As a result, businesses today find themselves at an unprecedented risk of losses occasioned by cyber-attacks. There is accordingly a strong need to safeguard against such losses through appropriate regulatory compliance, internal policies, and specialised clauses in contracts.

Protecting Businesses

Here are some key regulatory areas where the businesses can implement effective measures to protect themselves from the dangers of potential cyber attacks.

Security standards compliance

Under Section 43A of the Information Technology Act 2000 (IT Act), a business handling ‘any sensitive personal data or information’ negligent in implementing and maintaining ‘reasonable security practices and procedures’ may be liable to pay compensation to an affected person.

As per rule 8 of the Information Technology Rules, 2011, ‘reasonable security practices and procedures’ are considered to be complied if the business has implemented such security practices and standards as they are commensurate with the information assets being protected with the nature of the business.

As per this rule, the ISO/IEC 27001 standard, which is a standard for information security management systems (ISMS), is being recommended. Therefore every business in India interacting with sensitive personal data must aim to implement a cost-effective ISMS through an ISO/IEC 27001 certification.

The obligation to ensure personal data protection and liability to pay compensation in case of breach would stand replaced by the rules governing data protection to be issued under Section 8(5) of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the penalty imposed under Section 33(1) of the said Act, which is yet to be notified. However, in India, currently there is no statute specifically providing for security standards in relation to non-personal data.

There are also certain sectoral obligations for data protection which must be adhered to by businesses. Some sector-specific requirements include those provided for banks under the Cyber Security Framework in Banks issued by the Reserve Bank of India; owners and regulators of Critical Information Infrastructure (CII) of the nation under the Guidelines for the Protection of National Critical Information Infrastructure; stock exchanges, clearing corporations and depositories (Market Infrastructure Institutions – MIIs) under the Guidelines for MIIs regarding Cyber security and Cyber resilience; and insurers under the IRDAI Information and Cyber Security Guidelines, 2023.

It also include the quarterly disclosure requirement in relation to cyber security incidents provided for listed entities under Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, as amended on June 14, 2023.

AI usage polices:

Use of AI by businesses involves data security and privacy concerns. Some of the risk mitigation techniques for organisations suggested by CERT-In include filtration and moderation techniques to prevent dissemination of malicious content generated using AI-powered tools, frequent security audits and system assessments and multi-factor authentication (MFA) usage to regulate employee interaction with AI-based tools. Business should consider formulating and implementing AI usage policies; sensitising employees on AI ethics and best practices; and ensure regular monitoring and auditing of AI usage for timely identification and rectification of potential threats.

Adequate contractual protections:

Businesses need to ensure that their contracts with custodians of their data as well as with their clients in relation to data protection have well-tailored clauses in relation to disclosure, insurance and indemnity. Lack of adequate cyber protections by data custodians could result in huge liability for businesses in case of data breaches, which must be adequately insured and indemnified.

Conclusion

The self-learning nature of AI translates into an ever mutating and evolving threat of cyber-attacks. It is accordingly critical for businesses to review, adapt and upgrade their data protection measures to align them with the prevailing security standards. The Coming AI Wave is here, and it would be advisable for businesses to be prepared for it.

This article was originally published in CMBC TV18 on 6 November 2023 Co-written by: Alina Arora, Partner; Lakshya Gupta, Senior Associate. Click here for original article

Read Less-