This article is written by Amala Maria George who is pursuing a Diploma in Cyber Law, Fintech Regulations & Technology Contracts from LawSikho.

Introduction

A recent report by IBM Security X-Force ranked India second on the list of Asia-Pacific countries to face the highest number of cyber-attacks in 2020, the first being Japan. It reported that India faced seven percent of all cyber security attacks in Asia. With the ongoing pandemic, there is a steep increase in online activity, as also the volume and value of digital transactions, the past few months have seen a number of corporates facing data breaches. Close on the heels of data breaches in Facebook, LinkedIn, Mobikwik, JusPay Technologies, Upstox and Bizongo another major company, Jubilant Foodworks confirmed a data breach. 

The following article analyses the facts of the Domino’s India data breach, the privacy policy of Domino’s India, the response to the breach by Jubilant Foodworks, existing legal provisions in relation to the breach and Domino’s India’s compliance to the provisions. 

The Domino’s India data breach

On 18th April 2021, Alon Gal, co-founder and Chief Technology Officer of Israeli cybersecurity firm Hudson Rock tweeted about an alleged data breach at Domino’s India. The tweet mentioned a data leak of 13 TB data worth of data including 180 million order details containing names, phone numbers, emails, addresses, payment details, and 1 million credit cards. According to Alon Gad, the data is up for sale on the dark web, the threat actor is asking for around 10 Bitcoins (approximately Rs. 4.25 crores) for the stolen data and claims to be building a search portal to enable data search. Alon Gad shared screenshots according to which the breach also included internal files and details of 250 employees.  

Jubilant Foodworks which owns the master franchise for Domino’s Pizza India came out with an official statement in response on 20th April which confirmed that it experienced an information security incident recently, however it claimed that no financial data was compromised as by policy it does not store financial details or credit card data of customers. The privacy policy available on Domino’s India’s website also states that it does not store any credit card details. However, Domino’s passes the order details and card details to Verisign for secure payment and Verisign’s privacy policy provides for collecting and storage of financial data including payment card details. Jubilant Foodworks said that its team of experts is investigating the matter and necessary actions have been taken to contain the incident. Jubilant Foodworks publicly acknowledged the data breach only after the breach was first publicly reported by Alon Gad on Twitter.4

Independent cyber security researcher, Rajashekhar Rajaharia said that he had alerted CERT-in (The Indian Computer Emergency Response Team, set up under the Ministry of Electronics and Information Technology for responding to cyber security incidents) on 5th March 2021 and he had a suspicion that the same hacker responsible for the Mobikwik hack had access to Domino’s data since February 2021 and that the first hacker sold the access to some other seller. Rajaharia also tweeted that while there was data including payment type and social login tokens, financial data did not seem to be there as per his analysis. Rajashekhar’s tweet corroborates Jubilant Foodworks’ statement regarding no financial and credit card details being leaked, as against the initial report of the breach by Alon Gal.

There seems to be a lack of proper measures and callous attitude in dealing with the data breach by Jubilant Foodworks. The breach is suspected to have happened in February and was brought to public notice by Alon Gal in April, it took two more days after Alon Gal’s tweet for Jubilant Foodworks to even comment on the alleged data breach. A spokesperson has seemingly trivialized the event by not giving any specifics of what data was breached, only denying allegations of financial information being compromised. There is an absence of a written statement and information regarding the breach on the Domino’s India website as well as Jubilant Foodworks website to alert its customers regarding their data being compromised as on 22nd April, 2021. The vague statement by Jubilant Foodworks has left ambiguity over whether any data has been compromised and if yes, what kind of data has been compromised, it has failed to explain what measures are being taken to combat the breach and cyber security incident. 

Existing legal provisions governing data privacy and security in India

With India’s Personal Data Protection Bill yet awaiting a go ahead from the Parliament, the existing laws dealing with data privacy issues is the Information and Technology Act, 2000 and the Rules thereunder and sectoral regulator specific circulars and guidelines like those laid down by Reserve Bank of India (“RBI”) and Insurance Regulatory and Development Authority. 

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”) currently govern the protection of personal data collected by corporates in India. It defines ‘personal information’ to mean any information relating to a natural person which in combination with other information available with the corporate is capable of identifying such a person. The information collected by Domino’s and compromised by the breach does include names, phone numbers, addresses which makes it fall under the definition of personal information.

