Data Protection Newsletter (October, Issue I)

October 18, 2024

Summary

  • India’s Data Breach Crisis Explained
  • Star Health Insurance Data Leak: Timeline and Synopsis
  • Over 237,000 Customers affected by Ransomware attack: Comcast Data Breach
  • AI is too important not to be regulated: Google Managing Director
  • Regulations crucial for Cybersecurity and Data Protection: Quick Heal CEO
  • Penalties under the DPDP Act
  • Map Out Personal Data Points
  • Institute Robust Access Controls

Headlines of the Week

India’s Data Breach Crisis Explained

India has a serious problem with data breaches: over 100 million records have leaked in recent years, exposing sensitive information such as Aadhaar numbers, financial details, and medical history. A recent study found that the PII of over 81.5 Cr Indians is up for sale on the dark web. The DPDP Act aims to combat this with strict data protection obligations and penalties of up to ₹250 Crore for failing to implement reasonable security safeguards against breaches. Breaches carry severe financial and reputational consequences, including legal action, fines, and loss of consumer trust, as the Zomato and BigBasket incidents showed. Organisations must adopt measures such as encryption, data minimisation, and regular audits to prevent breaches. Under the DPDP Act, prompt breach notification to both the Data Protection Board (DPB) and affected users is mandatory, with strict guidelines on content and timing.

Read the Full Article

Star Health Insurance Data Leak: Timeline and Synopsis

Star Health and Allied Insurance suffered a massive data breach, disclosed on 9 October. Reportedly, data of over 31.5 mn customers has been compromised. The hacker, reportedly using the handle xenZen, claims to have accessed 7.24TB of data and is offering it for sale online for $150,000, with smaller batches of 100,000 records reportedly listed at $10,000 each. The compromised data reportedly includes customer names, PAN numbers, mobile numbers, email addresses, policy details, dates of birth, and confidential medical records. There are claims that the company's chief information security officer (CISO) may have had a role in the breach; the company completely denies these claims. Star Health and Allied Insurance announced on 12 October that it had received a ransom demand of $68,000. The company has constituted a Risk Management Committee, which handles the cybersecurity function. In its 9 October statement the company noted that an investigation led by independent cybersecurity experts is underway and that it is working with government and regulatory authorities on the investigation.

Source: Livemint

Over 237,000 Customers affected by Ransomware attack: Comcast Data Breach

Comcast confirmed a data breach, dating to February 2024, that affected over 237,000 customers. The breach resulted from a ransomware attack on a former debt collection partner, FBCS, rather than on Comcast's own systems. Compromised data includes names, addresses, Social Security numbers, dates of birth, Comcast account numbers, and internal ID numbers used by FBCS. Comcast is offering affected customers 12 months of free identity theft protection.

Source: Economic Times

Analysis of the Week

AI is too important not to be regulated: Google Managing Director

Google’s MD and interim country manager for India, Roma Datta, noted that Google’s strategy in India will continue to be closely aligned with the country’s aspiration of becoming a developed nation within the next two decades. She confirmed that Google will host its genAI model locally, a decision she linked to helping Indian businesses, to the company’s investment strategy in India, and to AI regulation. Under the new policy, Google’s Gemini model will be based in India: both the data and the model will run in India. She also touched upon the significance of regulating AI, noting that AI is a very general-purpose technology that can be applied to a wide variety of use cases, and that Google has AI principles and practices in place as a governance framework.

Source: Economic Times

Regulations crucial for Cybersecurity and Data Protection: Quick Heal CEO

Regulations are crucial for cybersecurity and data protection, says Quick Heal CEO Vishal Salvi. He highlighted the importance of frameworks, saying they are essential for ensuring data protection and fostering trust between businesses and consumers, and noted that in today's interconnected world, rules such as the Digital Personal Data Protection (DPDP) Act and global privacy regulations are vital to that end. The company launched a new AI-powered fraud prevention solution, AntiFraud.AI, available for Rs 750/year, and plans to expand its market presence and strengthen partnerships.

Source: Economic Times

Insights of the Week

Penalties under the DPDP Act

Read our blog to understand the penalties under the DPDP Act. Non-compliance with the DPDP Act can result in penalties ranging from ₹50 Crore to ₹250 Crore per violation. The Data Protection Board (DPB) serves as the primary authority for enforcing the DPDP Act. The DPB will operate digitally allowing for online complaint filing and adjudication. Penalties will be assessed based on several factors including the nature, duration and recurrence of violations. To avoid hefty penalties, businesses must implement comprehensive compliance strategies particularly on managing user consents effectively.

Read the Full Article

Compliance Tip of the Week

Map Out Personal Data Points

Indian businesses are advised to conduct a thorough audit to map out every personal data point across their systems. Companies should clearly record each item of PI collected, the activity (purpose) it corresponds to, and its retention period. This lets companies store PI appropriately, delete it when the retention period ends, and give end-users the option to correct or update it when required.

Institute Robust Access Controls

Indian businesses are advised to institute robust access controls and limit access to personal data. Companies should grant access to such information on a need-only basis, ensuring that only a limited set of employees whose role requires it are authorised. This reduces the risk of data leaks as well as of insider misuse and human error.
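The two tips above, the data map with retention periods and need-to-know access, are straightforward to express in code. The following is an added example written for this newsletter; it is not code from the newsletter, from Leegality, or from any product named on this page. The field names, roles, retention periods, customer records and audit format are all constructed for illustration: a data map lists each personal-data field with its purpose and retention period, a role policy lists the only fields each role may read (deny by default), every read is written to an audit trail, and expired fields can be purged.

```python
"""Need-to-know access to personal data, driven by a data map and audited.

Added example, not code from the newsletter or any product on the page.
All names, roles, retention periods and records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Data map: every personal-data field the (hypothetical) system holds, the
# activity that justifies collecting it, and its retention period in days.
DATA_MAP = {
    "name":            {"purpose": "policy_servicing", "retention_days": 2920},
    "mobile":          {"purpose": "policy_servicing", "retention_days": 2920},
    "pan":             {"purpose": "kyc",              "retention_days": 1825},
    "medical_history": {"purpose": "claims",           "retention_days": 3650},
}

# Role policy: the only fields each role may read. Any role or field not
# listed here is denied.
ROLE_FIELDS = {
    "support_agent":   {"name", "mobile"},
    "kyc_officer":     {"name", "pan"},
    "claims_assessor": {"name", "medical_history"},
}

# Constructed sample store keyed by customer id (not real data).
SAMPLE_RECORDS = {
    "C-1001": {
        "collected_on": "2017-06-01",
        "name": "A. Sample",
        "mobile": "9000000000",
        "pan": "ABCDE1234F",
        "medical_history": "sample-placeholder",
    },
}

# Reference date used by the retention examples (the newsletter's date).
AS_OF = date(2024, 10, 18)


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    role: str
    customer_id: str
    fields: tuple
    decision: str  # "allow" or "deny"


def read_customer(actor, role, customer_id, fields, records=SAMPLE_RECORDS, audit=None):
    """Return only the requested fields that `role` is entitled to.

    The whole request is refused if it asks for any field outside the role's
    allow-list (no partial disclosure), and both outcomes are audited.
    """
    audit = audit if audit is not None else []
    requested = tuple(sorted(set(fields)))
    over_ask = set(requested) - ROLE_FIELDS.get(role, set())
    if over_ask:
        audit.append(AuditEvent(actor, role, customer_id, requested, "deny"))
        raise AccessDenied(f"role {role!r} is not entitled to {sorted(over_ask)}")
    record = records[customer_id]
    audit.append(AuditEvent(actor, role, customer_id, requested, "allow"))
    return {f: record[f] for f in requested}


def expired_fields(record, today):
    """Fields whose retention period (per DATA_MAP) has run out since collection."""
    collected = date.fromisoformat(record["collected_on"])
    return sorted(
        f for f, meta in DATA_MAP.items()
        if f in record and collected + timedelta(days=meta["retention_days"]) < today
    )


def purge_expired(record, today):
    """Return a copy of the record with expired fields removed (data minimisation)."""
    gone = set(expired_fields(record, today))
    return {k: v for k, v in record.items() if k not in gone}


if __name__ == "__main__":
    log = []
    print(read_customer("agent-7", "support_agent", "C-1001", ["name", "mobile"], audit=log))
    try:
        read_customer("agent-7", "support_agent", "C-1001", ["name", "pan"], audit=log)
    except AccessDenied as exc:
        print("denied:", exc)
    print("expired as of", AS_OF, "->", expired_fields(SAMPLE_RECORDS["C-1001"], AS_OF))
    for event in log:
        print(event)
```

Two design choices worth noting: a request that over-asks is refused outright rather than silently trimmed, so a misconfigured client is surfaced in the audit trail instead of quietly receiving a subset; and retention is evaluated per field from the data map, so a PAN collected for KYC can expire while servicing data on the same record is still retained.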

Explore Leegality Consent Manager

Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:

  • Compliant consent notices across all customer touchpoints
  • Storage of verifiable and auditable records of each consent
  • Dashboard for customers to change consent preferences and exercise data rights
  • Oversight over the data practices of your third parties

Explore Leegality Consent Manager for your Business

Sign up for a demo and early trial access

  • Customised demo for every use case
  • Deep dive into your unique needs and compliance challenges
  • Free access to a testing account