The fintech and startup ecosystem that has emerged in recent years has a major governance issue: data breaches and leaks are not taken seriously. Unfortunately, the regulatory system has not woken up to the fact that the recent data breaches at Juspay and MobiKwik can cause significant harm to idle users in the future.
The Indian government is yet to introduce a Personal Data Protection Law (PDP Law) in Parliament at a time when incidents of data breaches and personal information being sold on the darkweb are increasing year-on-year. The lack of a Data Protection Authority and a Personal Data Protection Law means that there is regulatory ambiguity in terms of who should respond to breaches and investigate them. Industry experts told MediaNama that the entire regulatory system needs to be strengthened, business models need a rethink and that companies need to be made more accountable, whether through the courts or through internal governance practices.
1) CERT-In is the primary agency for data breaches
According to legal experts, it is the Computer Emergency Response Team (CERT-In) — the nodal agency under MEITY for computer security incidents — that is the primary agency responsible for investigating data breaches, and not the Reserve Bank of India (RBI).
According to Mathew Chacko, Partner at the law firm Spice Route Legal, any server compromise or breach needs to be disclosed to CERT-In (under the IT Act) regardless of the sensitivity of the data leak. “There are no two ways about reporting the incident to CERT-In,” Chacko said.
After reporting to CERT-In, it’s the company’s decision whether to report the incident to its customers and the public, he added. “Not all data breaches are significant enough to be reported to the public, but in some cases, companies take it for granted that the public need not know,” he said.
The RBI only steps in when it comes to financial data, but data breaches fall within CERT-In’s ambit, NS Nappinai, a Supreme Court advocate and founder of Cyber Saathi, said.
“Non-reporting of such data breaches carries heavy penalties for such incidents. But the issue is that organisations tend to be lax in…