Business Standard

Onus to prove security breach on customers

Though you could get back up to Rs 5 crore, it is difficult to notify the government

Neha Pandey Deoras  |  Mumbai 

Last week, eBay Inc said that between February and March, hackers had secured access to data of 145 million customers. Such instances could happen anywhere and at any time, even with Flipkart and Amazon.

Online shopping sites have many registered customers. To be able to buy online, it is mandatory to have an account with these sites. To make shopping easy, these sites store customers' data, including sensitive information such as card details. Though these sites assure security of data, customers might never come to know whether their data is under threat.

In eBay's case, passwords were stolen. After this, the company asked its users to also change passwords for other sites on which they used the same password.

If a customer realises that his/her mail or financial account is being misused, he/she should notify the cyber nodal agency, Indian Computer Emergency Response Team, the police and the service provider (such as eBay), says Pavan Duggal, a cyber security advocate.

Advocate and cyber law expert Prashant Mali says, "The (eBay) breach compromised a database containing a list of encrypted passwords which, once released, could potentially be decrypted through publicly available tools."

Cyber law experts say that when attackers obtain passwords, they often check whether these give them access to other avenues such as personal mail and net banking accounts. This is because many users have similar passwords across accounts.

In addition to passwords, databases have basic log-in information such as name, e-mail address, phone number, address and date of birth. This allows access to a larger database of customers.

PayPal data wasn't compromised, as that data was on a separate network, with higher levels of encryption.

Mali says, "Typically, in such situations, credit card information can be compromised and attackers can make purchases using the card. If the PayPal database was compromised, even debit card and net banking details would have been accessed, exposing many more customers."

Other than using sensitive data to their advantage, hackers also sell such crucial information to other hackers. This might lead to multiple spends from cards or net-banking accounts, said an e-commerce executive.

Mali says in such situations, a user can file a complaint with the adjudicating officer of the state (the state infotech secretary) and seek compensation of up to Rs 5 crore for non-compliance with Section 43(A), which covers failing to guard customers' sensitive personal data or information such as passwords/financial details. For compensation of more than Rs 5 crore, users can move the relevant civil court, under the Information Technology (IT) Act, 2000.

Duggal says in India, passwords are considered "sensitive personal information". So, a party might seek unlimited compensation for breach of such information from the company or the perpetrator (if his/her identity is known). Breach of sensitive data is a criminal and punishable offence under Section 66 of the Act. It might amount to three years of imprisonment for the service provider, with a fine of Rs 5 lakh.

But an offence under Section 66 is bailable, so this isn't much of a deterrent. And the onus of proving breach of data is on the user.

In the US, a consumer can secure a court order against a company that fails to protect customer data, forcing the company to provide details of the breach.

In India, it is very difficult to notify the government about such instances.

First Published: Thu, May 29 2014. 22:35 IST