The massive data breach of sensitive personal data from the Amazon Cloud storage of Dr Lal Path Labs raises many questions on how the Indian Health Care Industry is neglecting its responsibilities in securing data and how otherwise eminent professionals are exposing themselves to the liabilities under the stringent data protection laws.
According to available information, the information leak in Dr Lal Pathlabs occurred because the data was stored on Amazon cloud without password. It is possible that this may not be fully correct since Amazon is not expected to allow the creation of the account without a good password as a default configuration. It is possible that the password could have been broadcast over the internal networks to make the database accessible from it’s different units under a single access account. As a result, the password would have become public.
There have been suggestions that if the Data Protection Act of India (PDPAI) was in place as per the Personal Data Protection Bill 2019, the company could have faced a fine of upto 15 crores. But the Bill is still with the Joint Parliamentary committee and is only scheduled to be back in the Parliament in 2021.
While it is true that there would have been a Data protection authority which would have been pro active and made an enquiry followed by the imposition of whatever administrative fine it would have deemed fit, even now India has a decent law that can impose both civil and criminal penalties arising out of this incident.
Presently, protection of data is governed by the Information Technology Act 2000 (ITA 2000) under which any entity handling personal data is required to protect the information, failing which compensation becomes payable to the affected persons and in certain cases, the owners of the company may be prosecuted for imprisonment and fine.
The difference between PDPAI and ITA 2000 is that ITA 2000 can be invoked only if there is a cause of action which means that some affected person should complain to the Police for criminal investigation or to the Adjudicator (IT Secretary of the State Government) for monetary compensation. On the other hand, PDPAI can be triggered by the Data Protection Authority even when there is no complaint and in fact even when there is no breach itself.
It is unfortunate that PDPAI is getting delayed since the Joint Parliamentary committee has not been able to complete its study and present its findings to the Parliament so far. It is now slated to be completed only in early 2021.
This means that data breaches of the Dr Lal Pathlabs type may go unpunished. In last February, a similar major breach occurred in Breach Candy Hospital in Mumbai in which 12 crore personal data sets of patients became public due to the negligence of the hospital. At that time the authorities in the Government of India failed to initiate action even to warn the hospital.
Had the CERT-In or any other regulatory authority taken some action at that time, there would have been better attempt by other organizations to be compliant with law. The Dr Lal Pathlabs breach perhaps would not have occurred if CERT-IN had taken proper action at that time.
At least now CERT-In should not remain silent as it is their duty to take action in such data breach incidents.
Further, many are not aware that ITA 2000 also envisages that the Adjudicators may exercise Suo-Moto powers to conduct an enquiry on behalf of the public and therefore can order an enquiry on Dr Lal Path Labs. They can collect compensation on behalf of the affected public and either pay it out to the persons who may make a claim or use the funds for a public cause. This action can be initiated by any State Government where Dr Lal Pathlabs have its diagnostic centers. Apart from this, any interested party can also invoke a PIL in a High Court or Supreme Court to set up an “Enquiry” and “Payment of compensation to the affected members of the public”.
While it is utopic to expect the Adjudicators under ITA 2000 to take up the public cause, or the Supreme Court to spare time for such public interest litigations instead of other political cases of greater media interest like the gang rapes, caste feuds etc., it is essential to draw the attention of other bodies who can be more vigilant and take steps to reduce the possibility of a repetition of this kind of data breaches.
It must be recognized that this kind of breach could not have happened but for gross negligence of the management of the Company. This cannot be due to ignorance also since there are discussions all around us on data protection, cyber crimes etc which no sensible person can miss.
For example, the Health Ministry has provided the EHR (Electronic Health Record) guidelines that provide both Privacy and Security guidelines for the health care industry. An act called DISHA (Digital Information Security for Healthcare Act) was also once drafted and circulated for public comments. The Niti Aayog has published a Telemedicine guideline as part of the National health mission. There are discussions on GDPR, HIPAA and several other data protection related that is bombarding us from all sides.
If in such a scenario, a company like Dr Lal Pathlabs cannot be ignorant of basic information security measures that should have been in place for storing the customer data on the cloud. What is more logical is that the company was aware of the requirements but did not care.
It is a tragedy to observe that this company has been a recipient of several excellence awards and is managed by a team of apparently eminent persons. There are 5 independent directors to guide the Company. There is a designated Chief Information Officer, who is a person who has experience in several organizations as technical lead. Considering the background of the directors and the top management team, “Ignorance” can be ruled out as a cause of the data breach.
One can notice that the top management team does not have a designated “CISO” or “ITA 2000 Compliance Officer”. Hence the vicarious liability under ITA 2000 for the data breach goes directly to the Managing Director Dr Om Prakash Manchanda who should now be looking at the Baazee.com case law to understand how ITA 2000 treats “Negligence” causing wrongful loss to any member of public.
In simple words, the laws in India even now are strong enough to inflict a mortal blow on the organization in terms of a heavy fine and possible prosecution of the executives.
The incident has also exposed the failure of various certification organizations since the company claims that it is “NABL Certified”, Accredited by the College of American Pathologists. It is also said to certified under ISO 9001 standards.
It is necessary to question the methodologies used by these organizations in their accreditation/certification mechanisms which are obviously deficient and misleading the public.
Unless these certification bodies are made co-accused in this data breach incident, there will be more such cases in the future.
Dr Lal Pathlabs, therefore, has opened a can of worms and if thoroughly investigated it may lead to the exposure of negligence in many other organizations and help in the cleaning up of the system.
The writer – Naavi is Data Protection and Data Governance Consultant. He is Chairman, Foundation of Data Protection Professionals in India (FDPPI) and Founder of www.naavi.org