INTRODUCTION
Data is one of the primary assets of any organization. With the growth of the data economy and the penetration of Internet, the businesses and companies find huge value in the collection, storage, and sharing of data. However, the businesses and companies processing such data need to practice transparency, incorporate robust privacy policies and ensure the application of data privacy measures.
Data Privacy is a branch of data security that typically deals with the proper handling and processing of data. The concept of Data Privacy and Security are intertwined and are often used synonymously. Specifically, Data Privacy concerns often revolve around how the data is shared with third parties, how it is stored or processed, and the regulatory compliances which need to be practiced by the corporate entities in order to safeguard the data.
Companies such as IT and e-commerce giants have built their empire atop the data economy and have also ensured due diligence while incorporating Data Privacy measures and have sustained the same over the years. However, many organizations have learned the stark importance of Data Privacy the hard way, via highly publicized data breaches and cybersecurity attacks.
In the light of this, one such data breach which made the headlines was the Air India passenger data breach. Moving forward, we shall delve further into the data breach and its implications.
BACKGROUND
Global airline and airport data giant SITA Information Security Services (‘SITA’) confirmed a data breach involving the data of passengers on 24.02.2021. SITA is one of the largest aviation IT companies in the world and serves around 90% of the global airlines. SITA relies on the company’s passenger service system for managing reservations, tickets, and aircraft departures.
Following the incident, SITA confirmed that they have notified all the airlines about the breach. Several airlines were affected by the data breach and the National Carrier of India-Air India was one such airline. Three months post the data giant SITA reported the breach; Air India (‘the Airlines’) confirmed that the personal data of about 4.5 million passengers was compromised. Vide its Notification to passengers issued on 15.05.2021; Air India stated that the first Notification with regards to the incident was received on 25.02.2021, following which the Airlines issued a general announcement on 19.03.2021. However, the identity of the affected passengers was provided to the Airlines much later, on 25.03.2021 and 05.04.2021.
IMPLICATIONS OF THE DATA BREACH
The data breach involved the personal data of 4.5 million passengers registered between 26.08.2011 to 03.02.2021. The personal data included name, date of birth, contact information, passport information, ticket details, Star Alliance and Air India frequent flyer data (excluding passwords data) as well as credit cards data. However, no passwords, or CVV/CVC numbers were compromised as the data processor, SITA, did not store the same.
The Airlines ensured that certain measures were taken immediately to bring the situation under control, such as:
- Reporting the incident and investigating the same;
- Engaging external specialists with expert knowledge about data security incidents;
- Securing the servers which were compromised in the breach;
- Notifying and cooperating with the credit card issuers; and
- Resetting all the passwords of the Air India Frequent Flyer Programme.
Further, SITA ensured that no abnormal activities were noticed after securing the compromised servers and SITA continued to take remedial actions wherever applicable to maintain the safety of the personal data.
The struggling Airlines which have been surviving on taxpayer money had to witness a major setback due to this enormous data breach. Several passengers switched to other airlines in the light of this breach, due to privacy concerns. Few passengers have also sent notice to the Airlines Authorities seeking damages under the Information Technology Act, 2000 (‘IT Act’). The passengers have stated that such a data breach is an infringement of their Right to Privacy as the compromised data is ‘extremely private’ as it includes names, date of birth, contact information, passport information, etc.
REMEDIAL ACTION
India does not have a dedicated Data Protection Law yet and the Personal Data Protection Bill is yet to be enacted and is pending since 2019. Due to the lack of a robust Data Protection Law on the national front, Air India reported the incident to the United Kingdom’s (‘UK’) Data Protection Regulator and they have been investigating the breach.
The UK and European Union (‘EU’) laws mandate the reporting of cases pertaining to a data breach within 72 hours of becoming aware of it, failing which, the Airlines can face steep fines. However, India does not have any such regulations and for the same, the companies cannot seek remedial measures under the Central or State laws.
However, immediately after becoming aware of the data breach, the Airlines reported the incident to all the Regulators present in EU, UK, and other areas within 72 hours. The Airlines has been also communicating and cooperating with lawyers around the globe following the incident. Till now no cases or event of misuse of passenger details has been reported.
India has witnessed several data breaches in the recent past including that of renowned organizations such as MobiKwik, Big Basket, and Money Control. Furthermore, several data breaches and security attacks are not even properly reported or informed by the companies. Such incidents are taken casually and forgotten in the long run due to the lack of a proper Data Protection Regime.
AMLEGALS REMARKS
Several data breaches and sophisticated cybersecurity attacks go unnoticed as there are no Regulators to look after such issues pertaining to Data Privacy in India. The affected citizens cannot claim damages or seek justice as the scope of doing the same is extremely limited.
Currently, only a couple of legislations govern the area of data privacy in India and they have extremely finite reach. The IT Act and the IT Rules 2011 are the two major legislations regulating Data Privacy in India. However, these legislations cover only certain aspects and not the concept of Data Privacy as a whole.
India should focus on enacting the Personal Data Protection Bill, 2019 as that would provide some clarity to the corporate entities and the common people regarding data privacy and its several facets. With the advent of digitization and easy internet access, the databases and all the information stored in computer systems and cloud storage are exposed to risks and potential threats. Therefore, to tackle the same, a robust data protection regime is the need of the hour.
___________________________________________________________________________________________________________________________________________
For any query or feedback, please feel free to connect with vineeta.tekwani@amlegals.com or aditi.tiwari@amlegals.com.
Leave a Reply