Online shopping sites have many registered customers. To be able to buy online, it is mandatory to have an account with these sites. To make shopping easy, these sites store customers' data, including sensitive information such as card details. Though these sites assure security of data, customers might never come to know whether their data is under threat.
In eBay's case, passwords were stolen. After this, the company asked its users to also change passwords for other sites on which they used the same password.
If a customer realises their mail or financial account is being misused, they should notify the cyber nodal agency, the Indian Computer Emergency Response Team, the police and the service provider (such as eBay), says Pavan Duggal, a cyber security advocate.
Advocate and cyber law expert Prashant Mali says, "The (eBay) breach compromised a database containing a list of encrypted passwords which, once released, could potentially be decrypted through publicly available tools."
Cyber law experts say that when attackers obtain passwords, they often check whether these also give them access to other services, such as personal e-mail and net banking accounts, because many people reuse the same or similar passwords across sites.
In addition to passwords, such databases hold basic log-in information such as name, e-mail address, phone number, postal address and date of birth, so a breach exposes a far larger set of customer records than the credentials alone.
PayPal data wasn't compromised, as that data was on a separate network, with higher levels of encryption.
Mali says, "Typically, in such situations, credit card information can be compromised and attackers can make purchases using the card. If the PayPal database was compromised, even debit card and net banking details would have been accessed, exposing many more customers."
Other than using sensitive data to their advantage, hackers also sell such crucial information to other hackers. This might lead to multiple spends from cards or net-banking accounts, said an e-commerce executive.
Mali says in such situations, a user can file a complaint with the adjudicating officer of the state — the state infotech secretary — and seek compensation of up to Rs 5 crore for non-compliance with Section 43(A) — failing to guard customers' sensitive personal data or information such as passwords/financial details. For compensation of more than Rs 5 crore, users can move the relevant civil court, under the Information Technology (IT) Act, 2000.
Duggal says in India, passwords are considered "sensitive personal information". So, a party might seek unlimited compensation for breach of such information from the company or the perpetrator (if his/her identity is known). Breach of sensitive data is a criminal and punishable offence under Section 66 of the Act. It might amount to three years of imprisonment for the service provider, with a fine of Rs 5 lakh.
But, an offence under Section 66 is bailable and so this isn't much of a deterrent. And the onus of proving breach of data is on the user.
In the US, a consumer can secure a court order against a company that fails to protect customer data, forcing the company to provide details of the breach.
In India, it is very difficult to notify the government about such instances.