India Needs Better Cyber Police

India Needs Better Cyber Police is a Business Standard report published on 23 May 2014 by Surabhi Agarwal. The article examines India’s data breach notification and enforcement mechanisms following eBay’s revelation that cybercriminals accessed 145 million customer records, featuring analysis from Sunil Abraham, then Executive Director of the Centre for Internet and Society, and cyber law expert Pavan Duggal on regulatory weaknesses, consumer awareness deficits, and corporate non-compliance.

Article Details

Published in: Business Standard
Date: 23 May 2014
Authors: Surabhi Agarwal
Type: News Report

Full Text

On Wednesday, one of the largest online shopping and auction portals, eBay, revealed that earlier this year, cybercriminals accessed details of 145 million of its customers.

Even though eBay's customers' financial details are said to be safe, the incident is being termed a "historic breach" given the enormity of the data compromised. Globally, eBay is being criticised not just for its laxity in securing the digital perimeter but also for reacting too late. The company has said that it first came to know of the breach "two weeks" ago. Records that have been accessed contain passwords as well as email addresses, birth dates, mailing addresses and other personal information.

The situation is worse when it comes to reporting such instances in India, say cyber security experts. The Indian Information Technology Act requires companies to adopt "reasonable security measures" to protect consumers' sensitive personal information such as passwords and financial details. It also makes companies duty bound to report breaches and also defines liabilities in case a firm is found not to be adhering to best data security practices. However, implementation is patchy and most such instances go unreported.

Pavan Duggal, an advocate specialising in cyber security, says most users do not come to know if there has been a breach. "Awareness is also low among consumers about the legal recourse available in case their data has been compromised," he adds. Unlike in the West, lack of a proper data protection and privacy law in India is to be blamed for this. "Companies, too, are inclined not to report such instances as they fear being negatively impacted in the market," he points out.

In case of a breach, a user can contact the adjudicating officer, which is the state infotech secretary, for legal recourse. However, the onus is on the user to prove the breach. In the US, a consumer can get a subpoena (court order) issued against a company that makes it duty bound to provide details of the breach. "In India, the regime is too lax. It is very difficult to notify the government," says Sunil Abraham, executive director of the Centre for Internet and Society.

"There are stringent compliance requirements in countries such as the US. The laws in India need to come tougher if we want companies to become more serious about this," adds Duggal.

eBay has advised consumers, many of whom could be Indians, to immediately change their passwords. While people tend to use the same password across many sites, emails and phone numbers act as verifying tools for several financial transactions and could be misused. Moreover, unlike India, the US does not require additional authentication apart from credit card and CVV number, which makes transactions slightly more vulnerable. "It may be a good idea to include a one-time password as a security layer," says Abraham.

Over 200 million Indians are online. The Indian e-commerce market is estimated at $2 billion (Rs 12,000 crore) and is expected to cross $20 billion over the next four years.

"There is no such thing as 100 per cent protection in the digital world. The choice is between transacting online or not," says Akhilesh Tuteja, executive director of consulting firm KPMG. "Technology is becoming so sophisticated that what was good yesterday is not good today." A bigger dialogue is needed on people treating theft of digital assets just as they would physical assets, he adds.

The last big breach was reported at software maker Adobe Systems in October 2013, when it was uncovered that hackers accessed about 152 million user accounts. Last December Target said some 40 million payment card numbers and another 70 million customer records were hacked into.

How to play it safe online

  • Keep a strong password and change it regularly
  • Try to keep unique passwords for each website
  • Save as little personal information as possible online, especially financial data
  • Have multiple email ids; don't use the primary email id for online transactions
  • Consider getting online purchases delivered to your office address, not home

Context and Background

This article appeared on 23 May 2014, the day after eBay publicly disclosed that hackers had compromised a database containing 145 million user records between late February and early March 2014. The breach affected passwords, email addresses, birth dates, and physical addresses, though eBay maintained that financial information remained secure. The company faced criticism for delaying public notification until mid-May despite discovering the intrusion in early May, a delay that ran counter to the emerging norms of timely breach disclosure that consumer advocates and data protection regulators increasingly demanded.

The Information Technology Act’s Section 43A and the accompanying Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 required companies handling sensitive personal data to implement “reasonable security practices” and notify affected individuals of breaches. However, as both Abraham and Duggal noted, enforcement remained weak. The rules lacked clear timelines for notification, specified penalties proved modest compared to international standards, and regulatory oversight by the Indian Computer Emergency Response Team (CERT-In) focused more on coordination than enforcement.

Abraham’s observation that “it is very difficult to notify the government” in India highlighted procedural ambiguities around breach reporting. Unlike jurisdictions with mandatory breach notification laws specifying clear reporting channels, timelines, and threshold criteria, India’s framework left companies uncertain about notification obligations. The designation of state IT secretaries as adjudicating officers created fragmented enforcement across states with varying technical capacity and regulatory appetite. The burden of proof falling on individual users rather than companies reversed the accountability structure that international data protection regimes established.

Duggal’s point about corporate reluctance to report breaches due to reputational concerns reflected a persistent challenge. Without mandatory disclosure requirements backed by significant penalties for non-compliance, companies rationally chose silence over transparency. This information asymmetry left consumers unaware of risks, unable to take protective measures like password changes, and prevented market mechanisms from penalising poor security practices. The contrast with US state-level breach notification laws—which by 2014 existed in 47 states—demonstrated India’s regulatory gap.

Sunil Abraham’s suggestion to adopt one-time passwords as additional authentication reflected recognition that India’s requirement for two-factor authentication on card-not-present transactions provided stronger consumer protection than US practices relying solely on card numbers and CVV codes. The Reserve Bank of India’s 2009 mandate for additional authentication factors on online transactions had initially frustrated e-commerce companies, which cited friction and abandoned transactions, but it proved prescient as payment fraud accelerated globally.

The article appeared as India’s e-commerce sector entered rapid growth, with the market projected to expand from $2 billion to $20 billion within four years. This growth trajectory—ultimately exceeded as platforms like Flipkart, Snapdeal, and Amazon India raised billions in venture capital—made data security frameworks increasingly urgent. However, comprehensive data protection legislation remained stalled despite the Justice AP Shah committee’s 2012 draft privacy bill, leaving India dependent on IT Act provisions designed primarily for IT service providers rather than consumer-facing digital platforms.

This page was created on 9 January 2026.