Data Breaches and Legal Action

An alleged breach, apparently exploiting a scheme that allowed Aadhaar agents to rectify errors in user information such as outdated addresses or the inaccurate spelling of a person's name, has recently caused much debate about the safety of Aadhaar (Unique Identification) data. The discussion gained wide public notice with the news of the registration of an FIR by Delhi Police against the reporter of ‘The Tribune’. The tweet by Edward Snowden had a spiraling effect on the publicity and brought international attention to the alleged Aadhaar data leakage.

With this data leakage, the vulnerability of Aadhaar data is one of the hot topics of discussion. However, in the days to come, issues related to privacy, information collection, data analytics and data security are going to gain more and more importance. Data breaches of varying degrees are bound to happen on a regular basis everywhere in the world, irrespective of time and space. In terms of conventional crime, they could be equated to thefts, robbery, misappropriation, breach of trust and so on, which regularly happen around us. However, the points to ponder here are the responsibility of the custodian of data and whether the step of registering an FIR was an action against the journalist or an attempt to set the law in motion.

It may be noted that after cybersecurity breaches across the world, legal action is very rarely initiated, even against unknown persons. This is the case in spite of the fact that the cost of such breaches is often millions and millions of US dollars. In almost all instances in the past, after data leaks or ransomware attacks, all kinds of steps are taken and discussions happen, except legal measures. One may see how many criminal or civil cases were initiated after the ‘WannaCry’ attacks. Some may argue that if the culprits are not going to get caught, why waste our time and other resources by initiating a legal process? It is akin to not registering a case after a serious crime on the grounds that the criminals are unknown and are not going to get punished!

The recent judgment given by the High Court (Langstaff J), UK, in Various Claimants Vs Wm Morrison [2017] EWHC 3113 (QB) held Morrison’s responsible for the data leakage even if they had taken all adequate precautions to prevent the data breach. This judgment is going to be a precursor to the bigger issue of the responsibilities of the custodian of data.

By registering a crime or setting the law in motion, it will be possible to set the government machinery into action. It will also bring systemic improvements, as policy decisions are many a time driven by bureaucratic procedures and statistics. If a crime is registered, the law enforcement agencies have to take it to a logical conclusion, followed by scrutiny by the Court and follow-up by public interest litigation seekers. In the long term, this will also give a boost to the efforts to strengthen capabilities for preventing the commission of the crime, as well as making the stakeholders more accountable for their statutory responsibilities.

Authored By - Jose Mohan
TCS Cyber Security Practice
