Star Health Faces Regulatory Scrutiny Over Alleged Data Breach Of Customers’ Policies
Experts suggest legal ramifications and recourse
India’s biggest insurer, Star Health Insurance, is under scrutiny after reports surfaced of a senior executive allegedly selling the personal data of over 31 million policyholders.
The incident has led legal experts to highlight the urgency of expediting the new Digital Personal Data Protection Act, 2023, which can impose heavy fines and stringent penalties on companies that fail to secure data.
The Exchange has sought clarification from Star Health And Allied Insurance Co Ltd on the security chief’s involvement in the matter.
Commenting on the matter, Ankit Sahni, a partner at Ajay Sahni & Associates, said, “The recent data breach underscores the urgent need for the Indian government to expedite the notification of the DPDP Act. Without robust legal frameworks in place, consumers remain vulnerable to data exploitation.”
He added that, in formulating the upcoming rules, emphasis should be placed on mandating regular audits and assessments of businesses’ data security practices, aligned with global standards.
Similarly, Hersh Desai, Counsel, Supreme Court, stated that data fiduciaries are responsible for maintaining the accuracy of data, keeping it secure, and deleting it once its purpose has been met.
“As per the DPDP Act, such a breach can spell a death sentence for the data fiduciary, i.e. the company. The Act specifies that data fiduciaries must protect data in their possession by taking reasonable safeguards. The buck will stop with the company to whom the personal data was entrusted. Timely disclosure is equally important,” he stressed.
Under sub-section (5) of Section 8, the data fiduciary is obliged to protect personal data in its possession or under its control, including any processing undertaken by it or on its behalf by a data processor. It must ensure reasonable security safeguards to prevent a breach; failure to do so may invite a penalty of Rs.250 crore.
Ashutosh K. Srivastava, Counsel, SKV Law Offices, detailed that the website, created by a hacker identified as xenZen, claimed that a senior executive of Star Health allegedly sold the data.
He explained, “Section 66 of the Information Technology Act, 2000, prescribes a punishment of up to three years, or a fine of up to Rs.5,00,000, for ‘hacking with computer system’, while Section 66D penalizes ‘cheating using a computer resource’ with three years of imprisonment and a fine of Rs.1,00,000.”
Apart from the DPDP Act, the allegations can also invite prosecution under Section 43A of the IT Act, which deals with compensation in case of failure to protect data.
“Section 43A of the IT Act makes body corporates liable to pay damages to the affected parties for failure to protect data. Medical history records, a part of the data sets exposed in the breach, are considered sensitive personal data under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Accordingly, it requires compliance for cyber security under the IT Security Rules,” he added.
Srivastava said that the liability (if any) for the insurance company would be subject to its compliance with the IT Security Rules and sectoral data protection and record maintenance laws, including the Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015.
Nakul Batra, Partner, DSK Legal, was equally vocal: “The prosecution can also be sought under Section 72A of the IT Act, which deals with punishment for disclosure of information in breach of lawful contract. Section 72A provides remedies against the alleged employee for the breach of contractual obligations by knowingly disclosing personal data without consent, with a penalty of up to Rs.25 lakh.”
The upcoming DPDP Act also authorizes the Data Protection Authority (DPA) to take suo moto action to prosecute and penalize the data fiduciary for not implementing security safeguards to prevent breaches, with fines up to Rs.250 crore.
Kritika Seth, the founding partner of The Victoriam Legalis, stated that the DPDP Act contains stringent penalties. Failure to notify the Board of a breach could invite a penalty of up to Rs.200 crore; a breach of the special provisions regarding children invites a penalty of up to Rs.200 crore; a breach of the obligations of Significant Data Fiduciaries (SDF) invites a penalty of up to Rs.150 crore; non-compliance by data principals invites a penalty of up to Rs.10,000; and violations of other provisions invite a penalty of up to Rs.50 crore.
Therefore, the victims of the Star Health data breach have remedies available to protect their interests and personal information under the DPDP Act. One of the notable provisions of the Act is Section 8, which mandates that in the event of a personal data breach, the data fiduciary must notify the Board and each affected data principal of the breach in the prescribed manner, she explained.
However, Ankit Rajgarhia, the principal associate of Karanjawala & Co, clarified that until the DPDP rules are released for consultation and notified, the remedy might be sought in the existing legal provisions that offer protection against data breaches.
“Under Section 316 of Bhartiya Nyaya Sanhita, the prosecution can be initiated for the offence of criminal breach of trust, which occurs when someone dishonestly misappropriates or uses property entrusted to them, where individuals in fiduciary positions misuse their authority to commit fraud or misappropriate confidential information. Thus, senior executives guilty of breaches may face imprisonment of up to 10 years and heavy fines.”
Rajgarhia added that the impending Data Protection Bill is expected to introduce stricter penalties, bringing India more in line with global standards such as the European Union's GDPR, where fines can reach 4 percent of a company's global annual revenue.
Alay Razvi, the managing partner of Accord Juris, noted that there is no guarantee the data will not be misused; in fact, the breach has far-reaching consequences.
He highlighted, "When Star Health filed a lawsuit against a hacker who leaked the information of the policyholders, it showed the company did not take precautions to protect the data. Such breaches could erode consumer trust, especially in sectors like healthcare where sensitive information is involved. Organizations must communicate transparently with customers about their data protection efforts and breach responses.”
Saurav Agrawal, an advocate of the Supreme Court, stated that the remedy could be understood from the comprehensive cybersecurity and data protection laws that provide protection and penalties under the IT Act and the DPDP Act. However, the provisions are yet to be enforced, and they also need updating for evolving situations.
Subhash Bhutoria, the founder and principal of Law SB, suggested that customers could file a civil lawsuit for tortious claims and seek exemplary and punitive damages from the court. Since the company’s KMPs were involved in the breach, the customers could consider action against the company and the employees for theft, criminal breach of trust, and financial fraud.
Meanwhile, the rules for the DPDP Act are awaited. The Ministry of Electronics and Information Technology has assured a consultation period for the rules before officially notifying them. Until then, the existing data protection provisions will be significant for carrying out the investigation.