This article is written by Leevanshiqa, Faculty of law, Kalinga University, 3rd Year BA.LL.B (Hons) Student during an internship at LeDroit India
Keywords
- Revolution
- Cyber-Security
- Data Breaches
- Information Technology Act (IT Act)
- Threat Landscape Report
- Juxtaposition
Introduction
The digital revolution has changed everything about us and our way of living, from how businesses work to the manner in which we communicate. Since India is one of the fastest-growing digital economies, there can be no shadow of a doubt that cyber security events and data breaches are becoming increasingly complex, creating problems for the common masses and organizations alike. The internet, mobile and cloud have opened up whole new horizons for growth, with innovation never far behind. But this increased dependence on digital technology has also resulted in a rise in cyber security threats and data breaches. As per a report by the Indian Computer Emergency Response Team (CERT-In), cybercrimes in India shot up 15% from the last year alone, with phishing attacks, ransomware and data breaches ruling as the major types of online extortion. As a result, litigation over cyber security and data breaches has become a critical practice area. This paper presents the juxtaposition of litigation and the ever-developing technology landscape, examining the Indian legal data protection regime, cyber security incidents and their significance, and the avenues of recourse available to individuals and entities in a digital world.
India Cyber Warfare Landscape
In recent years, there has been a surge in cyber-attacks and data breaches across India. A data breach is defined as unauthorized access to private files, causing their exposure. As the number of Internet users and digital transactions in India has grown exponentially, so have the vulnerabilities around information systems. As per the India Threat Landscape Report 2021, in 2020 alone more than one million cybersecurity incidents were recorded, which was a jump of about 37% over the previous year. Remote work was on the rise and digital services were increasingly becoming mandatory due to COVID-19, which only aggravated the issue as hackers took aim at new networks (such as home networks) or cloud infrastructure.
In response to this threat, the Indian Government enacted the Information Technology Act, 2000 (IT Act), which aimed at providing a legal framework for cybercrime and a mode of protection for electronic data. Nevertheless, the passage and implementation of this law have been fraught with challenges due to insufficient dedicated courts and the inadequate technical skills of judges.
Cybersecurity breaches not only cause monetary losses but also bring long-term damage to reputation and trust. When data breaches occur, companies are subjected to the scrutiny of consumers, regulators and the media alike. The threat of legal action after the fact only muddies the waters further. Companies should expect their security measures to be tested in court as victims of data breaches look to the law for answers about who should have stepped up and did not.
Navigating Litigation in Cybersecurity and Data Breach Cases
Litigation in the digital age presents unique challenges for both petitioner and respondent. Petitions for compensation following a data breach or cyber-security incident often pose difficult challenges for the claimant in terms of causation, quantum and issues relating to complex legal landscapes. For their part, respondents must show that they have done what is reasonably necessary to protect the confidentiality of sensitive information and that they are in compliance with data protection laws.
Proving Negligence or a Failure to Exercise Reasonable Security Practices [Liability]: A primary legal hurdle is establishing negligence or a lack of reasonable security practices. The duty arises from good data security practices, and claimants will need to show that the organization has fallen short of these standards. To demonstrate this, they must show that common security procedures were not in effect. Expert evidence could be essential in proving what amounted to “reasonable security” in the circumstances of the incident.
Quantification of Damages: A further substantial barrier is the quantification of damages. Unlike other tort claims, damages stemming from cyber breaches are frequently of an economic variety, such as theft of money, the expense of remediating problems caused by hackers, and harm (or potential damage) to a victim’s reputation. It may be difficult for courts to articulate these types of losses within the common law tort regime, or to acknowledge new heads of damage that adequately account for the loss experienced.
Establishing Which Laws Apply: By the very nature of cyberspace, it is not clear which nation’s laws apply to cyber litigation, and this can present legal complications. Because cybersecurity incidents are innately transnational, establishing the controlling law and jurisdiction is often complex. There is no single set of laws or standards on data breaches that applies from country to country. This makes matters difficult for parties on different sides of an international legal transaction.
The legal structure in India governing cases of cybersecurity and data breach is in its early stages. It is the IT Act and its amendments, along with the Personal Data Protection Bill, that form the legal basis in these cases. Unfortunately, implementation of the law by the courts has been inconsistent and spotty, resulting in interpretations that leave parties without clear guidance they can rely on when disputes arise.
The Legal Framework
The legal framework prevailing in India for the redressal of cybersecurity and data breach cases is governed mainly by the Information Technology Act 2000 (IT Act) along with the Personal Data Protection Bill 2019… In relation to this, the IT Act operates as the base for controlling and searching cybercrimes, which includes the protection of integrity, confidentiality and origin. The PDP Bill, which is pending in Parliament, seeks to provide a full-fledged framework for data protection and privacy.
In 2017, the Government of India appointed a committee under the chairmanship of Justice B.N. Srikrishna to draft a comprehensive data protection law. The resulting statute, the Personal Data Protection Bill, 2019 (PDP Bill), is landmark legislation seeking to protect individuals in relation to their personal data. While the PDP Bill has seen delays in execution since its introduction, it does mark a movement towards acknowledging data privacy as a fundamental right.
