The Data Breach Notification Rule under DPDPA Requires a Re-look

In continuation of our post of yesterday on the Consent Manager, we would like to point out that the “Personal Data Breach Notification Rule” as contained in the draft rules also requires a re-look before the next version of the draft rules is released. Some of our observations are as follows.

We refer to Rule 7 of the draft rules, a copy of which is available at www.dpdpa.in/dpdpa_rules, for this purpose. This rule deals with intimation of a personal data breach. The Rule prescribes two-stage reporting: one intimation to be made immediately on becoming aware of the personal data breach, and a second, with more details, within 72 hours. It is noted that the rules do not make any mention of the data breach reporting directions notified under ITA 2000 by CERT IN. (Refer: https://cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf).

It is necessary to recognize that every personal data breach involving loss or damage to data is also a data breach under ITA 2000 and is reportable under the CERT IN guidelines even after the repeal of Section 43A. The consequences of non-reporting could be the initiation of criminal proceedings, with imprisonment of up to 1 year and a fine of Rs 1 crore.

Hence clarity should be brought in about the need to copy the data breach report to CERT IN. There should be a process by which the DPB and CERT IN work in harmony in dealing with the breach report.

In case the DPB would like to exercise its right of investigation into the causes of a data breach, it would require additional technical investigation capabilities to be built up. On the other hand, CERT In already has the necessary expertise with a team of scientists and can also have access to the CERT IN auditors.

There is a need to recognize that the DPB would be more interested in identifying non-compliance with the law which may affect the rights of the data principal, and hence would like to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. On the other hand, CERT IN is more interested in the prevention of cyber crimes and hence is focussed on data breaches involving exfiltration/loss/damage of personal data.

Hence there is a need for a re-look at this rule, along with a simultaneous change in the CERT IN rules relating to data breaches.

Further, it is necessary to recognize that organizations which monitor security incidents diligently do observe several instances of whistle-blowing reports which, if confirmed, may become breaches but could also turn out to be false.

The draft rule under DPDPA currently requires the report to be submitted “Forthwith”. This will force organizations either to report all intrusion alerts captured by their systems as data breaches or to ignore the provision. While companies may classify such intrusion alerts as not amounting to a data breach, there is still a requirement to give organizations some time to determine whether an internal data breach alert is really a data breach or a false alarm. Hence such observations should be termed “Provisional” at the time of reporting. The confirmed report filed within 72 hours may be called the “Personal Data Breach Report”.

Hence there is a need to recognize three categories of personal data breaches, namely:

  1. Provisional Data Breach
  2. Data Breach not resulting in loss of data
  3. Data Breaches resulting in loss/damage of data

The rules should treat these differently in terms of reporting, mitigation and penalisation.

Since CERT IN has the infrastructure to provide technical guidance on remediation, there is no need to duplicate the effort at the DPB. Regulatory investigation of a technical nature, if required, should be left to CERT IN and its findings adopted by the DPB before going in for determination of penalties.

CERT In has its own powers of a quasi-judicial nature which are more extensive than the powers of the DPB. Hence co-ordination between the two entities is essential to prevent confusion in the industry. For this purpose, a “DPB-CERT IN Data Breach notification and investigation policy” should be announced which may specify time-bound completion of investigations and non-overlapping rulings on penalties. (Similar arrangements can also be worked out with RBI/IDDAI/SEBI.)

Alternatively, changes should be notified under ITA 2000 stating that CERT IN would refrain from investigating cases which are taken up for investigation by the DPB under DPDPA 2023.

Wishing away the powers of CERT In may require amendment of ITA 2000 and is not feasible in the short run.

Hence CERT-IN and the DPB need to build a method of working together without conflict, and this should be done concurrently with the passage of the DPDPA Rules.

We also suggest that the “Provisional Data Breach Notification” need not be sent to data principals and that the complete notification be posted prominently on the website. The data principals may be sent an email notification, but the likelihood that many will not be reached is high. Hence the website notification should be considered sufficient notification unless the DPB or CERT In specifically instructs individual notifications.

Comments welcome.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.