Internal Vulnerabilities of Organizations and Data Privacy Compliance

December 13, 2023

Introduction

Organizations today operate in an era where information and data play a crucial role in their success. With the increasing reliance on technology and interconnected systems, however, internal vulnerabilities have become a significant data security concern. Weaknesses inside the organization, together with insider risks (employees, contractors and vendors acting negligently or with intent), pose a threat to data privacy, making it imperative for businesses to comply with the data protection regulations applicable to them.

Understanding and addressing internal vulnerabilities is paramount for safeguarding organizational data and ensuring compliance with data privacy regulations. By adopting a proactive approach to cybersecurity and adhering to privacy standards, organizations can mitigate the potential risks.

Vulnerability Assessments

Vulnerability assessment, usually paired with a risk assessment, is essential to protect a company from data breaches and the financial losses that follow. It identifies potential weaknesses and proposes mitigation measures that either remove each weakness or reduce its risk to an acceptable level. By identifying and addressing security risks before an attacker does, one can avoid the consequences of a data breach.

  • Internal Assessments: A process that helps organizations identify vulnerabilities within their networks, internal servers, workstations, applications, etc., and fix them before they are exploited. It can be carried out in many ways, the most common being automated vulnerability scanners; authenticated scans, which log in to the hosts being assessed, find far more (missing patches, weak local configuration) than unauthenticated ones.
  • External Assessments: This method entails inspecting the network from the outside, as an attacker on the internet would see it. It covers public-facing assets, open ports, exposed services, public applications, etc. External assessments identify weaknesses in the network perimeter that could lead to a threat or exposure. In both cases, scanner findings should be verified and prioritized by exploitability and by the sensitivity of the data behind the affected system, rather than worked through in the order the tool reports them.
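The smallest useful form of an external assessment is a connect scan of a public host compared against the list of services the organization actually intends to expose. The script below is an added example and not code from the article or from any scanning product; the approved-exposure baseline, the risky-port table and the loopback target in the demo run are constructed for illustration, and it must only be pointed at hosts you are authorised to test.

```python
"""External exposure check: a TCP connect scan of one host, compared with an
approved-exposure baseline.

Added example, not code from the article. The baseline, the risky-port table
and the target in the demo run are constructed; scan only hosts you are
authorised to test."""
import socket
from typing import Dict, Iterable, List

# Constructed baseline: the only services this hypothetical organisation
# intends to expose on its public web host.
APPROVED_EXPOSURE: Dict[int, str] = {443: "https"}

# Services that are frequently found internet-facing by mistake, with the
# reason each is a finding. Any other unexpected open port is still reported,
# at a lower severity.
RISKY_PORTS: Dict[int, str] = {
    21: "FTP: credentials travel in cleartext",
    22: "SSH: management interface reachable from the internet",
    23: "Telnet: cleartext legacy management",
    445: "SMB: file sharing should never be internet-facing",
    3306: "MySQL: database reachable from the internet",
    3389: "RDP: frequent ransomware entry point",
    6379: "Redis: often unauthenticated",
}


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports on `host` that accept a TCP connection.

    A plain connect scan: needs no privileges but is slower and noisier than a
    SYN scan, which is acceptable when checking your own perimeter."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def assess_exposure(open_ports: Iterable[int],
                    approved: Dict[int, str] = APPROVED_EXPOSURE,
                    risky: Dict[int, str] = RISKY_PORTS) -> List[dict]:
    """Turn open ports into findings: anything open that is not in the approved
    baseline is a finding, rated high if it is a known-risky service and medium
    otherwise. Findings are returned sorted by port."""
    findings = []
    for port in sorted(set(open_ports)):
        if port in approved:
            continue
        findings.append({
            "port": port,
            "severity": "high" if port in risky else "medium",
            "reason": risky.get(port, "service not in the approved-exposure baseline"),
        })
    return findings


def run_assessment(host: str, ports: Iterable[int],
                   approved: Dict[int, str] = APPROVED_EXPOSURE,
                   timeout: float = 0.5) -> List[dict]:
    """Scan, then assess, in one call."""
    return assess_exposure(scan_ports(host, ports, timeout), approved)


if __name__ == "__main__":
    # Demo against loopback only (a constructed target); replace with the
    # organisation's public address range when running a real assessment.
    for finding in run_assessment("127.0.0.1", [22, 80, 443, 3306, 3389, 6379, 8080]):
        print(f"port {finding['port']:>5}  {finding['severity']:<6}  {finding['reason']}")
```

The baseline is the important part: a port is not a finding because a tool lists it, but because nobody decided it should be reachable. Keep the approved list under change control and re-run the scan after every perimeter change, so that the diff, not the raw scan, is what gets reviewed.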

Principle of Privacy by Design

Privacy by Design means that privacy is integrated into technology, IT systems, services and products from the outset to ensure data protection. The entire engineering process is conducted with privacy in mind, so that safeguarding personal data becomes as important as any other functionality. It is an essential principle under the General Data Protection Regulation (Article 25, "data protection by design and by default") and is one of the primary practices for crafting a robust and strategic privacy and security programme for an organization.

The foundation of Privacy by Design rests on seven core principles, thus providing a guiding framework for integrating privacy into an organization’s daily operations.

  • Proactive, not Reactive; Preventative, not Remedial
  • Privacy as a Default Setting
  • Privacy embedded into Design
  • Full Functionality: Positive-Sum, not Zero-Sum
  • End-to-End Security: Full Data Lifecycle Protection
  • Visibility and Transparency
  • Respect for User’s Privacy

Emergence of Artificial Intelligence

The traditional approach to cyber security before Artificial Intelligence (hereinafter referred to as "AI") was introduced was largely reactive and remedial, relying on manual analysis, signature-based detection and rule-based systems. Such controls only recognize what has already been seen and written down, so they were often ineffective against new and unknown threats, and they could generate a high number of false positives, which is a drain on analyst resources.

AI-based solutions in cyber security differ from traditional approaches in several ways. They use machine learning models that can detect, and in some cases respond to, both known and unknown threats in near real time. The models are trained on vast amounts of data, including historical threat data and telemetry from the network and endpoints, to learn what normal activity looks like and to identify patterns that are difficult for humans to see. This allows deviations from the learned baseline to be flagged without a human first writing a rule for them. Fully automated response without human intervention is feasible for well-understood actions such as isolating a host or blocking an address, but it should be limited to cases where a false positive is cheap, because a model, like a rule, can be wrong.

As new threats emerge, the models can be retrained on new data to improve their ability to detect and respond to them, so AI-based solutions can keep pace with the evolving threat landscape and provide more effective protection over time. They bring their own weaknesses, however: a model is only as good as the data it was trained on, it still produces false positives that need tuning, and an attacker who knows a baseline is in use can deliberately shape activity to stay within it.

The use of AI in cybersecurity therefore represents a major shift in how organizations approach detection and response. Used alongside, rather than instead of, well-maintained signatures and sound basic controls, it helps organizations better safeguard their sensitive data and critical systems.
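The difference between the two approaches is easiest to see on a handful of log lines. The script below is an added example, not code from the article or from any vendor's product: it stands in for a real machine-learning model with a deliberately simple statistical baseline (per-feature z-scores learned from benign traffic), which is enough to show the mechanism. The log format, the benign training lines, the signatures and the three test lines are all constructed for this illustration.

```python
"""Signature rules versus a learned baseline, on constructed web-server log
lines.

Added example, not code from the article. A per-feature z-score baseline stands
in for a real machine-learning model; the log format, training data and
signatures are constructed for illustration."""
import re
import statistics
from typing import Dict, List, Tuple

# Constructed log format: <client ip> "<method> <path>" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed benign traffic used to learn what "normal" looks like.
BENIGN_LOG = [
    '203.0.113.10 "GET /" 200 "Mozilla/5.0"',
    '203.0.113.10 "GET /index.html" 200 "Mozilla/5.0"',
    '203.0.113.11 "GET /about" 200 "Mozilla/5.0"',
    '203.0.113.11 "GET /products?id=12" 200 "Mozilla/5.0"',
    '203.0.113.12 "POST /login" 200 "Mozilla/5.0"',
    '203.0.113.12 "GET /static/app.js" 200 "Mozilla/5.0"',
    '203.0.113.13 "GET /contact" 200 "Mozilla/5.0"',
    '203.0.113.13 "GET /products?id=7" 200 "Mozilla/5.0"',
]

# The traditional approach: each signature fires only on a pattern that has
# already been seen and written down.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("sqlmap user agent", re.compile(r"sqlmap", re.I)),
    ("path traversal", re.compile(r"\.\./")),
    ("SQL injection", re.compile(r"union\s+select", re.I)),
]


def parse(line: str) -> Dict[str, object]:
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    g = m.groupdict()
    return {"ip": g["ip"], "method": g["method"], "path": g["path"],
            "status": int(g["status"]), "ua": g["ua"]}


def signature_hits(entry: Dict[str, object]) -> List[str]:
    haystack = f"{entry['path']} {entry['ua']}"
    return [name for name, rx in SIGNATURES if rx.search(haystack)]


def features(entry: Dict[str, object]) -> Dict[str, float]:
    """Three crude features; a real model would learn far more of them."""
    path = str(entry["path"])
    return {
        "path_len": float(len(path)),
        "special_chars": float(sum(c in "%<>'\"();|&$" for c in path)),
        "error": 1.0 if int(entry["status"]) >= 400 else 0.0,
    }


def fit_baseline(lines: List[str]) -> Dict[str, Tuple[float, float]]:
    """Mean and population standard deviation of each feature over benign traffic."""
    rows = [features(parse(line)) for line in lines]
    baseline = {}
    for name in rows[0]:
        column = [row[name] for row in rows]
        # A feature that never varies in training gets a floor of 1.0 so that a
        # later change in it counts as one standard deviation, not infinity.
        baseline[name] = (statistics.mean(column), statistics.pstdev(column) or 1.0)
    return baseline


def anomaly_score(entry: Dict[str, object], baseline: Dict[str, Tuple[float, float]]) -> float:
    """Largest absolute z-score across the features."""
    f = features(entry)
    return max(abs(f[name] - mean) / sd for name, (mean, sd) in baseline.items())


def detect(line: str, baseline: Dict[str, Tuple[float, float]], threshold: float = 3.0) -> Dict[str, object]:
    """Run both detectors on one line and report what each would have said."""
    entry = parse(line)
    hits = signature_hits(entry)
    score = anomaly_score(entry, baseline)
    return {"signatures": hits, "anomaly_score": round(score, 2),
            "flagged_by_signature": bool(hits), "flagged_by_baseline": score > threshold}


if __name__ == "__main__":
    base = fit_baseline(BENIGN_LOG)
    for line in [
        # known tool: the signature catches it, the baseline sees a normal-looking path
        '198.51.100.7 "GET /products?id=1" 200 "sqlmap/1.7.2"',
        # novel payload with no signature: only the baseline reacts
        '198.51.100.8 "GET /api/v1/export?fmt=%3Cscript%3Ealert%281%29%3C%2Fscript%3E" 500 "Mozilla/5.0"',
        # legitimate but unusual URL: the baseline raises a false positive
        '203.0.113.14 "GET /blog/2023/12/13/internal-vulnerabilities-of-organizations-and-data-privacy-compliance" 200 "Mozilla/5.0"',
    ]:
        print(detect(line, base))
```

The three demo lines are the whole argument in miniature: the signature catches the known tool and nothing else, the baseline catches the unseen payload but also flags a harmless long blog URL. In practice both run together, and the tuning effort the article mentions goes into choosing features and thresholds so that the second kind of miss does not drown the analysts.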

Bodies Established Under the Information Technology Act, 2000

  1. The Indian Computer Emergency Response Team (CERT-In)

Section 70B of the Information Technology Act, 2000 (hereinafter referred to as "IT Act, 2000") provides for CERT-In and the functions it performs as the national agency for incident response. Reporting of cyber security incidents by companies is governed by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, under which certain incidents must mandatorily be reported. However, those rules prescribed no time limit; incidents were only required to be reported as early as possible.

CERT-In issued Directions under Section 70B(6) on 28 April 2022 providing clarity in this regard by fixing a timeline of six hours. Incidents can be reported to CERT-In via email (incident@cert-in.org.in), phone (1800-11-4949) and fax (1800-11-6969). The Directions require every service provider, intermediary, data centre, body corporate and government organization to report cyber incidents to CERT-In within six hours of noticing them or of being brought to notice of them.

The types of cyber security incidents that must be reported by service providers, intermediaries, body corporates and government organizations include targeted scanning or probing of critical networks or systems, identity theft, phishing, data breaches, data leaks, unauthorized access to IT systems, defacement of or intrusion into a website, and unauthorized changes such as inserting malicious code or links to external websites.

  2. National Critical Information Infrastructure Protection Centre (hereinafter referred to as "NCIIPC")

Section 70 of the IT Act, 2000 deals with "Protected Systems" and defines "Critical Information Infrastructure" as a computer resource whose incapacitation or destruction would have a debilitating impact on national security, the economy, public health or safety. Under the same provision, a person who secures or attempts to secure unauthorized access to a protected system shall be punished with imprisonment for a term which may extend to ten years and shall also be liable to fine. Section 70A provides for a "National Nodal Agency" for the protection of Critical Information Infrastructure; NCIIPC has been designated as that agency.

NCIIPC was created to safeguard information infrastructure that is vital to public health, economic progress and national security. The following have been designated by NCIIPC as "critical sectors": banking, financial services and insurance; power and energy; telecom; transport; government; and strategic and public enterprises.

National Cyber Security Policy, 2013

The objective of this policy is to make cyberspace secure and resilient for citizens, enterprises and the government: to secure cyberspace information and infrastructure, build the skills to prevent and respond to cyber attacks, and minimize damage. One of its essential components is the creation of mechanisms for early warning of security threats, vulnerability management and response to security threats.

Compliance under Digital Personal Data Protection Act, 2023 

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as "DPDP Act, 2023"), enacted in August 2023, sets out the rights of Data Principals and the duties of Data Fiduciaries, and thereby the compliance required of corporations with respect to the personal data of individuals. Analyzing and addressing internal vulnerabilities in the context of data privacy regulation in India is therefore essential for organizations to ensure compliance and safeguard sensitive information.

It is also pivotal to maintain a proactive and adaptive approach to data privacy in order to stay compliant and to protect effectively the personal data of employees, clients and associated organizations.

Below are steps that an organization can take to safeguard against internal vulnerabilities and insider risks:

  1. Conduct a comprehensive data mapping exercise to identify all the personal data the organization processes, where it is stored, who has access to it and with whom it is shared.
  2. Classify data based on sensitivity and the level of protection it requires to meet the organization's obligations under DPDP, 2023.
  3. Use encryption to protect personal data both in transit and at rest, and keep the protocols and key management up to date. DPDP, 2023 does not prescribe specific encryption standards; it requires Data Fiduciaries to take reasonable security safeguards to prevent a personal data breach, and current, well-configured encryption is the accepted way of meeting that bar.
  4. Provide regular training to employees on how to handle personal data, and foster a culture of awareness and responsibility regarding data privacy.
  5. Assess the data protection practices of third-party vendors (Data Processors) and ensure that they comply with DPDP, 2023.
  6. Conduct regular internal audits and assessments to identify and rectify compliance gaps.
  7. Review internal policies and documents from time to time.
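Steps 1 and 2 are usually started with a tool that sweeps the organization's systems for personal-data fields and tags what it finds, so that the classification, and the protection decided in step 3, rests on an inventory rather than on memory. The script below is an added example and not code from the article or from any product: the detectors, the sensitivity classes and the sample records from three hypothetical systems (crm, payroll, helpdesk) are constructed for illustration, and the classes are an internal ranking for step 2, not categories defined by the DPDP Act, 2023.

```python
"""Data-mapping helper: find personal-data fields in records from several
internal systems, tag each with a sensitivity class and summarise which system
holds what.

Added example, not code from the article. Detectors, sensitivity classes and
the sample records are constructed; the classes are an internal scheme, not
categories defined by the DPDP Act, 2023."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Ordered (detector name, pattern, sensitivity class). Patterns are anchored so
# a field is classified on its whole value, not on a substring.
DETECTORS: List[Tuple[str, re.Pattern, str]] = [
    ("email", re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"), "personal"),
    ("indian_mobile", re.compile(r"^(?:\+91[-\s]?)?[6-9]\d{9}$"), "personal"),
    ("pan", re.compile(r"^[A-Z]{5}\d{4}[A-Z]$"), "financial_identifier"),
    ("payment_card", re.compile(r"^(?:\d[ -]?){13,19}$"), "financial_identifier"),
]

# Higher number = stronger protection required (constructed ranking).
PROTECTION_LEVEL = {"personal": 1, "financial_identifier": 2}

# Constructed sample records: one row each from three hypothetical systems.
SAMPLE_RECORDS = [
    {"system": "crm", "fields": {"name": "Asha Rao", "email": "asha.rao@example.com",
                                 "mobile": "+91 9876543210", "notes": "prefers email"}},
    {"system": "payroll", "fields": {"employee_id": "E-1042", "pan": "ABCDE1234F",
                                     "bank_ifsc": "HDFC0001234"}},
    {"system": "helpdesk", "fields": {"ticket": "T-77", "card_on_file": "4111 1111 1111 1111",
                                      "summary": "refund request"}},
]


def luhn_valid(number: str) -> bool:
    """Luhn check used by payment-card numbers; cuts down on false matches
    against arbitrary digit strings such as order or ticket numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: object) -> Optional[Tuple[str, str]]:
    """Return (detector name, sensitivity class) for a field value, or None."""
    text = str(value).strip()
    for name, pattern, cls in DETECTORS:
        if pattern.match(text):
            if name == "payment_card" and not luhn_valid(text):
                continue
            return name, cls
    return None


def build_data_map(records: List[dict]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """system -> field name -> (detector, class), for every field that matched."""
    data_map: Dict[str, Dict[str, Tuple[str, str]]] = defaultdict(dict)
    for record in records:
        for field, value in record["fields"].items():
            hit = classify_value(value)
            if hit is not None:
                data_map[record["system"]][field] = hit
    return dict(data_map)


def protection_required(data_map: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, str]:
    """Highest sensitivity class held by each system: the input step 2 needs
    before deciding encryption and access controls in step 3."""
    return {system: max({cls for _, cls in fields.values()}, key=PROTECTION_LEVEL.__getitem__)
            for system, fields in data_map.items()}


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_RECORDS)
    # Print field names and classes only; echoing the matched values would
    # create one more copy of the personal data the exercise is meant to find.
    for system, fields in data_map.items():
        for field, (detector, cls) in fields.items():
            print(f"{system:<9} {field:<14} {detector:<14} {cls}")
    print(protection_required(data_map))
```

Two limitations matter when using anything like this for a real data map. Pattern matching finds structured identifiers only; the "name" field in the crm sample is personal data but matches nothing, so the automated map has to be completed by interviewing system owners. And the tool must not write the matched values anywhere, only field names and classes, or the inventory itself becomes another store of personal data to protect.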

Case Study: Malware attack on Kudankulam Nuclear Power Plant

In 2019, a malware attack on Kudankulam Nuclear Power Plant (hereinafter referred to as “KKNPP”) was reported to the Indian Computer Emergency Response Team. An investigation by India’s Department of Atomic Energy revealed that a user had connected a malware-infected personal computer to the plant’s administrative network.

While the plant's operational network and systems were separate from and not connected to the administrative network, a virus-scanning website owned by Google's parent company, Alphabet, indicated that a large amount of data from the KKNPP's administrative network had been stolen.

In view of the above, subsequent attacks on the nuclear power plant could target its critical systems more effectively, since what was taken from the administrative network is precisely the reconnaissance an attacker needs to plan the next step. Cyberattacks on nuclear power plants can have physical effects, especially if the network that runs the machines and software controlling the reactor is compromised. This could be used to facilitate sabotage, theft of nuclear materials or, in the worst case, a reactor meltdown.

The KKNPP breach is said to have gone undetected for six months before it finally came to light. In a densely populated country like India, any unwarranted radiation release from a nuclear facility would be a major disaster.

Threats may be posed by nation states, terrorists, extremists, criminals (including organized groups), outsiders such as suppliers, or insiders acting intentionally or negligently. As the digitalization of nuclear reactor instrumentation and control systems increases, the potential for malicious and accidental cyber incidents increases with it. The KKNPP incident is a reminder that a personal device plugged into an "administrative" network is exactly the kind of internal vulnerability this article is concerned with.

AMLEGALS Remarks

The Supreme Court's decision in Justice K.S. Puttaswamy v. Union of India (2017), recognizing the Right to Privacy as a Fundamental Right, marked the beginning of a digitally secure India. India has since made huge technological strides that are altering how businesses store, use and secure personal data.

India has made considerable progress in the age of digitization. Modern tools like AI and machine learning can help prevent cyberattacks if they are used wisely. Awareness programmes and employee training on emerging technologies can help staff take informed decisions at crucial moments.

Organizations must carry out regular vulnerability assessments and penetration testing to ensure the security of their data. When integrating new technology and Artificial Intelligence, they must ensure that both data security and data privacy are treated as the topmost priority of the organization.

– Team AMLEGALS assisted by Mr. Sahaj Desai


For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com
