2. One of the questions that arose during the discussions was on the “Data Breach Notification requirements” under the proposed act.
There was one concern of the industry that “Data Breach” reporting to the data subjects should not be mandated and even if required it should not be as immediate as notification to some industry authority etc.
This is a standard response from industry whenever data breach notification is suggested in any data protection act. Industry wants to protect its reputation by sweeping the data breach notification under the carpet. While most industry players would jump at Aadhaar leakage when reported, they would not like a breach in a Bank coming out in the open. Hence the demand that they should be exempted from notification of data breach to their customers.
Some industry players also brought out the issue of a need for time to determine whether a “Suspected data breach” is actually a “Data breach”, whether a “Data breach” is not exactly a data breach but only a “Denial of Service attack” etc and argued that industry should not be forced to report a data breach before it is confirmed.
However the industry agrees that most data breaches need to be confirmed with an audit and many times the recognition of data breach itself takes months and after the recognition, the completion of the internal audit takes several more months. If therefore the industry demand in this respect is to be accepted, then data breach will never become public for more than an year.
Industry is however not averse to sharing some potential breach information with an industry organisation because they know that the industry organziation can be manipulated and hide the information of the data breach. For example, many wannacry attacks on ATMs of Banks were never reported by Banks and public never came to know of them. Even a major cyber attack on a Bank after the Swift system hacking in Bangladesh, was pushed under the carpet. Given an option even the UIDAI would like not to publicise the data breach reports on UIDAI because it hurts the reputation of the system.
The strong opposition to data breach notification to the data subjects itself indicates that it is a very effective deterrent that industry would not ignore. Hence it is absolutely essential that this data breach notification must be incorporated in the law as a mandate. The time limit in other international regulations is around 30 to 60 days and it would be necessary to make a provision for “Public Notification” before 30 days.
In case there is difficulty in confirming the data breach because of the need for an audit etc., the notice can say that the investigation is under progress and the notice is a “Provisional Notice”.
Some persons also raised the issue of “Cost of Data breach notification” to the data subjects. The notification can be made
a) Through advertisement
b) Through notice in the website of the Data Controller
c) Through a notification in the Data Protection Authority website
c) Through e-mail
In order to further reduce the cost of “Advertisement”, a suggestion was made that to the effect that Data Protection Authority can create a broadcast platform. A mention can however be made that such services are already available at www.cyber-notice.com along with Section 65B certification. Industry is yet to recognize the potential of the service and perhaps a need for mandatory data breach notification would make the industry realize the need for such services.
(Will be continued)
Links to all the three parts of this report of the consultation are available here