However, the SPDI Rules further goes on to define ‘sensitive personal data or information’ and majorly deals with privacy and security of ‘sensitive personal data or information’ and almost ignoring the security of ‘personal information’ except in Rule 4 where it requires the body corporates dealing with personal information to have a policy for privacy and disclosure of information. The ambit of Section 87 read with Section 43A of the Information Technology Act, 2000 (in exercise of which the SPDI Rules have been made) is restricted and the regulations relating to personal information may not withstand a challenge to its vires particularly in light of the clarification notification by the Ministry.

The data compromised as per the statement by Jubilant Foodworks does not include credit card information of the customers and thus does not fall under the definition of sensitive personal data or information as defined in the SPDI Rules.

The RBI in March 2020 had disallowed merchant sites such as Domino’s from storing customer card data, and authorized Payment Aggregators to audit the merchant sites for compliance however, the RBI has allowed the merchants additional time up to 31st December 2021 for implementing the same.

The SPDI Rules require corporations to have an accessible privacy policy detailing what kind of personal information it collects, what are the purposes and usage for the data collection, disclosure to third parties and the reasonable security practices it has implemented. The requirements laid down in the SPDI Rules are bare minimum and, in most cases, it does not cover all personal information rather it is applicable only in the case of sensitive personal data or information.

The SPDI Rules have distinguished between personal information and sensitive personal data or information in the definitions, however, it does not have a consistent approach in delineating the security practices and requirements for personal data vis-à-vis sensitive personal data or information. A close examination of the SPDI Rules reveals a confused approach in setting out the requirements for both kinds of data. For instance, it seems that consent for collection and disclosure to third parties is applicable only in case of sensitive personal data or information. 

In case of a breach, the SPDI Rules only require the corporation to demonstrate that they have implemented security control measures in accordance with the documented data security policies as is elaborated above. While the SPDI Rules also do not require a notification to the affected customers or authority, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 requires corporates to report cyber security incidents to report the incident to CERT-In within a reasonable time of occurrence, or notice to leave scope for timely action. There is no news or any public report of the breach being reported by Jubilant Foodworks to CERT-In. 

Privacy policy of Domino’s India 

Domino’s India has a privacy policy accessible on its website, which on the surface meets the requirements of the SPDI Rules. However, it does not give any details of the reasonable security practices and procedures, nor does it not mention the standard or codes of best practices it follows/ has implemented as required in Rule 4(v). Since Domino’s has a simple privacy policy with no additional paraphernalia or onerous obligations, it seems to have complied with its policy despite the data breach and lack of action. It remains to be seen whether CERT-In will require Jubilant Foodworks to provide a demonstration of the reasonable security practices and procedures it has implemented.

Conclusion

The need for a stringent legislation on data privacy and security has never been stronger. The existing provisions under the Information and Technology Act, 2000 are woefully inadequate in terms of requiring and mandating best practices from Indian corporates and stakeholders. Indian corporates must come in line with worldwide data privacy standards and adopt best practices like specific consent requirements whether opt-in or opt-out based on the information being sought, purpose limitation and data minimization, access to data for correction, providing breach notification etc.

Currently, there is no authority which is investigating/ following up or bringing to book perpetrators of cyber-attacks and companies which do not have an adequate data privacy and security framework. It does not provide any recourse to the consumers or people whose data has been compromised as a result of the breach, not even a basic right to be informed of their data being compromised. If the legislature does not pave way for cyber security and data privacy in the form of enacting the Personal Data Protection Bill, it is time for industry organizations and the general public to demand accountability from corporates.

References

1. https://www.moneycontrol.com/news/india/india-2nd-biggest-target-of-cyber-criminals-in-asia-pacific-in-2020-ibm-6569201.html 
2. Domino’s Privacy policy available at https://www.dominos.co.in/privacy-policy 
3. Verisign’s Privacy statement available at https://www.verisign.com/en_US/verisign-privacy-statement/index.xhtml 
4. https://cio.economictimes.indiatimes.com/news/digital-security/no-financial-data-of-dominos-india-users-leaked-jubilant/82173516#:~:text=Jubilant%20Foodworks%20that%20owns%20the,leaked%20on%20the%20Dark%20Web.
5. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“Rules”) available at https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf 
6. RBI’s Guidelines on Regulation of Payment Aggregators and Payment Gateways (DPSS.CO.PD.No.1810/02.14.008/2019-20 dated March 17, 2020), Section 7.4 available at https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11822&Mode=0 
7. https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12050&Mode=0 
8. Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, Rule 12 available at https://www.meity.gov.in/writereaddata/files/G_S_R%2020%20%28E%292_0.pdf
9.  Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000 available at https://www.meity.gov.in/writereaddata/files/PressNote_25811.pdf 

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: