This article is written by Chaitanya Suri who is pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Table of Contents
Dell Inc., an American international information technology corporation announced on Nov. 14, 2018 that it reset passwords for all accounts on its Dell.com online electronics shop almost five days after it found and prevented hackers seeking to steal consumer info.
Context. The business is one of the world’s largest technology companies, employing 1,00,000 plus workers around the world.
Dell offers PCs, computers, data storage systems, network switches, applications, peripherals, printers, HDTVs, MP3 players, cameras and other industrial electronics. The firm is well known for its operations management and technology for electronic commerce, especially its direct-sales model and its manufacturing “build-to-order” or “configure to order” strategy, providing individual PCs configured to consumer requirements.
Any type of offensive manoeuvre targeting computer information systems, infrastructures, computer networks, or personal computer devices is a cyber assault. Cyber threats may be labelled as a cyber attack, cyberwarfare or cyber crime, based on the context. National-states, persons, organisations, communities or organisations may employ a cyberattack or it can come from a source that is anonymous.
According to a source familiar with the hack, the device manufacturer did not inform clients about the intrusion as it forced password resets.
In a tweet, Dell said the organisation found and prevented hackers on Nov. 9 who had infiltrated its network and were seeking to steal consumer details. Investigators found no proof that the hackers were successful, but could not rule out the probability that any information was compromised, the firm said.
Dell said the hackers were just searching for client names, email addresses and scrambled passwords. According to a source familiar with the hack, the device manufacturer did not inform clients about the intrusion as it forced password resets. The breach happened as corporations are constantly scrutinised by regulators around the world to provide fast and reliable consumer data theft disclosure. In May of the same year, the European Union enacted tough new privacy rules (GDPR) targeting violators with penalties of up to EUR 20 million ($23 million) or 4% of global sales, whichever is greater.
Dell stated that the incident was not disclosed by any regulatory or legal requirements, but decided to come forward with consumer confidence in mind. To perform an unbiased inquiry, Dell has since hired a computer forensics company and has consulted law enforcement. In order to keep clients updated on the more changes in the scenario, a website has been set up.
Dell refused to tell how many users were compromised but said that there was no targeting of payment details and Social Security numbers. Dell said that the case had been reported to law enforcement.
The author’s assessment is that in today’s modern environment, cyberattacks on global companies are a typical risk factor and Dell could have noticed the intrusion earlier. It is believed that Dell should enforce a tighter firewall policy on its staff and we also assume that in the case of a cyber threat, Dell is liable for warning its customers.
For Dell, India represents a wide market and there is a chance that the cyber assault could have abused several Indian user accounts. However, how many Indian accounts, if any, have been hacked remains unknown.
If it would have led to personal information being leaked, would Dell have been left off the hook?
Considering that the organisation exists in multiple nations, in many territories, it would probably have had to suffer repercussions. GDPR and the Indian PDPB, 2018 will be the subject of this post.
For a second, assume the traffic laws mandated citizens to self-report every traffic rules infringement within set hours of the infringement by submitting an online complaint. You may get an acceptable sentence when you register, which may be a fine or imprisonment or both. In its discretion, the cops can even announce your breach either by publishing details of your breach on the website of the department or by requiring you to post a note containing details of your breach on your house door or both. If you neglect to report and your infringement is identified by some other way, be it a traffic camera or due to some other motorist or pedestrian causing an event, you may still be penalised for failure to notify, in addition to the punishment for your infringement.
Data fiduciaries are mandated by “Section 25 of the Personal Data Protection Law, 2019 (PDPB)” to notify the “Data Protection DPA of India (DPA)” by notification of the violation of any personal data processed by the data fiduciary if such breach is likely to cause any damage to the data principal. The fact, whether or not the violation happened because of a mistake by a data fiduciary is irrelevant.
Description of breach of Personal Data
The PDPB describes a “personal data breach” as implying any unwanted or unintentional leak, acquisition, transmission, usage, modification, degradation, lack of access to, personal data violating the security, dignity or accessibility of personal data to the data controller. While this is not explicitly specified in the PDPB, it is likely to be inferred that the violation happened when the data fiduciary refused to comply with the legislation and protect the personal data kept by the data fiduciary or by a data processor reporting to the data fiduciary.
