Legal Ramifications of a Data Breach Discussed in Light of the Star Health and Allied Insurance Breach

by K.P. Hemanth Kumar*, B. Barathan** and K.P. Pramodh Kumar***

Star Health Data Breach

This article predominantly discusses the legal implications of a breach or leak of personal data, considering the law at present in force in India, with respect to: (i) the company which is responsible for the data; (ii) the perpetrators of the breach; and (iii) the parties affected. In doing so the recent case of the Star Health Insurance breach is used as an analogy where required to help the readers better understand the scenarios that may arise and the intricacies of the law. The legal remedies available to affected parties are also discussed in brief. Therefore, the probable legal interpretation and analogy is restricted to certain scenarios.

Summary of Star Health Insurance case (as available in the public domain)

A writ petition was filed before the Madras High Court by cybersecurity researcher Himanshu Pathak, calling for an investigation into a significant data breach at Star Health and Allied Insurance Co. Ltd. (SHAI). The petition highlighted the alleged exposure of personal data of around 3.1 crore customers, which includes mobile numbers, permanent account number (PAN) details, addresses, and medical conditions, following a cyberattack. It is also alleged that the hacker, known as “xenZen”, claimed the Chief Information Security Officer (CISO) of the company sold the data.

The petitioner urged the Court to direct the Union Government to investigate. The petitioner had also sought the relief of suspension of SHAI’s online operations and an investigation into the alleged sale of data to a Chinese hacker. Meanwhile, SHAI had filed a civil suit seeking to prevent the public disclosure of its data against the messaging platform Telegram and a hacker who identified himself as “xenZen”. In the said suit, among others, one of the allegations was that the petitioner had hacked into their database and retrieved data. An interim order was in operation against the petitioner restraining him from making public any information retrieved from the insurance firm’s customer database.

In the writ petition, the petitioner alleged that there had been a deliberate attempt to sell the company’s data by the Chief Information Security Officer of the company (CISO — person responsible for securing and protecting the data in an organisation) to some third party which went out of hand at some point and resulted in a breach in a strict sense.

Further, the Insurance Regulatory and Development Authority of India (Irdai), in its press release titled “Press Release Information Security” dated 18-10-2024, disclosed and acknowledged that there have been reports of data leaks from two insurers, without mentioning the companies’ names. The press release states that:

There have been reports of data leaks from two insurers recently. At the outset, it is stated that the Irdai considers data security as very important and takes data breach, cyberattacks on information technology (IT) systems of insurance companies, etc. very seriously.

Cyber security guidelines for insurance companies are in place which require insurers to put in place robust IT and cybersecurity frameworks for carrying out their operations.

Later the Madras High Court dismissed the writ petition on the grounds that the suit filed by SHAI against the petitioner amounts to a parallel proceeding and an interim order was in operation against the petitioner. The Court also considered the submission made on behalf of the Union of India that the dispute was merely a case of “private dispute”. Whether it is a private dispute or if the suit amounted to parallel proceedings does open up legal discussion but will not be the topic of this article. Though the case stands dismissed, this article borrows the relevant facts to discuss the importance of investigation and the legal implications of a breach.

Role of investigation in deconstructing the breach

In the present world of artificial intelligence and machine learning, a swift and effective investigation is crucial for figuring out what went wrong in data-breach cases, which heavily depend on specific domain expertise such as information security. The information that has allegedly been breached or leaked is the personal and sensitive data of the customers, obtained by the insurer for providing its services, which includes names, contact details, health conditions, and financial details. No doubt the bulk of the breached data relates to insurance services, but at the core of it, the issue is the underlying cause of the breach. To investigate the breach, one needs to understand what went wrong with the cybersecurity and information security measures that the company must have put in place to secure the data.

In the authors’ opinion, what should have been investigated is how the insurance data was either disclosed or leaked to a third party. To understand the underlying cause of the issue one needs domain expertise in the field of information security and cyber security, not in insurance. Therefore, it seems reasonable to assume that this technological know-how can be supplied by the Ministry of Electronics and Information Technology (MEITY) and any organisation falling under its purview.

