India Insights with Suparna Goswami

3rd Party Risk Management , Anti-Phishing, DMARC , Email Threat Protection

Learning From Wipro, JustDial Post-Breach Mistakes

India Needs Strong Data Breach Notification Law
Learning From Wipro, JustDial Post-Breach Mistakes

In recent days, two major Indian companies -Wipro and JustDial - did a poor job of communicating following data leaks. This points to the need for a strong breach notification law in India.

See Also: When Every Identity is at Risk, Where Do You Begin?

When KrebsOnSecurity first approached Wipro regarding it being the victim of a phishing campaign, the company did not acknowledge it. But two days later, after many news media inquiries, it finally confirmed the security incident.

Meanwhile, JustDial reportedly failed to reply to a researcher who reached out to its security team to inform it about its old servers leaking data of its customers.

Computer Emergency Response Team for India, or CERT-In, plans to initiate strong action against both companies for not disclosing data leaks more quickly, sources tell me.

CERT-In requires that service providers, intermediaries, data centers and corporate entities issue prompt notifications of cybersecurity incidents, but does not specify a timeline. Also, the government has not set penalties for violations of this requirement.

A few months ago, a CERT-In official told me that relatively few companies report breaches as required. But so far, CERT-In has taken little action against the offenders.

Data Protection Bill

The Personal Data Protection Bill, which Parliament is slated to consider, could address the enforcement of breach notification requirements - if its provisions are expanded.

For example, the bill should make data breach notification a mandatory requirement under law. It should also impose penalties on companies that fail to report breaches. Although those specific provisions were not in a draft of the bill, they still could be added - if the Parliament steps up and takes prompt action.

To help prepare for timely breach notification, CISOs should ensure that their organization conducts tests simulating breach response situations.

Transparency following a breach reinforces a company's reputation for integrity and its willingness to learn from mistakes.

About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.