Star Health Under Regulatory Investigation for Alleged Data Breach, Experts Caution About Potential Legal Consequences, ET LegalWorld

Data Breach at Star Health Sparks Regulatory and Legal Concerns

On October 11, The Exchange sought clarification from Star Health and Allied Insurance Company Limited regarding a troubling news item detailing an alleged data breach. Reports indicate that a senior executive at the company improperly sold the personal data of over 31 million customers to hackers, raising serious questions about data security protocols within the organization. Ankit Sahni, a partner at Ajay Sahni & Associates, emphasized the importance of urgent government action to expedite the implementation of the Digital Personal Data Protection (DPDP) Act, highlighting that without robust legal mechanisms, consumers are left vulnerable to data exploitation.

The gravity of this situation underscores the significant responsibilities held by data fiduciaries, who are required to ensure data accuracy, implement security safeguards, and delete data once it is no longer needed. Hersh Desai, counsel at the Supreme Court of India, noted that under the new DPDP Act, breaches could severely impact the data fiduciary—potentially leading to penalties reaching up to ₹250 crores for failing to protect personal data as mandated by sub-section (5) of section 8.

As the investigation unfolds, it has been revealed that the breach was allegedly linked to a hacker known as xenZen, who claimed that the executive’s actions facilitated the data sale. The legal ramifications are severe; under Section 66 of the Information Technology Act of 2000, penalties include up to three years of imprisonment or fines of up to ₹5,00,000 for hacking offenses. Additionally, Section 66D addresses computer resource-related cheating, enforcing similar penalties. Moreover, due to the sensitive nature of medical history records involved in the breach, these incidents could provoke charges under Section 43A of the IT Act as well, potentially leading to further legal liabilities.

A more profound concern is that the Data Protection Authority (DPA) may soon have the ability to take suo motu action against the data fiduciary for not implementing adequate security measures to prevent data breaches, with fines up to ₹250 crores. Legal experts, including Nakul Batra from DSK Legal, assert that the DPDP Act could impose stringent penalties for various forms of non-compliance, presenting a framework that imposes clear obligations on data fiduciaries.

As the legal landscape develops, contributions from various stakeholders highlight the need for stronger accountability and consumer protection. Kritika Seth, a founding partner at The Victoriam Legalis, pointed out that the DPDP Act enforces clear duties for data fiduciaries, including mandatory notification to affected parties in case of a breach, ensuring transparency and swift communication.

The anticipated DPDP rules are still under consultation; however, existing laws provide significant avenues for remedy in data breach events. Ankit Rajgarhia of Karanjawala & Co. noted that current provisions offer substantial protection, enabling affected individuals and organizations to pursue legal recourse while emphasizing the need for persistent updates to these protections given the rapidly evolving cybersecurity environment.

The incident at Star Health Insurance serves as a stark reminder of the vulnerabilities that persist in data management practices, particularly within sensitive sectors like healthcare. Legal experts agree that as governments worldwide, including India, navigate this complex landscape, there’s a growing necessity to establish a culture of transparency regarding data protection practices and breach responses, as breaches not only undermine consumer trust but may also lead to dire reputational consequences for organizations.

In conclusion, as this case unfolds, the implications are poised to resonate significantly across the cybersecurity domain, necessitating a reevaluation of current practices and legal frameworks that govern data protection, ensuring they align with global standards while safeguarding consumer interests.