With Aadhaar being made mandatory for filing of IT returns, data privacy concerns are at an all-time high in India. Over the past week, we’ve seen how easy it is for Aadhaar numbers to leak into the public domain (even M S Dhoni wasn’t spared) and the McDonalds India app leaked personal data about users. This while our IT minister said “Aadhaar is fully secure” and McDonalds said they store no sensitive data.
The best case scenario is to avoid such attacks from occurring in the first place. However, despite our best efforts, attacks will occur, data will be lost, networks will be breached.
India needs a well thought-out strategy on how to react when such incidents (or security breaches) occur in the private as well as government sectors.
India needs a well thought-out strategy on how to react when security breaches occur in the private as well as government sectors
India has multiple information sharing mechanisms regarding breaches. Industry regulators such as the RBI require that every significant breach be reported to them. Similarly CERT-In, India’s cyber emergency response team needs to be notified too. If you are part of an industry which falls under “critical infrastructure”, you will need to report the incident to the National Critical Information Infrastructure Protection Centre (NCIIPC) too.
The intention behind the above steps is noble. The idea is for a central agency to collate all the information so as to observe patterns. This is especially useful if the attack is not limited to a single entity.
However, this is the perfect example of the road to hell being paved with good intentions. In a recent information security conference in Goa, a panel discussing the handling of breaches opened the floor to the audience. A polite gentleman in his 30s went first. He introduced himself as an employee of a private bank, working in the InfoSec team. Then — almost comically — he went on to describe the pain bank employees have to go through when a breach occurs.
India has multiple information sharing mechanisms regarding breaches. The idea is for a central agency to collate all the information and observe patterns. This is especially useful if the attack is not limited to a single entity
At present, there is no government policy requiring entities to report breaches to consumers. This means, if a bank gets hacked and that leads to leakage of consumer’s sensitive information (such as phone number, account balance etc), the organisation is under no obligation to inform the consumers about the extent of the breach or explain what steps have been taken to prevent such incidents in future. This means, consumers are in the dark about the status of their data and can’t take corrective steps. If a consumer knows that her credit card number is compromised, she can at least contact her bank, cancel the card and get a new one issued.
At present, there is no government policy requiring entities to report breaches to consumers about the extent of the breach or explain what steps have been taken to prevent such incidents in future
Agencies like CERT-In require companies to report any “significant” breaches. However, attacks that are “significant” to central agencies may be irrelevant to a consumer. For example, does the consumer really need to be notified if an attack causes internal network outage at an organisation? How about if only employee details were leaked?
On the other hand, attacks that lead to leakage of consumer PII (personal identifiable information) certainly warrant consumer notification. It is important to make it easy for organisations to distinguish between breaches that need to be notified and otherwise.
The policy should address the question of who needs to be notified. Should it be limited to “affected parties” (for example: users whose accounts were compromised) or should the entire public be notified? The answer to this question may differ based on industry, company size, ownership model (i.e. publicly held v/s privately held companies).
It is important for the policy to define if it merely “recommends” notifications or enforces them. If the latter, the policy needs to define who the enforcer should be. Options include the central government, state governments (such as in the USA) and industry regulators.
It will be useful to define the nature of notifications as well. While some flexibility can be provided to the breached organisation, broad guidelines should be provided. The absence of such a guideline might lead to an organisation notifying a breach through a small column on Page 16 of a local daily.
While it makes sense to give breached organisations some time to investigate the breach, it is important to have a deadline by which it has to notify the consumer. For example, the US state of Florida mandates that such a breach be notified within 30 days of determination of the breach.
A robust breach notification policy for consumers and central agencies is a requirement as we move rapidly towards a digital economy. While some entities (private and government) may resist such a policy as it makes things harder for them, it certainly serves the interest of their customers and brings in much-needed transparency to the world of cyber attacks.
Read other r00t access stories.
Online security and privacy will change the way we think about our digital lives. This column attempts to showcase the nuances of those changes by exploring facets in the intersection of cyber security and everything else.