India, set to become a trillion-dollar digital economy by 2026, faces significant data security needs and challenges. With over a billion people, digitization and burgeoning internet usage, India must protect its citizens’ data from vulnerabilities and breaches. However, despite a digitally-forward government and robust IT sector, the country lacks critical infrastructure, comprehensive data protection laws, and effective cybersecurity regulations. Consequently, India grapples with increased cyber threats, placing a spotlight on the urgent need for robust data security measures and the challenges in implementing them.  

Data security breach of CoWIN data

• Data security breach:There have been recent allegations surrounding a data security breach of CoWIN, the centralized digital platform used in India for COVID-19 vaccination registration. The claims suggest that unauthorized access to the personal data of millions of CoWIN registered users occurred, with this data then being reportedly displayed via a Telegram bot.  
• Sensitive information leaked:The leaked data is said to include sensitive information such as names, contact details, Aadhaar numbers, and the vaccination status of users. The situation has raised serious concerns about privacy and data protection in India, and highlights the need for robust cybersecurity measures.  
• Indian government response:The Indian government, and specifically the Ministry of Health and Family Welfare, have denied any data breach. They insist that their security measures for CoWIN are stringent and that no data has been compromised. Despite their assurances, this incident underscores the urgent need for more comprehensive data protection legislation in India.  

India needs to focus on Data Security

• Rapid digitization:India’s rapid digital transformation, especially in government services and the financial sector, necessitates a stronger focus on data security. India’s digital public infrastructure, known as India Stack, handles vast amounts of personal data that could be targeted by cybercriminals.  
• Large-scale data breaches:Over 80 million Indian users were reportedly affected by data breaches in 2021. These breaches can undermine user trust in digital systems, negatively impact the transition to digital services, and cause significant financial damage.  
• Increasing cybersecurity threats:India witnessed over 674,000 cybersecurity incidents in just the first half of 2022, as reported by CERT-In. This signals an escalating trend in cyber threats.  
• Poor ranking in “Global Cybersecurity Index”:India’s low ranking (17 out of 20) in the MIT Technology Review CyberDefense Index 2022/23 is indicative of its inadequate cybersecurity preparedness. The report cited a lack of critical infrastructure and weak cybersecurity regulation as key areas of concern.  
• Data protection legislation gap:Despite the Supreme Court’s ruling in 2017 that privacy is a fundamental right, comprehensive data protection legislation is still missing in India. This leaves the digital rights and privacy of users exposed.  
• Global tech presence:Most Indian citizens use foreign-owned social networking sites and mobile devices dominated by foreign manufacturers. This, coupled with the push towards data localization, adds layers of complexity to India’s data security landscape.  
• National security concerns:Governments need access to personal data for national security reasons, but without appropriate data security, this can lead to misuse or compromise of sensitive information.  

Data Security ensured in India

• Digital public infrastructure:India has established a digital public infrastructure (DPI), known as India Stack. This DPI ensures secure and privacy-respecting digital access to public and private services.  
• Computer Emergency Response Team (CERT-In):It is the national nodal agency that deals with cybersecurity threats in India. It responds to cybersecurity incidents and strengthens India’s response to cybersecurity threats.  
• Regulatory measures:Even though comprehensive data protection legislation is still pending, India relies on regulations within the Information Technology (IT) Act of 2000 and sector-specific regulations for data privacy and protection.  
• National cybersecurity policy:India has a national cybersecurity policy that provides a framework for securing cyberspace in the country. It aims to create a cyber-secure environment that allows the robust growth of the IT and digital sectors.  
• Public-private partnerships:India works with private sector companies to enhance cybersecurity capabilities. The government has established institutions to ensure the continuity of India Stack’s operations, acting as a catalyst in developing India’s cybersecurity ecosystem.  
• Data localisation:Some drafts of data protection bills have proposed stringent data localisation provisions, requiring data fiduciaries to store a copy of personal data collected in India. This could help enhance control over data and its security.  

