India's Cybersecurity Policy: Disclosure of Data Breaches
Posted on Aug 30, 2020 | By Sumeetha
In his Independence Day address, the Prime Minister said that he dreams of a digital India where cybersecurity is an integral part of national security, a push at the right time as the country ranks second as a target of cyber attacks.
Echoing the Prime Minister's push for a national policy, Reliance Industries Chairman, Mukesh Ambani, said that data is the new oil and that data needs to be controlled and owned by the people and not by corporates.
While anticipation is high among cybersecurity professionals and the industry in India to see the new national policy in place, there are also many questions. Foremost among them is whether it will include a responsible disclosure policy for security breaches.
Ram Movva, President and Co-founder of Cyber Security Works, asks, “Will the new national cybersecurity policy include a disclosure policy similar to what the West has?”
One of the many reasons why this question is at the top of the industry’s mind could be the events that are unfolding in Uber’s CSO case.
Recently, Uber’s former CSO has been charged with obstruction of justice, and felony charges have been levied because he allegedly covered up a security breach incident in 2016. The data breach resulted in the theft of 57 million records of passengers and drivers. If proven guilty, the CSO could go to prison for eight years!
Commenting on this incident, George Do, CISO, Gojek, said, "CISOs are consistently challenged with trying to keep their organizations secure. An incident like this reminds us that in addition to having a capable cyber incident response and vulnerability management program, security leaders also benefit from documenting accountable decision-makers."
Uber is a classic example of what a company should not do in the event of a security breach.
It also raises many other questions in the context of India’s cybersecurity policy. Critical among them are:
1. Will organizations in India voluntarily disclose a security breach and alert their customers about it?
2. Will the management and the board take moral responsibility, and will the company bear the financial losses due to the breach?
We will have to wait and watch.