Using incognito mode and VPN may still not ensure total privacy, according to expert
SVIMS Director and Vice-Chancellor B. Vengamma lighting a lamp to formally launch the cybercrime awareness programme conducted by the police department for the medical students in Tirupati on Wednesday.
An awareness meet on safe Internet practices was held for the students of Sri Venkateswara University (SVU) and Sri Venkateswara Institute of Medical Sciences (SVIMS) here on Wednesday.
“Cyber criminals on the prowl can easily track our digital footprint, steal our identity and resort to impersonation,” cyber expert I.L. Narasimha Rao cautioned the college students.
Addressing the students in two sessions, Mr. Narasimha Rao, who is a Senior Manager with CyberPeace Foundation, said seemingly common acts like browsing a website, and liking and commenting on posts on social media platforms could be used by impersonators to recreate an account in our name.
Turning to the youth, Mr. Narasimha Rao said the incognito mode and Virtual Private Network (VPN) used as a protected network connection do not ensure total privacy, as third parties could still snoop on the websites being visited by the users. He also cautioned them about tactics like ‘phishing’, ‘vishing’ and ‘smishing’ being used by cybercriminals to steal our passwords and gain access to our accounts.
“After cracking the whip on websites and apps that could potentially compromise our security, the Government of India has recently banned 232 more apps,” he noted.
Additional Superintendent of Police (Crime) B.H. Vimala Kumari appealed to cyber victims to call 1930 or the Cyber Mitra’s helpline 9121211100. SVIMS Director B. Vengamma stressed the need for caution with smartphones becoming an indispensable tool for students, be it for online education, seeking information, entertainment or for conducting digital transactions.
Related Blogs
Introduction
India’s digital growth journey has been moving at a tremendous pace. According to MeitY’s report, India’s digital economy is expected to rise to US$ 500 billion by 2025, up from US$ 200 billion in 2019. The digitisation drive that we are experiencing is likely to foster and boost a favourable business environment that will attract rapid investment and augment economic growth across sectors. This will, in turn, compel businesses to adopt digital platforms as solutions to meet customer expectations. Due to accelerated digitisation, cyber risks often deter business growth. Cybercrimes are becoming more rampant and complex and the costs associated with such breaches are not only increasing but also becoming more systemic.
Development of the Cyber Insurance Landscape
Digitization of businesses started in the 1980s with the use of mainframes. Personal computers then entered the picture and, from the 2000s, further modified the landscape along with LANs, the internet and the dot-com boom. In the late 1990s, cyber-insurance was developed as a risk management tool to ensure information security. Coverage was limited, and clients included SMEs in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations. The first cyber insurance policy was written in 1997 through AIG, against hacking as a third-party liability policy.
The current trends in the cyber insurance space are focused on the prevention of cyber risks, which by nature are hard to outline and constantly evolving. The result is that the buyers have limited clarity on the types of cyber risks covered under cyber insurance, and even less visibility on the scope and amount of optimum coverage. Unfamiliarity with the claim procedure and resolutions, ambiguous claim thresholds during settlements, and confusion around exclusions and coverage of regulatory fines and penalties under a purchased scheme further discourage potential buyers from seriously investing in cyber insurance products.
Key Factors in Cyber Insurance Evolution and Its Role in Risk Management
The cyber insurance market in India has three key influencing factors, namely the speed of achieving digital maturity, government initiatives to digitise and enforce stringent cyber laws, and the evolving landscape with technology giants and MNCs entering the cyber insurance domain. The latter are the catalyst for intensifying competition in this market.
Advancements in technology in terms of AI, machine learning, big data, robotics, blockchain, augmented and virtual reality, and IoT are expected to reshape the insurance industry and help reach untapped audiences in a more digital-forward manner. With the absence of a standard cyber insurance policy, regulators need to take the following variables into consideration while developing cyber insurance policies: the risk insured against, the scope of the loss covered and the limits/ sub-limits.
