DATA LOSS: RIGHT TO COMPENSATION
The dawn of the cyber age is upon us, and we need to adapt or perish. All 1.3 billion of us are, in one way or another, connected through cyberspace. Every conversation, spoken or digital, is analyzed, monitored, and monetized. Never before in history has our data been so valuable and so vulnerable. We blindly entrust the intermediaries of cyberspace to keep our data safe from malicious actors. Despite ample security regulations for companies, data leaks keep happening. Companies are required to report such incidents to government entities (CERT-In, for example), but they are not mandated by law to report data breaches to the public or even to the affected individuals. Further, the law does not expressly provide a right to seek compensation from the negligent company for such leaks. It is my opinion that the current legislation on cyber law has failed the public.
Educate the masses
The general public needs to understand what we mean by data. Data has been defined under the Information Technology Act 2000 as "a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network". For the layman, a simpler description may be warranted: data is all the information gathered about an individual. It could be as simple as a username and password or as intricate as a psychological profile and behavioural patterns. Data is continuously mined all around us. A simple example is buying a robot vacuum cleaner. To use its room-mapping feature through the app, we are required to accept, without negotiation, that the vacuum's maker may obtain a map of our home through the device and use that data as the organization sees fit. This data is extremely private and sensitive, which is why companies should treat its protection as a fiduciary duty and maintain a higher standard of security than the bare minimum required by law.
The gravity of a data leak is not well understood in our culture, and so the need for stringent laws goes unnoticed. Since there is no express requirement that victims of a data leak be notified, a victim cannot be expected to know the cause of the damage they sustain. Further, even if one were to work out that the damage could be attributed to data leaked from a certain organization, it would be an uphill battle to prove the causal link in court with evidence. For example, suppose A's PAN card number and bank account details were part of Company X's recent data breach. Using that data, malicious actors run a subsequent phishing attack and A suffers monetary loss. A must now prove in court that the data breach was the direct cause of that loss. But A, an ordinary person, has no way to gather the digital forensic evidence (for instance, how the attackers obtained the data and that it came from Company X's systems rather than from some other source) needed to prove a civil case against Company X. Without such evidence, the court will treat the two events as mere correlation. Note that this is an example in which the affected party can at least show a concrete monetary loss to claim against the breached entity. Most of the time, a data loss cannot be tied to a direct monetary loss at all, because the value of the data cannot be expressed in numbers even though it may be extremely valuable.
Domestic and International Legal Remedies
The law merely allows the affected party to initiate a civil action against a negligent company for damages, but for an individual it is realistically impossible to succeed. In an age where data is more valuable than precious metals, our law has completely failed to provide redress for the loss of such an asset. India became the most targeted country in the world during the second quarter of 2019, and throughout the year the country attracted attacks of relatively high sophistication. Critical infrastructure was attacked the most, followed by sectors such as banking, defence, and manufacturing. The number of cyberattacks is growing rapidly, and with IoT (Internet of Things) devices all around us, both the number of incidents and the potential damage will increase further. We are in desperate need of express legislation under which affected parties may seek damages from the negligent party.
If we look overseas for guidance on better legislation, we find that the law is far from uniform. In most Western nations, businesses protect themselves through vendor agreements that exclude consequential damages and cap direct damages. In the majority of cases, all damages arising from a breach of the data holder will be treated as consequential damages and excluded by a clause renouncing all liability for consequential damages. Under the EU's General Data Protection Regulation (in force since 2018), one has a right to claim compensation for a data protection breach only if one has suffered damage as a result of an organization contravening data protection law. On the other hand, recent rulings have favoured the plaintiff's right to bring a claim even before any misuse of the stolen data. In In re Zappos.com (US Court of Appeals for the Ninth Circuit, 2018; the US Supreme Court declined to review the decision in 2019 as Zappos.com v. Stevens), it was held that customers have standing to sue a company whose breach exposed their data even though the data had not yet been used for anything sinister, because the heightened risk of identity theft was itself treated as an injury.
Filling the Lacunae in the Law
A mere provision for civil action against the company for failing to keep data safe, with compensation for the damage endured, will not suffice. Exceptions will have to be made in the law of evidence so that the burden of proof rests on the company rather than on the victims of the data breach. The breached company should have to demonstrate that it took reasonable and sufficient measures to prevent the breach. It could show that it had taken steps to protect the data in the following ways:
Adhering to the prescribed security standards and protocols
Depositions from the company's in-house IT security professionals
Producing internal (blue team) risk assessment reports
Offering an external IT security audit report
Presenting penetration testing reports
The burden of proof cannot be left on the affected individuals. Conversely, the court may require the individual to show that they took appropriate steps after being informed of the data breach, such as:
Changing the compromised credentials or instruments (passwords, credit or debit cards)
Contacting their financial institutions to check for suspicious transactions
It should be noted that most sensitive data (a PAN number, a date of birth, biometrics, a home map) cannot be changed once leaked. Recently Facebook suffered a data breach in which the data of about 2 crore 67 lakh users was compromised. The legislature should therefore also decide whether a single victim can pursue a case against the negligent party on their own when a very large number of accounts has been compromised, or whether such claims must be brought collectively.
The potential harm from leaked sensitive data cannot be fully fathomed. As technology progresses, there will be ever more ways of using breached sensitive data for malicious purposes. Quantifying damages in data breach cases is an intractable problem. The legislature needs to ramp up its efforts to address this multi-billion-dollar issue. A straightforward, one-size-fits-all rule is unlikely; more probably the matter will have to be handled case by case. Herculean as the task is, the legislature will need to take the leap and get started. The law can then be refined as the years go by.
Title Image Source: Cloud Recover
This article has been written by Shounak Shetty. Shounak is an Advocate practicing at the Bombay High Court. He is an avid follower of Cybersecurity and Data Protection Laws.