Credit card storage rules and 72-hour breach notification deadline due to come into play next year
Authorities in India are set to clamp down on data breaches and tighten rules for holding sensitive data, according to local media reports.
Organizations will be forced to disclose data breaches within 72 hours, bringing India in line with territories such as the EU, which mandates breach disclosures under its General Data Protection Regulation (GDPR).
And Indian firms will no longer be able to store payment card information, with only card issuers and card networks – such as Visa or Mastercard – permitted to do so.
Payment card data
The Reserve Bank of India (RBI) is adding new restrictions on who can hold payment card data, starting from January 1, 2022. Under the new rules, only the card issuer and card network can hold full card details.
Others, including retailers, can only hold limited data for identification or “reconciliation purposes”. These data include the last four digits of the card number and the card issuer’s name. Any organization other than the card issuer or network that holds full card data needs to purge it.
The new rules follow moves over the last few years to permit card networks to allow tokenization services for payment card details.
Data breach disclosure
Organizations in India will be forced to disclose any data breach within 72 hours, with potential jail terms or fines being introduced for those who intentionally disclose personal data without the consent of the data processor.
Firms will need to report any leaks and take “appropriate remedial measures” to protect their customers following a breach.
The proposal comes as the Personal Data Protection (PDP) Bill, first proposed in December 2019, is being considered by a joint committee of the Indian parliament’s lower and upper chambers, the Lok Sabha and Rajya Sabha respectively.
According to local media reports, lawmakers expect India’s Data Protection Authority to start work on implementing the proposals within six months, and organizations handling data will need to register within nine months. The full bill is expected to be implemented in the next two years.
Penalties for breaches include jail terms of up to three years or fines of up to 200,000 rupees ($2,678) for anyone who intentionally discloses personal data without permission.
If an organization acting as a ‘data fiduciary’, or data controller, fails to disclose a breach, fails to register with the DPA, fails to conduct the required audits or fails to appoint a data protection officer, it faces a fine of up to 2% of worldwide turnover, or 50 million rupees (around $669,308).
The Joint Parliamentary Committee has also recommended that social media companies be treated as content publishers under the DPA, unless they “act as intermediaries”. This means social media firms will be held accountable for content from unverified accounts on their services.
The new regulations are being welcomed by cybersecurity experts in the subcontinent, for bringing data privacy and security in India in line with international norms.
“India is developing its approach to security to match or exceed other countries around the world and provide the right base for developing the country’s economy over time,” Deepak Naik, a Mumbai-based vice president at cybersecurity firm Qualys, told The Daily Swig.
“By getting the right standards in place and enshrined in regulation, it will make it easier for companies to know what security they have to put in place to conduct their operations. This will also support the development of digital businesses in India as trustworthy, secure companies that consumers can trust.
“Looking at the PDP bill in particular, this will ensure that India has a standard set of rules and regulations with regards to data protection and governance, similar to those that were created for developed markets like the United States and the European Union.”