White paper on Breach Notification Law

I. Introduction:

Data can be defined as sensitive or non-sensitive information of any individual, institution or

organization which is stored, processed and accessed by any covered entity. Customer data, confidential
business information, government records and financial information has always been subjected to a risk
of data breach. The probability of cyber threat risk to data is now much higher than ever before
.According to Verizon there are 53,308 security incidents including 2,216 data breaches in 65 countries
and about 76% of breaches were financially motivated in 2018. Organizations find it harder to protect
their own confidential data. As data Breach has become more common in small and big organization,
there are still less understood reasons for data breach and what could be preventive measures to prevent
a breach.

In the current research paper the researchers examines:

 Need for breach notification law

 Current state of breach notification laws in India
 Comparison of similar laws by USA states and other countries
 Breach notification law components
 Compliance requirements for this law for governance.

II. Literature Review

2.1 Need for Breach Notification:

According to breach level index study by digital security firm Gemalto around 3.24 million records
were stolen, lost or exposed in India in 2017 also it has increased by 783% over previous year which
led to disclose of 3.7 million records globally. Security issues like misconfigured databases, improper
disposal of data and human errors are main reasons for a breach. For hackers Internet of things (IoT)
became primary target as well as launching mega data attacks like the mirai botnet attack. From 451
total research it is found that 71% corporates managed to gather information from IoT elements, as
security measures remain a major trouble for Iot deployments. Similar security concerns also apply for
SaaS in which (45% globally) data is stored outside of firewall. According to Times of India around
52% of Indians reported data breach in year 2017 which is above global average of around 36%.
James cook, sales director for south East Asia said, if compared globally, security breach is higher in
India because Organization and Government is spending their budget in wrong places.

In India there were 29 major data breach incidents in 2017, most common type were identity theft and
accounting for 58% of all data breach incidents, second most prevalent breach was access to
Government data, where most targeted sectors were government (62%) and technology (37%).
 statistics of Breaches in India

21%
27%

17%
7%

Retails Education Healthcare Others

Figure 1. Statistics of Breaches in India.

Source: www.Businesstoday.in

If data gets breached and isn’t notified on time or in appropriate manner it can compromise risk to
people’s rights and freedom. Data can be physical, material and non-material and if safety of data is not
mitigated properly it may result in loss of confidential data and if a breach is notified to effected victims
it would help them to take further steps to protect from breach aftermath.

Further extending this topic to an Aadhar used by Indian citizen as an identity proof which is been
linked with bank account, Pan Card and mobile number. Aadhar card contains complete detail
information of an individual like biometric, mobile number, signature, photo if this data get breached it
would be a heavy loss for human kind. Most of the Breached data are often sold on dark web by identity
thieves to make a good money off name or any number associated of effected victims.

Here are most common types of information being sold on Dark web:

Table 1. Information of data sold on Dark Web

Social security number $1

Debit or Credit card number $5-$110
With CVV number $5
Personal information (name, DOB) $30
Online payment information $20-$200
Loyalty account $20
Driver license $20
Medical reports $1 - $1000
 Passport information $1000 - $2000

The above facts emphasis the need of breach notification in India.

2.2 Current state of Breach Notification laws in India

Neither the IT rules nor IT act 2000 contains definition for term “data breach”
The Information technology act 2000 known as IT act was introduced in Indian Parliament on 17
October 2000 based on United Nations of Electronic commerce 1996. IT act 2000 is enacted to Data
carried out by means of Electronic exchange of data and other means.

If we compare IT act 2000 with GDPR, both act provides a provision to impose fines. Under IT act
sector 72A there is fine up to 5 lack rupees and 3 year imprisonment if proved that disclosure was with
intention to cause loss to the victim whereas under GDPR article 83 allows fines up to 10,000 000 EUR
or fine up to total 2% turnover of organisation. IT act imposes criminal liability whereas GDPR imposes
only civil liability.

Information Technology Act 2000 and Rules thereunder, i.e. Rule 8 of Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information, provides that in case of an information
security breach, the body corporate shall be able to demonstrate that it has implemented security control
measures as per their documented information security programme and information security policies.
If personal data is a Fundamental Right of the Indian citizen, then, citizens should have a right to know
if such personal data has been subject to a data breach also according to GDPR if an Indian company is
processing data of an EU resident, then GDPR compliances become mandatory. In other cases, Indian
companies can adopt best practices such as having detailed policies covering above aspects, periodical
audit and availability of audit report to be shared to an external party, maintaining a log of what, how,
who, why, where, data is processed.

In IT Act 2000 mentions the law related to data protection & privacy, there is a law under section 71,
72 where they state about the breach.

Under section 71 if a person who makes any misrepresentation to crush or destroy any material from
the controllable data or the certifying authority for gaining access to any license or electronic signature
certificate, in this case, must be punished with custody or may extend to two years

Section 72 under penalty for breach of confidentiality and privacy, if any person performs any of the
unauthorized access to any electronic record, book register, correspondence ,information ,document
shall be punished under this act with the custody of the two years, or with fine which may be one lakh
rupees or both. There are many missing components in Government policy and breach laws in IT act
2000 are not clearly defined.
III. Methodology

3.1 Assessment of International Data Breach Laws

In the current research, the researchers have analysed the breach notification laws of 50 states in USA,
Canada, China, Australia, European Union and United Kingdom (Refer Appendix A).

