Covid-19 Data Breaches and the Rise of Regtech

Especially In A Society That Is Dependent More And More On Technology, Crimes Based On Electronic Offenses Are Bound To Increase And The Law Makers Have To Go The Extra Mile To Keep The Cyber Criminals At Bay...

The Corona Virus ("COVID-19") outbreak declared a global health emergency by World Health Organization has forced both Governments and private entities across the world to adopt innovative approaches to deal with the health crisis and has led to work disruptions due to the lockdowns as people try to maintain social distancing. Majority of corporate operations and even some governments have adopted the work-from-home model, compelling people to operate in less secure environments. These include adoption of new technologies and means to conduct business 'as usual' remotely via online collaborative tools and video conferencing apps like Zoom. The cyber networks at home usually do not have due security measures like web filtering, required encryption, anomaly detection monitors or firewalls in place.

Weakened security barriers have opened up avenues for hackers, spammers and scammers to thrive. These nefarious actors are using varied techniques of social engineering, spoofing or phishing to gain access to confidential and sensitive information. While the world struggles with the impact of COVID-19, cybercriminals see it as an opportunity. The International Association of IT Asset Managers (IATAM) has recently warned he Corona Virus ("Covid 19") outbreak declared a global health emergency by World Health Organisation has forced both Governments and private entities across the world to adopt innovative approaches to deal with the health crisis and has led to work disruptions due to the lockdowns as people try to maintain social distancing. Majority of corporate operations and even some governments have adopted the work-from-home model, compelling people to operate in less secure environments. These include adoption of new technologies and means to conduct business 'as usual' remotely via online collaborative tools and video conferencing apps like Zoom. The cyber networks at home usually do not have due security measures like web filtering, required encryption, anomaly detection monitors or firewalls in place.

Weakened security barriers have opened up avenues for hackers, spammers and scammers to thrive. These nefarious actors are using varied techniques of social engineering, spoofing or phishing to gain access to confidential and sensitive information. While the world struggles with the impact of COVID-19, cybercriminals see it as an opportunity. The International Association of IT Asset Managers (IATAM) has recently warned that work from home due to the COVID-19 pandemic is leading to a spike in data breaches that are greater than anticipated.¹

Spike in Data Breaches

More recently, on July 17, 2020, some of the world's richest and most influential politicians, celebrities, tech moguls and companies were the subject of a massive Twitter hack involving hijacking 130 high-profile Twitter accounts that were used for the purpose of tweeting messages that solicited cryptocurrency scams.² As a result, 12.58 bitcoin or close to $116,000, went to addresses mentioned in fraudulent tweets. According to an official tweet³ by Twitter, the social-networking service fell victim to "a coordinated social engineering attack." This illustrates that a system is only as strong as its weakest link.

Earlier in July 2020 itself, Cyble, a US-based global cybersecurity firm has claimed that over 5 million records of Religare users have been leaked and posted on the Dark Web⁴.

In March 2020, the Indian Computer Emergency Response Team⁵   advised Indian users with regard to Secure Usage of the Zoom video conferencing application. This followed the FBI warning for users conducting meetings and online classrooms against "Zoombombing" where interrupters broke into live classes and disrupted the sessions.

The most recent  NortonLifeLock Cyber Security Insights Report (NLCSIR) revealed that four out of every ten Indians surveyed had become victims of identity theft in the year 2019. The risks in 2020 will be far greater, given the heightened dependence on digital tools and platforms.

Covid-19 and Cyber exploitations

In recent months, 'thousands' of COVID-19 scams and malware sites have mushroomed  disseminating malware files, hosting phishing attacks, or committing financial fraud, including tricking individuals into paying for forged COVID-19 cures, kits, vaccines or supplements. These attacks have not just been limited to monetary gains, but have also been related to more insidious operations. Android applications positing as a genuine COVID-19 tracking map from the Johns Hopkins University, for instance, was found to be a spyware linked to a surveillance operation against mobile users in Libya.

Since February, IBM X-Force has observed a 4,300 percent increase in corona virus-themed spam. While organizations worry about newly pressing concerns–workforce well-being, shift to remote work, finance availability, and the resiliency of operations and supply chains–cyber security focus is being overshadowed and risks are rising.

The pandemic has created a visible surge in cyber exploitations. Remote connections make it difficult for most of the threat detection tools to differentiate the genuine from the malicious.

Data Breaches and the Law in India

In the absence of any specific data protection legislation, the Information Technology Act 2000 ("IT Act"), is the general law that governs issues relating to data breaches in India. The IT Act contains provisions relating to the collection, processing, protection and transfer of data.

The IT Act under Section 43 penalizes acts like accessing or extracting data from a computer system without the permission of the owner or any other person in charge of a computer system. Deleting or altering data from a computer system is also covered under this provision.

Further, Section 43A of the IT Act clearly provides that anybody corporate that possesses, deals or handles any "sensitive personal data" or information in a computer resource is required to maintain reasonable security practices and procedures relating to such data. Such entities shall be liable to pay compensation to the affected person in case of any negligence in implementing such measures resulting in a wrongful loss or wrongful gain to any person.