Letter by Internet Freedom Foundation of India

Recently, as soon as the breach was made public, the Internet Freedom Foundation of India wrote a detailed letter on 20-9-2024 to the MEITY to deploy Indian Computer Emergency Response Team (‘CERT-In’) to investigate the underlying cause which seems to be the right course of action. However, in the writ petition (dismissed) the Central Government took a stand that the investigation should be handed over to Irdai. At best Irdai can only support the investigation performed by CERT-In, but can never take the lead. In the alternative, external digital forensics companies can be engaged to perform the investigation. Thorough and prompt investigation is required to understand the reason for breach or leak as it will pave the way for the law that is applicable and in turn, decide the liability of the parties.

CERT-In Guidelines

Further, it is pertinent to refer to the Notification No. 20(3)/2022 dated 28-4-2022 of the MEITY which mandates reporting of cyber incidents within 6 hours of noticing such incidents or being brought to notice about such incidents. This mandate applies to service providers, intermediaries, data centers, body corporates, and government organisations. At this stage, it is unclear if this requirement was complied with by SHAI.

Cyber Security Guidelines, 2023

The Irdai Cyber Security Guidelines, 2023 prescribe certain security practices that are applicable to all insurers, including Foreign Reinsurance Branches (FRBs) and insurance intermediaries regulated by the Irdai. The Guidelines do not contain any specific provision on the consequences of their violation; however, non-compliance may result in regulatory action. We observe that the Guidelines establish preventive and reporting requirements for data breaches, but do not specifically address the legal implications of non-compliance or remedies for affected parties.

What legal framework is triggered

As the Digital Personal Data Protection Act, 2023 has not yet come into force and its rules are yet to be drafted, one needs to fall back on the existing laws in force to determine on whom the liability lies and the redressal for the damage caused. Currently, the Information Technology Act, 2000 is the sole legislation that addresses these breach scenarios. The following discussion will throw light on the possible scenarios as to the party that may become liable and the provisions that may be applicable to the case at hand, along with the remedies prescribed therein.

When looking at the alleged facts through the lens of the Information Technology Act, 2000 (IT Act), at the outset three broad scenarios are possible:

(1) The company Star Health Insurance becomes liable due to its negligence in efficiently securing the data and allowing the breach to take place.

(2) The CISO becomes personally liable along with the company in case his/her role is proved to have contributed to the leak/breach of data.

(3) The CISO solely becomes personally liable for the breach/leak.

For Scenario 1, Section 43-A fixes the liability for the breach upon the body corporate. The same is extracted below for convenience:

43-A. Compensation for failure to protect data.—Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation.— For the purposes of this section —

(i) body corporate means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) reasonable security practices and procedures means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

The section uses the term “sensitive personal data”, though it has not been defined in the Act. Its meaning can be gathered from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, a subordinate legislation flowing from the IT Act. These specialised rules define sensitive personal data under Rule 3 as:

Sensitive personal data or information of a person means such personal information which consists of information relating to—

(i) password;

(ii) financial information such as bank account or credit card or debit card or other payment instrument details;

(iii) physical, physiological and mental health condition;

(iv) sexual orientation;

(v) medical records and history;

(vi) biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service; and

(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise….

Reading Section 43-A and Rule 3 together, the key ingredients that trigger this section are:

(a) the data involved (in the breach) is sensitive personal data;

(b) the body corporate has been negligent in implementing reasonable security practices and procedures; and

(c) such negligence causes wrongful loss or wrongful gain to any person.

In the illustrative case at hand, the data involved is sensitive, as mentioned previously. Only a proper investigation would reveal whether the company had implemented reasonable security practices and procedures to prevent common breaches. Ideally, adopting and deploying measures dictated by information security standards like ISO 27001, 27018, and 27019 will satisfy this criterion when the certifications are kept active and all non-conformities are addressed. In case the company had adopted prevailing industry standards and still had a zero-day vulnerability that could not be identified by due diligence, the liability may be reduced, as negligence on the company’s part is absent. Nevertheless, the company cannot escape liability under this section. In addition, the immediate mitigating steps taken by the company to contain the breach or leak as soon as it came to light may also be factored in when deciding the liability. Prompt responses to contain a breach reflect positively on the preparedness of a company to protect its data and customers and may show the company in a good light.

