India may impose higher penalties to ensure companies report cyber security breaches

The government wants to impose higher penalties on companies that fail to immediately report data breaches affecting Indian users to the authorities, a senior government official has said, adding that the current penalties are too low.

The move comes following incidents of breaches of personal data of Indian users from internet companies such as Facebook and Google, which the government came to know from public statements by these companies, the official said.

While the IT Act and subsequent rules stipulate financial penalties for not reporting security breach incidents to the Ministry of Electronics and Information Technology (MeitY) or cyber agencies, most companies do not actively report them. In some cases, companies do not respond even after multiple letters asking them for a response, possibly because they are not deterred by the low penalties, which do not exceed Rs 1 lakh, the official said.

MeitY is now working on drafting the final data protection law and hopes to bring it to the Parliament by the end of this year. Simultaneously, it is also working on a new set of rules under the Information Technology Act 2008 which may increase the penalties for companies for not reporting such incidents. Nehaa Chaudhari, public policy lead at Ikigai Law, said, “Increasing penalties to increase reporting of incidents is one way of looking at it. Regulators around the world, be it in the GDPR or the Data Protection Bill, are resorting to fairly high penalties so that they act as deterrents, but it only goes so far; we also need legal and regulatory framework to support them. There is clarity required on how quickly companies need to report breaches along with absolute clarity on what constitutes a data breach etc.”

In October, the ministry had written a series of letters to social networking giant Facebook on the extent of the damage after it was reported that many Indians on Facebook are likely to be among at least 50 million victims of a breach that exposed accounts and their linked third-party apps to hackers. In the breach, attackers exploited a vulnerability in the code of the ‘view as’ feature that lets users see what their profiles look like to others. Facebook promised to get back to the government post an investigation.