A Tale of Two Cities (Illustrated Edition)
The D&O Diary was on assignment in London last week for meetings, a conference, and a reception. The itinerary allowed for some time abroad in the city, and included a weekend stopover in Paris. The main event for the London visit was the annual C5 D&O Liability conference, in which I participated as a panelist. In the picture below, I am standing with my good friends and fellow panelists, Nilam Sharma, of Nilam Sharma Limited; Stephen Reilly of Beale & Company; and Chris Warrior of Hiscox.
Guest Post: Fidelity Bonds and Cybercrime Policies: 2015 Year in Review


This past year was a very eventful one in the world of fidelity bond, commercial crime, and cybercrime coverages. In the following guest post, David Bergenfeld of the D’Amato & Lynch law firm’s Fidelity Bond Practice Group, and Laura Lang, Esq., take a look at the important developments during 2015 regarding these coverages. I would like to thank David and Laura for their willingness to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors of topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is David and Laura’s guest post.
Reps and Warranties Insurance: When Do You Need It – and What About the Claims?
Insurance to protect against breaches of the representations and warranties provisions of mergers and acquisitions purchase agreements is an increasingly important part of many M&A transactions. Among other things, reps and warranties insurance can help facilitate the transaction by reducing the amount of the purchase price that must be set aside to provide the buyer with indemnification protection against breaches of the representations and warranties. As detailed in a March 2, 2016 Law 360 article entitled “A Buyer’s Guide to Reps and Warranties Insurance” (here, subscription required) by Wayne Bradley and Jonathan Picard of the Dentons law firm, there are certain situations in which representations and warranties insurance may be particularly appropriate. And as detailed in a recent study from a leading insurer, claims activity suggests that a significant number of transactions do run into trouble after the deal has closed, underscoring the need for this type of insurance.
Guest Post: Apple Versus The FBI: Some Common Sense Reflections from “Cool Hand Luke”

Many of us have been following the continuing battle between Apple and the U.S. government on whether the government can require the company to unlock the iPhone of the San Bernardino terrorist, Syed Rizwan Farook, with a combination of confusion and concern. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, sorts out the issues involved in the battle between Apple and the government, in light of all the circumstances, including the February 29, 2016 opinion by Eastern District of New York Judge James Orenstein in the separate Apple iPhone unlocking case. A version of this article originally appeared on CybersecurityDocket.com. I would like to thank John for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Field Notes on Recent Corporate Suit Filing Trends
As part of our beat here at The D&O Diary, we regularly monitor new lawsuit filings and try to identify trends and patterns. Over the years, we have noted and commented on this blog about many of the trends and patterns we have identified. More than once we have noted the incidence of director and officer liability litigation arising out of environmental issues. We have also noted that D&O litigation often follows after the announcement of FCPA investigations. As discussed below, there has been a flurry of recent filings involving environmental issues. I have also noted below an interesting variant on the FCPA follow-on civil lawsuit pattern.
Guest Post: Year in Review: Securities Litigation
This past year was an eventful one in the corporate and securities litigation arena, with the U.S. Supreme Court’s decision in the Omnicare case, important rulings in the lower courts applying the Supreme Court’s Halliburton II decision, and a host of other important decisions on critical securities law issues. In the following memorandum from the Haynes and Boone law firm, attorneys from the firm’s Securities and Shareholder Litigation group take a look at the important securities litigation developments during 2015. I would like to thank the firm and the group for their willingness to publish their memorandum on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this site. Please contact me directly if you are interested in submitting a guest post. Here is the Haynes and Boone firm’s memorandum.
*********************************************
Each year our Year in Review comments on significant securities-related decisions by the Supreme Court, federal appellate courts and district courts, notes key developments in SEC enforcement, and summarizes significant rulings in state law fiduciary litigation against directors and officers of public companies.
A Closer Look at Buffett’s Annual Letter to Berkshire Shareholders
A highly anticipated event in the financial world each year is the release of legendary investor and Berkshire Hathaway Chairman Warren Buffett’s annual letter to the company’s shareholders. Market watchers and other observers value Buffett’s annual letter for its valuable insights about the financial marketplace, as well as for Buffett’s homespun humor and his wise insights about the economy and the world. In this year’s letter (here), which the company released on Saturday morning, Buffett had quite a bit to say about the current prospects of the American economy. Many of Buffett’s remarks about the U.S. economy were expressly intended to counter the relentlessly negative tone of the current U.S. Presidential election campaign. The letter also contains an interesting commentary about both the beneficial and disruptive effects resulting from gains in productivity; the commentary includes a cautionary note about the need to assist those disadvantaged by the rapid changes that often accompany technical innovations. The letter also contains a rather sobering assessment of the risks the world currently faces. (Full disclosure: I own BRK.B shares, though not nearly as many as I wish I did.)