Challenges
With the complexity of cyber risks increasing exponentially, the challenges to counter the same are growing too, which is leading to gaps in the coverage offered for cyber threats. Resultantly, the compliance regulations are dependent on the risks which exist, and cyber threat actors adopt new technologies faster and exploit them to their benefit. A lack of historical data and predictability in future cyber risks, the possibility of large overwhelming loss events, uncertainties among market participants about what is specifically covered under such policies, and legal battles over fundamental issues are some of the challenges identified.
Future Outlook/ Recommendations
India's cyber infrastructure requires a multi-faceted approach that involves collaboration between government, industry, and academia. Some recommendations are:
- Risk assessments should be a general practice, and cyber insurance policies should be simplified, clearing the mismatch between the premium paid and insurance coverage; there should also be standard verbiage across cyber policy language.
- Promoting R&D tailored to India focused on education programs that have public-private partnerships and global collaborations to share threat intelligence, best practices, and expertise in critical infrastructure protection.
- Cyber insurance can also be promoted as compliance with the DPDP Act, which would lead to better development of cyber infrastructure and cyber hygiene practices.
- Regular updates to cyber insurance policies to ensure relevance and effectiveness. Insurers could create and offer holistic cyber insurance risk management plans.
Conclusion
According to a report by Deloitte in 2023, the cyber insurance market in India is expected to grow by 27-30 per cent in the coming years and it is currently valued at USD 50-60 million, while maintaining a steady 27-30 per cent CAGR in the past three years. The nature of India's cyber infrastructure is challenging; however, it offers opportunities for growth, innovation, and collaboration. A proactive approach, supported by robust policies, advanced technologies, and skilled professionals, will be essential to building a resilient cyber infrastructure capable of withstanding evolving threats.
Reference
- https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-fsi-demystifying-cyber-insurance-coverage-report.pdf
- https://www.dnaindia.com/business/report-what-s-cyber-liablity-insurance-and-why-you-may-need-it-2136556
- https://economictimes.indiatimes.com/industry/banking/finance/insure/cyber-insurance-gains-momentum-in-india-set-to-witness-exponential-growth-deloitte/articleshow/104189297.cms?from=mdr
Introduction
The Digital Personal Data Protection (DPDP) Act, 2023, introduces a framework for the protection of personal data in India. A data fiduciary is the entity that essentially determines the purpose and means of processing of personal data. Small-scale industries also fall within the ambit of the term. Startups/small companies and Micro, Small, and Medium Enterprises (MSMEs), while determining the purpose of processing of personal data in the capacity of ‘data fiduciary’, are also required to comply with the DPDP Act provisions. The obligations set for the data fiduciary will apply to them unilaterally, though compliance with this Act can be challenging due to resource constraints and limited expertise in data protection.
Section 17(3) of the DPDP Act, 2023 gives power to the Central Government to exempt startups from being obligated to comply with the Act, taking into account the volume and nature of personal data processed. It is the nation's first standalone law on data protection and privacy, which sets forth strict rules on how data fiduciaries can collect and process personal data, focusing on consent-based mechanisms and personal data protection. Small-scale industries are given more time to comply with the DPDP Act. The detailed provisions are to be notified in further rulemaking called the ‘DPDP rules’.
Obligations on Data Fiduciary under the DPDP Act, 2023
The DPDP Act focuses on processing digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. Hence, small-scale industries also need to comply with provisions aimed at protecting digital personal data.
The key requirements to be considered:
- Data Processing Principles: Ensuring that data processing is done lawfully, fairly, and transparently. Further, personal data should be collected and processed only for specific, clear, and legitimate purposes, and only the data necessary for the stated purpose should be collected. Ensuring that the data is accurate and up to date is also necessary. An important part is that the data is not retained longer than necessary and appropriate security measures are taken to protect the said data.
- Consent Management: Clear and informed consent should be obtained from individuals before collecting their personal data. Further, individuals have the option to withdraw their consent easily.
- Rights of Data Principals: Data principals (individuals) whose data is being collected have the right to information, the right to correction and erasure of data, the right to grievance redressal, the right to nominate, and the right to access, correct, and delete their personal data. Data fiduciaries need to be mindful of mechanisms to handle requests from data principals regarding their concerns.
