Wake Up to ID Theft!

Indian politicians are yet to wake up to the threat posed by identity theft. Despite amendments to the IT Act 2000 last year, there are still not enough provisions in Indian laws that require commercial organizations to comply with measures to protect identifying information of individuals and consumers. This article focuses on the dangers that businesses and individuals face in the absence of such laws and the urgent need for enactment of such laws.

The only welcome aspect of the 2006 amendments to the IT Act 2000 is the introduction of a new section, namely, Section 43A which requires businesses to implement and maintain reasonable security practices and procedures with regard to sensitive personal data or information. To enable informed discussion we quote this section in full here:

bq. 43A. Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.

As far back as March, 2002 noted corporate lawyer Saurabh Awasthi in an article styled “India: Privacy Laws in India – Big Brother’s Watching You – (and you can´t do a thing about it!)”:http://mondaq.com/article.asp?articleid=15723 and originally published in the Harvard Law Review made out a very strong case for the need for adequate privacy protection laws in India. In the article it was pointed out that any privacy protection legislation should address six different issues.

The 2006 amendment to the IT Act 2000 has addressed only one of these issues. Consequently despite the amendment, the existing Indian laws with regard to privacy protection remain highly inadequate.

The five issues that Awasthi had pointed out were:

* *Limited Purpose:* The particular purpose for gathering information by an organization must be specified at or before the time the information is collected.
* *Safeguards:* In the case of insurance companies or other customer service-related or data processing companies, the gathering and collation of personal information on individuals would need to be conserved and secured by a regulated data security system.
* *Accountability:* Corporates would need to establish a system whereby all information disclosure systems are duly audited/accounted and monitored, keeping in view the rationale/occasion for every disclosure made
* *Prior Consent:* Corporates could include express clauses in their agreements, which include an express authorization from the individual allowing the companies to use/disclose personal information for it’s own internal purposes or that of it’s affiliates or group companies.
* *Limits to Use, Disclosure and Retention:* Any information sharing with other members of the insurance industry or with other corporate entities should be made only after seeking an express authorization from the customer.
* *Information-Sharing:* The confidentiality and sensitivity of such information makes it necessary for corporates to avoid any data sharing arrangement or customer information disclosure agreements without the prior consent of the individuals.

The 2006 amendments have addressed only the second issue, namely, safeguards. While this may be “enough to earn the appreciation”:http://www.mondaq.com/article.asp?articleid=39770 of commentators for the time being and may assuage the concerns of overseas business process outsourcing clients, mainly from the US and the UK, privacy protection laws remain thoroughly inadequate.

The major reason behind this apathy towards enacting adequate privacy protection laws seems to be ignorance on the part of Indian law makers regarding the threat posed by identity theft. This claim is based on the fact that no Indian politician starting from the Indian Prime Minister Manmohan Singh himself have till date made any statement regarding the threat posed by identity theft to not only individuals but to corporates and businesses in general.

If the phrase “identity theft” has found a mention in any of the statements of top Indian politicians it has only been in passing and the only cyber crimes that these politicians can think of is with regard to crimes related to pornography or other “lascivious” material that may “deprave” or “corrupt” the Platonic citizens of the second most populated country in the world who in the mind of these censorial politicians get depraved and corrupted when exposed to adult material.

As for data protection, the only crimes that they can think of is old fashioned stealing of data online or through external storage devices. That sensitive personal identifying data being increasingly stored in the databases of mushrooming service industry entities could fall into the hands of criminal elements despite the implementation and maintenance of “reasonable security practices and procedures” on the part of these entities simply because of lax and inadequate laws and regulatory mechanisms seems to have completely escaped the attention of Indian law makers. Quite unfortunately, even some Indian legal eagles seem to be ignorant of the threat of identity theft. An article by learned counsel Praveen Dalal styled “Data Protection Law in India: A Constitutional Perspective”:http://ipmall.info/hosted_resources/gin/PDalal_DATA-PROTECTION-LAW-IN-INDIA.pdf is an excellent example of this insensitivity towards and ignorance of the threat posed by identity theft.

A few facts regarding identity theft, however, should highlight the danger that this crime poses:

* It is the fastest growing crime in the US and possibly across the world which would be confirmed if facts across the world are collated
* According to expert estimates identity theft was projected to be a “$2 trillion industry in 2005”:http://www.aberdeen.com/summary/report/perspective/05030013.asp and would be a much bigger enterprise by now
* Growth of losses has been projected at a rate of 300% per year
* The total losses arising from ID theft fraud in the US alone “was about $50 billion in 2007”:http://www.privacyrights.org/ar/idtheftsurveys.htm#Jav2007 down from about $56 billion in the previous year
* More comprehensive estimates of “worldwide losses put this figure as high as $221 billion”:http://www.aberdeen.com/summary/report/perspective/05030013.asp as far back as 2003. By now the figure must have risen substantially.
* Of this loss figure businesses and financial institutions bore over 90% of these losses.

These figures are only illustrative and go to show the possible magnitude of the problem. Experts believe deeper scrutiny is likely to provide an even more alarming situation.

It is in this context that experts are claiming that individuals and businesses can afford to ignore the threat posed by identity theft only at their own peril. It is high time that not only individuals and businesses wake up to this threat but politicians as well. The sooner we have a more comprehensive legislation to protect privacy the better. There is little doubt about that!