Data Breach Notification.. What PDPSI expects

[In continuation of the earlier article/s on PDPSI, we proceed to unravel the further details of the Personal Data Protection Standard of India (PDPSI). The objective of the standard is to make available a open source guideline to Indian Companies to comply with Privacy and Data Protection requirements that meet the standards of BS10012, GDPR as well as the Indian laws such as ITA 2000/8 and the proposed PDPA 2018.]

Data Breach Notification is an important responsibility cast on any data processor under every Data Protection regulation.

Whenever a Data breach occurs, the Data Controller/Processor/Data Fiduciary need to report it to the regulatory authority within a certain time limit and with a certain amount of details. A failure in reporting itself is a serious non compliance issue. Even when the data breach victims may not have any compensation to claim, the regulatory authority may impose a heavy fine on the organization for the data breach and with an exalted penalty if the breach notification is delayed.

Under GDPR (Article 33) a data controller should report a breach within 72 hours to the supervisory authority. A Data Processor should report the breach to the data controller “without undue delay” after becoming aware of a personal data breach.

Under PDPA 2018, (Section 32) the time limit specification is left to the DPA to notify when the DPA comes into existence.

In the meantime, ITA 2000/8 under Section 79 prescribes “Due Diligence”, time for initiating a grievance redressal mechanism has been prescribed as 36 hours and time for taking down of disputed information upon receipt of an order from a competent authority would be considered as “Immediate”. Under rule 3(9) of the Intermediary guidelines of 2011, it was mentioned that the intermediary shall report the cyber security incidents to the CERT-IN. But no specific time was specified.

The CERT In separately gave out a notification in which details of what to be reported has been indicated. The time for reporting has to be within a “Reasonable Period”. Apart from this, sectoral regualtors like RBI expect Banks to report incidents to them for which they may prescribe different time limits.

All the regulations normally provide that a provisional report can be made immediately and progress reports can be filed later. GDPR provides that report should be made to the Data Subjects also. Some regulations like HIPAA require reporting through news paper advertisements and websites.

While we await the DPA of India to provide the time limits for data breach notification, it is necessary for us to recognize that it is not the time and content which are important for a Data Breach report. This is easy to define in a “Data Breach Notification Policy” which every organization should develop as a part of the control. This is also required under PDPSI.

However, since PDPSI attempts to provide a Data Trust Score (DTS), it is essential for the auditor to assess the quality of the data beach notification policy. If it contains only what is to be reported, to whom and when, it would not be considered an adequate policy.

We must understand that a “Wrong Data Breach Notification” would be disastrous for a company from the point of view of reputation loss and hence before classifying an event as a “Breach” some discretion has to be applied. This is the most difficult part of a DPO’s responsibility since some regulations like GDPR expects the DPO to be directly responsible to the supervisory authority and non-reporting could be a “Breach of Trust” for the DPO.

Security professionals however know that after a breach occurs, it takes time for it to be detected. First it would be a suspicion and then after a preliminary investigation, suspicion becomes confirmed as a “Breach incident”. Within this time there may be a need for an internal investigation if necessary with forensic intervention. The DPO may not be fully in control of this time frame and the delay could expose him to non compliance charge from the supervisory authority.

In order to ensure that the DPO is not exposed to unintended consequences during such internal deliberation, the “Data Breach Notification Policy” should clearly establish how a breach will be recognized, evaluated and classified. If the company has a “Whistle Blower Policy”, the data breach recognition commences with the initial whistle blower’s report. The” Incident Management Policy” should also be integrated with the Data Breach notification policy since the reported incident after being resolved, needs to be evaluated as to its classification as a “Breach”.

Additionally, all regulations provide that certain law enforcement agencies have the power to demand information and not providing information when law requires it to be provided has its own penal consequences.

Hence every organization should develop a “Data Disclosure Policy” which addresses the issues of how to respond to a “Data Disclosure Requirement”. Such request can come from a data subject or a police officer or a supervisory authority or a DPA etc. While the law may be clear on who has the right to ask for the information and it is easy to incorporate in the policy, the difficult part is to establish the identity of the person who is requesting the information.

Any disclosure to a wrong person would become a “Data Breach” and hence the “Data Disclosure Policy” has to be aligned to the “Data Breach Notification policy”, which should also be aligned with the whistle blower policy and incident management policy. To the extent that the first report of a data breach goes to the call center employee, the awareness of how to escalate a complaint to a potential incident report should be available to all the call center employees and the perimeter level personnel who interact with customers.

PDPSI requires the quality of a data breach notification policy to be assessed so that a proper DTS can be assigned.

(To Be continued)

Naavi

Other Reference Articles