1. What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Since 2017, the Indian legal framework has witnessed several discussions, and reports from several stakeholders, public and private likewise, concerning data privacy and protection laws. In December 2019, a new iteration of the data privacy and protection legislation was introduced, titled ‘The Personal Data Protection Bill, 2019’ (PDP Bill). Since then, there have been recent developments in the sectors of healthcare and finance which have implications on the data privacy and protection framework but are not specifically addressing any concerns pertaining to cybersecurity standards. However, the recent ban on the prevalence of the Chinese apps, have been cited to suffer from cybersecurity related concerns. The details of such actions of the government and the responses of the affected private stakeholders are not available in the public domain, and the entire issue is rife with speculation.
Sector specific bodies of the government like the Department of Communications have also released guidelines for best practices, to mitigate against and prepare the users and corporates for any cybersecurity threats and breaches. The guidelines were released to mitigate against any cybersecurity threats emanating from WFH (work from home) activities during COVID-19. 
2. When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
Per the extant legal framework, reporting of a cyber security incident may be done by an individual, organization or corporate entity affected by it. However, under instances of (i) targeted intrusion or compromising of critical networks/ systems; (ii) unauthorized access of IT systems/ data, (iii) defacement of website, malicious code attacks, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, attacks on DNS and network services; and, (iv) attacks on applications such as e-governance, e-commerce etc. warrant mandatory reporting to the Computer Emergency Response Team (CERT-In).
Per the PDP Bill, every data fiduciary (data controller as per the PDP Bill terminology) shall by notice inform the Data Protection Authority (DPA) about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal. The notification to the DPA shall be made by the data fiduciary to the DPA as soon as possible and within such period as may be specified by regulations, following the breach after accounting for any period that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm. The notice of the breach reporting shall include the following: (i) nature of personal data which is the subject-matter of the breach; (ii) number of data principals affected by the breach; (iii) possible consequences of the breach; and, (iv) action being taken by the data fiduciary to remedy the breach.
The PDP Bill, further states that upon receipt of a notice, the DPA shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm. The DPA shall instruct the data fiduciary on such notification to the data principals.
3. What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
In case of a data security incident, while remediation measures and re-evaluation of technical and organizational measures are urgent concerns for any company, it is important that they adhere to the security incident/ breach reporting protocols, from a regulatory perspective. Meeting timelines will allow containment of any added risks of flouting applicable laws and will also enable the company to assess need to communicate the breach details to the end users, in conjunction with the appropriate DPA. Continued evaluation of access controls (including physical access to protected systems) is a necessary part for internal housekeeping measures. Immediate steps would also include measuring the extent and impact of a data security incident/ breach and embedding learnings into the system.
For companies who are data controllers (data fiduciaries in the Indian context) must ensure that their obligations are mirrored down to the data processors, to allow for speedy reporting and early recovery protocols to be complied with.
4. What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
Organizations in our jurisdictions are increasingly conducting data protection impact assessments (DPIAs) when they are integrating solutions or are onboarding any new platform/ service onto their enterprise set-up. Further, deployment of sector specific and global technical and organization measures and standards, even in the absence of specific legal requirements is also assisting the Indian organizations to improve their cybersecurity preparedness. Companies are also ensuring that they maintain personal data inventories (PDIs) within separate and parallel functions of the company to ensure that there is a proper audit trail created for the internal privacy teams to evaluate and re-assess the access levels granted, roles of the data owners and data stewards, and also to ensure the confidentiality, integrity and availability of data.
Companies are training their personnel in security principles, including the basic ones like a ‘clear screen and clean desk policy’. Further, the companies also provide only a very limited authority to install software (to the employees) and limit their use and access over company systems/ assets.
5. Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?
Prior to moving data to a cloud hosting environment, businesses must first consider the legal implications of such transfer (if any) and must necessarily comply with any localization or similar requirements. Additionally, since the businesses might not necessarily have controls over the physical access, the businesses must ensure that there are back-up instances to resort to in case of any redundancy and for business continuity.
Lack of visibility of the environment, and limited control over access are issues that businesses typical face when choosing to move data to cloud hosting environment. It is for the business to ensure that they are aware of the containers in which separate data identifiers are put in (where the requirement is to keep personal data and sensitive personal data in separate containers, as a business practice), the levels of access granted to the personnel, and, the levels of protection applied to the environment.
It is best that the company retains its own visibility over the data being moved to the cloud hosting environment, instead of trying to control portions of the data moved, partially. Internal teams must be made responsible for applications and must support the external vendor to ensure security. Further, automated application systems and deployment of management tools also ensures that nothing slips through the several processes. Similar to the four-eyes principle, there must be re-assessment by separate teams to make the system robust.
