CoWIN data breach a national emergency: Cyber law expert Pavan Duggal
Calling for an immediate criminal investigation into the alleged leak of data of users registered with CoWIN, the Covid-19 vaccination platform, Supreme Court advocate and cyber law expert Pavan Duggal said action has to be taken to create deterrence against such incidents. Here are excerpts from a telephonic interview with Sourabh Lele:
Personal and sensitive details of those who took Covid vaccines were being leaked by a Telegram bot. What legal action does this attract?
The bot is ultimately managed by someone else. The minimum action that is required is a criminal investigation. CERT-IN doesn’t have penal investigation powers. It is at best a cybersecurity nodal agency.
Even if you invoke provisions under the IT Act, 2000, it is only a bailable offence. Section 66 (of the IT Act) will be attracted in this case, but it’s a minor offence. There is no deterrent impact, while you are exposing lakhs of Indians’ data and exposing it for a lifetime. Therefore, this needs to be taken more seriously.
What could be the possible implications of a data breach in a platform that stores sensitive information like health data?
What has been leaked is phenomenally humongous in its impact. The leaked elements can become ammunition in the hands of criminals. We have a unique situation where there is a policy vacuum in the country. India doesn’t have a dedicated law on data protection and privacy, nor a dedicated law on cybersecurity.
The onus has to be on the government to investigate. The approaches in terms of response mechanism need to be more proactive and there is no harm in acknowledging that any breach has taken place. An incident like this coming immediately on the heels of the AIIMS ransomware attack tells us that we need to go the extra mile to secure the health data of Indians.
Do you think the breach could have any legal consequences against Telegram?
Telegram as an intermediary has failed to exercise due diligence to prevent this kind of unauthorised leakage. It cannot wash its hands away. But we must have a political will to go forward in this matter. The problem is we are always in a denial mode that we have the most secure system, without realising that absolute security does not exist.
In a scenario like this, rather than covering it up, it’s important we take this as a national priority and investigate it. We must take this as a wake-up call. If such a big leak has happened, people whose data has been compromised can become potential victims of a variety of cybercrimes individually.
The bot that leaked information has been disabled. Will it put an end to the debate?
The chatbot has been disabled, but the said data is continuing to be on Telegram. The government needs to investigate the platform as to how this data came on it and what steps it took to prevent its misuse. Because under the IT Rules 2021, as amended, the intermediaries are bound to make sure that they take appropriate steps to prevent the users from doing an activity that violates the law.
It needs to be understood that this is not a normal hacking matter. This is the matter that impacts the security, sovereignty and even integrity of India. Therefore, this is a national emergency. All stakeholders need to immediately cooperate with the government and let appropriate responsibility be fixed.