The last few days have seen the news cycle inundated with reports about the cyber theft incident at Cosmos Bank, Pune. For those of you who aren’t quite familiar with the details of the case, here’s what happened based on news available at multiple websites.

Cosmos Bank, an urban cooperative banking institution located in Pune, disclosed on the 14th of August that its servers had been hacked over the course of 2 days, resulting in approximately Rs. 94 Crore being siphoned off. The hackers targeted the bank’s e-system and launched a malware attack. They cloned a large number of VISA and RuPay debit cards and used them to carry out multiple fraudulent ATM transactions across 28 different countries.

Preliminary inspection of the IT systems and the digital trail indicates that the hackers attacked the bank’s e-system known as a “switch”, which interacts with the VISA and RuPay payment gateways, in order to establish their own proxy switch, through which they authorized around 15,000 fraudulent transactions. Cosmos Bank maintains that its Core Banking System was not attacked.

Although, prima facie, it appears that the customer accounts were untouched, there is some concern regarding the theft of financial information of VISA and RuPay card holders who are customers of the bank.

In light of this cyber fraud, and the growing prominence of cybercrime in our daily lives, the question that pops to the forefront is whether the Personal Data Protection Bill proposed by the BN Srikrishna Committee can aid in mitigating and preventing cyber frauds.

The attack on Cosmos Bank would fall within the ambit of data breaches under the proposed law. The Bill states that data breaches which endanger the data principals and their personal data have to be notified to the Data Protection Authority of India (DPAI, to be established under the proposed law). Once this Bill becomes an Act, the DPAI will oversee the investigation of similar breaches to determine whether all the necessary data security measures and data protection precautions were taken, or whether the data fiduciary (e.g. Cosmos Bank in this case) was in contravention of the Act.

The Bill’s provisions are stringent enough that it also provides for criminal proceedings where provisions are violated in a reckless and negligent fashion. If the company directors were found to be negligent, the outcome could be imprisonment extending to 5 years for the directors, as well as massive financial penalties amounting to the higher of Rs. 15 Crore or 4% of global turnover. This aggravated penalty results from the fact that the information compromised was of a financial nature, i.e. it was sensitive personal data within the meaning of the Bill.

The scope of liability for breach of sensitive personal data has been greatly expanded because the Bill puts the onus on the data fiduciaries to demonstrate their compliance with the Bill’s requirements. However, it has not quantitatively defined those requirements, merely requiring “reasonable standards of security”. Whether the standards implemented and followed by data fiduciaries satisfy the Bill’s requirements is uncertain at best and will vary depending on the background and the circumstances of each case.

Many of these determinations will depend on the interpretations adopted by the Data Protection Authority of India. Enforcement of the Bill will play a pivotal role in the data protection regime India cultivates in the coming years. If the Authority takes a tough stance on all data breaches, companies in India will need to become especially cautious about their data protection and data privacy practices.

In future, incidents such as the Cosmos Bank hack will have greater consequences, not only for institutional reputation but also, at a personal level, for heads of departments and directors. On the other hand, if the DPAI takes a more lenient approach, industries, including the Indian banking sector, may not feel the need to prioritize compliance at all. The delicate balance between tough and lenient will be critical to India’s data privacy culture.

Although there is much uncertainty regarding the development of India’s nascent data protection regime, and the risk of cybercrime is only increasing by leaps and bounds, the Bill is a welcome step which can instigate a change in data practices, especially regarding the prevention and detection of data breaches, response mechanisms, and the evolution of strong cyber security measures and security governance at board level. These changes, in turn, should result in the prevention and mitigation of cyber frauds to a significant degree over a period of time.

Sandeep Arora

Co-founder & CEO, CyberImmersions Solutions

The ideas, views and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice or opinion.