The fintech and startup ecosystem that has emerged in recent years has a major governance issue: data breaches and leaks are not taken seriously. Unfortunately, the regulatory system has not woken up to the fact that the recent data breaches at Juspay and MobiKwik can cause significant harm to users in the future.
The Indian government is yet to introduce a Personal Data Protection Law (PDP Law) in Parliament at a time when incidents of data breaches and personal information being sold on the darkweb are increasing year-on-year. The lack of a Data Protection Authority and a Personal Data Protection Law means that there is regulatory ambiguity in terms of who should respond to breaches and investigate them. Industry experts told MediaNama that the entire regulatory system needs to be strengthened, business models need a rethink and that companies need to be made more accountable, whether through the courts or through internal governance practices.
1) CERT-In is the primary agency for data breaches
According to legal experts, it is the Computer Emergency Response Team (CERT-In), the nodal agency under MEITY for computer security incidents, that is the primary agency responsible for investigating data breaches, and not the Reserve Bank of India (RBI).
According to Mathew Chacko, Partner at the law firm Spice Route Legal, any server compromise or breach needs to be disclosed to CERT-In (under the IT Act) regardless of the sensitivity of the data leaked. “There are no two ways about reporting the incident to CERT-In,” Chacko said.
After reporting to CERT-In, it is the company’s decision whether to report the incident to its customers and the public, he added. “Not all data breaches are significant enough to be reported to the public, but in some cases, companies take it for granted that the public need not know,” he said.
The RBI only steps in when it comes to financial data, but data breaches fall within CERT-In’s ambit, NS Nappinai, a Supreme Court advocate and founder of Cyber Saathi said.
“Non-reporting of such data breaches carries heavy penalties for such incidents. But the issue is that organisations tend to be lax in complying with this requirement, which begs the question — what is the regulator doing to ensure compliance? There is a trust deficit and sense of fear among companies to comply with the reporting requirement under the IT Act.”— NS Nappinai, Advocate, Supreme Court
According to Anu Monga, Partner at AnantLaw, if the PDP Bill in its current form becomes law, data breaches would have to be reported to the sectoral regulator, the Data Protection Authority as well as CERT-In. “Everything else, whether it was negligence on the company’s end or not, will follow after that. If companies do not notify the breach, there is a penalty that can be imposed against the company under the bill, which is still not law of the land,” she said.
2) Data Protection Authority is the need of the hour
The delay in bringing about a data protection law and creating a Data Protection Authority (DPA) has created a regulatory gap, which allows companies to skirt serious issues like data breaches, while consumers and victims of such breaches are left wondering what to do. More importantly, the lack of a DPA places a burden on existing regulators like the RBI to delve into areas of privacy, security and data governance when they are not geared to do so.
“Data breaches are inevitable in the world we live in, but companies should not downplay the issue with relative ease,” said Chacko of Spice Route Legal. “We have to stop burdening RBI with the duty to regulate or frame rules for data, when it has so many other functions. They can of course make add-on rules for the financial services sectors,” he said.
“We need to have a general set of rules to deal with data, which the PDP Bill needs to address. The proposed DPA should look at data issues, have specialised technical teams and even a financial services division. It should also set thresholds for mandatory reporting of data breaches, which would trigger voluntary disclosures from anybody at any point”—Mathew Chacko, Partner at Spice Route Legal
Nappinai of Cyber Saathi said that there seems to be ambiguity between the types of data that various regulators require companies to store for regulatory objectives versus commercial purposes. “The kinds of data that the RBI requires from a regulatory standpoint would be very different from that required by law enforcement agencies [in the present case] and these requirements have to be balanced with the requirements for deletions upon completion of purpose under the proposed PDP Bill,” she said.
“If the RBI requires payment companies to store transaction data for 7 years, it needs to specify which part of the data needs to be stored and what specifically they mean by transaction data. Ideally, the DPA could provide common standards for entities that are storing and collecting types of financial data and information. Thereafter, the RBI can use this basic standard and add specific regulations for entities that come under its ambit”—NS Nappinai, Advocate, Supreme Court and Founder, Cyber Saathi
The Joint Parliamentary Committee on the Personal Data Protection Bill is expected to submit its report during the upcoming Monsoon Session of Parliament.
3) RBI needs to move beyond compliance measures
Two cyber security experts told MediaNama that IT audit reports — just like financial audits — unfortunately suffer from certain limitations as both are conducted on the basis of sampling. While financial auditors analyse a sample of financial records to prepare financial statements, IT auditors have only a limited view of a company’s systems, they said on the condition of anonymity.
At present, the RBI’s role with regards to cyber-security is limited to mandating companies to file compliance reports routinely. In the case of payment aggregators and payment gateways such as Juspay, the RBI’s guidelines state that data breaches have to be immediately reported to the central bank and CERT-In. For pre-paid instrument (PPI) players such as MobiKwik, the RBI requires players to create a mechanism to monitor and follow up on cyber security incidents and breaches.
The RBI also mandates payment aggregators to submit monthly cyber security incident reports with root cause analysis, quarterly internal and annual external audit reports, and bi-annual vulnerability and penetration testing assessments. When it comes to PPI players, the RBI said that they have to implement a board-approved Information Security policy, implement security measures and review these measures on an ongoing basis, after any security incident or breach and before/after major infrastructure changes to their systems.
The first cyber expert said that the RBI needs to move beyond mandating compliance reports for cyber security and data governance issues. “Getting a compliance report from an empaneled firm is the easy part, testing your system effectively is not,” they said.
“Companies have found ways to ensure that their testing environments are controlled and limited. If the security tests for any system are conducted in a controlled environment, then in reality the company will not know how to deal with a real cyber-attack and data breach. We need to make all companies open to penetration or vulnerability tests of their system by random, anonymous and foreign actors.” — First Cyber Security Expert
The second cyber expert told MediaNama that most IT audits do not involve penetration testing, for which you need red teams from abroad. They explained that IT audits are based on the principle of immutability at the end of a certain period, which means that everything that takes place between two audit periods goes unaccounted for.
“The purpose of an IT audit, in the case of MobiKwik, is to see if there was an internal security failure or bad governance practices, and why. Not to just find out how the data breach happened. As per our calculations, if 8.2 TB worth of data was extracted from MobiKwik’s Amazon Web Services’ cloud storage database it would have taken 23 days to download the entire dataset, leading to a considerable cost in just that month. This should have been the first red flag that went up within the company.” — Second Cyber Security Expert
It seems that MobiKwik was aware of the data breach back in February, prior to the news being made public. According to screenshots of a conversation between a MobiKwik employee and Amazon Web Services on February 25, the company sought details from AWS on the logs for an S3 bucket which the company realised was being exploited by “some other person outside the organisation.” MediaNama has reviewed the screenshots.
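As an added example (not from the article, MobiKwik or AWS), the script below shows the kind of check the second expert describes: it sums the bytes read from a bucket per day and per source address out of S3 server access logs, flags any source whose daily reads exceed a baseline, and computes the sustained transfer rate implied by the 8.2 TB in 23 days figure. The log lines are constructed, and the field layout is assumed to follow the AWS-documented server access log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of an S3 server access log line (assumption: per the AWS documented
# format), captured up to the bytes-sent / object-size columns egress accounting needs.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<req_id>\S+) (?P<op>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\S+) '
    r'(?P<error>\S+) (?P<bytes_sent>\S+) (?P<obj_size>\S+)'
)

# Constructed sample lines: two small reads from an internal app host, then two large
# reads of the same bucket on the same day from an address outside the organisation.
SAMPLE_LOGS = """\
OWNERID examplebucket [25/Feb/2021:09:12:01 +0000] 10.0.1.5 OWNERID REQ1 REST.GET.OBJECT kyc/1001.jpg "GET /kyc/1001.jpg HTTP/1.1" 200 - 524288 524288 70 69 "-" "aws-sdk-java" -
OWNERID examplebucket [25/Feb/2021:09:12:04 +0000] 10.0.1.5 OWNERID REQ2 REST.GET.OBJECT kyc/1002.jpg "GET /kyc/1002.jpg HTTP/1.1" 200 - 524288 524288 65 64 "-" "aws-sdk-java" -
OWNERID examplebucket [25/Feb/2021:22:40:10 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT dump/part-0001.tar "GET /dump/part-0001.tar HTTP/1.1" 200 - 800000000 800000000 91000 12 "-" "curl/7.68.0" -
OWNERID examplebucket [25/Feb/2021:23:05:42 +0000] 198.51.100.7 - REQ4 REST.GET.OBJECT dump/part-0002.tar "GET /dump/part-0002.tar HTTP/1.1" 200 - 400000000 400000000 45000 11 "-" "curl/7.68.0" -
"""

def parse_line(line):
    """Return (date, remote_ip, operation, bytes_sent), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").date()
    sent = 0 if m["bytes_sent"] == "-" else int(m["bytes_sent"])
    return day, m["ip"], m["op"], sent

def daily_egress(log_text):
    """Sum bytes served by object reads, keyed by (day, remote IP)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "REST.GET.OBJECT":
            totals[(rec[0], rec[1])] += rec[3]
    return dict(totals)

def flag_bulk_egress(log_text, threshold_bytes=1 << 30):
    """Return (day, ip, bytes) for every source whose daily reads exceed the threshold."""
    return sorted((d, ip, n) for (d, ip), n in daily_egress(log_text).items() if n > threshold_bytes)

def implied_rate_mbps(terabytes, days):
    """Sustained rate needed to move the stated volume in the stated time (1 TB = 10^12 B)."""
    return terabytes * 1e12 * 8 / (days * 86400) / 1e6

if __name__ == "__main__":
    print(flag_bulk_egress(SAMPLE_LOGS))                  # the outside address, 1.2 GB in a day
    print(round(implied_rate_mbps(8.2, 23), 1), "Mbit/s")  # roughly 33 Mbit/s sustained
```

A baseline of one GiB per source per day is an arbitrary constructed threshold; in practice it would be derived from the bucket's normal read profile, and the same aggregation can be keyed on requester or user agent.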
4) RBI should promote data light companies
Banks and non-bank lenders have a large physical presence, employee base and vast amounts of capital at their disposal. Fintechs, on the other hand, are meant to be the asset-light competitors to the traditional financial institutions. Yet, in a data hungry market like India, both banks and fintechs are data heavy. That is, the amount of data flowing through the financial system and the swaths of data collected and processed by individual entities make them vulnerable to cyber-attacks and data breaches.
As per the RBI’s guidelines, all payments data has to be stored domestically by payments companies and they need to store transaction data for 7 years. The central bank mandates that companies delete data from their system which is no longer relevant.
“At a broader level, if the RBI says that data localisation improves security and these companies have complied with these rules, law enforcement agencies should be able to pinpoint the attack,” said Srikanth L, co-convenor of Cashless Consumer, a consumer group on digital payments. Yet nobody has been arrested in either of these recent data breach cases or in the Hitachi ATM hack a few years ago, he added.
“The RBI needs to carefully review the data storage norms for regulated entities, even if the majority of companies are secure now. In the case of MobiKwik, not only was card information belonging to users leaked but also Unified Payments Interface and Bharat Bill Payments System data,” Srikanth said.
“The way systems are being built today, in fintech or in other industries, a needless amount of data is being handed over to both industry as well as hackers on a platter. The regulator perhaps needs to think about data light / data minimisation first systems going forward, review and dismantle existing data heavy payment systems.” — Srikanth L, co-convenor, Cashless Consumer
5) Victims should file legal cases and pursue tort claims
Victims of data theft or data breaches can approach investigative authorities and the courts to seek compensation. The IT Act states that companies — if found negligent in maintaining cyber security or data protection controls — are liable to pay damages to persons affected by the theft of personal data or information.
Victims can also approach the police and courts under the rules for e-commerce entities under Consumer Protection Act, 2019 or file complaints with the RBI’s Ombudsman for digital payments or banking.
Nappinai of Cyber Saathi said that unfortunately despite the growing number of data breaches and theft, there is no effective action being taken visibly. “You need to see a law in action in order to have faith in the system. Though there is a data protection regime under Section 43A and 72A of the IT Act, nobody realises they have options for remedies,” she said.
Monga of AnantLaw said that users want actions to be taken against companies for data breaches which are effective and long-term. “Whenever there is a deadlock in terms of progress in the law, usually it is the user/consumer or victim that jolts the system,” she added.
“Section 43A of the IT Act may not give victims the right resolution, especially within a time-frame to solve data related issues, while issues like data breaches at payment companies may not fall under the Consumer Protection ambit. It is better that victims approach the court with a tort claim to ensure that the judiciary takes appropriate action against the company and imposes strict liability on them resulting in compensation to the victims. If users resort to tort claims, users may not only be able to solve the problem, but it will make other players/stakeholders in the ecosystem sit up and take notice.” — Anu Monga, Partner at AnantLaw
6) Companies need to be pro-active when breached
Despite their massive user-base and size, both Juspay and MobiKwik have tried to play down the scale of their respective data breaches.
In a blogpost, Juspay maintained that no full card numbers, no order information, no card PINs and no passwords were leaked. It conceded, however, that some non-sensitive masked card information, card expiry information, mobile numbers and email ids of some users were compromised. On the other hand, MobiKwik went as far as to say that users may have uploaded data on other websites, and therefore it is “incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.”
As the Internet Freedom Foundation stated in a post on Wednesday, cyber security researchers need to be provided with legislative protection against legal prosecution. The advocacy group has called on MobiKwik to recall any legal threats it has made to cyber-security researchers who reported the issue on social media platforms. The IFF has listed several steps for MobiKwik to follow, which should also apply to all organisations that face a data breach:
- User communication: Inform each affected user of the extent to which the data breach has impacted them.
- Remedies and compensation: Implement a strategy to provide adequate remedies to users, including but not limited to compensation under Section 43A of the IT Act.
- Details of the data breach: Explain why the data breach took place and provide details of the breach, including the number of users affected and the date and time on which the breach took place.
- Next steps: Explain the next steps that will be taken to ensure such a breach does not occur again.
- Forensic security audit: It should be conducted independently and its findings must be made public.