The liability of the company in default under Section 43-A is towards the affected parties, almost 3.2 crore people in the case at hand. The section does state that the company should compensate the affected parties, but is silent on the criteria for assessing the compensation to be paid. It appears that the courts will have to fill this lacuna left by the legislature.

Scenarios 2 and 3 are covered by Section 72-A. The section is extracted here for convenience:

Section 72-A of the IT Act, 2000:[1]

72-A. Punishment for disclosure of information in breach of lawful contract.— Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

For the above section to kick in, the following criteria must be satisfied:

(a) There should have been access to personal information under lawful terms of contract (lawful contract with the insurance customer).

(b) Such personal information should have been disclosed to another person (in violation of the lawful contract with the customers).

(c) Such disclosure should have caused wrongful loss or wrongful gain.

(d) There must have been intention or knowledge that such disclosure will cause wrongful loss or wrongful gain.

The reason that this section covers both scenarios is the language used in the provision — “any person including an intermediary”. The word “intermediary” is defined in Section 2(1)(w)[2] of the IT Act, 2000, and also takes into its purview the company in default. It goes without saying that the CISO is the owner of the security systems in an organisation and will sometimes have ownership of data, in this case customer data, depending on the organisational structure and the business processes. Hence, this section makes both the company and the person responsible for the breached data liable for wrongful disclosure of data.

Though Section 43-A may appear to be similar to Section 72-A in the sense that it fixes the liability on the company, the requirement of an element of intention or knowledge under Section 72-A is the most significant differentiating factor from Section 43-A, which merely requires negligence on the part of the company. If the leak or breach happens with the tacit or express approval of the company, then both the company and the person responsible can be penalised under Section 72-A. There also seems to be no restriction on which employees can be brought within the purview of Section 72-A, unlike Section 43-A, which applies only to a body corporate. Section 72-A also does not award any compensation to the affected parties, as it is drafted specifically for punishing the perpetrators.

In all of the breach situations, the investigation will decide the course of law and the liability that perpetrators ultimately get saddled with under prevailing laws. From the investigation, if it turns out that the SHAI was hand-in-glove with the CISO, Scenario 2 wherein both are liable for the breach of data will arise. However, if the investigation points only at the CISO for the leak as in Scenario 3, then he/she becomes solely liable.

There is one other aspect to be understood and appreciated: even if the investigation reveals Scenario 3, wherein just the CISO is liable under Section 72-A, it may not absolve the company of liability under Section 43-A. Weak information security systems, or apparent unfixed zero-day vulnerabilities that are exploited by someone, will make the company liable under Section 43-A for being negligent. Section 72-A can be applied in parallel for the punishment of the perpetrator.

As mentioned previously, Section 72-A is penal in nature and gives the Courts power to imprison the perpetrator for up to three years or impose a fine of up to five lakh rupees, or both.

Another very interesting section is Section 43 of the IT Act, 2000, which is triggered only when the investigation leads to Scenario 3. This provision is interesting because it has been included by the legislature to allow the affected party (not the end customers) to be compensated by the perpetrator. The legislature has not forgotten that a company must not be left high and dry and made to suffer for actions that are outside its control. For the sake of simplicity, only the parts relevant to the SHAI case are discussed and extracted here, as the scope of these provisions goes beyond the point to be highlighted:

43. Penalty and compensation for damage to computer, computer system, etc.— If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network —

(a) accesses or secures access to such computer, computer system or computer network (or computer resource);

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

* * *

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

* * *

(he shall be liable to pay damages by way of compensation to the person so affected.)

Explanation.— For the purposes of this section —

(i) computer contaminant means any set of computer instructions that are designed—

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network.

(ii) computer database means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

(iii) computer virus means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

(iv) damage means to destroy, alter, delete, add, modify or rearrange any computer resource by any means;

(v) computer source code — means the listing of programme, computer commands, design and layout and programme analysis of computer resource in any form.

