CyberSecurity SEE

Recent updates in Indian cybersecurity policy and postponement of incident reporting rule changes by SEC. Examining private right of action and data privacy.

Recent developments in Indian cybersecurity policy have highlighted the government’s efforts to ensure a safe and secure cyberspace. The Indian Computer Emergency Response Team (CERT-In) recently issued information security guidelines for government entities, providing them with a comprehensive security strategy and an assessment guide for auditors. These guidelines cover various topics such as identity and access management, outsourcing, incident management, and security auditing.

Shri Rajeev Chandrasekhar, Minister of State for Electronics & Information Technology & Skill Development and Entrepreneurship, emphasized the government’s commitment to expanding and accelerating cybersecurity capabilities, systems, human resources, and awareness. This step aims to enhance the overall cybersecurity posture of government organizations and strengthen the country’s cyber defenses.

In another move, the Ministry of Consumer Affairs addressed digital commerce companies, urging them to refrain from using dark patterns to manipulate consumers. Dark patterns are deceptive design techniques that coerce consumers into making choices that may not be in their best interests. Practices such as creating false urgency and sneaking items into the shopping cart can mislead and exploit consumers.

The ministry emphasized that engaging in such deceptive and manipulative conduct through dark patterns is considered an unfair trade practice under the Consumer Protection Act (2019). E-commerce giants like Amazon, Flipkart, Nykaa, and BigBasket were specifically called out in the ministry’s letter. To curb these unethical practices, the ministry plans to develop official guidelines to counter dark patterns and protect consumers from unfair trade practices.

Furthermore, India’s Parliamentary Standing Committee for Finance has expressed concerns about the increasing occurrence of cyber and white-collar crimes in the banking sector. The committee has summoned senior officials from various banks, including Punjab National Bank, Bank of India, and Yes Bank, to discuss cybersecurity measures to defend against cyber threats. Notably, representatives from CERT-In will also be present at the meeting, highlighting the collaborative efforts between the government and financial institutions to enhance cybersecurity resilience.

Additionally, representatives from prominent technology and e-commerce companies such as Apple, Google, Paytm, and Flipkart have been invited to share their insights and strategies for addressing rising cyber threats. This collaborative approach aims to leverage the expertise and resources of both the public and private sectors to tackle cybersecurity challenges effectively.

In the United States, the Securities and Exchange Commission (SEC) has faced delays in finalizing proposed changes to its cyber incident disclosure rules. The new rules, which were initially scheduled to be completed by April 2023, will now be finalized in October. The SEC’s proposed changes include a four-day disclosure period for material cyber incidents, enhanced board governance requirements, and increased transparency regarding board members’ cybersecurity expertise.

The delay in finalizing these rules may be linked to concerns raised by the Federal Bureau of Investigation (FBI) regarding their potential impact on ongoing cyber incident investigations. Nevertheless, the SEC remains committed to prioritizing the adoption of cybersecurity rules to address the evolving risks faced by public companies, investment advisors, and funds.

Turning to the state level in the US, a biometric data privacy law in Illinois is generating discussions about its potential federal applications. The Biometric Information Privacy Act (BIPA), enacted in 2008, mandates that companies inform individuals and obtain their written consent before collecting their biometric identifiers. Notably, BIPA allows private citizens to individually sue companies found in violation of the law.

This aspect of BIPA has sparked debates between privacy advocates and Big Tech companies. While tech giants have expressed concerns about the potential for abusive litigation resulting from a private right of action, privacy experts argue that it is an essential enforcement mechanism. Allowing private citizens to sue provides individuals with greater power when government agencies lack the resources to pursue cases effectively.

Despite support for federal privacy legislation, such as the American Data Privacy and Protection Act (ADPPA), progress has been slow. Last year, the ADPPA faced opposition, partly due to the inclusion of a limited private right of action. Efforts are now underway to redraft the bill, with a focus on scaling back the private right of action to make it more business-friendly. However, these changes may face challenges in a politically divided landscape.

In conclusion, recent developments in cybersecurity policies in India and the US highlight the ongoing efforts to enhance cybersecurity measures, protect consumer interests, and address emerging cyber threats. The collaboration between government entities, private companies, and financial institutions demonstrates a multi-stakeholder approach to tackle the complex challenges of cybersecurity. Meanwhile, debates surrounding biometric data privacy laws and federal privacy legislation reflect the ongoing discussions between privacy advocates and the business community on striking a balance between consumer protection and business interests.