Cap on Time
Sub-clause (3) of section 25 of the PDPB specifies that the notification referred to in sub-section (1) shall be sent to the DPA by a data trustee as soon as practicable and within such time as may be defined by the regulations made by the DPA pursuant to the PDPB after an infringement after allowing for any date which may cause it to take any immediate steps to remedy the infringement. It is expected that the government will frame rules under this provision after the PDPB falls into force to determine the time span during which the DPA must be contacted by the data fiduciary after a personal data violation occurs. Notwithstanding such a time limit, the data fiduciary shall be obligated to inform the DPA as soon as practicable after the detection of the infringement.
Information that should be published
The notification submitted by the data trustee is expected to contain details such as:
(1) the type of personal data exposed to the infringement,
(2) the sum of data principals impacted by the infringement,
(3) the potential implications of the infringement, and
(4) the steps taken by the data fiduciary to resolve the infringement.
Sub-clause (6) of section 25 of the PDPB specifies that the DPA must therefore order the data fiduciary, as quickly as necessary, to take effective corrective measures and to report explicitly on its website the specifics of the personal data violation. In every case, after any personal data violation happens, each data fiduciary is under an obligation to take all practicable mitigation action.
It is likely that a data fiduciary does not have complete information as to the existence of the personal data subject to the violation or the amount of data principals harmed by the infringement or the possible implications of the infringement. This will be the case, for example, where a robbery at the data processing centre of a financial company resulted in stealing of a variety of computers containing personal data belonging to the clients of the financial institution.
With passwords that made it difficult to access personal data, the laptops may have been protected. If the financial institution is assured that the codes cannot be broken, the event will not be recorded since no personal data breach will arise. However, the stealing of such laptops may have to be documented if any of the laptops did not have sufficient protection. It could take the financial institution several hours to figure out which of the stolen laptops were securely shielded, which ones were not, and what personal data were kept in the unsecured laptops.
It is for this purpose that “sub-clause (4) of section 25” of the PDPB specifies that, where it is not practicable to provide all the details demanded, the data fiduciary shall at the same time, without unreasonable delay, provide the DPA with such information in stages. Details of the violation must then be disclosed to the Regulator as quickly as possible, supplying the data fiduciary with whatever details are available. Further reports have to be filed as more details become available.
In any case, within the specified period, a report must be filed, using whatever details is relevant to the data fiduciary.
The DPA’s intervention
Upon receipt of a notice, the Data Protection Authority shall determine whether any breach should be reported to the data controller by the data processor, taking into account the nature of the harm that may be caused to the data controller, or whether any action on the part of the data controller is required to mitigate any damage.
The DPA may request the data fiduciary to report on the data fiduciary’s website specifics of the personal data loss. The DPA can even publish reports of a misuse of personal data by the data fiduciary on its own website.
Furthermore, if an abuse of personal data has been brought to the attention of the Regulator, it is assumed that the causes for the infringement will be analysed and, within the relevant rules, litigation will be brought against the data trustee for any infringement of those laws. As mentioned above, any loss of personal data is likely to generate an assumption that the data trustee, or any data processor answerable to the data trustee, has neglected to comply with the legislation and to protect, as the case may be, the personal data kept by the data trustee or the data processor. The data trustee will have to resolve this assumption by presenting the DPA with adequate evidence to persuade the DPA that the personal data loss has happened without any disclosure by the data trustee or any data processor.
Consequences of failing to disclose a personal data breach
Where the data fiduciary fails its responsibility to take timely and effective action in response to a breach of data security pursuant to section 25 of the PDPB, the data fiduciary shall be liable for a “liability that may extend to Rs. 50,000,000 or 2% (two percent) of the gross worldwide revenue of the previous financial turnover”, as per “Section 57(1)(a)”.
