Legal Understanding of Breach in Dominous/ Big Basket
Updated: Sep 3, 2022
In the present day and age, the most important thing which any of us possess is our data. Data could constitute anything from our name, our contact details, our financial information, etc. When we agree to provide a company or institution access to this sensitive information by accepting their terms and conditions, we do so in good faith. It is the basic responsibility of the company to protect our information so that we are not exposed to any fraud or any such activities.
Due to advances in technology, our data is increasingly being targeted by hackers who, on gaining access to this information will sell it to the highest bidder. On the face of it, this might not seem like a serious issue but its effects run deep.
Information is the new deadly weapon. Using it, one can find out anything about anyone. If misused, it can have serious repercussions. Imagine having all your entire confidential information from your aadhar number to your user pan card number being available to someone in exchange for a price.
In a world that is becoming more and more reliant on technology and the internet to function, having our data breached and sold on the dark web is not a good sign. In 2020 alone, 3950 confirmed data breaches took place. If left neglected, this can prove to be a huge issue later on in the future.
India is no stranger to such data breaches. Over the years, we have seen some major leaks taking place. From the Aadhar leak in which the Aadhar information of close to one billion people was being sold for as low as Rs. 500 to the Just Dial expose where the personal information of 10 crore users was stolen and leaked by hackers.
More recently, the data breach at Big Basket, Air India, Dominos, and MobiKwik has raised new concerns among security experts as to the framework put in place to ensure the security of users online.
The issue came to light when Alon Gal the CTO of Hudson Rock tweeted about how the hacked Dominos data was being sold on the dark web for 2-8 bitcoins. The hackers demanded 50 bitcoin from the company to stop the sale of the database. A month or so later, cybersecurity researcher Rajshekhar Rajaharia tweeted screenshots of a search engine created by the hackers on the dark web. Using this, anybody could access the 13TB of hacked Dominos data.
After the Big Basket data leak which took place in November 2020, cyber security experts were concerned about the safety of consumer data in India. Since no proper action was taken, this made them question the activities of the statutory body responsible for looking into these matters.
CERT-IN or the Computer Emergency Response Team India was established under the Information Technology Amendment Act 2008. It exercises its powers under the direction of the Ministry of Electronics and Information Technology. According to the provisions of the Act, its main functions are -
“A. Collection, analysis, and dissemination of information on cyber incidents. Forecast and alerts of cyber security incidents. Emergency measures for handling cyber security incidents.
B. Coordination of cyber incident response activities. C. Issue guidelines advisories, vulnerability notes, and whitepapers relating to information security practices procedures, prevention, response, and reporting of cyber incidents. D. Such other functions relating to cyber security as may be prescribed.”
After these recent leaks, questions were raised as to what the agency was doing to protect and handle such security breaches. A case was filed in the Delhi High Court by Yarlagadda Kiran Chandra, the General Secretary of the Free Software Movement of India (FSMI). The writ petition was filed against the Computer Emergency Response Team highlighting their failure to carry out their duties as mandated by section 70 of the Information Technology Act.
In the latest hearing which took place on August 17th, the Honourable Single Bench of Justice Rekha Palli directed the Counsels of the Respondents to present their case at the next hearing which is scheduled to be held on 23rd September 2021.
This case has the character to be one of the most important judgments of our time because of the subject that it deals with. Due to the absence of any legislation governing personal data and its usage in India, companies tend to get away with not taking the necessary steps required to protect user data.
As emphasized before, this leaves the public vulnerable to exploitation. The implementation of laws such as the General Data Protection Regulation which was implemented by the European Council in 2018 will be a huge step forward in securing the right to privacy of the Indian citizens under Article 21.
The Information Technology Act under section 43, provides for compensation to be paid to the aggrieved party… If any person without the permission of the owner or any other person who is in charge of a computer, computer system, or computer network,- downloads, copies, or extracts any data, computer database, or information from such computer, computer system, or computer network including information or data held or stored in any removable storage medium.
Due to the anonymity behind which hackers hide, it is often difficult to bring any sort of prosecution against them. Another important thing to highlight is that this section can only be used against the person who has stolen the data and not the company from which it has been stolen.
The Personal Data Protection Bill 2019 seeks to
“provide for the protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data…”
The provisions of the Bill let the “data principal” transfer their data from one “data fiduciary” to another as well as withdraw their consent to having their data stored by a certain fiduciary. The Bill also seeks to establish a Data Protection Authority of India in order to
“ protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection.”
Although not approved by the Parliament yet, the Bill takes great strides in the right direction in order to ensure that the Citizens are provided with more clarity with respect to their data rights. The Data Protection Authority will act as a specialized task force in order to ensure that serious cases of data leaks are actually investigated and dealt with. With the world becoming more information technology-driven, this is much required.
For any information kindly reach out to us on firstname.lastname@example.org