Data loss prevention (DLP) systems are crucial tools for safeguarding intellectual property and business secrets. IT is the business enabler in every company, but the ease of communication creates a major risk for sensitive information. Employees with access to such information may, deliberately or inadvertently, leak it to third parties. Cases of Aadhaar biometric data leaks have already started surfacing in India.
Implementing a DLP system is a powerful way to protect against data loss and leaks. The following general points should be kept in mind before implementing a DLP system from a data protection perspective in India.
In India, personal and confidential information is protected under the Information Technology Act, 2000 (IT Act) and the rules made under it (IT Rules). The IT Act is based on the United Nations resolution recommending that all member states adopt the Model Law on Electronic Commerce adopted by UNCITRAL. The IT Act, inter alia, addresses data security concerns and provides for civil and criminal liability for breach of personal data or information, theft of computer databases, violation of privacy, etc.
In April 2011, India's Central Government notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the "Data Protection Rules") under the IT Act, governing the collection and processing of personal information in India.
WHAT NEEDS PROTECTION: DEFINITION OF SENSITIVE DATA
The Data Protection Rules define "Sensitive Personal Data or Information" of a person as personal information relating to:
• passwords;
• biometric information;
• medical records and history;
• physical, physiological and mental health condition;
• financial information such as bank account, credit card, debit card or other payment instrument details;
• sexual orientation;
• any detail relating to the above clauses as provided to a body corporate for providing a service; and
• any of the information received under the above clauses by a body corporate for processing, stored or processed under a lawful contract or otherwise;
provided that any information that is freely available or accessible in the public domain, or furnished under any law for the time being in force, shall not be regarded as sensitive personal data or information.
RESTRICTIONS ON DATA TRANSFER OUTSIDE INDIA
Under the Data Protection Rules, a body corporate may transfer sensitive personal data or information outside India only where:
• the recipient entity ensures the same level of data protection (the reasonable security practices prescribed under the Rules), and
• the transfer is necessary for the performance of a lawful contract, or
• the data provider has given prior consent.
Besides the Data Protection Rules, there is no other law that governs overseas data transfer. Further, these transfer restrictions apply to any sensitive personal data or information transferred outside India, irrespective of the country to which it is transferred.
CYBER-ATTACK AND REPORTING
The IT Act provides a legal framework to tackle security breaches and hacking of information technology infrastructure. Under the IT Act, the Indian government has constituted the "Indian Computer Emergency Response Team" ("CERT-In") as the national nodal agency for cyber security.
In January 2014, the Government notified the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the "CERT-In Rules"), which prescribe the functions and responsibilities of CERT-In, the procedure for incident reporting, response and information dissemination, etc. Sectoral CERTs have been established for various sectors, including defense and finance.
Any individual, organization or corporate entity affected by a cyber security incident may report it to CERT-In. In addition, the CERT-In Rules make reporting mandatory for service providers, intermediaries, data centres and body corporates (handling sensitive personal information): they must report the cyber security incidents specified in the Rules to CERT-In "as early as possible". These cyber security incidents are:
• targeted scanning/probing of critical networks/systems;
• defacement of a website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;
• attacks on servers such as database, mail and DNS servers, and on network devices such as routers;
• identity theft, spoofing and phishing attacks;
• attacks on critical infrastructure, SCADA systems and wireless networks;
• compromise of critical systems/information;
• attacks on applications such as e-governance, e-commerce, etc.;
• unauthorized access to IT systems/data;
• malicious code attacks such as the spreading of viruses/worms/trojans/botnets/spyware;
• denial of service (DoS) and distributed denial of service (DDoS) attacks.
Logix InfoSecurity provides the latest DLP systems and cyber security tools for real-time protection of systems.