Additionally, Section 72 of the Act penalizes breach of confidentiality and privacy, where data has been accessed or leaked against the will or without the permission of the owner or in charge of the computer system.

Under section 72A of the Act, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has been also made punishable with imprisonment for a term extending to three years and fine extending to Rs 5,00,000 (approx. US$ 8,000).

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") provide reasonable security practices and procedures, which the body corporate or any person who on behalf of the body corporate collects, receives, possess, store, deals or handles information is required to follow while dealing with "Personal sensitive data or information".⁶

The international standard ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System - Requirements", or any standard issued by an industry association and approved by the government to be Reasonable Security Practices and Procedures, has to be incorporated by the body corporate or any other person acting on behalf of such body corporate to comply with reasonable security practices and procedures as prescribed under Rule 8.

The Personal Data Protection Bill, 2019 ("PDP Bill") which was tabled before the Parliament in December 2019 , and is currently in the process of being enacted into a legislation aims to "protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection Authority for overseeing processing activities".

The PDP Bill proposes a new regime under which a breach has to be notified to the Authority, who will then assess whether a notification to the individual is needed. Section 25 of the PDP Bill requires every data fiduciary to inform the Data Protection Authority of India ("Authority") by notice about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.⁷

The draft Bill lays down penalties under chapter XI of the bill, ranging from INR 5,00,00,000 (i.e. approx. USD 728,600) or 2%  of total worldwide turnover to INR 15,00,00,000 (i.e. approx. USD 2,185,800) or 4% of the total worldwide turnover. Further, the Draft Bill lays down certain offenses under chapter XIII, which are punishable with imprisonment (ranging from 3-5 years) for intentional, reckless acts and damage caused with knowledge, such as: 

a) obtaining, disclosing, transferring or selling (or offer to sell) of Personal Data, causing significant harm to a Data Principal; 

b) obtaining, disclosing, transferring or selling (or offer to sell) of Sensitive Personal Data, causing harm to the Data Principal; 

c) re-identification and processing of previously de-identified Personal Data, without the consent of the Data Fiduciary or Data Processor. 

RegTech – Transforming organizations cyber risk and compliance to combat data breaches

Regulatory Technology (RegTech) is an emerging industry of companies leveraging machine learning, natural language processing, blockchain, AI, and other technologies to solve the challenges of regulatory compliance and promises to disrupt the regulatory landscape. It has in the recent past emerged as having an impact on regulatory compliance globally by providing technologically advanced solutions to the ever increasing demands of compliance including data privacy and cyber risk across the industry spectrum.

RegTech solutions, use data analytic tools and biometrics to make sense of vast quantities of data and technologies like blockchain to keep data secure and enable flexible requirement based manipulation and re-organization of data sets to meet multiple customer requirements or when regulatory obligations change. Such solutions can facilitate real-time compliance and risk assessment and don't have to be entirely new solutions and are often integrated into existing systems.

From the Data Protection and Privacy compliance prespective, RegTech offers a way to leverage the big data of regulatory compliance to help solve the problems of data privacy regulation. Although there are numerous opportunities for RegTech based Data Protection and Privacy compliance, some of the most promising applications include the following:

• Compliance: RegTech based solutions can be used to quickly review all relevant regulations (including jurisdictional data privacy laws) and report on their potential impact on the user, especially in cases on GDPR Impact Assessments.

• Risk Management: RegTech solutions through the use of big data analytics can be used to conduct scenario analysis and data breach risk monitoring on internal business operations to identify and evaluate cyber security risks.

• Identity Management and Control: RegTech in the financial sector can be used to efficiently conduct customer onboarding and monitoring activities involving Anti-Money Laundering (AML) and the Know Your Customer (KYC) obligations and will allow for greater transparency and quick client identity authentication.

• Regulatory Reporting: RegTech solutions can assist in the generation and distribution of reports and information required by regulators and in sharing required data between regulated entities and regulators and enable faster processing of huge amounts of data required to prepare such regulatory compliance reports.

• Transaction Monitoring: RegTech through blockchain technology and cryptocurrency can be used to monitor financial transactions for quick identification of suspicious activity and with a high degree of accuracy by leveraging the benefits of distributed ledger.

The operational benefits achieved through RegTech will depend on the specific solutions implemented. RegTech that creates automated reports through the use of AI and machine learning could lead to significant cost and time reductions and should this information be made available in real time, organizations can reasonably predict vulnerabilities and respond to data breach threats spontaneously or in real time.

To sum up, Technology is always a double-edged sword and can be used for both the purposes – good or bad, as ever, with disruptive and emerging technologies, the ability to flourish depends not just on a willingness to innovate but on the ability to operate within the law. Just because RegTech solutions are designed to facilitate regulatory compliance, does not mean that they are immune from regulatory scrutiny, it should be constant endeavor of regulations and regulators to keep the crimes lowest. Especially in a society that is dependent more and more on technology, crimes based on electronic offenses are bound to increase and the law makers have to go the extra mile to keep the cyber criminals at bay.