Protection Act (PDPA) will come into operation shortly and cause disruption of unprecedented magnitude in the coming days in the industry.
The data breach reported about the Breach Candy hospital in Mumbai where 1 million patient records and 120 million medical images have been breached has jolted the health care industry. Most of the prudent managements would like to know what could be their liabilities in such cases after PDPA comes into force. The impact of this breach will be extending beyond the health care industry and affect other industries as well.
In India the possibility of individual patients making a claim for loss arising out of the data breach may still be low. Most individuals cannot quantify the loss and their claims would therefore look arbitrary. However, the Data Protection Authority (DPA) in such cases can easily impose an administrative penalty which in the minimum could be Rs 15 crores given the sensitivity of the information and the volume of the breach.
There is however a possibility that thousands of patients who ever had undergone any treatment in Breach candy hospital may send out e-mails to exercise their “Right to information” and ask if their personal information has been breached?. They may also ask for porting of their information including their medical profile back to them for better safety and erasure of the data in the hands of the hospital. The insurance companies may be fishing for information that would help them reject claims of some of their customers or rework their premium upwards based on the leaked information.
Acknowledging and answering such e-mails and resolving the disputes without creating another “Bhopal Tragedy type litigation in the Courts” will require a new “Dispute Resolution Company” to be set up by the Breach Candy hospital.
In all this confusion, there would be a doubt as to whether the leaked data is in fact the correct data. There would be many Phishing fraudsters who would try to come with their versions of fraud to further cheat the victims of the data breach in their own innovative manner. All the patients of the Breachcandy hospital may receive e-mails from fraudsters offering them help in getting compensation and this could itself lead to identify theft and further banking frauds.
Mumbai police have to warn the public about such a possibility.
It is obvious that the society cannot let an incident of this type to run riot and damage the business of private hospitals. What has happened today to Breach candy hospital can happen to Apollo tomorrow and Fortis day after. The community should therefore ensure that this type of incident is treated like a disaster which is definitely unwanted but some thing that needs to be faced with courage and pragmatism.
The Insurance industry has a big role in finding a way forward to how we face such data breaches in the current legal regime before PDPA and after PDPA comes into existence. Currently it is the duty of the CERT In to investigate and find out why and how this breach happened and how it can be prevented in future. The Ministry of Health has come up with guidelines on EHR management and the protocols used for storing of medical images are supposed to be a global standard. It is possible that Breach Candy hospital had implemented Privacy and Information Security standards equivalent to HIPPA requirements.
It is clear that these measures have not helped in preventing the breach. It is possible that the root cause of the breach may not be a sophisticated hack but only a simple password related negligence or lack of encryption. The reasons should be analysed and lessons learnt.
If all hospitals now rush to get Cyber Insurance covers the policies there is a need for the insurance companies to to be able to respond positively. But in writing any policy at this time, they need to take into account the emerging PDPA law that may be in place in the next few months. Hence, the first version of the “Post PDPA Cyber Insurance Policy” should be what these insurance companies need to offer.
For the industry which is still struggling to structure policies for the 20 year old Cyber Crime risks, the challenge of writing the policy for PDPA risks would be almost impossible at least for now. The Indian Companies may only look at the Re-insurers abroad and structure their policies based on what the re-insurers suggest. This may require time and may continue to be deficient in meeting the requirements.
The IRDAI should therefore step in and form an expert committee of the Insurance industry to study the impact of PDPA on the Insurance products and draw up a specific PDPA Risk coverage policy template, much the way RBI set up the S R Mittal working group in 2000 immediately after ITA 2000 was notified, which came up with the Internet Banking guidelines in June 2001.
Other sectoral regulators should also take cognizance of the emerging law and within their own sectors come up with PDPA related codes and practices that could be adopted by the DPA when it comes into existence.
The process of understanding the law and coming up with a set of suggestions is a time consuming affair. Hence these sectoral managers should start their action now rather than waiting until the Government passes the bill, appoints a DPA and the DPA in turn sets up its office and be ready to issue guidelines of its own.
It is to enable such introspection within each industry that the undersigned published his book on PDPA which is presently in e-book format and shortly would be available in print form too. Hopefully the industry would be equally concerned in starting their compliance exercise without any excuses.
When the Information Technology Bill 1999 was introduced in the Parliament in December 1999, Naavi had released his first book on Cyber Law titled “Cyber Laws for Every Netizens” with the hope that it would help the legislators while passing the law. It is with a similar objective that the book on PDPA has also been released though many may feel that it is premature to read the law before it actually gets passed. Even in 1999, the Bill was languishing in the standing committee and no body was sure when it would be passed. But suddenly a virus called “I Love You” hit the global scene and the standing committee suddenly woke up and the law got passed in a hurry.
It appears that the Breach Candy incident will be a similar jolt to the Ministry which may ensure that the Bill gets passed in the current budget session as planned.
If that happens, we can say “I Love you Breach Candy”….because some thing good can happen to the community as a result of this mishap.
There is a wise saying that “It is not the way we fall that matters, but the way we get up”. This applies to the Breach Candy hospital as well as the regulators and the legislators who are considering the passage of the Bill.