The run of cyber attacks on pharmaceutical companies, coming just before the advent of the PDPA (India's proposed Personal Data Protection Act), a time when companies are expected to have better security oversight, continues with the latest incident report from Lupin Laboratories Ltd.
According to the sketchy reports available in the media, "select IT systems were affected". The company has stated that core systems and operations were not affected and that restoration of the impacted systems was underway.
Globally, it is well known that a data breach in the health industry is expensive for a company (according to one study, the average cost of a data breach at a pharma company is US$ 7.3 million). At the same time, the health care industry is not strong in its information security practices: one study indicates that it takes nearly a year to track down a cyber security issue in such a company. Hackers consider the health care industry a gold mine because a stolen set of health data may fetch around US$ 1,000 on the dark web. It is therefore no surprise that the largest share of data breaches (nearly 50%) is due to malicious attacks rather than accident or negligence.
While this situation is global, India is on the cusp of passing the PDPA, and the current period may be the last opportunity for hackers to catch a negligent company before the new penalties apply.
First it was Breach Candy Hospital. Then Dr Lal PathLabs and Dr Reddy's. Now Lupin. Maybe others will experience, or have already experienced, hacks that are yet to be identified and revealed.
Hopefully the industry will wake up and fortify its defenses now, while the law does not yet impose the kind of fines that will be commonplace once the PDPA comes into operation.
We know that current Indian law, the ITA 2000/8 (the Information Technology Act 2000 as amended in 2008), has Section 43A, which expects companies holding sensitive personal data to maintain "reasonable security practices and procedures". Even companies that do not handle sensitive personal data are liable under Section 43, read with other sections including Sections 66 and 72A, to ensure that "prudent security" is always in place to protect data whose compromise has implications for shareholders or the public.
Fortunately for such companies, enforcement is currently too weak to make them sit up, and such incidents are soon buried and forgotten.
We need to take note, however, that so far we had considered the "administrative fines" under GDPR and the proposed Indian PDPA, capped at 4% of global turnover, to be deterrent enough. But Singapore has come up with a shocker of an amendment under which the administrative fine for a personal data breach can be as high as 10% of the organisation's annual turnover in Singapore.
Considering the frequency with which data breaches are being reported, if such fines are actually imposed, many companies may have to file for insolvency after a single data breach incident. In fact, the "risk of doing business in Singapore for a company processing personal data" has now taken a quantum leap. This means that cyber insurance costs in Singapore, and the salaries of DPOs and CISOs, will also go through the roof.
We must, however, recognize that a "breach of personal data" is different from a "breach of non-personal data". Many security incidents, including ransomware attacks, may stop at denial of access or a compromise without exfiltration of personal data. Such "information security incidents" may not qualify as a "personal data breach" and hence may not come under the jurisdiction of the Data Protection Authority, the Supervisory Authority or the PDPC. They may be treated simply as a "cyber crime incident", where the victim has to claim its own loss as damages and the police have to pursue the crime. One caveat for practitioners: the GDPR defines a personal data breach (Article 4(12)) to include accidental or unlawful destruction, loss or alteration of personal data, not only unauthorised disclosure, so ransomware that encrypts personal data and makes it unavailable is itself a reportable personal data breach in that regime even when nothing is exfiltrated. The carve-out for "non-personal data" incidents is therefore narrower than it first appears, and the incident classification below must be driven by the definition in whichever law applies.
It will therefore be necessary to classify "security incidents" as involving or not involving personal data. Similarly, cyber insurance contracts need to distinguish incidents as "personal data breach", "sensitive personal data breach" and "non-personal data breach", and fix premia and coverage separately for each.
Under the IPC we have different offences such as "murder", "culpable homicide not amounting to murder" and "causing death by negligence", each with a different punishment.
Similarly, the data industry needs to recognize different types of data breaches and ensure that a non-personal data breach is not wrongly reported as a personal data breach to the personal data regulator, and vice versa.
At the same time, the law is vague enough, and police forces such as Mumbai's are capable of such innovative interpretations, that most data breaches may be treated as falling under both personal data and non-personal data breaches. Companies therefore need to prepare themselves for a new regime of data breach oversight from both the police and the personal data regulatory agencies.