The Risks of Unreported Breaches
Panel: Breach Disclosure Mandate May Alter Security Tactics
Data breaches are currently not big news in India, and breach notification is rare. After all, there is no legal mandate for enterprises to report breaches, and no legal ramifications for leaving them unreported.
Yet as breaches and risks grow, Indian security leaders consider it critical to bring the dangers of unreported breaches to the attention of practitioners at large.
A panel of leaders discussed data breach disclosure at Information Security Media Group's Data Breach Summit Asia. The panel included Sameer Ratolikar, CISO, HDFC Bank; A K Vishwanathan, senior director, Deloitte; K S Narayanan, CISO, PWC; Prashant Mali, president, Cyber Law Consulting; and Mathew Schwartz, executive editor, DataBreachToday. The panelists discussed the importance of breach notification, the precautions enterprises should take, and ways to encourage information sharing among enterprises and peer groups.
"Though Indian enterprises deploy reasonable security best practices, data breach notification or disclosure is not practised as a norm as compared to matured regions like USA, Europe or Australia, where it is a legal mandate," says Ratolikar, who moderated the discussion.
While Ratolikar acknowledges the efforts by the Institute for Development and Research in Banking Technology (IDRBT) to set up the Indian Banks-Center for Analysis of Risks and Threats (IB-CART), which enables members to share data breach information, he says it is restricted to the banking fraternity alone.
Data Breach Disclosure: The Reality
Security leaders say breaches go unreported primarily because of weak corporate governance, gaps in contractual agreements, and the absence of any regulatory mandate that imposes liability.
Vishwanathan of Deloitte strongly believes that, because there is no accountability for abiding by any law or governance policy, no breach, small or big, gets reported.
"From a breach notification law, India has a two-page law which speaks about data confidentiality and criticality to protect and report to the concerned authority in case of a breach of data leakage," says Vishwanathan, adding, "No enterprise has a governance policy making it compulsory to report breaches; business heads also have not prescribed such norms."
Schwartz of DataBreachToday describes how Western countries have reaped the benefits of breach disclosure practices since California passed its breach notification law in 2002, while some countries remain laggards.
"There are three key aspects, which need attention and are recommended by experts like Bruce Schneier, missing among Indian enterprises; that is the key reason for confusion," says Schwartz. These attributes are:
- Awareness of a data breach or leak among affected customers, which would enable them to take appropriate precautions;
- Publication of data breach statistics by the concerned department, which would help quantify the problem, equip law enforcement personnel with the necessary ammunition and help enterprises justify security budgets;
- Sharing information about stolen data or breaches, both within an organisation with its employees and across the industry with peers, which would help prevent further breaches.
Narayanan of PWC says that before India emulates the West's best practices, it must compare the value at risk that the same type of data carries in different countries.
"This has reference to the social security number of US citizens provided by US regulatory authorities; everyone has access to it, and the risk of financial gain by perpetrators is high," says Narayanan. "India has floated the Aadhaar card, similar to the USA's SSN, which contains citizens' details. If lost, it doesn't have major financial implications, as every organisation has reduced its risk exposure to the data with an authentication mechanism," he says.
Mali of Cyber Law Consulting discusses the legal ramifications of unreported breaches and the liability the law places on those responsible for leaks.
"Section 72 of the IT Act has implications of criminal liability if data is leaked by the police or adjudication officer, with three years' imprisonment," he says, adding, "Section 72A also specifies three years' punishment under criminal liability for losing data held under a contract."
CERT-In prescribed rules in 2011 that lay out the mechanism for reporting threats or breaches, but enterprises don't adhere to them, he says.
Handling Future Breach Disclosure
There is no incentive for Indian organisations to improve their reporting processes or disclose the threats they currently face, panellists say.
But a breach reporting mechanism backed by a mandate would help CISOs alter their approach.
"Regulators must inform banks or government or corporate bodies that it's important to report breaches; otherwise, you are in big trouble, as it happens in Britain," Schwartz says.
"My gut feel is that the Indian government and private sector will soon announce financial incentives for disclosure norms, inspiring CISOs to establish processes," Ratolikar says.
Vishwanathan says most enterprises fail to detect a breach, or even to realise that one has occurred.
"As a pre-requisite, equip the team to understand the symptoms, easily detect breaches and challenge the value at risk," he argues.
One must ascertain the criticality of the data being shared and the value at risk attached to it.
"When there's accountability, by default the strictest rules will be applied, as it impacts the organisation's privacy norms, and this would be shared with the stakeholders," Vishwanathan says.
Narayanan supports developing an information sharing model across sectors, one in which even small discrepancies are shared among peers rather than a breach being viewed solely in terms of its impact on the balance sheet.
Mali says data breaches most often originate in data being exchanged without a thorough check; hence organisations need security practices or rules that prohibit sharing data until the set norms are met.
"CISOs must ensure a set of permissions, rules and privacy policies as part of security governance," Mali says.