In October 2024, a data breach was reported at Star Health and Allied Insurance, in which the data of about 170 million data subjects is reported to have been compromised. Advocate Mr. M. G. Kodandaram has made a detailed legal analysis, which is enclosed.
This has become relevant in the aftermath of the AWS FIR, in which a cloud client alleges data loss with suspected unauthorized access. The FIR in that case has been filed under Sections 66 and 66C, besides other sections of the BNS on “Cheating”.
Naavi.org had also discussed the Star Health breach incident, suggesting an investigation at the level of the CBI and the ED.
These incidents reiterate the damage being caused by the reluctance of MeitY to complete the formalities related to the DPDPA Rules and by its delay in forming the DPB.
These incidents have highlighted the responsibilities of CISOs and DPOs on the one hand, and of data processors and vendors on the other.
Many times, companies are not aware of a data breach, and a regulator such as CERT-In itself alerts the company to it. In such cases the “Data Breach Notification” becomes an acknowledgement that the company was unaware of the breach until CERT-In pointed it out.
Once the DPDPA comes into effect, sending notices to 170 million data principals, as in the case of the Star Health Insurance breach, is by itself a serious concern for a data fiduciary.
When a data breach involves an intermediary cloud service provider that is a giant like AWS, Microsoft Azure or Google Cloud, the data fiduciary is at a loss to understand how far it can rely on that provider to take accountability for the breach.
Open for Discussion.
Naavi