New Delhi: In one of the biggest medical data leak in India, Dr Lal PathLabs, among the country’s largest diagnostic chains, left data of millions of customers exposed in an unprotected cloud server.
Cybersecurity expert from Melbourne claimed that the data was exposed for around a year and he estimates the number of patients whose data was exposed could run to millions.
The matter of concern is that open data is sensitive information which includes booking details, names, gender, addresses, phone numbers, email addresses, digital signatures, limited payment details, doctor details and details of the tests taken. A large chunk of data was also related to Covid-19 patients. Dr Lal PathLabs was among the few private players which got approval for testing coronavirus patients.
The company now claims that the loophole has been patched but there is no explanation about the magnitude of information leaked online. With sensitive personal data leak happening every now and then, The420 team spoke to legal and cyber experts to find out legal liabilities and punishment in such cases.
All the cyber experts unanimously said it is the companies’ responsibility to ensure the safety of their customers’ data. Patching the loophole is the bare minimum expected from them. Experts highlighted that private companies are not serious about data protection which can also be gauged by the amount they spend on its security.
Explaining the legal action in such cases, Delhi based senior lawyer Karnika Seth said, “Section 43 A of the IT Act, 2000 requires companies to safeguard personal data and personally sensitive data. Health records are sensitive data. ISO 27001 certification is one of the standards required to comply with extant data protection measures.”
Explaining other legal provisions in such cases, Mumbai based Dr Prashant Mali, Cyber & Privacy Expert Lawyer said, “Section 85 of the IT Act, 2000 deals with the offence by companies and Section 72A deals with a contractual data breach. The law is stringent implementation after 19 years of law in force is pathetic and no awareness.”
Section 43 A of the IT Act, 2000 requires companies to safeguard personal data and personally sensitive data. Health records are sensitive data. ISO 27001 certification is one of the standards required to comply with extant data protection measures – Karnika Seth, cyberlaw expert.
Seth highlighted that there could be a criminal liability if such breach took place with intention or knowledge of directors pursuant to section 85 of the IT Act. Personal Data Protection (PDP) Bill is still underway. It’s imperative that the bill gets enacted to create a stronger privacy protection regime in India. “There are stricter compliance norms and punishments prescribed by PDP bill, damages up to 4 per cent of total worldwide turnover or 15 Crores,” said Karnika Seth, who is a cyberlaw expert and visiting faculty to National Police Academy and National Judicial Academy, CBI Academy and the National Investigation Agency.
Right to privacy is a fundamental right as per the Supreme Court of India’s nine bench judgment in KS Puttaswamy case.
Bombay High Court lawyer and cybercrime expert Dr Mali said cases like data leaks should not be taken lightly as it has a long term effect which can spoil and social and mental status of an individual. “Such leaks will kill the privacy of an individual. Leaked data can be used and manipulated in further attacking the victim,” Dr Mali said.
To still that fear of law, police and central agencies should work hard and set precedents of legal action. States should also formulate their own rules around data leakage with heavy penalties – Dr Prashant Mali Cyber & Privacy Expert Lawyer
He also said that presently there is no deterrent or fear of law amongst companies here in India. “To still that fear of law, police and central agencies should work hard and set precedents of legal action. States should also formulate their own rules around data leakage with heavy penalties,” Dr Mali explained.