What does the law provide for security of your private data that you entrust to various service providers?
On the night of March 7, 2020, Foodmandu, an online food delivery platform, suffered a security breach in which over 50K user records were stolen. Foodmandu issued a statement regarding the breach on 8 March 2020, notifying its customers that it had suffered a data breach and that it was committed to protecting all forms of customer data. Foodmandu stated that it had fixed the loophole in its web application immediately after identifying the incident on March 7, 2020 and that its team was proactively investigating the issue. Foodmandu had contacted the Cyber Crime Division of the Government of Nepal and sent a takedown request to the relevant authorities regarding the private data that had been uploaded. The data of over fifty thousand users was breached and their privacy violated, yet the culprit is still to be found and punished.
Yet again, on 2 April 2020, a news article published on the website of Kathmandu Press (kathmandupress.com), an online news portal, that was critical of the actions of the government was removed, allegedly by the IT consulting firm engaged by the portal, without authorization from the portal. The IT firm, Shiran Technologies Pvt. Ltd., is a company owned by Asgar Ali, IT consultant to the Prime Minister. Shiran Technologies issued a public apology for accessing the portal without authorization. This was an attack on the constitutionally guaranteed right to free speech and freedom of the press. The alleged party apologized and will probably escape any further investigation and possible sanction.
On 8 April 2020, Vianet Communications Pvt. Ltd., a leading internet service provider in Nepal, issued a press release acknowledging that it had suffered a data breach. Personal details, including names, locations, emails, phone numbers and addresses, of around one hundred and seventy thousand customers were breached and leaked onto the internet. Its statements were the same as those of Foodmandu: no apology issued, no hacker traced. It did, however, try to alert its customers to suspicious emails or calls they might receive from the hackers and advised them not to give out their private information.
Since then, there has been a series of data breaches and cyber attacks. Data of 400 customers of Prabhu Bank Ltd. was leaked online. Access to government websites was leaked online. These, however, were organized incidents. “Satan” (@satan_cyber_god) on Twitter claims to conduct such actions as a “demo” to inform everyone of how weak the systems are. It further claimed that informing through a demo is not a breach.
What constitutes a data breach?
A data breach occurs when there is unauthorized access to a database holding sensitive, protected or confidential data, i.e. the data is viewed by someone who should not have access to it.
Data that are private or that are related to persons, their residence, property, document, correspondence and matters regarding their character are inviolable except in accordance with law. This right, the right to privacy of every person regarding their residence, property, document, data, correspondence and matters relating to their character is a constitutionally guaranteed fundamental right under Article 28 of the Constitution of Nepal, further affirmed by the Privacy Act, 2018 (“Privacy Act”).
Section 12 of the Privacy Act provides every person with the right to keep their personal data or details confidential. It further provides that no person shall, without obtaining consent, provide the data of a person to anyone else, or publish it or cause it to be published, except when asked for by a court or by officials authorized by law in the course of an investigation. Section 19 of the Privacy Act further clarifies that no one shall, in an unauthorized manner, obtain the notices, information or correspondence of any person held in electronic form, or breach their privacy or provide such material to anybody.
Section 23 provides that no one except an official authorized under the law, or a person permitted by such an official, shall collect, store, protect, analyze, process or publish the personal information of any person, and Section 26 restricts the use of such information collected without the consent of the concerned person. So any unauthorized access to private data and its publication constitutes a data breach and a violation of the right to privacy. It is an offence under Section 29 of the Privacy Act.
Also, if a person makes unauthorized access to any program, information or data stored in any computer, damages an information system, publishes illegal materials in electronic form, or divulges confidentiality or privacy, that is a breach and a violation under Sections 45, 46, 47 and 48 of the Electronic Transactions Act, 2008 (“ETA”).
The data breaches at Foodmandu, Vianet and Prabhu Bank therefore amount to violations of the legal provisions under the Privacy Act and the ETA.
Can creating awareness and informing the relevant authorities about the weakness of security systems be a defense to these acts of data breaches?
Satan claims that all its acts of data breach are for the purpose of informing the authorities and the public of how weak the systems are. However, such unauthorized access and publication of data amounts to a severe breach of the privacy and cyber security of many individuals and corporate bodies. Publication is allowed only when permitted by law. In this instance, the acts are wrong ab initio even if the intention was pure, so that will not constitute a defense. Satan's actions still constitute a breach.
Responsibility to Protect Data and Cyber Security
The Privacy Act assigns certain duties to data collectors, i.e. those who maintain records of the data. Data collectors cannot collect any data without the consent of the concerned person, and they cannot use the collected data except for the purpose for which it was collected.
Section 25 of the Privacy Act places the responsibility to protect collected data on the public bodies or corporate bodies that store or control the data under their responsibility. Such public or corporate bodies have to make appropriate arrangements against unauthorized access to personal information, and against the possible risk of unauthorized use, change, disclosure, publication or transmission of such information; in other words, they must maintain cyber security if the data is stored in computer systems or networks. Cyber security is the protection of computer systems, networks and programs from digital attacks or cyber attacks. However, the Privacy Act does not recognize failure to fulfil this responsibility as an offence, and hence there is no sanction against such a corporate body even if it fails to maintain cyber security or if its data is breached through its own negligence. Though Foodmandu, Vianet and Prabhu Bank, among others, failed to perform their duty under the Privacy Act, it appears that they will face no sanction as such.
The Privacy Act provides for two modalities: certain offences are tried as criminal cases, while others may be instituted as civil suits at the concerned district courts. The data breaches in the aforementioned cases of Foodmandu, Vianet and Prabhu Bank are acts contrary to Section 26 of the Privacy Act and hence will be tried as criminal cases. Such incidents should be reported to the nearest police station for further investigation and action.
If a complaint is to be made under the ETA, one can file a First Information Report (FIR) at the nearest police station within 35 days of notice of the incident. Cases are tried as criminal cases at the Information Technology Tribunal, and an appeal lies with the appellate tribunal.
It must be kept in mind that cases under the Privacy Act are filed for violation of privacy rights, whereas cases under the ETA are filed for offences relating to computers (where electronic media are used to violate the ETA).
Punishment and Compensation:
The Privacy Act provides for compensation of the victim by the offender, and for punishment of the offender by imprisonment for a term not exceeding three years, a fine not exceeding thirty thousand rupees, or both.
The ETA sanctions data breach with a fine not exceeding two hundred thousand rupees, imprisonment not exceeding three years, or both. For publication of illegal materials in electronic form, including materials that the law prohibits from being published or displayed, the sanction is a fine not exceeding one hundred thousand rupees, imprisonment not exceeding five years, or both. Repetition of the offence attracts an additional half of the previous punishment. Divulging confidentiality or privacy recorded in any records, books, registers, letters, notices, documents or the like is sanctioned with a fine not exceeding one hundred thousand rupees, imprisonment not exceeding two years, or both.
If the victim has suffered any damage, the tribunal shall award appropriate compensation.
Amidst the increasing incidents of data breach and many people using various online platforms for their services during this lockdown, including the courts of Nepal, who will be responsible for the safety and security of all the data that is to be put out there on the internet? Clearly, the ones who are held responsible by the law are not taking matters seriously; the lack of investigation and sanction seems to be the primary reason. A lack of awareness of law, which is itself vague, seems to be another. Given these situations where the general public entrust their private information to various online service providers, the government should focus on specific cases of data security and accordingly formulate or amend the existing provisions to specifically address these issues. In addition, implementation of the law has always been an issue, so the Government should also look towards effective implementation of legal provisions. In these cases, the police should initiate investigations even if no complaints are filed when the organizations themselves accept the data breach.