-by Atisha Sisodiya & Bodhisattwa Majumdar
The ongoing COVID-19 crisis and the nationwide lockdown has led to an unprecedented transition of a large proportion of the population to Work from Home (WFH). In the midst of such a crisis, accompanied by what the World Health Organization (WHO) calls an ‘infodemic’ – an over-abundance of information, some from reliable sources and some not, it is easy to lose sight of data protection and information security. This is unchartered waters for employees who are novice remote workers and for many organizations, which may have had little time to implement remote working setup for their employees.
The Dark Web and Covid-19:
While we are trying to protect ourselves from the threats posed by COVID-19, we are also increasingly at risk from the cyber-criminals who do not seem to be under lockdown. This new wave of opportunistic cyber-criminals coming up with new means of exploiting unsuspecting businesses and individuals during the COVID-19 crisis has been labelled by Europol as “Pandemic Profiteering”. In the past two months, almost 4000 fraud portals related to coronavirus have been created across the globe by cybercriminals and other mafia organizations, as reported by Lt. General Rajesh Pant, India’s National Cyber Security Coordinator(NCSC).The most preferred video-conferencing application, Zoom, has been labelled as ‘unsafe’ by the Ministry of Home Affairs in its press release dated 16th April for the recent instances of breaches of privacy and sale of data in the dark web. In the United States and Europe, it has been reported that over 2,500 cyber-attacks per day are that leverage information related to the virus. It is anticipated that these numbers will continue to rise as the virus reaches its peak.
With many employees using their personal devices and home internet networks with few or no security defences, organizations are more susceptible to cyber-attacks than they normally would be. Incidents that in the regular work environment would raise a red flag, now are likely to slip under the radar because of irregularities being attributed to the changes in work format. Hence, it becomes vitally important to adopt immediate protective measures, given the growing number of employees working from home and absence of a dedicated data protection law or specific legislation on cybersecurity and privacy law in India.
Transition to WFH and its impact on data security:
When the work is conducted from the office premises, there are several safeguards put in place by the employer/body corporate such as personal data cloud, whitelisted IP addresses, virtual private networks, secured networks, encrypted devices, pseudonymized data among other things, which ensures safe computing environment. As opposed to this, working from home poses myriad risks and challenges, particularly when it comes to data protection as home networks and personal devices do not have same security protocols as work devices, which intensifies the risk to data, whether personal data or confidential organizational data. In some cases, employees may be able to access websites/attachments which might normally be blocked on office networks.
Similarly, the use of personal email accounts rather than work-related emails also poses a grave threat to data theft as the former lacks data encryption. Further, with increasing usage of video conferencing applications and more exposure to e-commerce websites, cybercriminals will continue to innovate in the deployment of various malware and ransomware packages themed around the COVID-19 pandemic. Examples of such packages are – free at-home testing kits, donation platforms, alleged messages from WHO or random health experts, malicious coronavirus themed emails, deceptive financial aid emails, scam websites themed around pandemic etc. These instances are just the tip of a virtual iceberg of myriad security threats that are being created right now. Employees with unvetted personal devices and unsecured Wi-Fi networks may expose their organizational data to potential threats with every home device or wireless connection becoming a potential entry point.
Breach of Confidentiality and Remedies:
In such circumstances, with increased online activities and poor cyber hygiene, the likelihood of data breach also increases. It becomes hard for the employees and organization to know when the data is breached and even harder to identify how it happened, as there is no monitoring technology. In the legal sphere, law firms are prime targets as they hold valuable and sensitive client information and are perceived to have data security vulnerabilities. In the current scenario, when client data is being accessed outside of a secure office environment, it raises possibilities of either inadvertent or intentional disclosure or transmission and misuse of such confidential information. The possibilities are further enhanced by the fact that at present, India does not have any specific legislation for data protection.
Although the Supreme Court of India in the landmark judgment of Justice K S Puttuswamy (Retd) and Another v. Union of India and Others has recognized the constitutional right to privacy as one of the fundamental rights under the Constitution, the legal framework for data privacy in India stands at a very limited sense and perhaps too broad-based for being considered as a WFH safeguard. Further, the Personal Data Protection Bill, 2019 introduced in the Lok Sabha is yet to be enacted. In such circumstances, it becomes pertinent to appreciate the remedies available with the provider of information (data subject/employer/client) for breach of confidentiality by the receiver of such information (data collector/employee/firm).
Information Technology Act, 2000 (“IT Act”):
If a firm fails to implement a strong WFH policy with adequate cybersecurity measures, it would constitute ‘negligence’ in implementing and maintaining reasonable security practices and procedures to safeguard sensitive personal data under § 43-A of the IT Act. The firm would be liable to pay compensation for the breach. Additionally, § 43 of the IT Act penalizes data theft for which the imprisonment and fines have been prescribed regardless of the breach being intentional or unintentional. Further, under § 72A, any person disclosing personal information without taking the consent of the provider of information for any wrongful can face a punishment of three years imprisonment or five lakhs fine.
Indian Penal Code, 1860 (‘IPC’):
A breach in an agreement of confidentiality is also criminalized under various Sections of IPC such as §403 for Criminal Misappropriation, §408 and §405 for criminal breach of trust. However, for this remedy in order to move for criminal action, it is quintessential to prove the intent of the parties which makes the process hectic.
Indian Contract Act, 1872 (‘ICA’):
Almost all legal transactions take place after signing of a Non-Disclosure Agreement (NDA) and any breach of data would squarely fall under breach of the NDA under §73/74 of the Indian Contract Act.
Civil Procedure Code, 1908 (‘CPC’) and Specific Relief Act, 1963 (‘SRA’):
If a client apprehends that the confidential information provided by him has been breached, he can seek a prohibitory injunction under § 38 of the SRAagainst the person/company who was provided with the information. During the pendency of the case, interim relief in terms of a prohibitory injunction can also be sought under Order XXI, Rule 32 of the CPC.
Policy framework necessary to have a safe workspace at home:
In the current scenario, it becomes imperative for organizations to develop/review their WFH policies, particularly as regards security practices, and ensure that appropriate technical and organizational measures such as IT solutions and clear comprehensive usage and data security policies are implemented to protect against cyber threats. The organizations should promptly deploy all required security patches and implement current anti-virus or anti-malware software on computers and networks. Additionally, they should regularly implement upgrades and provide basic security knowledge to employees.There should be strict WFH policies which forbid using public networks or working in public places where their screen is exposed. Employees must also be mandated to save all organizational data on the cloud and any information must not be stored on hard drives. Some companies have adopted digital surveillance methods and are insisting employees keep their web cameras on during working hours.
To prevent cases of a data breach, it is of utmost importance that the employer should provide means to access through a safe connection enhanced by virtual private networks having end-to-end subscription which require multifactor authentication on each sign in.Law firms, particularly, should ensure they comply with their duties of confidentiality in protecting client data and confidential information as failure to implement adequate cybersecurity infrastructure could lead to financial, reputational and/or loss of personal data, which could have long-lasting detrimental effects.
While many organizations have adopted remote working in the current crisis, however, as part of more general flexible working arrangements, organizations need to ensure that they apply the same kinds of security measures that they would use in normal circumstances, while also reviewing new risks in light of the current situation. Applying best security practices to test for vulnerabilities, supervise access controls and password management, secure connections, and apply endpoint encryption will ensure data protection does not become a barrier to homeworking. It is important that we embrace and encourage digital transformation along with security.
The views are personal.
ABOUT THE AUTHOR
- Atisha Sisodiya is an Assistant Manager in the Legal-Regulatory Department at Bombay Stock Exchange. She is also the Editor for the International Review of Human Rights Law. Any discussion related to the article can be made via mail at email@example.com.
- Bodhisattwa Majumder is a penultimate year student at Maharashtra Law University Mumbai. He is also the Associate Editor for Indian Journal of Law and Public Policy. Any discussion related to the article can be made via mail at firstname.lastname@example.org.