Ransomware attack: AIIMS is victim or liable for compromising critical data?

The ransomware attack on AIIMS and the critical data breach of crores of individuals, including dignitaries of the government, judiciary, and administrative body of India, creates a compelling case about how the legislature is blind-sided to the real threats to data privacy.

What the Digital Personal Data Protection Draft Bill fails to address?

Many Indian citizens lost their lives due to the unethical hacking of their personal data that made them vulnerable to extortion by Chinese loan apps. The Enforcement Directorate (ED) is pursuing the perpetrators but the families and loved ones of the victims of the Chinese loan apps may never get compensated. This is because the draft bill of digital personal data protection neither provides for criminal misuse of a person's data nor defines any circumstances whereby citizens may be compensated.

Even for a case like AIIMS, it is a matter of debate as to who should be held liable for the cyber-attack and who should compensate whom? It needs to be kept in mind that the law and its implications for AIIMS would also be the same for any data-fiduciary operating in India. Legally, should AIIMS be considered a victim of a data-breach or a data-fiduciary who has compromised critical data of Indian citizens? The fact of the matter is, there are no laws about the measures an institution or a private entity needs to take in order to secure the data it holds. The current Draft Bill provides only for events where personal digital data is compromised by a data-fiduciary by non-compliance.

Should you worry about privacy when your security is at threat?

The Fortune India report on Digital Policy Paralysis published on November 4, 2022, highlighted how vulnerable digital India is. As the matters stand today, India has no law that effectively addresses real-life cases like the cyber attack on AIIMS, which are real threats to the life of the citizens through data breaches.

The Intelligence Fusion and Strategic Operations (IFSO) division of the Delhi Police has filed a case of extortion and cyberterrorism with respect to the cyber-attack on AIIMS. The case has to join the queue of a long list of cyber-attacks that have been plaguing India for many years now without much respite to the victims. The Indian Computer Emergency Response Team (CERT-In) reported more than 6.7 lakh cyber security incidents in the first half of 2022. According to the Cost of Data Breach 2022 report by IBM, the average cost of data breach in India is $2.32 million. It means a business loses an average ₹17.4 crore in a single data breach.

The legislature has engaged in multiple deliberations and probably used copious amounts of man-hours in preparing three draft-bills on the issue of personal data-privacy, since 2018. However, not only is the latest Draft Bill on Digital Personal Data Protection the most ambiguous and ineffective amongst the three but also completely fails to ensure data security for Indian citizens.

Legislation in digital domains: Needs of the nation versus wants of the authorities

There seems to be a dichotomy between the threat to the nation and the threat perceived by the government when it comes to formulating legislation for data privacy and protection.

Free speech seems to be the pivotal threat perceived by the authorities, which appears to give unequal importance to user generated content in the regulatory frameworks.

The current regulations for Social Media Intermediaries framed by the Ministry of Electronics and Information Technology (MeitY) is largely formulated to contain social-media posts that are against public decency and public policy. The government also has the supreme authority to dictate a social media intermediary to remove any posts or block any individual from accessing his/her social media account without having to give any notice to the individual posting the content.

However, the threat to citizens and the nation is through data breaches and data theft that happen through cyber-attacks like the recent data theft of AIIMS. It is time to question as to what comes first, laws that make data-fiduciaries secure and protect user data from external and internal threats or laws to make data-fiduciaries not peep into user data.