
Welcome to the new data protection regime

The new law imposes high standards on the data fiduciary to ensure that personal data processed by it or on its behalf is ‘complete,’ ‘accurate’ and ‘consistent’.

VoicenData Bureau

Amid the rising incidence of data breaches comes the new data protection law. Here’s what you need to know about the changes in the data security domain


India is set to break old patterns and form new ones for its data management regime thanks to its recent data protection law. As the country weaves the infrastructure for a USD 1 trillion digital economy, the need for safeguarding the personal data of users in the borderless digital realm and for organisations, the data fiduciaries, to invest in integrated data management and cybersecurity practices becomes all the more crucial. The average cost of a data breach in India touched USD 2 million (Rs 17.9 crore) in 2023, reflecting a 28% increase since 2020, according to IBM Security’s Cost of a Data Breach Report. Meanwhile, Acronis’ Mid-Year Cyberthreats Report 2023 revealed key insights about the existing threat landscape: ransomware continued to be the major threat to large and medium-sized businesses, including government, healthcare and other critical organisations.

Data stealers were the second most prevalent threat, leading to most data breaches along with traditional usage of stolen credentials. Also, with the exponential rise of applications using ChatGPT and similar generative AI systems, the report discovered that they were being used to commence cyberattacks and create malicious content.


India’s new data protection law has been lauded for being business-friendly, not as compliance-heavy as the EU’s GDPR and not over-prescriptive in dictating how businesses should protect user data from the above-stated threats. The law is yet to go into effect, but companies will have to start making major pivots in their data management processes, as the government has indicated that it expects the law to be fully implemented in less than a year.

However, its principles-based rather than prescriptive approach could potentially burden data fiduciaries operating in India.


TRICKY TERRAIN FOR FIDUCIARIES

The protracted timeline of the Data Protection Law (called ‘The Digital Personal Data Protection Act, 2023’) saw many draft versions with varying sentiments on how best to safeguard user data. The current law imposes high standards on the data fiduciary to ensure that personal data processed by it or on its behalf is ‘complete,’ ‘accurate’ and ‘consistent’. The standard practice under the law is now to “ensure” that ‘reasonable efforts’ are taken to safeguard data. Since it is a principles-based law rather than a prescriptive one, the chances of guidelines being issued later to help organisations understand their responsibilities and obligations regarding data protection and cybersecurity appear slim.

The government has decided to let data fiduciaries handle the interpretation of ‘reasonable measures’ and to translate that into instilling a holistic cybersecurity system to safeguard the data principal’s (end-user) data.


THE NECK ON THE BLOCK

Unlike its preceding versions, the current law does not hold data processors responsible for data breaches. The data fiduciary bears the sole responsibility for complying with the provisions of the new law and for reporting any personal data breach to the concerned authority, i.e., the Data Protection Board, and to the affected data principals.


With a penalty of approximately USD 30 million (Rs 250 crore) awaiting data fiduciaries for any data breach, the Indian market is making it crucial for data fiduciaries to onboard data storage and cybersecurity partners who could provide holistic protection. With the new law easing up on cross-border data flows, security measures must be met at all five stages: prevention, detection, response, recovery and forensics. This must be across virtual, physical, cloud and mobile platforms, regardless of size or location, through a single comprehensive solution to instil trust with the end user.

IT’S TIME FOR FORTIFIED DATACENTRES


While the new law eases cross-border data flow for global and Indian firms, sectoral regulators like the Reserve Bank of India will still get the upper hand in setting data localisation norms for banks, fintechs and financial institutions. This would mean that depending on the sectoral guidelines, data fiduciaries will have to scout for cloud datacentre facilities possessing a full range of security measures upon which they can build new services while delivering faster access, constant data availability and data sovereignty to their end users.

The need of the hour is to have partners who could offer integration of backup, disaster recovery, next-gen antimalware, cybersecurity and endpoint management tools, thus creating fortified guardrails at these datacentres against any kind of security threats. Chasing a global datacentre network means your data can be stored where required, provided regulatory compliance and connectivity requirements are met.

INVESTMENTS IN ACTIVE PROTECTION TO GO UP


In India, 28% of data breaches studied resulted in loss of data spanning multiple types of environments — public cloud, private cloud — indicating that attackers were able to compromise multiple environments while avoiding detection. When breached data was stored across multiple environments, it also had the highest associated breach cost, at USD 2 million, and took the longest to identify and contain, 327 days. India’s data protection law nudges investments in active protection systems for user data that should incorporate measures such as pattern detection, maintaining an allow list and self-defence of backup files. The pattern detection feature would constantly observe patterns in how data files are being changed on a system and would compare them against malicious behaviour patterns.


Maintaining an allow list would mark programs that are allowed and expected to perform certain actions, to prevent authorised activities from being falsely tagged as unauthorised. Also, as criminals could choose to compromise files by attacking the backup software itself to corrupt the backup files it creates, fiduciaries should get a self-defence feature for backup files.
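The three measures just described (pattern detection over file changes, an allow list of expected programs, and self-defence of backup files) can be sketched as a small event monitor. The following is an added illustration written for this article, not code from Acronis or from any product it sells; the events, process names, paths and thresholds are constructed for the demonstration and are assumptions, not values from the article.

```python
"""Behaviour-based file-change monitoring with an allow list and backup
self-defence. Added example: the events, process names, paths and thresholds
below are constructed for the demonstration and are assumptions, not values
from the article or from any vendor product."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed allow list: processes expected to perform the actions in question.
ALLOWED_MASS_CHANGE = {"installer"}          # may rename/delete many files quickly
ALLOWED_BACKUP_WRITERS = {"backup-agent"}    # may modify files under BACKUP_PREFIX

BACKUP_PREFIX = "/srv/backups/"   # assumed location of backup files
MASS_CHANGE_THRESHOLD = 5         # suspicious changes per process before alerting
WINDOW_SECONDS = 10.0             # sliding window for the rate check


@dataclass(frozen=True)
class Event:
    t: float                        # seconds since monitoring started
    proc: str                       # process performing the change
    action: str                     # "write", "rename" or "delete"
    path: str                       # file affected (the new name for renames)
    old_path: Optional[str] = None  # original name, for renames only


@dataclass(frozen=True)
class Alert:
    rule: str
    proc: str
    detail: str


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""


def _is_suspicious_change(ev: Event) -> bool:
    """Ransomware-like pattern: a rename that changes the extension, or a delete."""
    if ev.action == "delete":
        return True
    if ev.action == "rename" and ev.old_path is not None:
        return _extension(ev.path) != _extension(ev.old_path)
    return False


class ChangeMonitor:
    """Consumes file-change events one at a time and returns any alerts raised."""

    def __init__(self) -> None:
        self._recent = defaultdict(deque)   # proc -> timestamps of suspicious changes
        self._mass_alerted = set()          # processes already flagged for mass change

    def feed(self, ev: Event) -> list:
        alerts = []
        # Rule 1, backup self-defence: only the allow-listed agent may touch backups.
        if ev.path.startswith(BACKUP_PREFIX) and ev.proc not in ALLOWED_BACKUP_WRITERS:
            alerts.append(Alert("backup-self-defence", ev.proc, f"{ev.action} {ev.path}"))
        # Rule 2, mass change: many extension-changing renames or deletes in a short
        # window, unless the process is on the allow list of expected bulk changers.
        if _is_suspicious_change(ev) and ev.proc not in ALLOWED_MASS_CHANGE:
            window = self._recent[ev.proc]
            window.append(ev.t)
            while window and ev.t - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= MASS_CHANGE_THRESHOLD and ev.proc not in self._mass_alerted:
                self._mass_alerted.add(ev.proc)
                alerts.append(Alert("mass-file-change", ev.proc,
                                    f"{len(window)} suspicious changes within {WINDOW_SECONDS}s"))
        return alerts


def run_monitor(events) -> list:
    """Replay a sequence of events through a fresh monitor and collect alerts."""
    monitor = ChangeMonitor()
    alerts = []
    for ev in events:
        alerts.extend(monitor.feed(ev))
    return alerts


# Constructed sample: a normal backup write, a user editing a document, an
# allow-listed installer renaming build artefacts, then an unknown process
# mass-renaming documents to a new extension and deleting a backup file.
SAMPLE_EVENTS = [
    Event(0.0, "backup-agent", "write", "/srv/backups/db-nightly.bak"),
    Event(1.0, "winword", "write", "/home/alice/report.docx"),
    *[Event(2.0 + i * 0.1, "installer", "rename", f"/opt/app/lib{i}.so", f"/opt/app/lib{i}.tmp")
      for i in range(6)],
    *[Event(3.0 + i * 0.1, "unknown.exe", "rename",
            f"/home/alice/doc{i}.docx.locked", f"/home/alice/doc{i}.docx") for i in range(5)],
    Event(4.0, "unknown.exe", "delete", "/srv/backups/db-nightly.bak"),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.proc}: {alert.detail}")
```

Running the sample produces two alerts, both against the unknown process: a mass-file-change alert on its fifth extension-changing rename, and a backup-self-defence alert when it deletes a file under the backup directory. The installer's six renames raise nothing because it is on the allow list, which is exactly the false-positive suppression the article attributes to allow listing; in a real deployment the allow list would be keyed on something harder to spoof than a process name, such as a signed binary hash.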

Being proactive in monitoring threats becomes easy with endpoint detection and response (EDR) solutions. EDR enables real-time monitoring, endpoint data collection, and rule-based automated response and analysis to secure a system against potential security incidents. They are, however, also complex with multiple point products, expensive and could disrupt business continuity. Hence, IT teams need to pay attention to EDR solutions that offer integrated backup and recovery capabilities, providing unmatched business continuity where point-security solutions fail.

India is at a pivotal juncture where organisations would need an agile risk management strategy to deal with evolving data security threats. To be able to deal with the humongous change that is coming with the new data law, data fiduciaries must leverage cyber protection experts and gain access to an advanced external support infrastructure which can eliminate the expense and risk of building in-house solutions.

By Rustom Hiramaneck, Country Head for South Asia at Acronis.

feedbackvnd@cybermedia.co.in
