With Zomato being hacked and the 17 million users’ data up for grabs, Indian consumers face a new threat—of personal details being vulnerable to electronic bandits. Our outdated cyber security laws make the threat even more serious
~By Pavan Duggal
May 2017 has seen some of the biggest cyber attacks—the Ransomware WannaCry attacks and the onset of Adylkuzz mining malware, which is beginning to infect computer systems across the world. In this context, news about Zomato being hacked and details of 17 million users being stolen has also come in. This has not only shaken up the food app industry but other stakeholders in the corporate ecosystem. And they need to be aware that they could be potential targets.
Zomato’s theft is significant as the hacker also put up the stolen data for sale on the dark net. Zomato came to know about the breach and instantaneously reset the passwords of all its users. It clarified that data relating to payment information had been stored separately in a secured PCI Data Security Standard Compliant Vault and that no credit card data was stolen. The company has further stated that it will be reaching out to 6.6 million users whose encrypted passwords could be theoretically decrypted.
Zomato has also been in touch with the ethical hacker so as to convince him not to sell the said information. It has also proceeded to hold a bug bounty programme where ethical hackers will be asked to come and hack the company’s system so as to avoid future security vulnerabilities. While, 100 percent security is not possible, all efforts need to be taken to make computer systems and the resources of every stakeholder as secure as possible.
Indian cyber law has a distinct take on this. It considers companies like Zomato as intermediaries because their applications deal with, handle and process third-party data and also store, transmit or provide services with respect to third-party data. Indian cyber law mandates all intermediaries to exercise due diligence while discharging their obligations under the Act.
The Indian Information Technology Act, 2000 is an outdated piece of legislation which was amended only in 2008, with cosmetic changes
Compliance with cyber law will ensure that various sites and applications, be it for food, retail and taxis, protect customer data. Unfortunately, a majority of them offer lip service to cyber security and observe Information Technology Act, 2000, only for breaches rather than for compliance.
As more and more Indians get tech-savvy, mobile applications too are being used to provide various services. In such an environment, responsibility needs to be affixed on various stakeholders. These websites and applications need to put in place reasonable security practices and procedures to protect their third party data, including customer information from unauthorised access. Users also need to be sensitised about the significance of cyber security and make it part of their day-to-day life.
Users need to take adequate precautions before they log onto websites or download apps. Before downloading apps, it is a good idea to read the terms and conditions. These will give them a clear idea of how the app will deal with customer data and how it is preserved, retained and protected from security breaches. They should also go through customer reviews of the said app and get a clear idea about how it deals with customer-related information.
Though India is marching on the digital highway, cyber laws are not adequate to deal with the distinct challenges of cyber security. The Indian Information Technology Act, 2000 is an outdated piece of legislation which was amended only in 2008, nine years back. Though cyber law has given a legal definition of cyber security, only cosmetic provisions have been added, which are inadequate.
Given Zomato’s breach and the recent ransomware attacks, it is clear that India needs a dedicated cyber security law which can actually help define the roles, duties and responsibilities of all stakeholders. It can also provide substantial clarity to stakeholders if they choose not to comply with the provisions of such a law.
Given the historical and strategic significance of India as an emerging IT superpower and a huge e-commerce market, it is incumbent upon the government to come up with strong cyber legal frameworks. It should also make all stakeholders responsible for cyber security breaches of data which impact customer data and privacy.
In order to inculcate a culture of cyber security, training programmes need to be conducted not just by the government but also by other stakeholders also. It should be made an integral part of the curriculum from Class I onwards if India wants to build a digitally secure system.
Given Zomato’s breach and the recent ransomware attacks, it is clear that India needs a dedicated cyber security law which can actually help define the roles, duties and responsibilities of all stakeholders. It can also provide substantial clarity to stakeholders if they choose not to comply with the provisions of such a law.
The massive thrust on Digital India shows that Indians have now taken an irreversible route towards becoming a digital society and knowledge economy. In this ecosystem, cyber security is not an option but a necessity. No wonder, countries across the world are coming up with distinct cyber security laws, while India has still not woken up to it. On top of it, the National Cyber Security Policy, 2013, despite containing motherly statements on cyber security, still remains only a paper tiger and lacks efficient parameters for effective implementation.
One thing is clear—we are entering a new age where cyber security breaches will be the new norm and these will bring challenges for Indian policymakers and stakeholders. So any laws in this regard should play a proactive role in not only encouraging people to adopt cyber security as a way of life, but also come up with stringent punishments for violation. The advent of the dark net has further complicated the entire ecosystem.
It will be interesting to see how quickly India can learn lessons from Zomato’s breach, the WannaCry ransomware attack and the Adylkuzz mining malware attack. Will it protect itself fast by coming up with effective cyber security policies and regulatory frameworks? If so, these will take India to the next level on the digital highway.
—The author is an advocate in the Supreme Court
and a leading expert on cyber law and mobile law