G V Anand Bhushan, Partner-Shardul Amarchand Mangaldas & Co., discusses the need for a strong and effective cyber security strategy in India.
As the Covid-19 pandemic disrupted economies and forced businesses to shift to remote working almost overnight, the number of companies facing cyber-attacks rose manifold, with attackers moving just as quickly to maximize their financial gain. India has reportedly encountered the third highest number of malware attacks, after the US and Japan, since the shift to the new normal; what makes this worse is that the country still lacks clear regulations on data security and privacy.
In a recent interaction with CXOToday, G V Anand Bhushan, Partner at Shardul Amarchand Mangaldas & Co., discusses why India urgently needs a strong and effective data protection policy, and explains how law firms can cope with cybersecurity challenges during the pandemic and beyond.
With an increase in data breach incidents in recent months, what are your views on this, considering that India does not yet have a dedicated law on data protection and data privacy?
As India gears up to become a digital economy, with its thriving ICT and ecommerce sectors, coupled with the rise in remote working and people spending more time online, data breaches and security threats have increased manifold. At present, India does not have a comprehensive data protection framework when compared to other countries. The IT Act and the SPDI Rules only offer minimal protection with respect to personal data and sensitive personal information. All of this makes it critical to implement an overarching data protection framework that adequately deals with data privacy and security.
Having said that, it is only a matter of time before we have a comprehensive data protection framework in place. The draft National Cyber Security Strategy 2020, which envisages creating a secure cyberspace in India, provides for a watertight mechanism to ensure the protection of one’s data. The rights provided under the Bill are on par with the rights provided under the GDPR. Apart from dealing with rights concerning one’s data, such as the right of access, right of erasure, right of correction, right of data operability, etc., it also has specific provisions on the transfer of data, including data localization requirements and restrictions on cross-border transfer of data, thereby ensuring holistic protection of one’s personal data and information. Hence, we hope that the Bill will strike a balance between data privacy and fostering digital innovation.
Ransomware attacks have been on the rise in recent months, in which the operations of a company are crippled by hackers who deny access to computer systems or data until a ransom is paid. How should the CIO/CISO immediately respond to these threats?
At the very outset, it is imperative for organizations to implement adequate protocols to prevent the occurrence of ransomware attacks, or of any cybersecurity incident for that matter. For instance, they should implement a Crisis Response Incident Plan (CRIP) that clearly lists the strategy to be adopted in the event of a cybersecurity incident. This response plan should clearly chalk out the responsibilities of employees, the communication channels and the disclosure requirements to be adopted when such an incident occurs. It is important to also have mock drills to ensure the effective implementation of the Crisis Response Incident Plan. This will ensure that the company, collectively, is made aware of the protocol to be followed in the event of a ransomware attack.
Further, in the event of a ransomware attack, the organization must first assess the level of breach and the damage caused. Thereafter, it should undertake all mitigation steps, such as detaching the infected system from the rest of the unaffected systems, and involve the legal team regarding notification requirements to data subjects and nodal agencies. If the incident is required to be notified to the nodal agency, viz. CERT-In, then organizations should immediately inform that agency so as to get its assistance in resolving the attack. Once this is done, it is also the organization’s responsibility to inform its affected data subjects about the incident and provide information regarding the data that has been compromised. However, the most crucial step comes after the incident is resolved, since the organization must perform a complete security audit and update its security systems where required.
Remote work infrastructure is being heavily targeted, along with identity theft. How are law firms tackling this menace while working remotely?
Data privacy and cybersecurity should always be a top priority for law firms, because they hold a lot of sensitive and confidential client information. In our firm, we have always had stringent security measures and a data protection policy, even before we transitioned to the work-from-home model in light of the pandemic.
In India, very few law firms have virtual private networks (VPNs) and cloud solutions so that basic security is taken care of even in a WFH environment. All security protocols, such as virtual desktops, unified access to files within a secure workspace, a centralized data server, a multi-factor authentication system, not allowing transfer of files outside the secured network, not sharing passwords, shredding printed documents, not creating backups and not using unsecured networks, etc., are required to be followed to ensure data protection by law firms. All these systems were put in place in our firm well before the pandemic to ensure data security and protection.
Most importantly, all such policies and protocols must be constantly communicated to attorneys, since communication and training are critical to the success of maintaining both security and privacy in such an environment. Law firms have to be mindful that extra care, audits and penetration tests are provided for attorneys who do not have prior experience of such WFH scenarios.
What are some of the technology best practices legal professionals should adopt regarding safeguarding their data? Can you cite an example from your firm?
Legal professionals should ensure that they use only authorized hardware and software for work. It is imperative to ensure that devices are not shared with spouses and children. This is because there is a high possibility of inadvertent data leakage, especially if passwords are saved and shared devices are used.
Further, one should not be careless with screenshots, scans, printouts, etc. when away from the computer. Most importantly, it is absolutely critical to follow the standard cybersecurity guidelines when it comes to keeping your anti-virus up to date, not clicking on or opening attachments from unknown sources, etc.
At our law firm, we have a dedicated IT and Security team that implements strong cybersecurity protocols and ensures that all of us follow them strictly. We have a multi-factor authentication system in place, are provided with VPN access, and are constantly trained on how to respond to cybersecurity incidents.