'India must have data breach notification laws'
The global organization that prescribes security standards for the payments industry has said that there is a need for data breach disclosure norms in India to improve cyber security in the country. At present, banks and other institutions keep any breach of their computer systems under wraps to prevent panic among customers.
Speaking to TOI, Jeremy King, international director at the PCI Security Standards Council, said that the absence of a breach notification law was detrimental to merchants and organizations. “If organizations think there are no breaches, they would not be taking things too seriously,” said King. He was in India to address the SISA Summit 2016 on security in payments systems. In India, the RBI requires all payments service providers to adhere to PCI DSS standards.
Some of the biggest data breaches in the world have come to light because of laws requiring breach notification. The breach that made the most news in 2015 was that of the infamous dating website Ashley Madison, which announced that information regarding 3.7 crore users was leaked. In December 2013, US retailer Target Corporation announced that data from 4 crore credit and debit cards was stolen.
The US has been a pioneer in enacting security breach notification laws, first in 2002 by California and then followed by other states. Europe is in the process of enacting similar laws. Notifying the breaches requires the target company to take remedial measures including perhaps reissue of cards. It helps other organizations to address the vulnerabilities used by hackers.
According to Nitin Bhatnagar, head of business development at SISA, a firm that certifies adherence to payments security standards, India already has rules for providing information on data breaches to the Indian Computer Emergency Response Team (CERT-In), which comes under the ministry of communications and information technology. But breaches are not reported because there is no one to implement this. “When we are moving toward Digital India, we need a data breach law where there is a push from the regulator for notification of the breach. The intention is to advise everyone on remedial action and address vulnerabilities,” Bhatnagar said.
According to King, one of the positive aspects of the Indian payments industry is the regulator's support for electronic payments and the recognition that security of transactions is key to growing electronic payments. He said that the trade-off between security and convenience cannot be completely eliminated but technology was helping to make things easier.
Source | Times of India | 6 February 2016