Activists may drag cybersecurity regulator to court

Cybersecurity activists may drag the country’s cybersecurity watchdog to court for not taking any action against companies that have seen data breaches and not providing clarity on steps being taken to protect customers amid a surge in cases of personal information leaks.

Their grouse is that Indian Computer Emergency Response Team (CERT-In) has not taken any action despite the country witnessing a number of data breaches from big corporates such as Air India, Big Basket and Domino’s over the last few months.

“Cybersecurity activists are exploring all possible options, including legal, to demand better accountability and transparency when it comes to data breaches,” said Suman Kar, CEO of Banbreach, a cybersecurity company specialising in network security, data breach management, and forensics.

“Efforts to reach out to CERT-In both at individual and organisational levels have met with limited success,” he said.

At least one petition is likely to be filed in the Delhi High Court in a few days, people familiar with the development said.

Activists are mulling whether to collectively file one petition or move different high courts on an individual basis. The electronics and IT ministry (MeitY) may also be made a party to the petition, they said.

“Since making the IT Act in 2000, there has not been a single penalisation of any company which has faced a data breach,” said Srinivas Kodali, a researcher at Free Software Movement of India (FSMI) who has been tracking data breaches.

“We want to ask what measures are taken by CERT-In. We are not seeking compensation but want to know why the government bodies have not reacted so far,” he said.
The development comes on the back of increased data breaches and cyber hacks, especially since the start of the Covid-19 pandemic last year.

Recently, data of 4.5 million passengers of Air India was breached and another attack exposed the order details of 180 million customers of Domino’s Pizza. In March, independent cybersecurity researchers warned that personal details of more than 100 million customers of fintech startup MobiKwik was available on the dark web. The company though had denied the leak.

Cybersecurity attacks impacted 52% of organisations in India over the last 12 months, according to a report by cybersecurity solutions provider Sohphos and IT analyst, research and consulting firm Tech Research Asia (TRA). As many as 71% of these firms termed it “serious or very serious attack” and 65% said it took more than a week to fix, the report said.

As per CERT Rules, 2013, the government body is supposed to provide services including response to cybersecurity incidents and analysis and forensics of cybersecurity incidents, digital rights think tank Software Freedom Law Centre (SFLC.in) said.

“CERT-In has the function of collection, analysis and dissemination of information on cyber incidents as per Section 70-B of the IT Act,” said Prasanth Sugathan, technology lawyer and legal director at SFLC.in. “However, there has not been any response to various requests sent to CERT-In. Aggrieved persons could approach courts for relief against the inaction on the part of CERT-In,” he said.

Kar of Banbreach said the activists want “to start a conversation around what steps are being taken to protect customers, and any new checks and balances that may be required”.
The cybersecurity watchdog had recently asked users of Facebook to secure their profile information on the social networking site after it was flagged that personal data of 533 million users globally, including details of 6.1 million users from India, had been allegedly leaked online and posted for free on hacking forums. VNExplorer