Understanding The Impact Of Cyber Threats On Data Privacy

A cyber security threat is any potentially destructive attack that seeks to contaminate information, disrupt digital operations, or obtain unauthorised access to data. Corporate espionage, hacktivists, terrorist groups, rival nation-states, criminal organizations, lone hackers, and disgruntled employees are just a few of the sources of cyber threats to data privacy. Cyber threats to data privacy result in power outages, equipment breakdowns, disclosure of sensitive information relating to national security, and the theft of valuable or private data.

Since cyber attackers may use sensitive data to steal information or access financial accounts, among other potentially harmful behaviours, it is essential to ensure the security of private data, by hiring cyber security experts for this purpose. 

Types Of Cyber Threat

Cyber risks and cyber threats to data privacy are ever evolving. Attack strategies and tactics continue to develop while becoming better. An attack vector is an approach that cybercriminals use to penetrate a computer or network server and cause damage.

The following are examples of cyberthreats to data privacy, an organisation should be aware of[1]:

• MALWARE: Malware/malicious software/malicious code is added to a system to jeopardise the confidentiality, integrity, or accessibility of data. Data, apps, or operating systems may be impacted by this covert activity. Malware may interrupt operations and inflict extensive harm, and it often necessitates significant resources from organisations. To monitor private activity and commit financial crime, spyware infiltrates several systems.
• RANSOMWARE: Malware-based ransomware restricts/prohibits users from accessing their systems. In order to regain access to your system or your data, ransomware requires that you utilise online payment channels to pay a ransom.
• DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS: A computer or network is subjected to a denial of service (DoS), which floods it with requests and stops it from responding. The same technique is used in a distributed denial of service (DDoS) attack, which attacks a computer network.
• MAN IN THE MIDDLE: A man-in-the-middle (MITM) attack occurs when hackers insert themselves into a two-party transaction, intercept the communication, and then sift through the data to steal it. These attacks often happen when a user connects to an unprotected public Wi-Fi network. Attackers can use MITM attacks to prevent access to the visitor and the network and then deploy malware to install malicious software and gain unauthorized access to data.
• PHISHING: Phishing attacks rely on fake correspondence, such as email, to con the recipient into opening it and following the instructions contained within, like entering a credit card number.
• CORPORATE ACCOUNT TAKEOVER (CATO): CATO is a type of business entity theft in which online criminals conduct fraudulent wire and ACH transfers while posing as the company.  Unauthorized finances are transferred to accounts under the cybercriminal's control. Institutions with little control over internet banking systems and poor computer security are easy targets. Online criminals employ malware to infect computers via email, websites, or malware that mimics software.
• AUTOMATED TELLER MACHINE (ATM) CASH OUT: ATM Cash-outs entail many simultaneous, sizable cash withdrawals from ATMs located in various locations. Small to medium-sized financial organisations are impacted by the Cash Out. This type involves alteration of web-based control panels for ATMs. The dispensing function control of the ATM is changed by cybercriminals to "Unlimited Operations." The "Unlimited Operations" setting permits withdrawals of amounts that are greater than the balance in the account of a person or than the ATM's cash capacity.
• SQL INJECTION: Structured Query Language (SQL) injection occurs when malicious code is inserted into a server that supports SQL. The server divulges information when infected. On a website that is susceptible, entering the malicious code into the search box will submit it.
• EMOTET: The Cybersecurity and Infrastructure Security Agency(CISA) describes Emotet as "an advanced, modular banking Trojan that primarily serves as a downloader or dropper of other banking Trojans.". Emotet is among most harmful spyware.

Overview Of Relevant Laws And Regulations Related To Data Privacy

1. The Digital Personal Data Protection Bill (DPDP Bill, 2022) currently governs all digital processing of private information, whether it is collected offline or online and handled digitally. The bill exempts data fiduciaries in India who process personal data belonging to Indian nationals from most of its protections, while also providing safeguards against data breaches.
2. The Information Technology Act of 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules of 2011 (the "IT Rules") are the principal laws that deal with data protection. \The IT Act and the IT Rules are the legal frameworks that the government has established for data protection and privacy through the following relevant sections: -
3. Section 43(a), (b), and (i) of the Indian Information Technology Act outline specific actions that are deemed as offenses under the law. These offenses include accessing or allowing access to a computer, computer system, or computer network without authorization; copying, downloading, or extracting data from a computer, computer system, or computer network without authorization, including data saved on removable storage media; and introducing or causing the introduction of computer viruses or other forms of computer contamination.
   Moreover, the law requires that individuals who tamper with or manipulate a computer, computer system, or computer network to charge services used by one person to another person's account be held responsible for compensating the affected individual. Under this provision, the offending party is required to pay damages of up to Rs 1 crore to the affected party.
4. According to Section 66C, individuals who engage in dishonest or fraudulent use of another person's electronic signature, password, or any other unique identification feature are liable to be penalized with imprisonment for a term extending up to three years and a fine of up to INR 1,000,000, in addition to any other punishment deemedappropriate by the law.
5. Section 72A of the law stipulates that any person, including an intermediary, who discloses confidential information about another person without their consent or in contravention of a legal agreement while providing services under a legal contract, with the intention of causing wrongful gain or loss, or knowing that such an outcome is likely, will be subject to imprisonment for a period of up to two years.
6. The most important clauses, in terms of internet trade and cybercrime are found in the IT (Amendment Act of 2008) and IT (Sensitive Personal Data or Information) Rules of 2011.

