
With Aadhaar being made mandatory for filing of IT returns, data privacy concerns are at an all-time high in India. Over the past week, we’ve seen how easy it is for Aadhaar numbers to leak into the public domain (even M S Dhoni wasn’t spared) and the McDonalds India app leaked personal data about users. This while our IT minister said “Aadhaar is fully secure” and McDonalds said they store no sensitive data.
The best case scenario is to avoid such attacks from occurring in the first place. However, despite our best efforts, attacks will occur, data will be lost, networks will be breached.
India needs a well thought-out strategy on how to react when such incidents (or security breaches) occur in the private as well as government sectors.
India has multiple information sharing mechanisms regarding breaches. Industry regulators such as the RBI require that every significant breach be reported to them. Similarly, CERT-In, India’s cyber emergency response team, needs to be notified too. If you are part of an industry which falls under “critical infrastructure”, you will also need to report the incident to the National Critical Information Infrastructure Protection Centre (NCIIPC).
The intention behind the above steps is noble. The idea is for a central agency to collate all the information so as to observe patterns. This is especially useful if the attack is not limited to a single entity.
However, this is the perfect example of the road to hell being paved with good intentions. In a recent information security conference in Goa, a panel discussing the handling of breaches opened the floor to the audience. A polite gentleman in his 30s went first. He introduced himself as an employee of a private bank, working in the InfoSec team. Then — almost comically — he went on to describe the pain bank employees have to go through when a breach occurs.
At present, there is no government policy requiring entities to report breaches to consumers. This means that if a bank gets hacked and that leads to leakage of consumers’ sensitive information (such as phone number, account balance etc.), the organisation is under no obligation to inform the consumers about the extent of the breach or explain what steps have been taken to prevent such incidents in future. Consumers are therefore in the dark about the status of their data and can’t take corrective steps. If a consumer knows that her credit card number is compromised, she can at least contact her bank, cancel the card and get a new one issued.
Agencies like CERT-In require companies to report any “significant” breaches. However, attacks that are “significant” to central agencies may be irrelevant to a consumer. For example, does the consumer really need to be notified if an attack causes an internal network outage at an organisation? How about if only employee details were leaked?
On the other hand, attacks that lead to leakage of consumer PII (personally identifiable information) certainly warrant consumer notification. It is important to make it easy for organisations to distinguish between breaches that must be notified to consumers and those that need not be.
The policy should address the question of who needs to be notified. Should it be limited to “affected parties” (for example, users whose accounts were compromised) or should the entire public be notified? The answer to this question may differ based on industry, company size and ownership model (i.e. publicly held vs. privately held companies).
It is important for the policy to define if it merely “recommends” notifications or enforces them. If the latter, the policy needs to define who the enforcer should be. Options include the central government, state governments (such as in the USA) and industry regulators.
It will be useful to define the nature of notifications as well. While some flexibility can be provided to the breached organisation, broad guidelines should be provided. The absence of such a guideline might lead to an organisation notifying a breach through a small column on Page 16 of a local daily.
While it makes sense to give breached organisations some time to investigate the breach, it is important to have a deadline by which they must notify the consumer. For example, the US state of Florida mandates that such a breach be notified within 30 days of determination of the breach.
A robust breach notification policy for consumers and central agencies is a requirement as we move rapidly towards a digital economy. While some entities (private and government) may resist such a policy as it makes things harder for them, it certainly serves the interest of their customers and brings in much-needed transparency to the world of cyber attacks.
Online security and privacy will change the way we think about our digital lives. This column attempts to showcase the nuances of those changes by exploring facets in the intersection of cyber security and everything else.