The government needs to impose higher penalties on corporations that fail to immediately report data breaches affecting Indian users to the authorities, a senior government official has said, adding that the current ones are too low.
The move follows breaches of private data of Indian users at internet corporations like Facebook and Google, which the government came to know of from public statements by these corporations, the official said.
While the IT Act and subsequent rules stipulate monetary penalties for not reporting security breach incidents to the Ministry of Electronics and Information Technology (MeitY) or cyber agencies, most corporations don’t proactively intimate them. In some cases, corporations don’t respond even after multiple letters asking them for a response, presumably because of the low penalties, which don’t exceed Rs 1 lakh, the official said.
“Recent incidents make a case for much more stringent penalties,” the person said.
MeitY is currently working on drafting the final data protection law and hopes to bring it to Parliament by the end of this year. At the same time, it is also working on a new set of rules under the Information Technology Act 2008 that will increase the penalties on firms for not reporting such incidents.
Nehaa Chaudhari, public policy lead at Ikigai Law, said, “Increasing penalties to extend coverage of incidents is one way of looking at it. Regulators around the world, be it in the GDPR or the Data Protection Bill, are resorting to fairly high penalties so that it acts as a deterrent, but it only goes so far; we also need a legal and regulatory framework to support them. Clarity is needed on how quickly companies need to report breaches, along with absolute clarity on what constitutes a data breach, etc.”
In October, the ministry had written a series of letters to social networking giant Facebook on the extent of the damage after it was reported that many Indians on Facebook were likely to be among at least 50 million victims of a breach that exposed accounts and their connected third-party apps to hackers.
In the breach, attackers exploited a vulnerability in the code of the ‘View As’ feature, which lets users see what their profiles look like to others. Facebook promised to get back to the government after an investigation.
Similarly, Google also announced last month that it will shut down social network Google+ after stating that data from up to 500,000 users may have been exposed to external developers by a bug that was present for more than 2 years in its systems.
A spokesperson for Google said that each year, the firm sends scores of notifications to users regarding privacy and security bugs and issues. “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice. Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here.”
Governments across the globe are tightening rules on how internet majors handle users’ data, the official said, giving examples of countries like Vietnam and Greece that have come out with new cyber security legislation.
While the draft of the Data Protection Bill submitted by the Justice BN Srikrishna committee covers certain aspects of reporting incidents, they deal more with privacy and not security. “While privacy deals with user data, security incidents involve any kind of breach, regardless of its nature,” the official said.