Data Breach investigations should be prioritized in Digital Data Privacy Law and Digital India Act
The upcoming bills on Data Privacy, Telecom, and overall matters related to Digital data will build a secure ecosystem for India in the future. Not only this, it has the potential to make India a global leader, setting an example for other countries. However, we need to focus on qualitative data breach investigations to do Diagnostic analytics to reduce the possibility of similar intrusive attacks in the future. Mr. Amit Jaju, Senior Managing Director, Ankura Consulting Group (India), shares more insights on the same.
- How is Ankura helping multiple organisations to comply with data privacy and security law?
Over the past few years, we have assisted clients in a variety of industries such as managing new risks related to data privacy, data governance, localization, and cyber security. Indian businesses too began to examine these sectors from a domestic and global perspective.
Though we serve a wide range of businesses, the majority of our clients operate internationally or in highly regulated industries like pharmaceutical and financial services. With the launch of our India operations in 2021, we set up a Center of Excellence in the country for Data Analytics and adjacent technology services. We also focus on machine learning and artificial intelligence, to provide relevant services to our clients in the areas of monitoring and early identification of non-compliance, risk and fraud.
Data privacy solutions are fast evolving and our global experience of helping Clients in other geographies around data privacy advisory and incident response has helped us bring tailored solutions for Clients in India. We also introduced some unique data discovery, classification, inventory and remediation technologies in the Indian market.
- How is Ankura ensuring digital data forensic practices pre- and post-breach in an enterprise?
Today, it has become critical for businesses to take a comprehensive and holistic approach towards emerging digital risks. No defences can guarantee complete protection from such risks. Thus, it becomes important for enterprises to follow a cycle of avoiding, detecting, and responding to cyber disasters. In such situations, digital forensics plays a crucial role in collecting, preserving, and analysing incident-related digital data. Cyber incident investigation and digital forensic analysis together can apprise companies about vulnerabilities, risks and their impacts. These results are crucial information for developing a strong defence strategy for an enterprise.
- Overall growth and future roadmap of Ankura in India
To meet the specialised needs of our current and future clients, we are constantly expanding our service offerings and creating solutions tailored to the industry. We welcomed over 100 new clients in only our first year, and we’re still adding fresh clients and cutting-edge solutions to our portfolio.
In our first year in India, we launched Relativity One eDiscovery offering along with our digital platforms around Pharma Data Integrity and Software license compliance and cost optimizations. With our new global acquisitions of technology platforms, we are actively assisting Clients around emerging threats that come from social media, such as misinformation/disinformation, surface web threats, and dark web risks, such as cyber-attacks.
We have robust plans to grow our workforce in India in the months ahead as we are continually growing our clientele and find it easier to identify qualitative tech talent in India. By providing each client with a customized approach for future-ready outcomes, we hope to establish a significant benchmark in the technology consultancy sector.
- How could the 5G network increase the possibility of DDoS attacks?
5G has the potential to provide greater bandwidth to mobile phones, IoT devices and end-user computing devices. One of the major cyber risks emanating from 5G would be Distributed Denial of Service attacks. Millions of mobile phones could be infected with malware, which could further be misused to launch DDoS attacks on targets. Such a high-speed network with low latency connectivity would ultimately result in a rise in DDoS attacks.
- What would be the need and relevance of data breach investigation in the upcoming Digital India Act and Digital Data Privacy Law?
Everyone gets breached at some point. The important aspect is about investigating these breaches, reporting to the regulators and data subjects about the impact of the breach and taking corrective steps proactively. In data breach cases, the world finds out and may forgive the first instance. But repeatedly breached companies who do not investigate the breach and build defences around the vulnerable areas are bound to be punished by law and will also lose customers. Under the digital India act and digital personal data protection act, reporting the breach within a set time frame would be mandated. This will help identify data subjects who are victims and help take corrective steps to contain the damage including notifications.
- Key aspects related to data accessibility, privacy, security laws and regulations?
On November 18, the Indian government released the new Digital Personal Data Protection Bill, 2022. This new version is focused on personal data and incorporates hefty penalties for non-compliance. It also relaxed rules on cross-border data flows and has provided for easier compliance requirements for start-ups. Financial penalties of as much as Rs 200 crore, multiplied by the number of users impacted are announced to be imposed per breach.
For similar violations globally, fines are pegged at a percentage of revenues, or turnover whichever is higher. The value of 150-200 Crores for Indian companies seems very high to a point where it may become impractical to enforce. Keeping the fines as a high percentage of turnover looks more practical and feasible to implement. It would be better if GOI also emphasizes investments in training and awareness campaigns for enterprises in India which would lead to an organized security compliance environment in the country.
- Views and expectations from the upcoming/ current bills from the Government of India: Telecom, Data privacy, VPN regulations, etc.
The government of India not only wants to build a robust digital ecosystem but also wishes to provide a favourable environment to support the same. To achieve this, the government must ensure the protection of personal data and ease of data access. The India Data Accessibility & Use Policy is important because it will help build a digital ecosystem that enables ease of data access and use, while also protecting people’s data.
In terms of implementation of this policy, there are certain areas where there is a scope for improvement such as coverage of policy should be extended to all the states. The policy will be more beneficial if all state and central government systems come under the ambit of the policy. In terms of integrity, there is a lack of provision to ensure data integrity management as it is transferred between different departments. Also, the role of third parties is a bit unclear, though the draft policy talks about the inclusion of third parties to assist with data processing, it doesn’t talk about the responsibilities and penalties that will be levied on third parties if they mishandle the data or if there is a breach. It is also not clear if third parties will be asked to ensure data localization whilst they are handling the data.
The recently updated digital personal data protection bill of 2022 is introduced for public review but looks highly simplified and lacks several important components. It may take several iterations to fix these issues. However, many Indian companies are already working at an international level and are adopting privacy by design to be able to manage compliance against varied global data protection legislation. Such companies continue to conduct proactive assessments and breach responses to safeguard their reputation and critical data.