
The DPDPA 2023 has completely changed the outlook of the industry on the use and management of data. So far, like every other business entity that has adapted itself to the “Data Driven” business strategy, the industry was concerned only with “Information Security” or “Cyber Security”, i.e. preventing cyber criminals from accessing the data in its custody and committing fraud.
In late 2018, the J W Marriott chain had “become aware” of a data breach of its reservation system which had actually happened in 2014 in the network inherited from “Starwood” hotels, which Marriott had purchased in 2016. The data of over 500 million guests, including credit card and passport details, had been accessed by hackers. Investigations revealed that one of the competing bidders for the takeover of Starwood could have been responsible for the breach. The involvement of the Chinese military was also traced. It was therefore a business rivalry and foreign state sponsored attack. This was considered an “Information Security Issue”, and the damage to individuals was collateral.
However, in terms of the damage to the company, the penalty imposed by the UK ICO under GDPR was more than $120 million, which was much more than the direct loss suffered, most of which was covered by cyber insurance.
The insurance industry is deeply divided on whether administrative penalties can be covered by insurance. In the instant case, J W Marriott did not contest the fine, and it is reported that it ultimately settled the penalty at around $52 million.
The Indian hospitality industry has so far not been much concerned about such data breaches, since the industry was protected by weak enforcement and a weaker judicial system in India.
The current law, ITA 2000, requires an affected party to claim damages before a company can be held liable for such data breaches, but the “valuation” of personal data for claiming damages continues to be a grey area, and it would require decades of litigation for a PIL to materialize (e.g. the Bhopal Gas Tragedy case). Hence the industry was taking it easy. Most large hotel chains today hold lakhs of personal data records, including Aadhaar data, PAN data, driving licence data etc., and these are retained for decades.
Now, with DPDPA 2023 coming into force, the “Risk of DPDPA Non Compliance” hangs over the heads of all the members of the hospitality industry, though limited to around Rs 250 crores, or say around Rs 500 crores if multiple breaches or instances of non compliance are recorded.
Under DPDPA 2023, the hospitality industry players will be given a new responsibility as “Data Fiduciaries” and will be responsible for the protection of the “Privacy Rights” of their customers.
The industry should therefore wake up and start taking steps to mitigate the DPDPA non compliance risk.
After shedding this complacency and deciding to secure the personal information under its custody, the industry should not fall into the second trap of complacency: believing that it is secure because it is certified under ISO 27001 or GDPR. It needs to look for certification under India specific compliance frameworks such as DGPSI.
In this context, it is timely that ETCISO is hosting an event on 18th February 2025 from 4.00 pm to 6.00 pm in Bengaluru (Park Hotel).
Naavi