RECENT DOMINO'S DATA LEAK AND ITS LEGAL IMPLICATIONS
Whenever we install an app, we are prompted to provide permissions via a pop-up window. The majority of us are in a rush and accept anything without even reading it.
By doing so, you allow the firm concerned to access data saved on your device. You may also knowingly give companies data such as your phone number, account number, and personal information in order to use their services. With greater digitization and the convenience it brings, it is impossible to avoid surrendering our data entirely, and the organisations that collect it must secure it and keep it confidential. Data leakage exposes individuals to viruses, financial loss, and dangers to sensitive information.
Domino's Data Breach
Domino's is one of the most well-known pizza delivery services. This year, the organisation had a data breach. The firm states that no financial data was stolen as a result of the data breach. Data from 18 crore Domino's pizza orders, as well as roughly 13TB of staff and customer information, was exposed online. The hackers have made the material public, claiming that payment information and personnel files would be released soon.
What is a data breach?
According to the Indian Personal Data Protection Bill, data is defined as "a representation of information, facts, concepts, views, or instructions in a form suitable for transmission, interpretation, or processing by people or automated methods." Personal data also includes information about or relating to a natural person who is directly or indirectly identifiable based on any characteristic, trait, attribute, or other feature of their identity, whether online or offline, or any combination of such features with other information, as well as any inference made from such data for profiling purposes. As a result, a data breach occurs when an unauthorised user discloses, acquires, shares, alters, or destroys data, or when access to the data is lost, jeopardising its confidentiality and integrity.
The stolen material is frequently made available on the dark web, also known as the dark net, which is encrypted online content that is not indexed by traditional search engines such as Google, Yahoo, and others. It is a component of the deep web, which contains a variety of other services such as online banking, payment, and so on, and whose websites aren't found by traditional search engines.
Because it provides a high level of anonymity for users, it is used as a medium for carrying out illegal activities such as child abuse, murder, and unethical transactions. Cryptocurrencies are commonly used to carry out these transactions, and there is no strong regulatory law for cryptocurrency. The irony is that, while the dark web provides great privacy to individuals, it is also widely used to breach the privacy of others, resulting in sensitive information such as photographs, bank account numbers, passwords, and other personal information being taken and used unethically.
Data Breaches in the past
The data leak at Domino's Pizza is only the latest in a long line of data breaches at firms in recent years. While breaches continue to happen on a regular basis, putting more and more individuals in danger, there are no repercussions for the firm. A few firms that have had a data breach are listed below.
MobiKwik Data Breach – 8.2TB of data of around 110 million Indian MobiKwik users has been leaked, among which about 3.5 million users’ KYC, phone numbers, and 100 million users’ bank account details, email IDs, geolocations, etc. have been put on sale on the dark web for merely 1.5 bitcoins or approx.
LinkedIn – In 2012, the data of 165 million users was stolen by a Russian hacker from LinkedIn, the social networking site for business professionals.
Marriott International – In 2014, a Chinese intelligence group stole data, including passport numbers and credit card numbers among others, of 500 million customers of Marriott International.
How can you protect your data?
If you have accounts with any banks or financial institutions, contact them if your financial information has been compromised.
All of your passwords should be changed.
You might want to consider putting a credit freeze in place. This prevents someone from exploiting your information to steal your identity or borrow money in your name.
Check your credit report to see if somebody is applying for credit with your information.
Try to figure out exactly what information was taken.
Don't respond immediately to a company's request for personal information following a data breach; it might be a social engineering attack.
If you no longer use an account, close it rather than leaving it inactive. This makes you less vulnerable to a security compromise.
Keep your phone safe. Use a screen lock and make sure your phone's software is up to date.
Make sure you're accessing your accounts over the secure HTTPS protocol rather than the insecure HTTP standard.
Previous judgements related to data privacy
Individuals' personal and sensitive data are protected by The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Under these rules, the purpose and use of the collected information must be disclosed in clear and plain language, and the purpose must be legitimate and absolutely required. Before disclosing or sharing personal information with a third party, an organisation should get permission from the persons affected, unless there is a legal obligation to do so.
These rules have a serious flaw in that they are poorly implemented and have minimal penalties, and they only apply to Indian corporations.
Sections 43 and 66 (punishment for hacking), Section 66E (imprisonment for violation of privacy), Section 72A (penalty for illegal use of personal data), and other sections of the IT Act, 2000, aim to safeguard people's privacy.
In K.S. Puttaswamy and Others v. UOI and Others (2017) 10 SCC 1, the Hon'ble Supreme Court of India decided that the Right to Privacy is a fundamental right under Article 21 of the Indian Constitution. According to the court, every individual has the right to control their commercial identity and to use and control their identity, personal information, and other related information exclusively on the internet, as well as the right to allow others to use that personal data for a limited purpose only. That means that a person has a fundamental right to control how, where, and to what degree their data is utilised. Individuals' Right to Privacy is being violated and threatened by the rising number of data breaches.
There is no doubt about the importance of an individual's personal data, and it has become impossible to withhold it because managing and regulating our financial, health, business, and other activities requires this information. As a result, expecting a proper and strict regulatory system from companies is legitimate, and holding them accountable is necessary. Although efforts have been taken to avoid data breaches, our legal system still lacks the strictness and strength required to combat the dark web's and hackers' notoriety.
K.S Puttaswamy and Another vs UOI and Others (2017) 10 SCC 1
The article is authored by Samarth Jain from Institute of Law, Nirma University