The Delhi High Court has sought the government’s stand on a petition by the Free Software Movement of India (FSMI) seeking a CERT-In investigation into large-scale data breaches on various platforms. On August 13, Justice Rekha Palli granted time to the Centre’s counsel to seek instructions on the petition. The order of the court stated:
Learned counsel for the respondents, who appear on advance notice, prays for time to obtain instructions. List on September 23, 2021.
The Petition and the Call for Investigation into Data Breaches
As per the petition, Yarlagadda Kiran Chandra, the General Secretary of FSMI, wrote to CERT-In on many occasions about various incidents of data breaches. He avers that the data these companies collect through mobile or web applications has been the subject of data breaches. Consequently, the breaches have compromised the sensitive and financial information of millions of users of these services.
Such incidents include data breaches at Big Basket, Mobikwik, Domino’s, and Air India platforms. As per the petition, the petitioner wrote to CERT-In to investigate these incidents and inform citizens. However, CERT-In has refused to take any action on the complaints.
The Law on Data Breaches
Section 70B of the Information Technology Act, 2000 lays down that CERT-In is responsible for gathering and analyzing information on cybersecurity incidents. The law also tasks the agency with implementing emergency steps to handle cybersecurity issues. Any individual, organisation or corporate entity affected by cybersecurity incidents can report the incident to CERT-In.
As such, the petitioner filed complaints with CERT-In concerning these data breaches. He called on the agency to issue guidelines and also to call for information from the service providers, intermediaries, data centres, body corporate and any other persons in this regard.
Further, the petition mentions that the aggrieved users do not have any legislative recourse against such breaches in the absence of a data protection law. Therefore, an investigation by CERT-In into frequent data breaches at the mass level is important to safeguard user privacy.
However, the petitioner received a response from the agency saying it does not require his directions to investigate data breaches.
“We would like to inform you that CERT-In is aware of its responsibilities and does not require your client’s directions to investigate data breaches as highlighted by you. Organizations named in your notices have been directed to comply with the relevant provisions of law.”
You can read the order here.