NEW DELHI: The thriving illegal business of insurance scams is being fueled by leaked personal and sensitive data of customers. Such multi-crore scams have raised some direct questions on the mismanagement of customers’ data by the insurance companies and inadequate action against non-compliance.
The420.in spoke to the country’s top advocates to understand the legal provisions that apply in such cases of insurance fraud and the accountability of insurance companies and IRDA in such cyber crimes.
“There is increasing accountability of insurance companies and IRDA. This is so because insurance companies are now increasingly dealing with a lot of sensitive personal data of their users. Further, insurance companies are intermediaries under the Information Technology Act, 2000 and are mandated to exercise due diligence under the said law,” said Pavan Duggal, Senior Supreme Court Advocate.
Duggal highlighted that the coming of IRDA is like a breath of fresh air as it has become the industry regulator for the insurance sector. The IRDA Act provides substantial provisions and powers to IRDA. However, there is a need for more stringent accountability of insurance companies.
Sharing a similar opinion, another senior Supreme Court advocate, Karnika Seth, said, “Health-related and financial data such as insurances and investments are sensitive data and ought to be protected as per IT Act, 2000 and rules. If reasonable security practices are not adopted in securing data or there is fraud/collusion, companies collecting customer data are liable to pay damages under Section 43A and criminal liabilities may also be attracted under Section 72A of IT Act, 2000.”
Explaining the legal process, Duggal said if personally identifiable data is found with cyber criminals, then clearly victims of such an act would have legal remedies under the Information Technology Act, 2000. “The affected person could potentially sue the insurance companies for unlimited damages by way of compensation under Section 43A of the Information Technology Act, 2000. Further, if the insurance company has been negligent in dealing or handling sensitive personal data resulting in a cyber security breach, the victim could also file criminal prosecution proceedings under Section 66 read with Section 43 of the Information Technology Act, 2000, along with various provisions under the Indian Penal Code, 1860,” he added.
Duggal also said that there is a case made out for IRDA to regulate the accountability of insurance companies in the context of data leaks. We need to realise that India doesn’t have a dedicated law on cyber security. Hence, we have to resort to the ambit of the Information Technology Act, 2000 and the rules and regulations made thereunder. Under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, all insurance companies as intermediaries are mandated to report breaches of cyber security to the national nodal agency on cyber security – the Computer Emergency Response Team (CERT) of India.
SOLUTION & WAY FORWARD
Stressing the need for stricter action, Duggal said the forthcoming data protection law could also create many more new compliance responsibilities for insurance companies. IRDA will have to take strong action against all insurance companies that are found to be negligent in the context of the protection of data. Until a dedicated law on cyber security or on data protection comes up in India, due diligence, care and caution will have to be the mantra for all insurance ecosystem stakeholders.
“As more and more attacks are mounting on Indian data and as massive data leaks are leading to major economic losses, the time has come for India to come up with a dedicated new legal framework on cyber security. India must learn from the experiences of other nations and must come up with enabling effective legal provisions for protecting and preserving cyber security of data including personally identifiable data and also sensitive personal data,” Duggal said.
Suggesting a slew of measures to keep a check on insurance-related fraud, Karnika Seth said, “Due diligence must be adopted in keeping sensitive records, proper monitoring of such IT Assets and data controls such as DLPs must be deployed. There is deemed liability of directors under Section 85 of IT Act. Therefore, directors must take proactive measures for compliance with IT Act and rules. IT policies need to be revamped in WFH times and compliance requirements have changed during the pandemic and we have reviewed all IT related policies for various organizations.”
Mumbai-based senior cyber crime lawyer and expert Prashant Mali explained that insurance companies have already lost data of existing HNI clients, which is further sold in markets to telemarketing agents. This is data theft from these unsuspecting clients, whose financial data is free-floating in the market.
Suggesting legal action, Mali said IRDA should impose exemplary fines on these insurance companies for not protecting clients’ sensitive personal data. Individuals can also file a complaint with the Adjudication officer and ask for compensation up to Rs 5 Cr.
“To prevent data from further leaking, IRDA should do yearly audits and penalise these companies for data leakage. Cyber Awareness amongst sales employees and their call centres is also important,” Mali advised.