It’s been reported that cloud kitchen platform Freshmenu has come under severe attack over allegations that it chose to keep under wraps a data breach two years ago that exposed the personal information of over 110,000 users. The incident from July 2016 was brought to light this week by data breach-tracker HaveIBeenPwned.com. As per HIBP, a breach in the systems of Freshmenu exposed personal data including names, email addresses, phone numbers, home addresses, and order histories.
Commenting on this, Tim Mackey, senior technical evanglist at Synopsys, said “With India’s Freshmenu withholding disclosure of a data breach for over two years, we’re reminded why the EU enacted GDPR and why India is in the process of enacting its own personal information law – currently known in draft form as Personal Data Protection Bill 2018. Customers place their trust in organisations for a variety of reasons, but given modern business involves the collection and processing of personal data, all organisations have a responsibility to safeguard their customer data. Part of the data safeguard process involves ensuring users are aware of when an event which compromises their data has occurred.
Historically, organisations experiencing data breaches attempted to protect their brand reputation by failing to disclose any breach. In doing so, these organisations permitted successful malicious activity to continue because other organisations were effectively prevented from learning the techniques used by successful attacks. Lack of disclosure further prevented their users from being an active participant in protecting their personal data from future attacks.
With GDPR, as described in Article 33(1), a 72 hour window was defined wherein the breached organisation is required to notify the appropriate regulatory body. The current draft of India’s Data Protection Bill lacks such a window, preferring instead for disclosures to the Data Protection Authority of India to occur when, as described in section 32(1), the breached organisation determines “such breach is likely to cause harm to any data principal”. Put another way, upon identifying that a breach has occurred, it is the breached entity’s responsibility to determine whether harm to a user or customer could occur and only then would disclosure to regulators be required.
Such requirements are in direct conflict with the stated purpose of the Bill “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy”. It is my hope that India’s regulators will reconcile this disconnect and mandate disclosures to the Data Protection Authority upon any data breach. Doing so would both increase customer and user confidence, but also improve overall data security through sharing of learned experiences.”