- Data Breach Notifications: Data fiduciaries are required to notify the data protection board and the affected individuals in case a data breach has occurred.
- Appropriate technical and organisational measures: A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act and the rules made thereunder.
- Cross-border Data Transfers: Compliance with regulations in relation to the transfer of personal data outside of India should be ensured.
Challenges for Small Scale Industries for the DPDP Act Compliance
Small-scale industries have high aims for their organisational growth, and in the digital age they also need to rely on online security measures and the handling of personal data; with the DPDP Act in the picture, this becomes an obligation to consider and comply with. Small-scale industries, including MSMEs, might face certain challenges in fulfilling these obligations, but digital data protection measures will also boost the competitive market and customer growth in their business. Bringing reforms in methods aimed at better data governance in today's digital era is significant.
One of the major challenges for small-scale industries could be ensuring a skilled workforce that understands and educates internal stakeholders about the DPDP Act compliances. This could undoubtedly become an additional burden.
Further, limited resources can make the implementation of data protection, which is oftentimes complex for a layperson in the case of a small-scale industry, difficult. Limitations in resources are often financial or human resources.
Cybersecurity, cyber awareness, and protection from cyber threats need some form of expertise, which is lacking in small enterprises. The decision to outsource such expertise is sometimes taken too late, and some form of harm can occur in the intervening period.
Investment in the core business or enterprise many times doesn't include technology other than the basic requirements to run the business, nor towards ensuring that the data is secure and all compliances are met. However, in the fast-moving digital world, all industries need to be mindful of their efforts to protect personal data and proper data governance.
Recommendations
To ensure proper and effective personal data handling practices as per the provisions of the Act, small companies/startups need to work on both the backend and the frontend and ensure that they take adequate measures to comply with the Act. While such industries have been given more time to ensure compliance, there are some suggestions for them to be compliant with the new law.
Small companies can ensure compliance with the DPDP Act by implementing robust data protection policies, investing in and providing employee training on data privacy, using age-verification mechanisms, and adopting privacy-by-design principles. Conduct a gap analysis to identify areas where current practices fall short of DPDP Act requirements. Regular audits, secure data storage solutions, and transparent communication with users about data practices are also essential. Use cost-effective tools and technologies for data protection and management.
Conclusion
Small-scale industries must take proactive steps to align with the DPDP Act, 2023 provisions. By understanding the requirements, leveraging external expertise, and adopting best practices, small-scale industries can ensure compliance and protect personal data effectively. In the long run, complying with the new law would lead to greater trust and better business for the enterprises, resulting in a larger revenue share for them.
References
- https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1959161
- https://www.financialexpress.com/business/digital-transformation-dpdp-act-managing-data-protection-compliance-in-businesses-3305293/
- https://economictimes.indiatimes.com/tech/technology/big-tech-coalition-seeks-12-18-month-extension-to-comply-with-indias-dpdp-act/articleshow/104726843.cms?from=mdr
Introduction:
The Federal Bureau of Investigation (FBI) focuses on threats and is an intelligence-driven agency with both law enforcement and intelligence responsibilities. The FBI has the power and duty to look into certain offences that are entrusted to it and to offer other law enforcement agencies cooperation services including fingerprint identification, lab tests, and training. In order to support its own investigations as well as those of its collaborators and to better comprehend and address the security dangers facing the United States, the FBI also gathers, disseminates, and analyzes intelligence.
Functions of the FBI’s Internet Crime Complaint Center (IC3) in combating cybercrime:
- Collection: Internet crime victims can report incidents and notify the relevant authorities of potential illicit Internet behavior using the IC3. Law enforcement frequently advises and directs victims to use www.ic3.gov to submit a complaint.
- Analysis: To find new dangers and trends, the IC3 reviews and examines data that users submit via its website.
- Public Awareness: The website posts public service announcements, business alerts, and other publications outlining specific frauds. This helps make people aware of Internet crimes and how to stay protected.
- Referrals: The IC3 compiles relevant complaints to create referrals, which are sent to national, international, local, and state law enforcement agencies for possible investigation. If law enforcement conducts an investigation and finds evidence of a crime, the offender may face legal repercussions.