“Section 57” of the PDPB clarifies that the phrase “absolute worldwide turnover” applies to the aggregate sum of revenue recognised in P&L report or some such comparable statement, as the case may be, in respect of the selling, delivery or delivery of products or services, or in respect of services provided, or both, and in respect of revenue produced within and outside India. It also clarifies that, in relation to the data fiduciary, the total worldwide turnover of the data fiduciary is the global total turnover of the data fiduciary in accordance with the data fiduciary and the global total turnover of any data fiduciary community body, where such turnover of the group entity exists as a result of the output activities of the data fiduciary, taking into account factors including:
- Alignment of the general economic interests of data trust and community group;
- The relation between the trustee and the collective entity in relation particularly to data trust processing activities; or the relationship between the data trustee and the collective entity in respect of the data trust processing activity; or
- The degree of influence exercised by the group body over the data confidence or vice versa, as the case may be.
Article 33 of the General Data Protection Law (GDPR) addresses data loss reports which is somewhat close to Section 25 of the PDPB. Under Article 33 of the GDPR, any violation shall be recorded without unreasonable delay and preferably within 72 hours of being informed of it. In comparison, Section 25 of the PDPB does not specify any time limit once the data fiduciary becomes aware of the violation as it is mandated to inform the DPA as soon as possible after a violation has occurred. The phrases “as soon as possible” indicate that the information fiduciary would have been aware of the breach.
However, it is not the knowledge of the data fiduciary that is subject to the final date (which could be implied in the laws to be framed). It is likely that by the moment the data fiduciary becomes conscious of the infringement, the laws to be framed would trigger the timer for the deadline.
It is important to observe that Article 34 of the GDPR deals with the reporting to the data subject to personal data breaches and states that if the violation of personal data is likely to result in a high risk to the rights and freedoms of persons, the controller is required to disclose to the data subject without undue pause the breach of personal data.
In the PDPB, there is no equivalent clause that allows the data fiduciary to report a personal data violation to the data principal directly. In accordance with Article 34 of the GDPR, the information needed to be transmitted directly to the data subject must contain the same kind of description as is necessary to be reported to the supervisory authority in accordance with Article 33 of the GDPR.
However, Article 34 of the GDPR also provides that the correspondence with the data subject is not required if appropriate technical and organisational protection measures have been enforced by the controller and those measures have been applied to the personal data affected by the personal data breach, in particular those measures which render the personal data unintelligible to any individual. Where contact requires a disproportionate effort, Article 34 of the GDPR states that data respondents must be told in an equally efficient manner instead of general communication or an equivalent measure.
Furthermore, Article 34(4) of the GDPR specifies, like the PDPB, that if the controller has not already notified the data subject of a personal data violation pursuant to Article 34 of the GDPR, the supervisory authority has the power to direct the controller to do so. In compliance with Article 58(2) of the GDPR, the supervisory authority is entitled, inter alia, to give reprimands to the controller or processor where the processing operations have been in violation of the provisions of the GDPR and, where appropriate, to compel the controller or processor to put the processing operations in line with the provisions of the GDPR in a prescribed manner and within a specified period. Under the GDPR, however, the supervisory authority has no discretion either to require the controller to post personal data violation information on the website of the controller or to post specifics of the breach on the website of the controller.
When under the PDPB would the obligation to disclose a personal data leak arise?
Not all personal data violations have to be disclosed to the Authorities, as stated above. A data fiduciary is mandated under section 25 of the PDPB to inform the DPA of any personal data violation if the breach is likely to trigger damage to any data principal. The usage of the term ‘maybe’ makes it plain that the data fiduciary may not have to be completely confident that one or more data principals would be affected by the infringement. The chance of damage is enough. Even “likelihood” is, though, a subjective term which may contribute to uncertainty and future clashes with the DPA.
Under GDPR, when would the duty to disclose a personal data violation arise? – The UK’s Regulatory Guidance
Through its website, the Information Commissioner’s Office (‘ICO’), an autonomous agency set up in the United Kingdom to protect information freedom in the public interest, and encourage public authorities’ transparency and data protection, offers clarification as to what data violations are needed to be reported. The ICO website provides, among other items, as follows: What violations do we need to submit to the ICO?
One will need to assess the likelihood and seriousness of the resulting danger to the rights and freedoms of citizens where a personal data breach has arisen. If there is a risk, you must inform the ICO; if the risk is unlikely, you don’t have to report it. But, if you believe you don’t need to report the breach, you need to be willing to explain this position, then you can log it.
