Even as global technology platforms deal with user data privacy concerns and Indian payment companies try to make sense of RBI’s guidelines to store transaction data in the country, the Data Security Council of India (DSCI) maintains that accountability for data use, rather than localisation, is what will address privacy and security concerns.
RBI recently issued a circular directing payment systems and banks to store transactional data within the country following the observation that not all system providers store the payments data in India. “Such systems are highly technology dependent, which necessitate adoption of safety and security measures, which are best in class, on a continuous basis,” said the circular.
“We don’t really believe that localisation will solve the problem of cyber security or privacy. Some of the recent cases that have got attention, the essential problem is that large organisations collecting personal data have broken user trust,” said Rama Vedashree, CEO, DSCI.
This move will give RBI unfettered supervisory access to data stored with these system providers, as well as with their service providers, third-party vendors and other entities in the payment ecosystem. It requires transactional payment data to be stored only in systems in India, except for the foreign leg of a transaction, which may also be stored in the foreign location.
She added that what is required is for any entity using private data, be it a government, global enterprise or startup, to be accountable for implementing basic privacy principles. DSCI is also keen on giving developers and entrepreneurs some access to data so that they can innovate, and is thus pushing for greater user awareness programs around privacy and security.
Symantec's annual Internet Security Threat Report (ISTR) found that India ranks among the top five countries as a source of IoT attacks and third in global threat rank after the US and China.
Some privacy watchdogs are also concerned that excessive stress on storing data within the geography will create a huge power requirement and expand the carbon footprint of organizations. RBI has given organizations a six-month window to implement the required storage, which will be audited by the Computer Emergency Response Team (CERT-IN).
Stakeholders like Visa and Mastercard have said they will evaluate the requirements before taking any action. Third-party vendors like Netmagic, who provide such infrastructure, take around one week to implement such storage with security, depending on the extent of the requirement, but organizations are refraining from taking action unless the exact audit guidelines are clear.
CERT-IN director Tulika Pandey said, “It is becoming more and more pertinent for governments to start at least making the right mechanisms or regulations to somehow safeguard the data of its citizens within the strongholds of the country itself.”
DSCI and CERT-IN are, however, pushing for structured threat intelligence sharing among stakeholders like financial institutions and technology companies in order to promote better preparedness against attacks.
IBM’s X-Force Threat Intelligence Index report suggested conducting a proper risk assessment, using data confidentiality controls and using reliable threat intelligence sources to stay updated on new threats, as Indian enterprises leverage emerging technology more than ever before.