India ranked third in global data breaches in 2021, a 356% increase from the previous year. Since we do not currently have a national data protection or data privacy law, such cybersecurity failures pose massive threats of financial fraud and identity theft to citizens. There needs to be a better mechanism that incentivises organisations that collect and store citizen data to maintain stronger internet security measures.
Neither the proposed Data Protection Bill nor the amendment to the Information Technology Act speaks about responsibility for cybersecurity compromises. The Data Protection Bill mandates that companies need to report breaches within 72 hours of the occurrence, but there is no requirement for companies to secure citizen data. India had also introduced the National Cybersecurity Policy in 2013, which suggested several broad strategies including the provision of fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure for cybersecurity. As the government changed in 2014, not much has been done to implement the policy or to extend it to legal accountability and enforcement.
India’s e-commerce sector has witnessed tremendous growth in recent years. It is expected to grow to $188 billion by 2025. The Fintech market in the country is estimated to be the third-largest in the world. India is also the world’s second-largest telecommunication market.
This rapid and accelerated digitisation over the past few years has meant personal data collection at an equally rapid, yet unregulated, pace. The data collected online ranges from basic information (such as name, address, age, gender and phone number) to sensitive details (such as bank account numbers, credit/debit card numbers, government ID numbers, and so on). In addition to this directly collected and stored information, there is metadata that can reveal deeper insights about customers (such as personality types, spending patterns, personal interests, political inclinations, food preferences, schedules, physical and mental health). However, other than the informal trust that the customer puts into these companies, there is no legal or policy promise requiring these companies to ensure customer data is safe, secure, and used only for purposes the customer has been informed of.
For a solution, we can look to banking regulation. There, policies of zero liability and limited liability for cards and online financial frauds made the banks responsible for unauthorised financial transactions. Similarly, we need to push accountability for data security on all companies collecting and storing citizen data.
The need for economic growth, and hopes for foreign investments, should not deter us from enforcing internet security. All companies, public and private, should be required to report to the government the measures taken by them to ensure data security and information regarding potential threats and targets. There needs to be a channel to facilitate information exchange between companies facing similar threats. For companies that fail to show serious efforts for internet security or lack compliance with standards set by the government, customers should be actively notified of the risks when sharing their data with them. The required standards of internet security measures can also vary based on the sensitivity of the data being collected.
This added accountability is often seen as an additional cost, especially for small and medium enterprises. But this can also be an opportunity where the government guides and assists SMEs to choose cloud services wisely, safeguard their websites and portals, and ensure that they are protected from ransomware attackers as well as other threats over the internet.
Over the last decade, many countries have established agencies to focus on cybersecurity and a safe national digital infrastructure: Singapore, the United States, and Israel are examples. India does have the National Cyber Coordination Centre, but this agency is an internet scanning agency for real-time assessments of cyber threats and report generation. It lacks real-time partnerships with domestic and international private and government agencies. It also does not act as a mentor on matters of cybersecurity or enforce guidelines around data protection and overreach. Without proactive measures, partnership with private enterprises, collaborative efforts and legal accountability, effective execution and results may prove difficult.
Government guidance and support are not interchangeable with government surveillance or government overreach. The Indian government needs to put in place standards to protect citizen privacy and digital security from all domestic and international malicious players online, and from itself.
Data is the new oil, the new weapon of war, and the new gold. 54% of India’s 1.2 billion population is estimated to have access to the internet. A large push to India’s growth has been from its accelerated development and adoption of digital public infrastructure and digital public goods. Internet security has been an elephant in the room and it’s time it is seen as urgent and crucial for continued growth propelled by digitisation, internet penetration, and innovation.
Avni Sinha is at the Harvard Kennedy School of Government
The views expressed are personal