Learning From Wipro, JustDial Post-Breach Mistakes
India Needs Strong Data Breach Notification Law

In recent days, two major Indian companies - Wipro and JustDial - did a poor job of communicating following data leaks. This points to the need for a strong breach notification law in India.
When KrebsOnSecurity first approached Wipro about the company being the victim of a phishing campaign, Wipro did not acknowledge it. Two days later, after many news media inquiries, it finally confirmed the security incident.
Meanwhile, JustDial reportedly failed to reply to a researcher who had contacted its security team to report that its old servers were leaking customer data.
Computer Emergency Response Team for India, or CERT-In, plans to initiate strong action against both companies for not disclosing data leaks more quickly, sources tell me.
CERT-In requires that service providers, intermediaries, data centers and corporate entities issue prompt notifications of cybersecurity incidents, but does not specify a timeline. Also, the government has not set penalties for violations of this requirement.
A few months ago, a CERT-In official told me that relatively few companies report breaches as required. But so far, CERT-In has taken little action against the offenders.
Data Protection Bill
The Personal Data Protection Bill, which Parliament is slated to consider, could address the enforcement of breach notification requirements - if its provisions are expanded.
For example, the bill should make data breach notification a mandatory requirement under law. It should also impose penalties on companies that fail to report breaches. Although those specific provisions were not in a draft of the bill, they still could be added - if Parliament steps up and takes prompt action.
To help prepare for timely breach notification, CISOs should ensure that their organization conducts tests simulating breach response situations.
Transparency following a breach reinforces a company's reputation for integrity and its willingness to learn from mistakes.