At a glance.
- Recent developments in Indian cybersecurity policy.
- SEC delays changes to incident reporting rules.
- Private right of action and data privacy.
Recent developments in Indian cybersecurity policy.
Last week the Indian Computer Emergency Response Team (CERT-In) issued a slate of information security guidelines for government ministries, departments, secretariats, and offices. Shri Rajeev Chandrasekhar, Minister of State for Electronics & Information Technology & Skill Development and Entrepreneurship, stated, “The Government has taken several initiatives to ensure safe & trusted and secure cyberspace. We are expanding and accelerating on Cyber Security – with focus on capabilities, system, human resources and awareness.” India Education explains that the document is intended to serve not only as a security strategy for the covered government entities, but also as an assessment guide for internal and external auditors. Topics addressed include identity and access management, third-party outsourcing, incident management, and security auditing.
Also last week, India's Ministry of Consumer Affairs submitted a letter to digital commerce companies urging them to refrain from using dark patterns to coerce consumers into making purchases, ETCIO.com reports. Dark patterns, defined as using design and choice architecture to convince consumers to make choices that go against their best interests, include practices such as creating false urgency, sneaking items into the shopping cart, and subscription traps. “Engaging in such deceptive and manipulative conduct by using dark patterns in online interfaces unfairly exploits consumers' interest and constitutes ‘unfair trade practices’ under the Consumer Protection Act (2019),” the letter states. The letter is aimed at e-commerce companies like Amazon, Flipkart, Nykaa, and BigBasket, and Rohit Kumar Singh, secretary of the department of consumer affairs, said the ministry is also planning to write official guidelines for impeding dark pattern practices.
And yesterday India’s Parliamentary Standing Committee for Finance announced it has plans to meet with senior officials in the banking sector to discuss “Cyber security and the increasing occurrence of cyber/white collar crimes.” The banking representatives will be asked to present measures to defend against cyber threats, and attendees will include Punjab National Bank, Bank of India, and Yes Bank, as well as representatives from CERT-In. Livemint adds that representatives from Paytm, Flipkart, Google, and Apple have also been asked to present at the meeting.
SEC delays changes to incident reporting rules.
The US Securities and Exchange Commission (SEC) announced it will be delaying the finalization of proposed changes to its cyberincident disclosure rules. Originally scheduled to be completed by April 2023, the changes will not be complete until this October, Gibson Dunn explains. When the changes were first mooted in March 2022, SEC chair Gary Gensler stated, “Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cyber security is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.” The proposed changes include a four-day disclosure period for “material” incidents, board governance requirements, and increased transparency about the expertise of board members. CyberSecurity Connect asserts that one possible reason for the delay could be the Federal Bureau of Investigation’s concerns over how the four-day disclosure window could impact active cyberincident investigations.
Private right of action and data privacy.
A biometric data privacy law in the US state of Illinois has privacy advocates and Big Tech debating over potential federal applications, the Record reports. Passed in 2008, the Biometric Information Privacy Act (BIPA) requires companies that collect a resident’s biometric identifier to inform the individual and obtain their written consent. What makes this measure stand out is that it allows for companies found in violation to be individually sued by private citizens. Tech giants fought against the federal American Data Privacy and Protection Act (ADPPA) last year partly because the measure’s inclusion of a limited private right of action could encourage, in tech industry group NetChoice’s words, “abusive litigation.” On the other hand, privacy experts say a private right of action is an essential enforcement mechanism, giving private citizens more power when state and federal agencies lack the bandwidth to pursue cases at the government level. Despite overwhelming bipartisan support in the House Energy and Commerce Committee, the ADPPA didn’t advance last year, and Committee Chair Cathy McMorris Rodgers, a Republican out of Washington, is attempting to redraft the bill by scaling back the private right of action. A source stated via email, “The Chair is apparently working through the provisions that are most controversial — preemption, private right of action — with the design of making them more business friendly, which probably means it will be DOA with the Dems.”