ARE INDIAN COMPANIES GIVING DUE IMPORTANCE TO DATA PRIVACY AND SECURITY?
Written by Ramnath Iyer
All of us know the potential dangers of data leaks, and a few of us have already suffered the consequences. As per CSO Online, in the last few months alone, we have seen 4 major data leaks, to name a few:
- Trading platform Upstox resets passwords after breach
- Police exam database with information on 500,000 candidates goes up for sale
- COVID-19 test results of ~1500 Indian patients leaked online
- Big Basket 20mn user accounts data for sale online

The increasing sophistication of attacks and the higher number of zero-day vulnerabilities require companies to constantly update their policies and practices. The paper evaluates the adequacy of institutional frameworks to protect data security and privacy.
INSIGHTS BY SECTORS
Data leaks could have serious consequences. They always result in numerous losses, including intellectual property (IP), financial and, most importantly, reputational losses. Data loss almost always impacts the stock price and erodes investor wealth.
Our study shows alarmingly low adoption of both data privacy and data security strategies in the Health Care and Hospitality industries. Given the quantum of personal information stored by companies in these sectors, the absence of a cogent strategy can portend disaster. The Hospitality sector is particularly surprising, as these companies also have to comply with GDPR norms.
IS THERE ADEQUATE TRAINING?
The situation looks bleaker when we see that less than 20% of the companies in Hospitality and Healthcare provide data privacy and security training to employees.
Employees are the first line of defense against data loss. Absence of employee awareness can itself defeat all other defenses.
POOR DEFENSES INCREASE VULNERABILITY
The adoption of independent data security audits is poor across sectors.
It is alarming to see less than 13% of the companies in the financial sector go through systematic security audits. Hospitality sector numbers are even more concerning at 8%.
TOTAL NUMBER OF COMPANIES REPORTING A DATA BREACH
Only 6 companies reported their data breaches in their annual disclosures.
Our cursory study shows that 09 companies were actually impacted, but their annual disclosures do not mention either the impact or the remediation to prevent future breaches.
PSU VS PRIVATE DEBATE
To evaluate if either the private or public sector is better in data security, we analysed both individually.
It's natural to assume private banks might be faster and better in instituting controls, but the data puts the debate to rest. Our evaluation shows public sector banks are equally proactive in creating the appropriate institutional framework. Employee training and data security audits, however, remain a concern with both public and private enterprises.
Companies need to be proactive and improve their controls. Treating data security and privacy as a one-time effort will lead to irreparable loss.
Investors need to highlight this in every forum, and we may need higher levels of regulation on data privacy and security practices.