Exploit attempts, cyber-defense, threat blocking, firewalls and encryption codes—are you being able to digest these terms as fast as they are thrown at you? Whether you realize it or not, you, me, us—we're all in the middle of a data war from the time that we wake up—and sometimes while we're sleeping too (or supposed to be).

Information has always been valuable, especially secret, strategic data. Whether in the form of gossip used for social bonding, or corporate espionage used to subvert stock prices—data and its corresponding actionable insights—has and will be the most marketable commodity any of us will ever possess. This becomes more pronounced in today's digital environment where personal and business data can be easily stored, and therefore easily hacked.

The Supreme Court's 265-page 2017 judgment seems like a step in the right direction, but is it enough? Does it clarify the ethos companies must apply when collecting and using citizens' data? According to the 2016 ACFE Report to the Nations on Occupational Fraud and Abuse, the average organization loses 5% of their revenues to fraud, and as NAMO pushes India to get more digital, digital crime is likely to increase.

So, how does India's Information Technology Act (ITA) come into play in enforcing more robust data security measures? ITA 2000/8 emphasizes "Contract" with the data subject. This gets translated into "Informed consent", which means communicated consent, and exists as a thin line between legal and moral consent mutually decided between the user/employee and employer.

Take for example, Section 72A of the Information Technology Act, 2008, which lays down punishment for data breaches under contract—you can get either 3 years in jail or pay a Rs. 5 lakh fine, or both. This does not seem adequate considering that employee-to-company contracts lay down fines that are ten times this amount for accidental NDA breaches.

When we receive cases in pertaining to Sec 72A violations, we immediately require cyber experts to track data breaches and related deleted data through the dump memory log file. If that does not yield substantial results, we employ other more aggressive tracking and recovery protocols.

Interestingly, for years, bank executives presumed that the biggest risk facing the industry was bad credit. But that axiom is changing, as cyber criminals become more sophisticated and data security becomes more essential.

To this end, companies can follow these basic measures to ensure zero accidental and minimal deliberate breaches of proprietary data:

  1. Make sure you have your own floor policy to customize the implementation of laws in your jurisdiction.
  2. Create an actionable list of Dos and Don'ts for your employees to follow.
  3. Audit all employees with access to company's proprietary data to ensure that they are aware of your internal protocols.
  4. Limit access to social media in the workplace with blocking and privacy protocols, only allowing access to smartphones during breaks (outside the office premises).

Originally published ‎18‎ ‎December‎ ‎2019

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.