Dec. 11 — Although many of the cybersecurity issues facing India resemble those found in other countries, analysts say there are some aspects unique to India of which foreign companies operating there, particularly those with employees in country, need to be aware.
India's culture, laws and attitude of ordinary Indians towards the confidentiality of information may surprise companies seeking to bolster privacy and data security measures in line with other countries, analysts told Bloomberg BNA.
Making generalized statements about a country that hold true for more than 1.2 billion unique individuals and untold thousands of companies isn't truly possible, but local security professionals say that generally in India, there is:
• a casual attitude towards private information;
• little awareness of intellectual property rights;
• no dividing line between the personal and the public;
• a lack of regulatory oversight;
• the misperception that security risk is external, not internal;
• a lack of compliance; and
• low investment in security technology.
Privacy isn't paramount in anyone's mind in India, from the ordinary citizen to government ministers. For foreign companies this represents a challenge in that they have to realize the behavior of employees will be different from what they are accustomed to.
“They can't change the way Indians instinctively behave and live but they do need to work on changing the behavior of employees in the workplace so that they stop disclosing private information,” Sivarama Krishnan, a partner at PricewaterhouseCoopers LLP Risk Advisory Services, said.
Information that in the West is seen as private isn't seen the same way in India, where information about one's health, income, investment, and family details is openly and easily shared. Strangers on a train often share private information about salaries and investments.
Cabinet ministers, doctors and chief executive officers easily share their mobile numbers. In shopping malls and restaurants hackers buy information from vendors who collect phone numbers, addresses and e-mail addresses. It is easy for them to get access to data in housing directories for a price.
India is the fourth most targeted country globally for phishing attacks, according to a report by information technology services company EMC Corp. In 2013, Indian companies lost around $53 million due to phishing scams with the country facing over 3,750 reported phishing attacks in July-September alone, according to EMC.
Intellectual property rights aren't well understood, and piracy is widely regarded as acceptable: people copy products, services, ideas, codes, information from websites and even the plots of Hollywood films—virtually frame by frame—without expecting any repercussions. This casual attitude makes Indians inadvertently susceptible to phishing attacks on companies.
A recent PwC report on cybersecurity found that almost 38 percent of corporate respondents claimed to have suffered a loss of “hard” intellectual property, which included strategic business plans, deal-related information and sensitive financial information.
Abbas Goddhrawal, Ernst & Young Advisory Services senior manager, said that the executives of companies that don't process or maintain customer credit card data or personally identifiable information tend to think they are safe. “They do not fully understand the severity of cybersecurity threats to their intellectual property and proprietary information such as product designs, source code, pending patents, formulations, manufacturing process instructions and procedures, research and development results and analysis, exploration data,” Goddhrawal said.
“The proprietary information they risk is customer lists, pricing, cost and sales information, pre-released financial results, merger and acquisition information, third-party contracts and bid plans.” Therefore, the risk of being compromised is high among companies that have a lot of intellectual property at stake, such as life sciences, retail, and defense companies, he said.
Personal versus public space isn't clearly separated in India, analysts said. They merge and mingle. Consequently, people frequently put out personal information about themselves—on social media and job searching sites—that can be misused.
“The inability to differentiate between what is work-related information and what is personal means that even senior people unintentionally reveal information about themselves—their movements, the hotels where they are staying, the projects they are working on when they give their profiles—that can be used by competitors,” Prasanto K. Roy, the head of media at Trivone Digital Services Pvt. Ltd., said. This kind of personal information should not be in the public domain, he said.
A tremendous amount of competitive business intelligence can, therefore, be found in the public domain because many Indians don't separate business information from personal information, he said.
Krishnan said that “the lesson for foreign companies is that they need to recalibrate how they use technology here, recalibrate how much effort needs to go into making Indian employees aware of the need for secrecy and caution and need to spend more on technology that may be intrusive but is needed to protect their data, i.e. technology which allows them to monitor their staff and what they are doing on social media or on job portals etc. so that you can detect misbehaviour and correct it.”
Mumbai-based independent cybersecurity lawyer Prashant Mali said raising public awareness about privacy and confidentiality is an urgent need. “The government needs to allocate a budget for mass cybercrime awareness in the country and this should be in vernacular languages too to reach rural India,” Mali said.
One of the biggest gaps in cybersecurity and data protection in India is a lack of regulatory oversight, analysts said. In places all over the world with stronger cybersecurity regimes, it is regulators who have promoted awareness and pushed for compliance and disclosure, they said. But in India there is little enforcement.
Despite an amendment to the Information Technology Act requiring security breach reporting (209 PRA, 11/2/09)(8 PVLR 1574, 11/2/09), the provision hasn't been enforced because there is no enforcement mechanism in place, analysts said. Companies don't bother complying, out of fear that their reputation and valuation will be damaged.
A widespread perception exists among company management that the risk is only external, not internal, and that a company's employees could not possibly harm the company. Experts say this belief is rooted in a culture that places a greater premium on trust and personal relationships than on contracts and rules. Nor is there much awareness of the possible risks from employees once they have left the company, either because of what they might do as individuals or what they might do if they are poached by competitors.
Many companies in India are very enthusiastic about gaining international certification for information technology best practices and security and privacy standards—such as ISO 9000—but many fail to then actually comply with these standards.
“India represents the second largest level of certification after the U.K., but these companies do not comply with the standards,” Krishnan said.
“Our society is not compliance-inclined. We tend to take short cuts. We circumvent processes. So companies have the standards certification but they do not comply. They don't even get the technology to enable them to comply,” he said.
The PwC report found that the average information security budget in India has increased by approximately 25 percent over the last five years. Its author, Krishnan, said that the growth rate isn't as impressive when one considers that the base it was growing from was very low.
“Overall there is a low use of technology for security and the result is that companies don't even know what is happening inside their offices because they haven't got the technology to detect lapses,” he said.
To contact the reporter on this story: Amrit Dhillon in New Delhi at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org