32 lakh bank cards hacked: India needs data breach disclosure law and needs it now
All of this started around a month ago, when hundreds of thousands of people in India got an SMS telling them that they needed to reset the ATM pin for their debit cards. They were also told that the limit on international transactions on their cards was reduced to Rs 7,000. No other information was provided, even though customers of several banks, including the big ones like HDFC and ICICI, got these messages.
This was a very cryptic message and low on information. Why the PIN needed to be changed? What really happened? Were the customers at some serious risk from cyber criminals? Was the information related to their cards leaked? None of these questions were answered.
That is until today. Now we have some — but still fairly vague — information. There is a report that says the information related to 32 lakh debit cards has been leaked. These cards belong to a number of banks, including SBI, HDFC and ICICI. Although SBI has seemingly confirmed that the information of its six lakh cards has been leaked other banks are still not not talking, or at least not talking in the manner that clears the air.
Consumers kept in dark
This obfuscation and propensity to hide information is natural. Any bank that suffers a data breach will not like to tell its consumers that it can’t even keep their financial and key information safe. But even if the disclosure is not in the interest of the bank, it is imperative for consumers to know what is happening with their bank accounts, or for that matter any data that they share with companies. This transparency and disclosure forces companies to not only come clean on their cyber security practices but overall leads to greater accountability, which in turn, improves cyber security for all.
Unfortunately, the Indian government has been so clueless — this government and the others before it — that Indian consumers don’t have the same sort of cyber protection and right to transparency that people get in countries like the US, Australia or for that matter in the European Union states. Instead all they get is a cryptic message telling them to change the PIN of the card.
Even if the disclosure is not in the interest of the bank, it is imperative for consumers to know what is happening with their bank accounts, or for that matter any data that they share with companies
The banks in India, or for that matter any other company that deals in private and confidential data, has no obligation and no liability towards consumers for any data breach. The breaches happen in India all the time but no one really knows who is at fault or what sort of cyber security practices banks follow here. We don’t know how details of 32 lakh ATM cards leaked in this instances. We don’t know if the breach was at RBI or some private bank part of network. We don’t know if it was Hitachi’s systems that leaked information or if it happened due to some issue at Master Card or Visa.
Bring in a law
We just don’t know. And we wouldn’t know until India comes out with a law that makes reporting data breaches mandatory. In the US, most states have such laws for over a decade now. The European Union came out with a similar mandatory data breach norms in the last decade. In the places where there are relevant laws, a bank or a company like Yahoo needs to inform all the affected users in the case of a data breach. They just can’t hide it as soon as they come to know it. If the information is hidden from users who have suffered loss of privacy or data breach, these companies can be sued as well as penalised.
But India, despite being a so-called IT superpower, and despite having the dream of bringing over a billion people online, has not bothered to put in place something that can help people here have some sort of privacy and protection against data breaches.
May be it has something to do with our government’s believe that privacy is some sort of a anti-national concept. Or it has something to do with the fact that here in India we just don’t get the concept of privacy. Or may it is because in India anything that brings some sort of transparency in some place, or something, is usually resisted. We just love to keep it all opaque. Our government, and our institutions, including private bodies love to keep everything secret. Or may our government just doesn’t want banks and companies to be accountable to consumers.
But keeping things secret in the case of data breach also means missing out on the chance to improve the state of cyber security. And for a country that Dreams of Digital India, this is very very dangerous.