Bombay: Cybersecurity activists may drag the country’s cybersecurity regulator to court for failing to take action against companies that have suffered data breaches and for failing to provide clarity on what measures are being taken to protect customers.
Their contention is that the Indian Computer Emergency Response Team (CERT-In) has not taken any action despite the country witnessing a number of data breaches, including those at Air India, BigBasket and Domino’s, during the last few months.
“Cybersecurity activists are exploring all possible options, including legal ones, to demand better accountability and transparency when it comes to data breaches,” said Suman Kar, CEO of Banbreach, a cybersecurity company specializing in network security, data breach management and forensics. “Efforts to reach CERT-In, both individually and organizationally, have had limited success.”
At least one petition is likely to be filed in Delhi High Court in a few days, people familiar with the development said.
Activists are weighing whether they should file a class action or move different high courts individually. The Ministry of Electronics and IT (MeitY) may also be made part of the petition, they said.
“Since the creation of the IT Act in 2000, there has been no penalty on any company that has faced a data breach,” said Srinivas Kodali, a researcher at the Free Software Movement of India (FSMI), who has been tracking data breaches. “We want to ask ourselves what measures the CERT-In takes. We are not looking for compensation, but we want to know why government agencies have not reacted so far.”
The development stems from the increase in data breaches and cyberattacks, especially since the onset of the Covid-19 pandemic last year.
Recently, Air India reported a data breach in which the passport data of 4.5 million passengers was compromised. Another attack exposed the order details of 180 million Domino’s Pizza customers. In March, independent cybersecurity investigators said the personal data of more than 100 million customers of the fintech startup MobiKwik was available on the dark web. The company denied the leak.
Cybersecurity attacks have affected 52% of India’s organizations over the past twelve months, according to a report from cybersecurity solution provider Sophos and IT consulting and research and analysis firm IT Tech Research Asia (TRA). As many as 71% of these companies described it as a “serious or very serious attack” and 65% said it took more than a week to resolve, according to the report.
Under the 2013 CERT standards, the government agency should provide services, including cybersecurity incident response and cybersecurity incident analysis and forensics, according to the Software Freedom Law Center (SFLC.in).
“CERT-In has the function of collecting, analyzing and disseminating information on cyber incidents under section 70-B of the IT Act,” said Prasanth Sugathan, technology lawyer and legal director of SFLC.in. “However, there has been no response to several petitions sent to CERT-In. The aggrieved persons could approach the courts for help against CERT-In’s inaction.”
Kar of Banbreach said activists want to “start a conversation around what steps are being taken to protect customers and any new controls and balance that may be needed.”
The cybersecurity watchdog had recently asked Facebook Inc. users to protect their profile information on the social networking site after it was noted that the personal data of 533 million users worldwide, including details of 6.1 million users in India, had allegedly been leaked online and posted for free on hacking forums.