This article is written by Kazi Ashique Azfar, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com.
More and more people are going online in today’s day and age, and almost every company and services have an online presence. However, given the nascent stage that India is in, its digital journey, cybersecurity is not at the top of the priority list for many, and thus India has become an easy target for cyber-attacks.
A data breach is any unauthorised acquisition, the release of or access to information from any organisation, which may be storing or managing it directly or through a contractor or cloud service provider. In 2020, several Indian startups and companies like Dunzo, BigBasket, Haldiram, Edureka, RailYatri and even the prime minister’s personal website, Narendra Modi, were attacked and suffered data breaches. Many a time, these data are sold on the dark web and may even be publicly available. They carry sensitive personal data, which can be used by scamster through calls or phishing.
The GDPR obligates data controllers to notify the users about any data breach where there is a risk to their rights. That is when personal data loss may lead to identity theft, fraud, financial loss, or reputation damage. Thus, companies have a legal obligation to have an institutional framework to ensure the security of all personal and clear responsibilities in case of a breach. Cyber first aid are the first steps that should be taken in case of a data breach and also covers the framework that should be in place to deal with such a situation.
What is a Data breach?
A data breach is an incident of security failure where information is accessed without authorisation. The breach may have been caused due to “Insider threats” or threats coming from within the organisation or targeted attack by cybercriminals. While insider threats may involve employees accidentally or maliciously exposing or divulging personal information or business-sensitive data, targeted attacks are incidents where hackers plan and attack organisations by extracting the company’s vulnerabilities.
Not all cyber incidents lead to personal data compromise and might involve cases where only control of an organisation’s IT systems are lost. However, these incidents should be taken seriously, and the security vulnerabilities rectified as otherwise, it may lead to future attacks. Companies need to take effective steps to reduce the risk of data breach and form an action plan to follow in case a data breach occurs.
Steps to take in case of breach
Cyber First Aid involves four distinct steps to be taken – Identification of the breach, Arresting and containing the attack, Notifying the victims and regulatory body, and Recovering from the breach.
Identification of the breach
Regular security monitoring and forensic analysis help in the identification of data breaches early. Further, a data breach may be identified through the study of the symptoms. Some of the most common symptoms are modification of files and logs without knowledge, slow internet speed, malfunctioning of devices, getting logged out of the system.
The modification of files or logs in a computer is hard to detect unless an active monitoring system is in place, for which tools like Security Information and Event Management (SIEM) can be used. While reduced internet speed is easier to detect, finding the root cause is often a challenge. In most cases, it is due to viruses and malware, which diverts traffic, thereby overloading and slowing down the network. Another symptom of the viruses is pop up ads and malfunctioning of the computer such that it does not function properly. These viruses might be leaking personal data or may leak data later on. The most alarming sign is getting logged out of the system without the knowledge and, in most cases, is when the user has lost control, and the breach has already occurred.
It is necessary to detect the source of the attacks to manage and arrest the damage for which Internal control systems, Security Orchestration, and Automation Response (SOAR) can be used.
Arresting/Stopping the breach
In the instance of a data breach and where the attack could not be detected in time, there is a need to have an effective Incident Response Plan (IRP). An IRP helps in stopping or slowing down the attacks and is a necessity for any company which relies on the internet and stores data. The IRP will guide the people involved in managing the breach efficiently and blocking ports to deny attacker access.
After halting the breach, the company needs to do a forensic analysis and security audit to identify the number of corrupted data. While the first instinct would be deleting all infected files to stop any further spread, it’s best to allow the forensics team to complete their analysis before modifying anything or taking the machines offline to identify culprits and not lose data. The updating of passwords after the regular interval is a good security practice and should be mandatorily done after any breach across the network because it is as weak as the weakest link. Have in place a backup system and network that can be relied upon till the data breach is handled.
Alerting the victims of the attack, relevant regulatory body
It is a legal obligation to inform affected people about any breach and also the regulatory bodies, notwithstanding the extent of the compromise. Irrespective of the extent of the breach, the affected parties must be notified because the attackers may have stolen critical information. The data controllers are obliged to notify of the data breach to data subjects. The controller must notify about the supervisory authority’s breach without undue delay and, if feasible, within 72 hours after receiving the knowledge of the same. If there is a delay of more than 72 hours, the data subjects should be informed of the reason for the delay and the notification of the breach.
“Become aware of a breach” means when they have a degree of certainty that a security incident has occurred which involves personal data. There is a need to investigate and find out if the data breach has occurred. For which internal processes should be in place to detect and handle breach and also document the breach. The Data Protection Officer (‘DPO’) that has been appointed acts as a contact point for supervisory authorities and data subjects affected by any breach.
The situation is even direr in case of personal data loss like health or financial data, and the company would have greater responsibility to monitor and manage the use of the individual’s data. The consequence of not notifying supervisory authorities or data subjects affected where necessary can be as large as €20 million or 4 percent of the total worldwide turnover of the preceding financial year – whichever is greater. Even for breaches that are considered less serious, the fines can go as high as €10m or 2% of global annual turnover.
Recovering from the Breach and Remediation
To avoid future breaches, long term corrections would be required. However, the first step would be to identify the ports through which the attack was made and patch them. Professional services providing forensics and cybersecurity suits will be helpful, and identification and patching.
Third-party vendors and business partners are also required to be informed about the breach, and if it was due to their fault, then knowledge sharing should be done, and steps to avoid similar breaches in future should be taken. Steps to improve network security like stronger passwords, better encryption, regular change of user ids should be taken to secure the network.
Regular cybersecurity audits, penetration testing, vulnerability scans and various other security steps should be integrated into the day to day working to mitigate impending attacks and stay at the top of any impending attack. These services help by studying the attacks and analysing attackers’ methods to plan and put into action safety measures.
Organisations should be prepared for cyber-attacks and data leaks because it is impossible to guarantee that a data leak will not take place. However, the volume of attacks and data leaks can be mitigated, and in case of data leaks a plan of action can be in place to arrest the spread of the attack and stop it within time.
The plan should cover notification to detecting and handling data breaches, determining risk for data subjects, notifying supervisory authorities, and notifying affected data subjects. There should be a check if the breach can result in infringement of the rights of the data subjects, and if there is, then the supervisory authority should be informed about the same within 72 hours. However, if it is found that the breach may not affect the data subjects, then they are not required to inform the authorities and can resolve the issue without making it public.
Similarly, the data subjects have the right to be informed about these breaches if they are getting affected and be informed of measures and steps to mitigate individual damage. Documentation of the breach is also mandatory to make sure future incidents can be averted and could be a learning experience.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: