Why Is No One Ever Penalised for Data Breaches in India?

No major organisation has been held responsible for disregard towards safeguarding personal data since the start of the millennium.

India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.

Indian software service companies are some of the most profitable entities in the world. They provide technology solutions that power Fortune 500 companies and governments across the world, but is their code always secure?

The answer is never a simple yes or no; it is more complicated in the real world. Wired has reported a large-scale breach of the private information of millions of students and teachers through the government of India's Digital Infrastructure for Knowledge Sharing (DIKSHA) app.

This is not the first time a data breach of this scale has been reported, and it won't be the last. But will anything change even with the Digital Personal Data Protection law in place?

Wired and the researchers who discovered the security flaw in the DIKSHA app tried to report it to the Ministry of Education and received no response. They were only able to get the issue fixed when they contacted the organisation that built DIKSHA: EkStep, a foundation co-founded by IT billionaire Nandan Nilekani.

Deepika Mogilishetty, the chief of policy and partnerships at EkStep, told Wired that while EkStep does support the development of DIKSHA, the responsibility for the data and its security lies with the Union Ministry of Education.

This is not the first time that organisations linked directly to Nandan Nilekani have been involved in data breaches; they were directly involved in Aadhaar and the security issues around its design. It is Nilekani's organisations that have successfully lobbied for how the government of India should build the systems that collect Indians' personal data, as laid out in his TAG-UP report.

Ideally, when the security researchers reached out to the DIKSHA team, the Union education ministry should have alerted CERT-IN (the Indian Computer Emergency Response Team) and had the flaw fixed. CERT-IN, in turn, is expected to carry out a forensic analysis and determine whether the flaw had already been exploited by anyone, since an exposed dataset may have been accessed long before a researcher reported it. But having a privacy policy is not the same as following it, and following it takes more than a document to actually secure people's information, especially when those people are children.

CERT-IN, like the Ministry of Education, has been ignoring its statutory responsibility to the citizens of India. CERT-IN does have limited capacity to address security issues, but capacity alone does not explain the silence: it has not reacted to security incidents in the past either.

Neither EkStep, the Union education ministry nor CERT-IN has officially issued any statement on the security incident, which brings us to the question of liability. Whose responsibility is it, and who should have acted on the issue?

EkStep has told Wired it is not responsible. As custodian of the data, the responsibility then lies with the Union education ministry. As the nodal agency for responding to cyber security incidents, CERT-IN too has a responsibility to look into the issue. But none of the actors involved has any incentive to look deeper into the problem, because no one is holding them accountable for their continued disregard for privacy.

Even though there is no data protection law in place to demand action by the state on violations of the fundamental right to privacy, the Information Technology Act (as amended in 2008) has provisions to hold liable parties accountable. Section 43A of the IT Act, which allows parties affected by data breaches to claim compensation from corporate bodies, has never been enforced in practice and remains merely a paper threat. It also applies only to a "body corporate" handling sensitive personal data, so it would not reach a government ministry in any case.

No major organisation has been held responsible for its disregard for safeguarding personal data since the start of the millennium.

The Digital Personal Data Protection law, which is expected to be passed by Parliament sometime this year, will not change this either. Even though the law proposes significant monetary penalties for organisations that do not handle personal data with care, in its current version it may well remain another paper threat.

Data leaks and breaches will continue to occur in India, and there will be no end to them, because regulators have no interest in penalising either government bodies or the actors building the technology, particularly with a booming IT sector to protect.

Most security incidents can be attributed to a lack of organisational capacity to address them and to uninformed software developers producing the technology. The only way to address this problem is to increase awareness among the software developer community about producing safer software and to push organisations to invest in better practices. Until organisations are incentivised to do this, the problem will remain.

Srinivas Kodali is a researcher on digitisation and hacktivist.