Securities Suit Frequency Means Challenging D&O Insurance Market for Life Sciences Companies
In 2015, as was the case for several years prior, companies in the life sciences sector experienced a disproportionately greater number of securities class action lawsuits than companies in other industries. As I detailed in my analysis of 2015 securities class action lawsuit filings (here), 39 of the 191 securities class action lawsuits filed in 2015 involved companies in the life sciences sector, representing about one in five of all securities suit filings during the year. No other sector experienced anywhere near this number of securities class action lawsuit filings. For example, the sector with the second-most number of filings, software companies, had eleven filings during 2015, representing about 6% of securities suit filings during the year.
There are a number of reasons why there are more securities suit filings involving life sciences companies, as discussed below. The frequency and severity of lawsuits against companies in the life sciences sector have important D&O Insurance implications as well, as also discussed below.
U.S. Banking Sector at Healthy Levels, But Do Problems Loom?
The FDIC’s latest quarterly banking profile overall reflects a generally healthy U.S. banking sector. However, problems may loom on the horizon, at least for some banks. In addition, the statistics reflect significant changes that have changed the face of the industry just in the past few years. The FDIC’s Quarterly Banking Profile for the Fourth Quarter 2015 can be found here, and the agency’s February 23, 2016 press release about the report can be found here.
Guest Post: The Need for Cyber Liability Insurance – Indian Perspective

Threats to data security and privacy are among the most important emerging exposures companies face. But it is not just companies in the United States that face these threats – these threats confront companies around the world. The purchase of insurance designed to deal with the liability exposures arising from these risks is an important way that companies around the world can confront these risk exposures. In the following guest post, Rohan Negandhi of Tata AIG General Insurance Company Limited takes a look at both the emerging cyber liability environment in India and the developing cyber liability insurance market in that country.
I would like to thank Rohan for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Rohan’s article.
**************************************************************
Background:
It is a well known fact that with the advent of the Companies Act, 2013 the demand for Directors and Officers insurance in India saw an upsurge. The new Act for the first time introduced the concept of class action suits in India and also codified the duties owed by directors to companies and listed the applicable fines for breaches of such duty which could give rise to civil liability as well as fines and penalties. In another first, the Act also gave statutory recognition to Directors and Officers insurance.
But if the 2013 Act had such an impact on Indian body corporates, leading to an increase in demand for D&O insurance, why did the Information Technology Act, 2000 [amended in 2008] not have the same impact on the demand for Cyber Liability Insurance?
The only answer that seems plausible is that the body corporates do not feel immediately exposed to such risk.
I believe both the stock market and the insurance market are driven by emotions. If the stock market oscillates between greed and fear, then the insurance market oscillates between comfort and fear. It is only when the media is flush with news of class action suits, a new law or amendment, or any other trigger events which cause fear or a sense of vulnerability, that the transition from a soft to a hard market begins. Premiums begin to rise with the rise in claims, again displaying why the insurance industry moves cyclically, like the other commodities. Which is why the principle advocated by value investors, of buying stocks when they are out of favour, can be applied to buying insurance – buy even when you think you don’t need it.
Legal Provisions:
Coming back to the Information Technology Act, 2000 [Amended in 2008], several provisions were laid down which make body corporates responsible for data breaches in both cases, i.e. when holding the information directly on behalf of customers or when acting as an intermediary.
The relevant provisions which expose body corporates to liability for such data breaches are as mentioned hereunder:
“S 43 A – Compensation for failure to protect data (Inserted vide ITAA 2006)
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees[1], to the person so affected. (Change vide ITAA 2008)
Explanation: For the purposes of this section
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”
Liability of Intermediaries:
Before the amendment, an intermediary was defined under the Act as any person who, on behalf of another person, receives, stores or transmits that message or provides any service with respect to that message. However, with the Information Technology Amendment Act, the definition of “Intermediary” is laid down by specifically including the telecom services providers, network providers, internet service providers and web-hosting service providers in the definition. Also included under the definition are search engines, online payment sites, online-auction sites, online market places and cyber cafés.
Under the old Act, intermediaries were exempted only if they were able to prove that they possessed no knowledge of the infringement or that they had exercised all due diligence to prevent such infringement. Therefore, this approach made websites liable in cases where constructive knowledge was proved or the website lacked sufficient measures to prevent such infringement.
The Amendment Act acknowledged the fact that it is virtually impossible for any website having significant traffic to monitor all its content, which would also require the company to incur certain costs. Hence, under the Information Technology Amendment Act, 2008, Section 79 has been modified to the effect that an intermediary shall not be liable for any third party information, data or communication link made available or hosted by him.
This exemption is subject to the following conditions:
- the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored or hosted;
- the intermediary does not initiate the transmission or select the receiver of the transmission and select or modify the information contained in the transmission;
- the intermediary observes due diligence while discharging his duties.
The direct consequence of this provision would be that social networking sites would be immune from liability as long as they satisfy the conditions provided under the section.
Similarly, Internet Service Providers (ISP), blogging sites, etc. would also be exempt from liability. However, an intermediary would lose the immunity, if the intermediary has conspired or abetted or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act.
