Mustafa Suleyman, in his book ‘The Coming Wave’, makes a compelling case for broad measures that the global community needs to urgently adopt to navigate the enormous creative as well as destructive powers of artificial intelligence (AI).
The Indian Computer Emergency Response Team (CERT-In) in its advisory dated May 9, 2023 has sounded a precautionary alarm against the possible adversarial threats that may arise from the use of AI language-based applications such as ChatGPT and Bard.
As per the ‘Cost of a Data Breach Report 2023’ released by IBM, the average cost of a data breach globally is pegged at US$4.45 million, while in India it is estimated to be US$2.18 million. The use of AI has made cyber-attacks easier to implement, scaled up their volume and increased their complexity.
As a result, businesses today find themselves at an unprecedented risk of losses occasioned by cyber-attacks. There is accordingly a strong need to safeguard against such losses through appropriate regulatory compliance, internal policies, and specialised clauses in contracts.
Here are some key regulatory areas where businesses can implement effective measures to protect themselves from the dangers of potential cyber-attacks.
Under Section 43A of the Information Technology Act 2000 (IT Act), a business handling ‘any sensitive personal data or information’ negligent in implementing and maintaining ‘reasonable security practices and procedures’ may be liable to pay compensation to an affected person.
As per rule 8 of the Information Technology Rules, 2011, ‘reasonable security practices and procedures’ are considered to have been complied with if the business has implemented security practices and standards commensurate with the information assets being protected and the nature of the business.
As per this rule, the ISO/IEC 27001 standard, which is a standard for information security management systems (ISMS), is recommended. Therefore, every business in India interacting with sensitive personal data must aim to implement a cost-effective ISMS through an ISO/IEC 27001 certification.
The obligation to ensure personal data protection and the liability to pay compensation in case of breach would stand replaced by the rules governing data protection to be issued under Section 8(5) of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the penalty imposed under Section 33(1) of the said Act, which is yet to be notified. However, there is currently no statute in India specifically providing for security standards in relation to non-personal data.
There are also certain sectoral obligations for data protection which must be adhered to by businesses. Some sector-specific requirements include those provided for banks under the Cyber Security Framework in Banks issued by the Reserve Bank of India; owners and regulators of Critical Information Infrastructure (CII) of the nation under the Guidelines for the Protection of National Critical Information Infrastructure; stock exchanges, clearing corporations and depositories (Market Infrastructure Institutions – MIIs) under the Guidelines for MIIs regarding Cyber security and Cyber resilience; and insurers under the IRDAI Information and Cyber Security Guidelines, 2023.
These also include the quarterly disclosure requirement in relation to cyber security incidents provided for listed entities under the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, as amended on June 14, 2023.
Use of AI by businesses involves data security and privacy concerns. Some of the risk mitigation techniques for organisations suggested by CERT-In include filtration and moderation techniques to prevent the dissemination of malicious content generated using AI-powered tools, frequent security audits and system assessments, and multi-factor authentication (MFA) to regulate employee interaction with AI-based tools. Businesses should consider formulating and implementing AI usage policies; sensitising employees on AI ethics and best practices; and ensuring regular monitoring and auditing of AI usage for timely identification and rectification of potential threats.
Businesses need to ensure that their contracts with custodians of their data, as well as with their clients, in relation to data protection have well-tailored clauses on disclosure, insurance and indemnity. Lack of adequate cyber protections by data custodians could result in huge liability for businesses in case of data breaches, which must be adequately insured and indemnified against.
The self-learning nature of AI translates into an ever-mutating and evolving threat of cyber-attacks. It is accordingly critical for businesses to review, adapt and upgrade their data protection measures to align them with the prevailing security standards. The coming AI wave is here, and it would be advisable for businesses to be prepared for it.
This article was originally published in CNBC TV18 on 6 November 2023. Co-written by: Alina Arora, Partner; Lakshya Gupta, Senior Associate.
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and do not necessarily reflect the views of the firm.