It is necessary to reflect on the possible harmful effects for people in determining risk to rights and freedoms. The GDPR Recital 85 states that: “A personal data breach may result in physical, material or non-material harm to natural persons, if not dealt with in an effective and timely manner, such as loss of influence over their personal data or limitation of their privileges, prejudice, theft or fraud of identification, financial loss, unauthorised reversal of pseudonymisation, damage to credibility, loss of confidentiality of personal data”
This ensures that a violation will have a variety of detrimental impacts for individuals, including mental trauma and physical and property harm. Certain violations of sensitive data would not lead to risks of potential annoyance with others who use the information to do their work. Some breaches will have a serious impact on citizens whose personal data has been breached. Hence, this ought to be assessed case by case.
Given the influence this is likely to have on any people who may incur financial damage or other effects, the misuse of a consumer database, the details of which may be used to conduct identity fraud, will need to be alerted. On the other hand, you will not usually need to inform the ICO, for example, of the disappearance or unlawful altering of a staff contact list.
Therefore, once you become informed of a violation, you can attempt to mitigate it and determine the possible harmful impacts on people, depending on how bad or severe they are and how probable they are to occur.
Some explanations of a personal data violation are also given on the ICO website, which include the following:
- Unauthorized third-party access;
- A controller or processor’s malicious or unintended behaviour (or inaction);
- Sending personal data to an inaccurate receiver;
- Lost or stolen computational machines containing personal data;
- Alteration, without consent, of personal data; and
- The loss of access to personal data.
A self-assessment test is also offered by the ICO platform to help decide whether a company has to disclose a data breach to the ICO.
Dell seems to have missed a bullet if the early signs are to be trusted. Because no sensitive records or card numbers have been obtained, the hardware manufacturer would not need to compensate for the customer’s credit management or identification security programme. If the password is changed, Dell says that even though the data has been discovered to have been stolen at all, clients would be safe.
The event could, however, come as a wake-up call to both management and consumers. When one of the world’s biggest tech corporations can be at least partly compromised by hackers, it’s simpler for smaller firms to fall prey.
- Cimpanu, Catalin. “Dell Announces Security Breach | ZDNet.” ZDNet, 28 Nov. 2018, https://www.zdnet.com/article/dell-announces-security-breach/.
- Correa, Diago. “Dell.Com Resets All Passwords After Cyber Attack.” Tech Success, 30 Nov. 2018, https://techsuccess.com.au/dell-com-resets-all-passwords-after-cyber-attack/.
- “Dell Hit With Cyber Attack | Synergia Foundation.” Synergia Foundation, 30 Nov. 2018, https://www.synergiafoundation.org/insights/analyses-assessments/dell-hit-cyber-attack.
- Goud, Naveen. “Dell Fails To Notify Customers On Cyber Attack – Cybersecurity Insiders.” Cybersecurity Insiders, 29 Nov. 2018, https://www.cybersecurity-insiders.com/dell-fails-to-notify-customers-on-cyber-attack/.
- Joseph, Vinod, and Deeya Ray. Self-Reporting A Personal Data Breach – An Obligation Under The Personal Data Protection Bill 2019 – Privacy – India. 23 Jan. 2020, https://www.mondaq.com/india/data-protection/886348/self-reporting-a-personal-data-breach–an-obligation-under-the-personal-data-protection-bill-2019.
- Panache. “Dell Didn’t Inform Users About Cyber Attack, Forced Them To Reset Passwords.” The India Times, 29 Nov. 2018, https://economictimes.indiatimes.com/magazines/panache/dell-didnt-inform-users-about-cyber-attack-forced-them-to-reset-passwords/articleshow/66864126.cms?from=mdr.
- Reuters. “Dell.Com Resets All Customer Passwords After Cyber-Attack.” NDTV Gadgets 360, 29 Nov. 2018, https://gadgets.ndtv.com/internet/news/dell-com-resets-all-customer-passwords-after-cyber-attack-1955091.
- Winder, Davey. “Dell Admits Hackers May Have Stolen Customer Data.” Forbes, 29 Nov. 2018, https://www.forbes.com/sites/daveywinder/2018/11/29/dell-admits-hackers-may-have-stolen-customer-data/?sh=974170f215c4.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: