The Star Health Insurance Data Breach: Investigation required from the Enforcement Directorate

The Star Health Insurance data breach has been in the news for some time now. The Company also seems to have acknowledged the breach. As per this article in India Today, 31 million data principals might have been affected in the breach, and the personal data is reportedly being sold online.

The data has been accessed by an identity going by the name xenZen, who has also suggested that the data was sold for US $150,000. That works out to a net price as low as 38 paise per data set, which is not realistic. The normal price for such data .

One indicative price list of data is as follows:

The types of data leaked in the Star Health breach are indicated as:

  • Full Name
  • PAN No.
  • Mobile No.
  • Email
  • Date of Birth
  • Residential Address
  • Insured Date of Birth
  • Insured Name
  • Gender
  • Pre-existing Disease
  • Policy Number
  • Health Card
  • Nominee Name
  • Nominee Age
  • Nominee Claim %
  • Nominee Relationship
  • Insured Height
  • Weight
  • BMI

The leak also alleges that the CISO of Star Health Management, Mr Amarjeet, sold the data but later tried to change the deal terms.

The hacker also invites journalists to contact him by email for proof.

Data breaches are not new in India, but what is strange in this instance is that the name of the CISO is given along with an indication that the management is also involved in the data breach.

There are several issues in this case which are beyond the scope of an investigation by the Company itself. In fact, the more the Company itself investigates, the more it risks vitiating the evidence, in violation of law.

The value indicated is not realistic, and hence there is a prima facie doubt that somebody who wanted to frame the CISO and blame the Company is involved in this data leak. In view of the doubts raised about the Company and the CISO himself, an internal investigation is not reliable.

Further, the consideration involved is in US dollars, and hence there is also a FEMA (Foreign Exchange Management Act) angle.

From all angles, this is a case to be investigated by the CBI and ED, and the investigation should extend to other employees of the Company as well as competitors of Star Health Insurance who are the beneficiaries of this data leak.

CERT-In also has to start its investigation. However, this investigation is beyond the scope of any single organization involved in data breach investigation.

We urge that CERT-In should file a complaint with the CBI and ED to trigger an investigation, assist them in the investigation and find out the truth behind this data breach.

In the meantime, we reiterate that the existence of “Proton Mail” kind of services and the dark web itself is the root cause of such crimes, and the country as a whole should declare Proton Mail a “Terror Outfit” and take up the investigation as a “Cyber Terrorism Case”.

There is an urgent need to completely ban Proton Mail in India and also to ban the use of Tor browsers, making it an offence to use them without a licence. The MHA should also look into this case and bring some fundamental changes to our legal system so that cyber crimes are not facilitated by the existence of the dark web and its allies like Proton Mail.

Naavi

Posted in Cyber Law

The Vision of Tatas lives on

Sri Ratan Tata lived a full, productive life which anybody can be proud of. While we regret that his leadership will no longer be available to guide Indian industry, it is our duty to remember and follow his vision and principles.

One of the notable observations about his career is his commitment to the good of the nation. He was an example to other industrialists and exhibited this commitment in no small measure when he took over Air India.

Naavi and FDPPI appreciate this spirit of working for the benefit of India and follow similar principles of an indigenous approach in what we do, whether it is DGPSI as a framework or C.DPO.DA. as a certification.

We therefore will continue to remember him and dedicate one of the annual Privacy Awards we normally distribute during our annual flagship event, “Indian Data Protection Summit 2024” (this year to be conducted on November 30 and December 1 at Bengaluru as a hybrid event), to “Commitment to National Good”.

More details would be shared separately.

Naavi

Posted in Cyber Law

Should there be Insurance for DPDPA Fine?

Currently, cyber insurance covers first-party damage in the case of a data breach: the cost of recovering lost data, legal and forensic costs, and perhaps some consequential losses as well as third-party liability claims.

In the post-DPDPA scenario, there is a concern about the cost of the administrative fine, which could be substantial. It is a grey area whether this fine, if any, can be insured.

By its nature, the fine is levied because of non-compliance with the law, besides other reasons such as causing harm to the data principal. It is therefore difficult to provide coverage since, in principle, insurance cannot protect and reward non-compliance with the law.

However, in most cases when fines are levied, the data fiduciary may claim compliance, and it would be a matter of the regulator not agreeing that the measures taken were adequate. It would be a matter of debate whether there were “reasonable” measures and “due diligence” on the part of the data fiduciary. It is possible that a breach was attributable to the action of a third party despite reasonable measures taken by the data fiduciary for compliance in good faith. It is like an automobile accident which occurs despite careful driving and not because of a blatant violation of law such as driving the wrong way down a one-way street or driving drunk.

If automobile insurance, as well as the law punishing drivers for rash and negligent driving, can distinguish between what is rash and negligent and what is not, should there be a similar discussion on the fines levied for DPDPA non-compliance?

In most cases, the order of the regulatory authority may specify the root cause and whether there was gross negligence or a lack of good faith on the part of the data fiduciary in the incident. If so, should a “DPDPA Liability Insurance Policy” cover not only the cost of conducting the investigation, legal defence and meeting the liability to the data principals, but also the administrative fine (maybe subject to a sub-limit)?

The insurance industry needs to ponder over this.

On the audit side, FDPPI would like to offer:

a) An assessment of DPDPA readiness for an insurance company to accept an insurance proposal

b) An assessment of DPDPA penalty liability when an incident occurs or an inquiry is ordered by the Data Protection Board.

These assessments can be structured to the needs of the insurer and conducted at the instance of the insurance company.

They may differ from the assessment made as a “DPDPA Gap Assessment” or “DPDPA Compliance Implementation Assistance”.

Posted in Cyber Law

California becomes the second US State to recognize Neurorights

Two days back, the California Government signed a new law, SB 1223, which recognizes neuro rights as part of privacy rights by treating neural data as “sensitive personal information” under the CCPA.

With this, California became the second state after Colorado (Refer here) to expand the scope of its privacy act into neuro rights protection.

The bills also show that it is possible to extend neuro rights by simply widening the understanding of “sensitive data” within an existing privacy law.

There is a concern in India that DPDPA 2023 does not recognize “sensitive data”. However, the criteria for notifying a “Significant Data Fiduciary” under DPDPA 2023 include the volume and sensitivity of the personal data processed, so data fiduciaries processing high volumes of sensitive personal data are covered. No separate legal definition is needed to treat “neural data” as “sensitive”.

Hence any organization in India working on “neuro technology” will now have to be classified as a “Significant Data Fiduciary” and treated as such for compliance. NIMHANS-type organizations eminently qualify for such categorization, along with all hospitals that may be involved in technologies that could read, store, manipulate or disclose neural data.

“Neural data” reflects the activity of brain cells (neurons), an electrochemical process in which charge builds up in a neuron and, once it crosses a threshold level, fires a signal to the next neuron. This is a typical all-or-none, binary-like activity: a built-up charge beyond the threshold can be read as the binary value 1, while a charge below the threshold represents 0.

Hence, without waiting for further changes in law, India can start protecting neuro rights within the current law, unless a proviso is inserted in the rules to exclude such data, which is unlikely.

Naavi

also refer: https://neurorights.in/wp/

Posted in Cyber Law

Want to be a “Master Trainer” for C.DPO.DA.?

FDPPI is working closely with Cyber Law College to develop the capacity of Data Protection Officers and Data Auditors.

In this direction, FDPPI, being a not-for-profit organization with an interest in developing the community's interests, has decided to develop a set of “Master Trainers” in the immediate future in 20 major cities of the country who can conduct local physical training programs for C.DPO.DA. These Master Trainers will be individual torch bearers of privacy training, supported to the extent required by FDPPI/Cyber Law College.

Since FDPPI has introduced a “Cross Certification” program whereby professionals trained by DSCI/IAPP/ISACA are given privileged entry into the C.DPO.DA. examination (with a concessional examination fee of Rs 6000/- plus GST as a launch offer applicable till October 17, 2024), it has been decided that professionals trained by these “Master Trainers” will also be allowed direct entry to C.DPO.DA. at a differential price of Rs 10000/- plus GST (subject to change).

One of the prerequisites for being a Master Trainer, however, is that the entrepreneur should themselves be C.DPO.DA. qualified (at Level 3).

Levels 1, 2 and 3 are the three grades in C.DPO.DA., and Level 3 represents “Distinction”. Level 1 would be considered the minimum certification level for privacy professionals, and Level 2 is recommended for implementation consultants. The classification is based on different cut-off points in the examination.

Since FDPPI/Cyber Law College is conducting the next C.DPO.DA. program in Bengaluru on 27-29 September 2024, it has also been decided to allow three persons aspiring to be “Master Trainers” to attend the training at a 50% discount (net price would be Rs 20000/- plus GST of Rs 3600/- for three days). Persons coming from outside Bengaluru need to make their own arrangements for travel and stay. Interested persons may contact Naavi immediately. Since only three persons will be accommodated in this scheme, aspirants are requested to act quickly.

This will be purely optional for the trainees, and if they are satisfied with the certifications given by the individual trainers there is no need to also seek a C.DPO.DA. certification. This is a voluntary offer from FDPPI, and the other organizations whose certifications are eligible for this cross certification are not required to provide any reciprocal offers.

With this Cross Certification Scheme, and by opening it out to private individuals, FDPPI is democratizing training for persons with a passion for training. This is an opportunity for every training professional or training company to develop their own training programs at their own pricing while enabling their candidates to opt for industry-standard certifications. It is presumed that in the long term this will revolutionize the certification mechanism and reduce costs for professionals aspiring to multiple certifications.

Naavi

Posted in Cyber Law

Opportunities fly past. Recognize and seize them.

Posted in Cyber Law