CYBERSECURITY AND PERSONAL DATA PROTECTION

Rapid digitalisation has made us prone to cyberattacks, which is of grave concern. The world has indeed shrunk with the advent of digital technologies, but this has made cybersecurity of utmost importance. Earlier, computers were protected against physical access, but with the development of the internet in the 1990s the scope of cybersecurity broadened considerably. Protection of personal data, however, is not a new concept; privacy laws have long existed. Due to digitalisation, vast amounts of data are stored and shared online. This data includes crucial information such as names, addresses and bank account details, which could be jeopardised by cybercriminals.

Personal data is at risk from phishing attacks, data breaches, ransomware and similar threats. The growing threat to personal data also impacts individuals psychologically, affecting mental well-being, emotional stability, and trust in both digital and personal spaces. In extreme cases, individuals may develop symptoms of post-traumatic stress disorder (PTSD), especially if the breach has resulted in monumental personal or financial loss. Deepfake videos of prominent personalities are frequently circulated on social media, which poses a threat to personal data such as voice recordings and images. In a high-profile case of financial fraud, criminals used deepfake technology to impersonate the face and voice of a company CEO on a video call. They conducted a virtual meeting with junior employees, instructing them to transfer large sums of money to a fraudulent account, claiming it was for a legitimate business deal. The employees, believing they were communicating with their real CEO, unknowingly followed through with the transactions. The growing number of incidents involving the exploitation of personal data has instilled fear in individuals. Whether through identity theft, deepfake technology, unauthorized surveillance, or privacy breaches, people are distressed about losing control over their personal information.

The concepts of the right to privacy and personal data protection are crucial in the digital landscape. They intersect significantly, as protecting personal data is essential for safeguarding individuals’ privacy rights. In a landmark judgement in 2017, the Supreme Court of India recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution, which guarantees the right to life and personal liberty. The recognition of privacy as a fundamental right establishes a constitutional basis for personal data protection laws. It emphasises the necessity for legislation that safeguards individuals’ personal information from misuse, unauthorised access, and surveillance.

One notable data breach in April 2024 targeted boAt, a popular electronics brand, exposing the data of 7.5 million customers. The leaked information included names, addresses, and email details. Similarly, in early 2023, renowned snack giant Haldiram’s faced a ransomware attack. Cybercriminals targeted the company’s IT systems, compromising personal and financial data of customers and vendors. Air India and Domino’s met with the same fate in 2021. Cybercriminals spare no one, whether an individual or a well-established company. These breaches accentuate the increasing threat to personal data in India, emphasising the dire need for enhanced cybersecurity measures. When personal data falls into the wrong hands, the consequences can be harsh. Data breaches can lead to identity theft, financial fraud, reputational damage, and psychological stress. For organisations, a breach can result in legal repercussions, financial losses, and a loss of trust among consumers.

According to a 2022 report by IBM Security, the global average cost of a data breach reached $4.35 million, underscoring the financial impact of inadequate data protection measures. A personal data breach can potentially even contribute to cyberterrorism: while a personal data breach is typically criminal in nature, the stolen data could be used to facilitate larger-scale acts of cyberterrorism. This makes the protection of personal data not only a matter of individual privacy but also of national security. The increasing number of cyberattacks around the world has paved the way for comprehensive cybersecurity laws. The General Data Protection Regulation (GDPR), effective since May 2018, is an EU law that applies to any organisation handling EU citizens’ personal data. It grants individuals rights to access, correct, and delete their data, requires explicit consent for data collection, and mandates reporting data breaches within 72 hours. Non-compliance can result in fines up to €20 million or 4% of global turnover.

Similarly, the California Consumer Privacy Act (CCPA) was enacted in January 2020 for the protection of citizens’ personal data. Several other countries have developed their own data security laws. From 2000 to 2024, various cybersecurity laws have been enacted in India to address threats posed by cybercrime and to protect sensitive data. The cybersecurity laws in India have become more extensive in response to growing cybercrime. India has enacted enhanced laws for safeguarding personal data by introducing the Digital Personal Data Protection Bill (DPDP), which was approved by the Indian Parliament in August 2023.

This act aims to regulate the collection, storage, processing, and transfer of personal data. It focuses on protecting individuals’ privacy and preventing data breaches in India. This act stands out from all others as it is stricter and more centred on personal data protection. The act prescribes hefty penalties for data breaches, non-compliance, and failure to protect personal data. These penalties can go up to ₹250 crore, making it one of the most financially strict data protection acts in India; no previous act had such a penalty. It ensures the creation of a Data Protection Board to oversee, enforce, and adjudicate matters related to data protection, which will prove effective in curbing data breaches. This act also delineates stringent rules on cross-border transfer. Compared to international frameworks like the EU’s GDPR (General Data Protection Regulation), the DPDP Act, 2023 is less complicated. However, it draws inspiration from GDPR by emphasising individual rights, transparency, and consent. A striking feature is its allowance for government agencies to be exempt from certain compliance requirements, particularly in cases involving national security and public order. This type of exemption is not seen as prominently in other data protection laws, such as the GDPR. By implementing effective cybersecurity strategies and adhering to laws like the Digital Personal Data Protection Act 2023, individuals can safeguard their personal information and mitigate risks. A pragmatic approach to data protection not only empowers individuals but also builds trust in digital interactions, enabling a secure environment where people can engage confidently in an increasingly interconnected world.

Cyber resilience is essential for businesses to maintain robust security in the face of evolving cyber threats. Its main goals include ensuring continuous cybersecurity preparedness, preventing or minimising business function compromises, and maintaining essential operations during disruptive incidents. This involves continuous monitoring to detect and address attacks that cannot be blocked, as well as the quick restoration of critical functions after a breach. In today’s environment, cyber resilience is even more important due to widespread disruptions and the rapid expansion of remote work, which have heightened security challenges. Organizations must develop cyber resilience plans based on thorough risk assessments, addressing both internal threats and external risks like data breaches and ransomware attacks. The plan should empower workers to remain secure and productive from anywhere, using any device, and optimize their experience for performance, cost, and security. Moreover, it should extend enterprise-level operations to the home, laying the groundwork for a secure and adaptable hybrid workforce for the future, enabling teams to work effectively both in-office and remotely.

With our growing dependence on data, the practice of securing our computers and mobile phones is becoming increasingly complex. Security is not the only imperative. The aftermath, meaning data recovery and continuity of business, is equally relevant. In most cases, a cybersecurity threat is unpredictable. But constant alertness and an awareness campaign can go a long way in protecting everyone. The global cyber threat continues to evolve at a rapid pace, with a rising number of data breaches each year. A report by Risk Based Security revealed that a shocking 7.9 billion records were exposed by data breaches in almost the whole of 2019 alone. And these figures grow manifold each year.

The most vulnerable were medical services, retailers and public entities. The most malicious criminals were behind this. These sectors appeal to cybercriminals the most, as the stolen data can be sold at very high prices and can be used for espionage or attacks. Global spending on cybersecurity solutions is also naturally increasing. Gartner predicts cybersecurity spending to reach $1998.3 billion in 2024 and surpass the $360 billion mark by 2026. Governments across the globe have responded to the rising cyber threat with guidance to help organizations implement effective practices.

Author: Ms. Aashna Gupta, Student, Economics Honors with Political Science, Motilal Nehru College, University of Delhi
