“Misprision is a very subtle crime. The statutory words say that you commit a crime if you see a crime and don’t report it.” –Benjamin Wright, Cyber Attorney
One emerging and disruptive development has been the growing incorporation of data analytics techniques by organizations for competitive decision-making and business strategy. It is virtually impossible to exist in modern society without submitting at least some personal details online.
As an unfortunate flipside to the new data-fuelled world order, growing digital interconnectivity has paved the way for greater vulnerability in the threat landscape. With an upward trend in the data-driven digital economy in India, the breach of sensitive data and critical personal information is a constant threat. According to the Indian Computer Emergency Response Team (CERT-In), the government agency responsible for tracking and responding to cybersecurity threats, over 3.13 lakh cybersecurity incidents were reported in 2019 alone.
A survey conducted by the security firm Barracuda Networks, a California-based leader in the field of data protection, revealed that about 66% of Indian companies reported at least one data breach since the rapid shift to the work-from-home structure. Corporations need to take stock of this grim reality of the cyber security space and acknowledge that adequate and timely disclosure is the right move towards establishing customer trust and confidence in the long run. Data privacy principles adopted by firms need to be straightforward.
Beenu Arora, CEO of Cyble, said, “Our own discoveries during 2020 more than confirm the alarming statistics by Barracuda. Organizations should take proactive measures for understanding their attack surface and taking a risk-based approach in managing it. Until regulations come into place, corporates would do well to step up self-regulation by establishing strong disclosure SOPs once a breach has been discovered.”
Cyble was recently invited by the Joint Committee on the Personal Data Protection Bill, 2019 to share their views on the bill. Cyble believes that the bill is the need of the hour and a significant step in addressing the rising data privacy and security concerns, besides providing a legal framework for the collection, use, and destruction of personal information. “Personal data protection is essential to fully capitalise on the benefits of the digital revolution”, says Beenu Arora.
Mandar Patil, VP of Business Development and Customer Success at Cyble, said, “India is of significant importance to Cyble, and we are committed to assisting the Government, public and private sectors in assessing their threat exposure. We always advise our clients on focusing their security efforts right from the data collection stage, making sure that only relevant information is collected, securely managed across the entire data lifecycle, and appropriately destroying data when its utility for providing the service has been exhausted.”
Cyble also advises the marketplace that organizations must give people the means to control how their personal data is used and inform them of who has access to it. To facilitate this, enterprises must be transparent and honest with the end users whose data they are collecting, handling, and processing. A prominent example in the field of data protection is the European Union’s General Data Protection Regulation (GDPR), which specifies that in the event of a personal data breach, the organization is expected to notify the supervisory authority within 72 hours after having become aware of it. The law also mandates that organizations must provide valid reasons for a failure to respond to breaches, or even for a delayed response.
Beenu Arora added, “This is a necessary step towards proactive measures that fight back and mitigate risks. By having a strong disclosure culture once a data breach has been discovered, corporates can play a big role in collectively dampening the incentives for hacking in the first place, while placing the interests of their customers foremost. It is imperative that businesses truly comprehend the implications and ethics of data security and data mining, not only as a regulatory obligation, but also as a means for achieving a basic alignment of the technology with the needs of the business. Like in many other countries, we believe that data breach disclosures in India should be made mandatory under the data security regulatory framework. These privacy regulations are expected to revolutionize the existing ways in which businesses secure, reserve, share and anatomize consumer data.”
Data protection and data privacy are two broad categories of data security. Data protection deals with safeguarding data from unauthorized access, while data privacy involves empowering users to make their own decisions about who can process their data and for what purpose. With data security considered a fundamental right, the protection of personal data is an indispensable facet of informational privacy, directly translating to the sense of accountability and social responsibility that entities processing personal data must adopt. Appropriate technical security measures are necessary to protect personal information (PI) that is transmitted, stored, or processed by organizations from accidental or unlawful usage.
With data being collected round-the-clock, it is important to understand the types of data that organisations may be collecting. The data accumulated by data fiduciaries may be classified into any of the following categories.
Personal data – This includes personally identifiable information such as name, contact information, IP addresses, web browser cookies, and device IDs (which both your laptop and mobile device have).
Engagement data – This category comprises details of how consumers interact with a business’s website, mobile application, social media channels, email communications, promotional alerts, and other customer service routes.
Behavioural data – This primarily includes transactional details such as online purchase histories, browsing data, and product usage information such as actions that are often repeated. This type of data is often collected to foster a seamless customer experience backed by behavioural analytics.
Attitudinal data – This category of data collected consists of preference metrics or logs on consumer satisfaction, purchase criteria, feedback, product desirability, etc. This is mostly captured through customer satisfaction surveys and feedback forms.
Policies that make it mandatory for organizations to inform individuals whose data has been compromised of the details of the data breach will allow data principals to better understand the information leaked. Article 12 of the GDPR clearly states that data fiduciaries must explain how they process data in a transparent and easily accessible form, make it easy for people to exercise rights such as the right to erasure, and respond to such requests swiftly and adequately. The right to erasure is also known as ‘the right to be forgotten’, through which consumers can request erasure from GDPR-compliant organizations either verbally or in writing.
About Cyble Inc.
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the dark web. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.