Global nations are ensuring Data Security

• Data protection regulations:Many nations have established comprehensive data protection laws. For example, the European Union implemented the General Data Protection Regulation (GDPR), which offers stringent guidelines for the collection, storage, and use of personal data. In the United States, individual states like California have rolled out their own privacy laws such as the California Consumer Privacy Act (CCPA).  
• National cybersecurity strategies:Countries like the United States, the United Kingdom, Australia, and Canada have outlined national cybersecurity strategies. These documents detail government approaches to managing cyber threats, protecting critical infrastructure, and ensuring the security of digital services.  
• Establishing cybersecurity agencies:Specific agencies handle cybersecurity in various countries. For example, the United States has the Cybersecurity and Infrastructure Security Agency (CISA), while the United Kingdom operates the National Cyber Security Centre (NCSC).  
• International cooperation:The European Union, through its cybersecurity agency ENISA, promotes cooperation between member states in the cybersecurity field. Similarly, the “Five Eyes” alliance – comprising the United States, United Kingdom, Canada, Australia, and New Zealand – regularly share intelligence, including cybersecurity threats.  
• Incident response teams:Many nations, including India with its Computer Emergency Response Team (CERT-In), and South Korea with its Korea Internet Security Agency (KISA), have teams dedicated to handling cybersecurity incidents.  
• Regulation of cybersecurity products and services:Governments are also putting stricter regulations on the cybersecurity products and services used in their countries. This includes setting minimum security standards and certifying products for their security.  

Challenges in ensuring Data Security in India

• Infrastructure and regulation deficiency:The MIT Technology Review Cyber Defense Index indicates India has a significant deficit in critical infrastructure, weak cybersecurity regulation, and limited national digital economy adoption, despite having a digital-forward government and one of the world’s largest IT-enabled service sectors.  
• Lack of national cybersecurity law and dedicated ministry:Despite the rising number of cyberattacks and the urgent calls for stronger cybersecurity measures, India currently lacks a comprehensive national cybersecurity law and a ministry dedicated to cybersecurity.  
• Inadequate data protection law:India’s Personal Data Protection Bill of 2019 was withdrawn due to severe criticism over its potential to infringe upon personal data privacy. The country’s data protection remains under the IT Act of 2000, which only provides for punishment in cases of negligent data handling. This approach is insufficient for the modern digital era, with its complexities and new types of threats.  
• Resource constraints and firefighting:Often, resources dedicated to cybersecurity are insufficient, leading to a constant firefighting mode, leaving little time for learning, strategizing, or improving defenses.  
• Reliance on foreign infrastructure: Most Indian internet users rely on foreign-owned social networking sites and hardware, creating unique national security challenges. This reliance could expose the country to additional cyber threats and data breaches.

Ensuring Data Security in India

• Establish strong legal frameworks:As in the European Union’s GDPR model, India needs comprehensive legal frameworks to protect personal data and prevent breaches.  
• Cybersecurity Ministry and laws: Like Australia, India could establish a dedicated Cybersecurity Ministry to oversee and respond to cybersecurity threats. Similarly, robust national cybersecurity laws would strengthen India’s ability to respond to cyber threats.  
• Invest in infrastructure:There’s a need to build robust digital infrastructure similar to the Netherlands, which is a nerve center for pan-European cybersecurity.  
• Upskill and cross-skill:To meet evolving threats, India needs to invest in skills development in emerging tech cybersecurity domains. Experts could be trained in adaptive security, cloud security posture management (CSPM), Zero Trust Architecture (ZTA), and quantum cryptography, among other areas.  
• Public-private partnerships:In line with global best practices, fostering partnerships between government, industry, and academia can help to develop innovative solutions to cybersecurity challenges.  
• Adopt zero trust models:As recommended by global cybersecurity experts, adopting a Zero Trust Architecture (ZTA) approach, which assumes that no users or devices are trustworthy by default, regardless of their location or network, can help bolster security.  
• Awareness and training:There should be continuous efforts to increase awareness and training among internet users about data privacy and the steps they can take to protect their own data.  
• Regular cybersecurity audits:Like many developed nations, India should implement regular and rigorous cybersecurity audits for both public and private entities to ensure that they’re adhering to the best practices in data security.