Section 79 also introduced the concept of a “notice and take down” provision, which is common in many foreign jurisdictions. It provides that an intermediary would lose its immunity if, upon receiving actual knowledge or on being notified that any information, data or communication link residing in or connected to a computer resource controlled by it is being used to commit an unlawful act, it fails to expeditiously remove or disable access to that material.
This is one provision under which liability for the intermediary could arise. Several recent data breach cases in India display a lack of maturity in terms of Cyber Security on the part of corporates. Even if an intermediary is not held liable because it has not abetted the act, it may still be held liable if, upon receiving actual knowledge or on being notified of such unlawful act, it fails to remove or disable access to the same. For larger organizations which have forensic experts on their payroll, this may be possible, but for start-ups or other SMEs, the risk is comparatively high, as they are not well equipped to act swiftly in such circumstances.
Apart from that, the costs which would be incurred in monitoring the breach once it has occurred would be considerably high for the company to pay from its own pocket. In India, notification in case of a breach is not mandated under any law as of now, but it would be advisable as good governance practice to have a process in place so as to avoid derivative D&O claims resulting from the same.
Possible Triggers:
Recently India has been witness to several cases of cyber breach. In one recent case, when the managing director of a popular ice cream manufacturing company in Hyderabad turned on his computer to access his company’s database, he was startled to read – “Pay $1,000 to get your data back and do the payment in Bitcoins.”[2]
Another recent data breach was that of an Indian cyber security firm Cyberoam, which confirmed a cyber attack on its systems, resulting in possible leakage of its database that contained personal details of its customers and partners.[3]
According to the latest KPMG Cybercrime survey report, nearly 72% of Indian companies faced a cyberattack in 2015. More than 250 respondents from the likes of CIOs, CISOs, CAEs, CROs, COOs and related professionals from across India participated in the survey. [4]
The KPMG in India Cybercrime Survey Report states that 94% of respondents indicated that cybercrime is a major threat faced by organisations, but surprisingly only 41% indicated that it forms part of the board agenda.
74% of respondents believe that the BFSI sector is a top target for cybercrime, with 63% indicating these crimes more often than not amount to gross financial loss. Another important revelation was that 54% of the respondents indicated that spend on cyber defences is less than 5% of IT spend, with only 2% of organisations spending more than 20% of their IT budget on information security and cyber defences.
A similar report by PwC revealed that incidents of cybersecurity breach in India, during the period under consideration (July 2014—June 2015) surged by a record 117 per cent as compared to an increase of just 39 per cent globally.[5]
According to the 2014 Cost of Data Breach Study by IBM that was done in association with Ponemon Institute, India is one of the countries/regions that have the highest number of average data breaches, but its cost per capita is low. This study was conducted using qualitative questionnaires in 314 major companies across 10 countries.[6]
Why should a company buy Cyber Insurance?
Considering the above scenario, a Cyber Insurance policy not only acts as insurance against data breach, but also helps in mitigation of such risk, because the policies offered by some leading insurers come with certain value added services such as a risk assessment call with forensic experts, an analytics report and a shunning device to block unwanted IPs. These services make Cyber Insurance a wholesome product, which may appeal to a lot of corporates, especially the e-commerce players in the country, whose revenue and reputation are solely dependent on their online presence, which needs to be closely protected.
Future Outlook:
It can be reasonably concluded from the findings of the reports cited above that the Indian Insurance market is poised to see a significant increase in demand for Cyber Insurance if the trend continues. Currently, the total number of Cyber Insurance policies issued in India is still around 100-150, premiums are high, and claims are rare and few. But if the reports are to be relied upon, it can be said that most of the companies which face a breach either do not come out in public and admit it, or worse, are not aware of the same. In either situation, there is a lot at risk. With the government’s vision of 100 Smart Cities and the push to make India more technologically advanced, the members of the insurance fraternity should keep their eyes and ears open and, as Confucius said – “May you live in interesting times.”
______________________________
[1] USD 735,000 approx.
[2] http://timesofindia.indiatimes.com/tech/tech-news/Cyber-extortion-New-crime-on-the-block/articleshow/49038656.cms
[3] http://www.thehindubusinessline.com/info-tech/security-firm-cyberoam-turns-victim-in-cyber-attack/article8054964.ece
[4] https://www.kpmg.com/IN/en/IssuesAndInsights/ArticlesPublications/Documents/Cyber-Crime-Survey-2015-30Nov15.pdf
[5] http://www.newindianexpress.com/business/news/Incidents-of-Cybersecurity-Breach-Shoot-up-117-Percent-in-India-PwC/2015/10/14/article3079825.ece
The author of the article is a Bachelor of Business Administration and a Bachelor of Law from Symbiosis International University. The author also holds a Diploma in Cyber Laws from The Asian School of Cyber Laws.
Currently the author is working with Tata AIG General Insurance Company Limited, which is an Indian general insurance company and a joint venture between the Tata Group and American International Group (AIG), as a Financial Lines – Underwriter.
The views expressed in this article are solely of the author and are not representative of the organisation where he currently works.