The idea of accountability is built into the PDP Bill, with data fiduciaries (those who decide what personal data to collect and how it is processed) being required to implement reasonable security measures. The Bill also introduces data subject rights for the first time, which allow everyone to seek redress when their personal information is compromised or used unlawfully. These provisions create an environment that allows petitioners to pursue litigation remedies when data security fails.
Judicial Trends
Recent years have seen a number of high-profile cybersecurity and data breach cases come before Indian courts. The interpretation of RBI guidelines was illustrated by the Supreme Court in one of its initial and landmark cases, Reserve Bank of India v. Jayantilal N. Mistry (2014), where it stated that the internet banking guidelines issued by the RBI were mandatory and not directory. The court also held that the RBI had legal sanction to issue such guidelines, with a valid mandate of law as well as the power to inflict penalties where a guideline is violated.
Another important case was S. Ovais v. Union of India (2018), where the Delhi High Court ruled that the Government's blocking of a few websites and applications was unconstitutional. The court also ordered that the government must give prior notice and an opportunity to be heard before taking such actions.
A similar situation arose in Indian Medical Association v. Global Hospital. In this judgment, patients had suffered from a data breach that affected their right to privacy. The court underscored the special responsibility of medical institutions to ensure the safety and confidentiality of patient data, and decided that patients were entitled to seek redress for a security breach.
Similarly, Shreya Singhal v. Union of India is another landmark judgment in our sui generis context, where the Supreme Court struck down Section 66A as unconstitutional and reproved the Government for its lack of sensitivity towards freedom in the digital age. This ruling demonstrated that issues relating to cybersecurity and data rights also engage core constitutional values, in turn raising the stakes of any litigation concerning a data breach.
In the Air India Data Breach 2018, millions of items of personal data were compromised. This incident prompted an investigation and eventually resulted in a fine from the data supervisory authority.
The Wipro Phishing Attack 2019 was another prominent example, where attackers successfully gained access to Wipro’s email systems and even extracted information from its clients. The event resulted in a massive drop in Wipro's reputation and brought forward the fact that organizations have to pay crucial attention to their cybersecurity practices.
Challenges and Complexities
However, litigating cybersecurity and data breach cases in India is quite challenging. One of the major issues is that there are no standards or regulatory requirements for data breach notification. This can cause uncertainty, for instance among businesses or individuals, as to what the law requires.
A further problem has to do with providing the right knowledge for cybersecurity and data breach matters. Both are based on the legal and regulatory framework, which needs to be known in depth.
Future Prospects and Recommendations
With India now on the cusp of having in place a comprehensive legal framework for data protection, multiple recommendations can be framed to strengthen the litigation landscape:
- Compulsory Enforcement of Comprehensive Data Protection Laws: To strengthen comprehensive data protection law, the immediate enforcement of the PDP Bill is necessary to set out normative frameworks specifically for data breach scenarios. A bill should give consumers recourse when their information is exposed insecurely, and the legislation must explicitly enumerate these remedies.
- Industry Best Practices and Training: Organizations should dedicate resources to the development and deployment of cybersecurity strategies. Regular training sessions for employees help build an understanding of data protection practices and a sense of obligation towards keeping company information secure.
- Strengthened Powers to the Regulatory Authorities: Regulators must be vigilant regarding organizations' compliance with data protection laws, and they should have the necessary enforcement powers over those who fail to maintain the required levels of security. Rapidly looking into alleged data breaches may induce greater confidence in the protections that are in place.
- Promotion of Class Action Suits: There should be a mechanism in the legal framework enabling people affected by pervasive data breaches to file class action suits and claim collective redress.
Conclusion
This is a very important development: as technology and the legal framework become more intertwined, litigation related to cybersecurity and data breaches can be said to have risen. With digital threats changing, so too must our legal systems and the business approaches that companies adopt based on proposed policy. To foster trust in the digital environment, legal deployment has to go hand-in-hand with proactive obligations that form strict data protection measures. By navigating the litigious complexities of cybersecurity incidents with care, India can not only ensure that legal ambiguity does not result in vulnerability exploitation by adversaries; it would also be able to lead a future where digital is secure and resilient.
This study was taken up to understand how litigation operates in the digital age, and it focuses on cyber security and data breach cases specifically within India. The paper has reviewed the current legal framework, judicial trends and various past case examples to identify the intricacies and difficulties of litigating such cases.
The paper has also highlighted multiple important issues and hurdles, which include the absence of defined standards and regulatory requirements on data breach notification and security, as well as of qualified specialists in dealing with cyber risk/insurance claims.
References
- The Information Technology Act, 2000 (IT Act)
- Personal Data Protection Bill 2019 (PDP Bill)
- Reserve Bank of India v. Jayantilal N. Mistry (2014)
- S. Ovais v. Union of India (2018)
- Indian Medical Association v. Global Hospital
- Shreya Singhal v. Union of India
- The Air India Data Breach 2018
- The Wipro Phishing Attack 2019