Breach Notification: The Legal Implications
Supreme Court Advocate Pavan Duggal on India's Challenges
While many enterprises in the West adhere strictly to data breach notification norms, India remains far behind in reporting such incidents for fear of loss of reputation, as well as a lack of clarity on the legal consequences of the reporting.
The reason for this is that barring a few isolated efforts from some regulators, a nationwide approach to data breach notification is missing in India, says Pavan Duggal, advocate at the Supreme Court of India (see: Why India is Still not Ready for Breach, Privacy Laws).
"Across Asia Pacific, organizations have had a propensity not to report data breach incidents and put it below the carpet, primarily because of the fear that it may impact their potential business opportunities and prospects," he says in an interview with Information Security Media Group. "But increasingly, companies are finding out that it's leading to a weaker cybersecurity ecosystem. In that context, we are beginning to see various legal developments in different jurisdictions."
While there are no laws that provide a detailed legal regime for the reporting of breaches in India, under the IT Act there is a passing mention that it's the responsibility of the relevant stakeholders to report cybersecurity breaches to CERT-In. But no legal ramifications or consequences were detailed in an effective manner, Duggal says.
"Indian companies, despite the fact that there is a mandate, do not want to report because they are not clear how the reporting is going to be taken, what kind of potential reputational harassment are they going to face and whether the authority to which they will be reporting is efficient enough to handle the reporting mechanism," he says.
These are some legitimate concerns, Duggal contends, given that India does not have a dedicated data protection law or privacy legislation.
Duggal, however, says he welcomes Reserve Bank of India's recent mandate to banks for putting in place a board-approved cybersecurity plan. But other than some isolated efforts from regulators, India lags behind in developing a holistic and national approach to breach notification, he says (see: RBI Issues New Cybersecurity Guideline).
With new regulations, such as Europe's General Data Protection Regulation, coming into the picture, Indian organizations now will have to tighten their belts, Duggal advises.
In this interview, Duggal shares his views on various aspects of data breach notification and its importance in India and puts forth his recommendations. He also discusses:
- Why India is still not ready for a data breach notification law;
- The EU's GDPR and its impact on Indian enterprises;
- What RBI's new cybersecurity framework guidance may mean for Indian banks.
As a practicing advocate at the Supreme Court of India, Duggal has an international reputation as an authority in cyber law, e-commerce law and cybersecurity law. Duggal is also the president of Cyber Law Asia, an organization committed to the passing of dynamic cybersecurity legislation in Asia.