In this technology driven era, all kinds of data obtained from the usage of smartphones, laptops, mobile applications and websites is collected and stored with the manufacturer and/or developer of the device or software. Data is considered to be the “Oil” of the 21st Century, which holds exceptional value upon the extraction, processing and decrypting of the raw data into useful information. In this backdrop, there arises a need to protect such data from hackers and other unauthorized personnel, who may misuse such information or sell the bulk of such data gathered to research-based third-party companies in order to gain undue financial advantage.
The information may comprise of personal data such as name, phone number, address, pin code, GPS location and financial data such as debit/credit card number, internet banking passwords, PIN, CVV and other such data. This information may be useful for various kind of third-party research and finance-based companies, who purchase such collective bundles with thousands of users’ information and make the most out of such investment.
According to multiple studies, an average of 4,800 websites have witnessed a data breach every month over the period of 2018-2019. The average time to identify a data breach is 228 days and containing and retrieving the information lost takes approximately 80 days. In a world where the human dependency on technology and the Internet has reached a capacity wherein maximum actions are performed through the use of technology in some or the other way, which inevitably requires the creation and sharing of data with the manufacturer or developer, the need for protection and security of data is urgent and mandatory.
Moving forward, we shall analyze the data breach in the servers of Dominos India, which created panic amongst the common people and a hue and cry in the social and news media.
On 24.03.2021, when India was battling the worst peak of COVID-19 pandemic outbreak, Jubilant Foodworks, the master franchisee of Dominos India was left aghast with the news of a breach in the online server database of the company, which resulted in the personal information of the users and customers of Dominos being leaked.
The hackers attacked the Domino’s India database, containing a massive 13TB worth of information, and stole the data of 18 crore customers amassed through more than 180 million orders. The data breached contained customer information such as name, phone number, delivery address, pin code and GPS location of the users. The hackers had created a search engine on the Dark Web, which was easily available for the public to gain access and search for any personal information available with Dominos.
This leaked data was also made available for sale on the dark web. It is also peculiar that an official notification from Dominos India was sent to the users around 25.05.2021, a little more than two months after the data breach and nearby the time when the Special Purpose Search Engine was created by the hacker. Moreover, there has been no news of information related to the nabbing of the mastermind hackers behind the crime till date.
The Information Technology Act, 2000 (hereinafter “IT Act”) is the governing law for all e-commerce activities and cybercrime. Additionally, the Indian Computer Emergency Response Team (also known as “CERT-In”) has been established by the Government to collect, analyse, decrypt and disseminate the data and information related to cybercrimes, keep track of doubtful and fraudulent activities, and coordinate activities regarding cyber incidents. There are certain mandatory disclosure requirements for all body corporates to report in the event of breach of cybersecurity incident under The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (hereinafter “CERT-In Rules”).
It is pertinent to note that Domino’s India is an establishment of Jubilant Foodworks Ltd, who has a Master Franchise Agreement with Domino’s Pizza Inc. in United States of America. Due to this relationship, Domino’s India is governed under the laws of Republic of India and has no legal obligation, per se, to comply with the data privacy laws in the United States of America. For the sake of argument, had the breach been occurred in the States, the corresponding obligations have to be strictly complied by all companies and businesses in order to protect the data of their users.
Furthermore, in USA, the first aid in a data breach is to provide disclosures with regards to such leak, the quantum of information lost, etc. within a period of 30 days from the receipt of such information. Presently, the issues pertaining to Data Privacy are governed under the State Laws, which differ from each other according to their needs and circumstances. However, in the recent past, all the 50 states have enacted the U.S State Data Breach Laws wherein private entities as well as Government Agencies need to notify individuals in case of any security breaches which might affect them in any way or the other. Besides, with the existence of State Laws, the establishments are required to protect their data to avoid corresponding penal actions, including penalty and imprisonment.
Due to the absence of a dedicated Data Protection and/or Data Privacy law in India, the scope of remedies for the victims are limited to the provisions under the IT Act along with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and the Consumer Protection (E-Commerce) Rules, 2019 (hereinafter collectively referred to as “the Rules”).
1. Information Technology Act, 2000
The primary provisions dealing with the protection of data, under the IT Act, impose an obligation upon the body corporate to protect the personal data, including sensitive personal information under Section 43A of the IT Act. The establishment, herein, shall maintain a ‘reasonable security protocol’ or rules to protect the data in its possession from a cyberattack, which may cause wrongful gain or wrongful loss to the body corporate and/or any other third party. The failure to perform these aforementioned legal duties may attract compensation in the form of damages to the tune of the loss occurred.
Upon acting in a negligent manner and the resultant failure to duly protect the personal data or upon unlawful and illegal disclosure of such information by the body corporate, the concerned accused shall be subject to imprisonment of three years, or fine up to Rs. 5 Lacs, or both under Section 72A of the IT Act.
2. Consumer Protection (E-commerce) Rules, 2019
Pursuant to the scope of the Rules, these shall be applicable upon “all forms of unfair trade practices across all models of e-commerce”. Moreover, the Rules enforce a legal duty under Rule 4(3) to refrain from adopting any such unfair trade practice while dealing with e-commerce platforms. Therefore, if it can be proved before the Consumer Forum/Commission that there exists a leak of data and the breach was caused due to the unfair trade practice of the E-commerce Body Corporate, the concerned entity shall be held liable under the Rules.
Till date, however, there have not been any notable punishment or damages awarded against the body corporates for negligence under the IT Act or the Rules.
In a historic judgment in the case of K.S. Puttaswamy v. Union of India [(2018) 3 SCC 797], the Hon’ble Supreme Court of India declared ‘Right to Privacy’ as a Fundamental Right under Article 21 of the Constitution of India. However, since then, the actions of several high-profile corporate entities have not been equivalent to the promises that the Supreme Court’s endorsement of the Right to Privacy was expected to bring in. If anything, the concerns of the people about the privacy and security of their data online have only worsened.
From the notable Aadhar Breach, which caused a leak of more than 1.1 billion users, to the latest high-profile Domino’s breach, the data of more than 80% adult users in India have been leaked and India has been witnessing an ever-increasing number of such data breach incidents.
The introduction of Personal Data Protection Bill, 2019 in the Parliament was seen as a positive note by the experts in an attempt to control one of world’s largest source of data breach. However, due to the spread of the COVID-19 pandemic and initiation of nationwide lockdown, the technology consumption has increased manifold, along with a corresponding increase in fraudulent cyber activities, as depicted in our previous editions of Data Breach Saga. The need for urgent enactment of a comprehensive and cohesive Data Privacy and Protection law is becoming imminent with each forthcoming day, with every cybercrime acting as a ringing alarm bell for the Government and the Authorities to wake up and take stock of the era of digital destruction we have stepped into.
For any query or feedback, please feel free to connect with firstname.lastname@example.org or email@example.com.