Alarming increase in cyber crime cases:
In the recently released 2022 Internet Crime Report by the FBI's Internet Crime Complaint Center (IC3), the statistics paint a concerning picture of cybercrime in the United States. FBI’s Internet Crime Complaint Center (IC3) received 39,416 cases of extortion in 2022. The number of cases in 2021 stood at 39,360.
FBI officials emphasize the growing scope and sophistication of cyber-enabled crimes, which come from around the world. They highlight the importance of reporting incidents to IC3 and stress the role of law enforcement and private-sector partnerships.
About Internet Crime Complaint Center IC3:
IC3 was established in May 2000 by the FBI to receive complaints related to internet crimes.
It has received over 7.3 million complaints since its inception, averaging around 651,800 complaints per year over the last five years. IC3's mission is to provide the public with a reliable reporting mechanism for suspected cyber-enabled criminal activity and to collaborate with law enforcement and industry partners.
The FBI encourages the public to regularly review consumer and industry alerts published by IC3. Victims of an internet crime are urged to submit a complaint to IC3, and a complaint can also be filed on behalf of another person. These statistics underscore the ever-evolving and expanding threat of cybercrime and the importance of vigilance and reporting to combat this growing challenge.
What is sextortion?
Sextortion is the use or threatened use of a sexual image or video of another person without that person’s consent, derived from online encounters or social media websites or applications, primarily to extort money from that person or to demand sexual favours, accompanied by a warning that the picture or video will be distributed to that person’s friends, acquaintances, spouse, partner, or co-workers, or in the public domain.
Sextortion is an online crime in which a bad actor coerces a young person into creating or sharing a sexual image or video of themselves and then uses it to get something from that young person, such as other sexual images, money, or even sexual favours. Reports highlight that more and more kids are being blackmailed in this way. Sextortion can also happen to adults. It can also take place when pictures are taken from a social media account and converted into sexually explicit content by morphing the images or by misusing deepfake technologies.
Sextortion in the age of AI and advanced technologies:
AI and deep fake technology make sextortion even more dangerous and pernicious. A perpetrator can now produce a high-quality deep fake that convincingly shows a victim engaged in explicit acts — even if the person has not done any such thing.
Legal Measures available in cases of sextortion:
In India, cybersecurity is governed primarily by the Indian Penal Code (IPC) and the Information Technology Act, 2000 (IT Act). These laws address cyber crimes such as hacking, identity theft, the publication of obscene material online, sextortion and other cyber crimes. The IT Act covers various aspects of electronic governance and e-commerce, with provisions defining such offences and prescribing punishment for them.
Recently, the Digital Personal Data Protection Act, 2023 has been enacted by the Indian Government to protect the digital personal data of individuals. These laws collectively establish the legal framework for cybersecurity and cybercrime prevention in India. Victims are urged to report the crime to local law enforcement and its cybercrime divisions. Law enforcement will investigate sextortion case reports and will undertake appropriate legal action.
How to stay protected from evolving cases of sextortion: Best Practices:
- Report the crime to a law enforcement agency and the social media platform or Internet service provider.
- Enable two-step verification as an extra layer of protection.
- Keep your laptop webcam covered when not in use.
- Stay protected from malware and phishing attacks.
- Protect your personal information on your social media account, and also monitor your social media accounts in order to identify any suspicious activity. You can also set and review privacy settings of your social media accounts.
Conclusion:
Sextortion cases have increased in recent times. Knowing the risk, being aware of rules and regulations, and following best practices will help in preventing such crime, help you to stay safe and reduce the chance of being victimized. It is important to spread awareness about such growing cyber crimes and to empower people to report them, and it is also significant to provide support to victims. Let’s all unite in order to fight against such cyber crimes and to make the internet and digital space a safer place.
References:
- https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3ElderFraudReport.pdf
- https://octillolaw.com/insights/fbi-ic3-releases-2022-internet-crime-report/
- https://www.iafci.org/app_themes/docs/Federal%20Agency/2022_IC3Report.pdf