6. How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
The government in addition to inviting comments from stakeholders towards the PDP Bill, is also in the process of evaluating the existing intermediary guidelines and the draft intermediary guidelines, with participation from sectoral associations. Serious cybersecurity threats (including political opportunities) are being evaluated by the government and bans/ prohibitions pertaining to vulnerable demography (children) of the population and high-risk applications (including e-commerce platforms) have been implemented. In view of these threats, DoT has further directed all state-owned companies, central ministries and government departments to give preference to locally produced cybersecurity products in public procurement.
Further, institutions like CERT-In also conduct assessments and upload reports, open to public access to review the prevalent conditions. Also, sectoral regulators are independently and proactively evaluating the standards which are necessary or typical for the sectors.
7. When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
A company must seek information on the privacy processes, which is inclusive of internal and external policies, standard operation procedures, enforcement efforts in light of the applicable regulatory and compliance requirements. The manner in which a company collects, uses, discloses, stores, shares, discloses, and purges personal / sensitive personal data is a key element in analysing its risk profile. Further considerations would also include: (i) robustness of information security program (policies, implementation procedures), (ii) disaster recovery and business continuity plans, (iii) management of all vendors (solutions, services, including cloud service providers), (iv) DPIAs (vulnerability and penetration testing), (v) any information security certifications (more importantly compliance with sectoral standards/ industry practice), (vi) incident response, reporting protocol and plan (vii) records of any prior incidents or breaches, (viii) PDI or a data map, data flow chart, (ix) documentation on security audits. Additionally, contractual arrangements and the exposure in terms of liability must also be considered by the acquiring business.
The Inside Track
a. When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?
In choosing a lawyer to help with cybersecurity, clients must look for their experience in the domain of ITeS, or related domain, enabling the lawyer to present solutions which can be best implemented at an enterprise level. The lawyer should be able to offer handholding services, and also appreciate the internal functioning of the clients prior to making any suggestions of modifying the business structure per se.
b. What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?
The ambiguity that exists, and the overlaps which predicate the domain make advisory in cybersecurity and privacy domain interesting. The constant need to reconcile the sectoral rules with the central legislation and devising ways to ensure compliance with the existing best global practices is a challenge and keeps every privacy professional looking for better and efficient solutions to implement.
c. How is the privacy landscape changing in your jurisdiction?
The consumer perspective towards data privacy and protection is changing, as they are witnessing the unabashed exploitation of user data, behavioural data and likewise, globally. Also, with the apex court’s judgment on the right to privacy and the mandatory delineation of a national unique social ID (Aadhaar) from the welfare schemes, and private interference has brought to the fore the need for a data privacy and protection framework.
The privacy landscape may be slightly impacted by the introduction of a provision to identify the first originator, under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021); however, does not require the intermediary to to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users.
Further, the union government has also factored in the prevalence of non-personal data and has released reports in an attempt to regulate the same.
d. What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?
Of late, DDoS attacks, Web Application attacks, and payment card skimming have been on the rise, and much similar to the global trend malware, ransomware attacks are also pretty common in the country. Also, there has been a trend of data theft in the banking and the e-commerce sectors. Confirmed data breaches were often associated with banking Trojans stealing and reusing customer passwords, along with ATM skimming operations.
Abhishek Malhotra, Founding Partner
Abhishek Malhotra, Founding Partner, TMT Law Practice (having offices in Delhi, Mumbai and Bangalore), has two decades of experience in the primary areas of expertise, including intellectual property, commercial dispute resolution, technology, media and telecommunications. Mr Malhotra is a member of the Bar Council of Delhi and the State Bar of California, and also holds memberships of national and international professional associations. He has contributed to the policy realm by providing inputs to the Governments and think tanks on copyright issues, sports and fantasy gaming, Digital Health; and as a Principal Advisor to the Broadband India Forum on issues relating, inter alia, to satellite communication and data protection. Mr Malhotra is a guest lecturer at Indian Institute of Information Technology, the National Law School of India University, NUJS, Kolkata.
Bagmisikha Puhan, Associate Partner
Bagmisikha Puhan, Associate Partner, TMT Law Practice, is a technology lawyer and privacy practitioner. She is a member of the Bar Council of West Bengal. Her primary areas of focus include technology, telecommunications, and healthcare. She advises new age technology institutions in the healthcare, fintech and space communications sectors on general corporate advisory, statutory compliance, foreign direct investment, and also focuses on implementing privacy measures at an enterprise level. She has contributed to books and papers on telehealth, data privacy and protection, cybersecurity, and commercial space and policy. She is the legal advisor to the Telemedicine Society of India and has assisted the society in collaborating with the government/s for policy implementation. She is also a member of the Ethics Committee (Academic) of Mohan Foundation, which is a leading organization in the field of deceased organ donation and transplantation in the country.
 Rule 4, IT Rules, 2021.