The essence of this section is that anyone who, without authorisation:

(i) accesses or takes control of a computer system or network; or

(ii) gives access to some third party or aids in giving such access; or

(iii) damages a computer system or computer network in any way, including the data; or

(iv) introduces a virus into the computer system or network,

becomes personally liable to compensate the damages suffered by the affected party. This section applies to any external third party who is not part of a company, just as it applies to anyone who is part of the company but acts outside their role. However, the company can maintain a proceeding against the perpetrator only if it is shown that it had no role to play in the breach or leak. In light of the case in discussion, if the investigation leads to the outcome of Scenario 3, the company SHAI can take refuge under this section and seek compensation from the CISO.

A closer reading of this section will reveal another surprising element: the company will also be able to recover from the perpetrator the compensation it paid to all the affected parties (its customers) under Section 43-A. The beauty of this section is that it can be used by an individual whose computer system is damaged or affected by a hacker or a cyber miscreant. However, the section is silent on the criteria for awarding damages.

It is still premature to comment on the effectiveness of the IT Act in remedying the damage done to the affected parties, as the courts are yet to interpret the provisions and bridge the gaps left by the legislature. But one thing is clear: the affected parties are addressed in some way, though the real perpetrator in most breach cases may never be identified due to technological complexities.

Recent history from foreign jurisdiction

Instances from foreign jurisdictions sometimes give guidance on the path to be traversed. Two famous breaches happened consecutively in the United States of America (USA) — the Yahoo breach and the Equifax breach. Both breaches brought to light the vulnerabilities created by the lack of stringent regulation and the importance of protecting sensitive and personal information. This subsequently resulted in scrutiny of data protection practices and regulations, which strengthened safety practices through amendments and the implementation of new legislation.

Breach at Yahoo

In the Yahoo matter, the data of 3 billion users in the United States and Israel was leaked, and the breach included names, email addresses, phone numbers, dates of birth, and hashed passwords. The breach incidents took place in the years 2013 and 2014, whereas the disclosure of the same was made only in the year 2016. In the said matter Yahoo was fined to the tune of $35 million by the Securities and Exchange Commission and a settlement of $117.5 million was made before the Court.

Breach at Equifax

Further, in the Equifax data breach matter the incident took place in the year 2017 and ultimately affected 147 million consumers. The breach compromised sensitive personal and financial information including social security numbers, birth dates, addresses, and some driver’s licence and credit card numbers. It resulted in multiple class action lawsuits and government investigations, and in a settlement of around $700 million, including restitution for affected consumers.

Breach at MOVEit

We cannot ignore the recent data breach that happened in MOVEit, a business unit of Progress Software, by a ransomware group that discovered the vulnerability in 2021. The breach affected organisations across industries, including government agencies, British Airways, the British Broadcasting Corporation (BBC), Ernst & Young, the US Department of Energy, and other major companies. This breach has resulted in multiple class action suits and investigations which are pending before the courts.

It can be seen that the courts in the USA have been harsh on the companies in default and have also remedied the affected customers where possible. Such measures will invariably drive companies to be vigilant about the security of their customers’ data.

Moving forward

It becomes evident that the application of law comes into play only after the investigation is complete in information security breach cases. Efficient and effective investigation is the most crucial step in such cases. Such forensic investigation reports guide courts in understanding the underlying cause of the breach and form the basis for identifying liable parties and applying the laws in force. It would also be a very good practice to make the investigation report public, especially the parts that discuss the vulnerability that was exploited leading to the breach, as it would allow others to step up their security systems.

To guide the court through technical complexities in the investigation report, appointing an amicus curiae who has subject-matter expertise may go a long way in reducing the burden on the system and will aid in rendering justice. In fact, this may be required in all major information technology-related issues. In the authors’ opinion, the SHAI case had the possibility of becoming a precedent on how future data breach cases may be handled. If India were to become a technological hub in the coming years, it is time our courts start laying down strong legal foundations to support future technological advancements.


*Privacy Legal Counsel at Philips, Amsterdam, The Netherlands. Author can be reached at: hemanthsudha@gmail.com.

**Advocate practising at High Court of Madras. Author can be reached at: barathanbb@gmail.com.

***Advocate practising at High Court of Madras. Author can be reached at: pattabhi.pramodh@gmail.com.

1. Information Technology Act, 2000, S. 72-A.

2. (w) “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