Key Legal Considerations For Preventing Data Privacy breaches

• Establishing and Enforcing Data Privacy Policies: In order to prevent data privacy breaches, a company must establish a comprehensive set of data privacy policies and implement them effectively. This involves employing roles and permissions to control access to specific types of data, creating copies of data and storing them separately to enable restoration in case of loss or alteration, and utilizing backups as an essential approach for maintaining business continuity in the event of data loss, destruction, or corruption.
• Ensuring Compliance with Data Protection Regulations: Employers and the State must ensure that employees comply with data protection laws such as the IT Act and related regulations, as well as the company's internal data protection policies. It is essential that employees understand these laws and policies to prevent data privacy breaches.
• Conducting regular privacy audits and risk assessments: An internal security audit examines a company's security policies and procedures to enhance its operations. Regular internal audits are crucial to avoid data privacy breaches. Internal audits ensure that staff are taking reasonable efforts to secure sensitive information, that company security standards are being followed, and that network vulnerabilities are being addressed.
• Providing employee training on data privacy and security: Employers must ensure that their staff receives necessary data privacy training to prevent cybersecurity and data hacking attacks. Companies in India need to actively implement data security training programs and required consumer privacy courses for their staff members, similar to companies in states like Ohio and Utah. Product developers and staff members who handle personal data should have access to security awareness training to prevent data privacy breaches. By receiving sufficient privacy training, the HR department can ensure that the business complies with data protection rules. Privacy awareness training aims to educate the general staff to ensure that the company's rules and the laws regulating data privacy are upheld.
• Implementing appropriate technical and organizational security measures:To ensure the security of personal data that is processed, it is crucial to implement appropriate technical and organizational security measures (TOMs). Organizational measures to guarantee the protection of personal data include establishing policies for information security, planning for business continuity, developing risk evaluations, and having clearly defined roles and procedures for workers. Education and training for employees is also important to help them understand their responsibilities and what to do in specific scenarios. Regular reviews and audits should be conducted to ensure the effectiveness of the implemented measures. Additionally, due diligence should be exercised to select reliable third-party service providers and ensure their compliance with data protection regulations.

Preventing Data Privacy Breaches

To protect a business/company against Cyber-security, the following measures must be taken[2]

• Educate employees: Regular employee training on data security is crucial to prevent data privacy breaches. Teach them how to generate secure passwords, recognize and avoid phishing schemes, and report suspicious activities. Conduct frequent security trainings to ensure that all staff members are aware of established standards.
• Limit access to valuable data: By limiting access to specific documents, the number of workers who could unintentionally click on hazardous links is reduced. Grant access only to those who explicitly require it.
• Establish data security standards and strategies: Implement security patches, define a baseline for all ICT systems, establish anti-malware defenses, and put an incident management strategy in place.
• Remotely monitor network and user activities: Continuously monitor network and user activities through remote monitoring. Devise a monitoring strategy and monitor all ICT systems and networks. Additionally, limit user privileges and keep a check on user activities.
• Update software and data backup: Update operating systems and application software regularly. Install available patches. Keep data backups for emergencies.
• Develop a cyber breach response strategy: Create a thorough breach preparation strategy to reduce lost productivity and stop bad press. Assess precisely what was lost, determine who is accountable, and develop a sound reaction strategy.
• Destroy data before discarding: Properly destroy anything that could contain sensitive information before discarding. Use software designed to completely erase data from outdated smartphones, computers, or hard drives.
• Encrypt data: Encrypt any private information you send via email. Create a private, exclusive network solely for your team if using a Wi-Fi network.
• Protect portable media: Secure mobile phones, tablets, flash drives, and other portable electronics with difficult-to-guess passwords, anti-theft applications, and other safeguards so that only authorized people can access them.
• Set up Vulnerability and Compliance Management: Use a vulnerability and compliance management (VCM) solution or conduct a vulnerability assessment to find flaws, weak points, and security misconfigurations in physical and virtual environments. Continuously check infrastructure and IT assets for compliance, configuration best practices, and vulnerabilities. Develop an action plan to address these vulnerabilities and delegate it to the proper staff members with the help of a good VCM.
• Conduct regular audits: Conduct routine audits to validate your security posture and find any potential weaknesses in compliance or governance. Security audits provide a more detailed evaluation of security practices and take into account the organization's dynamic character and approach to information security.

Conclusion

India needs to take urgent measures to prevent data privacy breaches. A nationwide strategy must be implemented to enhance the cyber security posture of the nation's assets. To ensure effective cybersecurity and crisis management, a clear governance structure must be established to evaluate current policies, practices, and capabilities. This structure should have a suitable mandate that specifies the responsibilities of different authorities. To establish baseline security standards and evaluate them through frequent security exercises, stakeholders such as various state and federal government departments, law enforcement agencies, and corporations should be widely consulted.

FAQs

[1]https://www.mass.gov/service-details/know-the-types-of-cyber-threats

[2]https://www.niti.gov.in/sites/default/files/2019-07/CyberSecurityConclaveAtVigyanBhavanDelhi_1.pdf

King Stubb & Kasiva,
Advocates & Attorneys

Click Here to Get in Touch

New Delhi | Mumbai | Bangalore | Chennai | Hyderabad | Mangalore | Pune | Kochi | Kolkata
Tel: +91 11 41032969 | Email: info@ksandk.com