When responding to a cyber-attack in India, companies need to act cautiously and take into account the legal issues prescribed by local legislation as well as applicable legal standards. The primary legal frameworks for dealing with cyber incidents in India remain the IT Act 2000 with its rules, the PDPB 2018 (still at the draft stage), and sector-specific legislation (banking, insurance, and telecom).
Here is a step-by-step guide on how businesses in India can respond legally after a cyber-attack:
Immediate response to the cyber-attack in the IT industry:
- Contain the breach: The first step is to isolate the systems hit by the attack so that other systems are not infected. Make sure that the possibility of the same incident repeating is contained and that your network is safe.
- Engage cyber security experts: Engage internal IT personnel or outsourced cyber security specialists to evaluate the breach, determine the impacted areas, and carry out remediation.
- Document everything: Keep a detailed written record, including when the incident was discovered, what actions have been taken, and who was communicated with and when.
Recent amendments to the IT Act strongly protect and address information technology rights.
Section 43A: Under this section of the IT Act, a body corporate which creates, receives, uses or processes any sensitive information is under a legal obligation to implement reasonable security measures. Failing to do so can lead to liability in the event of a data breach, as seen in the courts.
Section 72A: This section imposes duties on individuals or companies regarding the disclosure of personal information in breach of contract. Business entities should make sure that they are processing and storing personal information legally and with permission.
Performance Standard: Notification and Reporting
Report to CERT-In (Indian Computer Emergency Response Team):
- According to Rule 12A of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, any concern holding SPDI must inform CERT-In of the breach within 6 hours of its occurrence.
- CERT-In is the nodal agency that deals with cyber security threats and breaches; in case of any such eventuality, delay in informing this agency could cost a business legal fees and non-compliance penalties.
- CERT-In offers guidelines and support on managing cyber breaches and generally leads the response to large cyber-attacks.
- Filing a First Information Report (FIR): If the cyber-attack is criminal in nature (hacking, phishing, a ransomware outbreak), companies should report it to the police by filing an FIR. Sections 66C and 66D of the IT Act cover such cyber-criminal activities, and the police will take the necessary action.
Informing the Individuals Concerned (if any)
- Data breach notification: Whenever personal data is involved, particularly sensitive data, businesses are required to inform the data subjects within a reasonable time.
- Although the IT Act itself makes no provision for notifying individuals, the proposed Personal Data Protection Bill, 2019, which is awaiting approval, does require breach notification. Once the PDPB is implemented, companies will also have to notify those affected within a reasonable time, probably 72 hours.
- Even where there is no legal obligation, any institution that falls victim to a cyber-attack should, for ethical reasons alone, inform the affected individuals and advise them on the steps to take, including but not limited to: reset your passwords immediately, monitor your financial accounts for fraudulent activity, and so on.
Engage Legal Counsel
- Cyber-security lawyers: Any company concerned with data privacy and cyber law should seek legal advice from an attorney with an understanding of these laws.
- Assess liabilities: Legal advisors can assist the organisation in assessing its risks and the extent of the corrective measures needed. This covers the IT Act's Section 43A, which holds organisations responsible for negligence in securing information in their systems, as well as contractual liability where the firm has contracts with clients or third parties concerning data protection.
- Third-party vendors: When the breach relates to a third party, the business should review its service provider's, contractor's or consultant's contracts to find out whether there are provisions on liability and indemnification.
Cyber Insurance and Risk Management
- Contact your cyber insurance provider: If your business is insured against cyber risks, inform your insurer as soon as possible. Cyber insurance can cover part of the expense resulting from a data breach, including legal fees, notification costs and forensic analysis.
Public relations and communication
- Prepare public communications: In the case of a major breach, the firm may be forced to issue a press release. Consult your legal advisors and your public relations personnel in crafting a response that does not compromise the business but also does not leave the company open to further legal implications.
- Internal communication: Where possible, notify employees of the security breach and of any loss of data or of their personal details.
- Avoid making specific admissions: It remains important to be as transparent as possible, but businesses should not accidentally admit liability or discuss the specifics of the incident publicly without consulting their attorney. This is important to avoid becoming involved in future legal or insurance complications.
Examine Data Protection and Cyber Security Policies
- Review security practices: Any weakness that was exploited by the attackers to get into the business and compromise data should be reviewed properly, and the corresponding policies and protective measures adjusted as needed.
- Implement stronger controls: Make sure that only those categories of personal data are collected that can be protected by the reasonable security measures required under the IT Act. This may include measures such as encryption, accreditation, audits, and training employees on cyber-security.
- Vendor assessments: If the breach came via a third-party vendor, reassess your third-party risk management. Parties entering into supply chain relationships should examine each other's cyber-security posture before entering into a contract.
Mitigating Reputational Damage:
- Offer affected individuals support: Follow up with the affected persons and let them know what measures they can take to prevent further loss, for example free credit monitoring services or identity theft protection, especially if the leaked data was of a sensitive nature, for instance financial or health information.
- Address customer concerns: Expect customers to have questions and concerns, especially where their trust has been violated.
Observance of Sector-Specific Business Laws
- Financial Sector: Financial service providers, from newly founded start-ups to conventional banking entities, have no option but to adhere to the Reserve Bank of India guidelines on cyber security and data protection. The cyber security framework prescribed by the RBI requires banks and every other financial entity to inform the RBI of any attack within a specified time.
- Telecom and IT: TRAI has certain reporting responsibilities related to cyber incidents that affect telecom data, and the DoT may have the same requirement.
- Healthcare: Healthcare providers are expected to respect the privacy of data, including medical data, under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as health data is classified as sensitive personal information.
Prepare for Litigation
- Third-party claims: If a breach impacts third parties, including customers, business partners, or service providers, legal action should be expected. A business could be held legally liable, including to shareholders, for negligence, for breach of contract and for breach of data protection laws.
- Data protection lawsuits: In case of a serious violation, companies might be sued under the IT Act or the PDPB (when in effect). People who suffered losses may demand monetary compensation for them.
Key Legal Frameworks and Considerations:
- IT Act, 2000 (as amended): Regulates numerous aspects of cyberspace, data protection, and cyber security offences in India.
- CERT-In: The body in India solely responsible for cyber security, which has to be informed when there has been a data breach.
- Draft Personal Data Protection Bill (PDPB): When enacted, the PDPB will make the requirements for data breach notification and personal data protection even more rigorous.
- RBI Guidelines: For financial institutions, the RBI has its own specific rules and regulations on cyber security and risk management.
Through these actions, businesses in India can handle the legal consequences of a cyber-attack, reduce the associated risks, and satisfy legal requirements.
Lead India Law offers a range of information, legal services, and free legal advice online to help resolve such issues. Ask a legal question online for free and talk to a lawyer to receive the best advice in this situation.