While comparing the data breach notification law of different state in USA the researchers have
identified that California is the first state where data breach notification law got introduced. Other states
in USA referred the law of California to create their own laws. All-states cover entities that include,
first name or first initial and last name, Social Security or tax ID number, driver's license, state-issued
ID card, passport, military ID, or other unique government-issued ID number account, credit or debit
card number, financial account, health insurance information, username or email address plus a
password or security question etc. But New York is only state that define personal and private
information in different format. The method of sending breach notification information of some state is
common i.e. they send notification either in electronic form, written form or by email, whereas most
states send notification only in electronic form. For the consumer notification all the state refer the
California breach law, in that they explain when the breach should be informed to effected victims &
within how many hours to notify after a breach occurred. Alaska is the only state that allowed the
notification period of 45 days and other states are allowed to notify within 48 hours, they also mention
what type of content should be included in the notification. Third party notification of most states are
same. If the third party maintains the information of an entity then the party is responsible for sending
a notification within time to the customer and entity as well. The penalties for all the states are almost
the same, except Georgia, where they levy a fine of $100 & Florida up to $500,000. California is the
only state where they levy penalty for violation and health care data breach differently. On comparing
data breach laws of various countries, we found that almost all countries cover the same entities like
name, address, licence, identification number, phone number, bank detail etc. and they use electronic
and written form for notification. Most countries send notices within 72 hours. While the amount of
penalties for different countries vary.
IV. Framework for Data Protection Law for India.

Following are the components needed for data protection law.

4.1. Operational Definition of Data Breach

Data Breach Notification is defined as "Breach in security" which leads to unauthorized acquisition
or access of Data in Electronic medium or on paper which compromises the security, confidentiality
of personal information maintained by a person or agency, who is in course of business, owns or
Licenses Computerized data that includes personal information. And if breach is discovered, shall
notify Indian resident whose Personal Information was included in the breach.

a. "Unauthorized Acquisition" means access, use or disclosure of information which compromises

privacy and security of a person.

b. "Electronic medium" includes any data stored digitally or electronically on computer, in a secure
server, on secure drives or in a manner where access is restricted.

c. "Security" means protection of identity of a person.

d. “Confidentiality” means data which is not to be disclosed.

e. “Person” means a partnership, estate, company, Government and its subdivision, agency, corporation
or any individual.

f. “Notify” means notice:

1. Electronic notice

2. Telephonic notice.

3. Written notice.

g. “Personal Information” means information of a person’s like D.O.B, marital status, first name,
middle name, and last name or in combination with any Document identity linked with a person
includes:
1. Aadhar card number and Pan Card number.

2. Driving license number

3. Credit and Debit card number.

4. Bank passbook number.

5. Ration card issued by Government of India.

6. Birth Certificate issued by RBD

7. ATM card and voting card.

8. Passports.
4.2. “Covered Entity” includes the, government entity, proprietorship, corporates, estate, trust,
business entity, cooperative association, Banks (Government and private) and business that use or
access sensitive personal data.

a) “Proprietorship”-Is not a legal entity, here the person owns the business and is responsible
for its debts.
b) “Government entity”- It include the all the Department that comes under the Government
sector.
c) “Corporation”- Is a business entity that include a large company or group of companies
which act as single entity.
d) “Trust”- Is the term where individual allow third party or trust, to hold or access the assets
on benefited. Trust can be arrange in the many way.
e) “Estate”-The large area of a land in the country, which is own by a single individual or an
organization.
f) “Cooperative association”-Is independent association of a person’s unity where the meet
their common economic, social and cultural need and jointly-owned controlled
organization.
g) “Business Entity”-Is form by the administrator by Corporate law for the engage business
activity.

h) “Banks” –Bank are big financial institute where people or an organization deposited the
money and get credited or debited.

4.3. Good faith acquisition means sensitive information accessed by an employee or agent of covered
entity unless the information is used for any lawful investigation, intelligence agency activity, law
enforcement or any political division of India or information which is publically available on local
government record or widely distributed media is not considered as a breach.

4.4. Third-party agent is an entity who is been contracted by the covered entity to store, process and
maintain data, if a third party suffers any loss or breach, agent is liable to third party and he cannot
escape by claiming he is under authority. Third party agent should inform to third party agency,
individuals effected and well as covered entities if a breach occurs. Third-party agent should maintain
and implement security measures protecting sensitive personal information against breach.

V. Cross Border Components

5.1. Data Localization:

Data localization can be defined as data which is stored, processed and accessed within borders of same
country. In fact India will have over 2.3 million petabytes of data by 2020 than previous of 40,000
petabytes of data in 2010 which is double in speed on global rate. As data is new oil, there should be
localization of data of 1.3 billion Indians. world is at its edge for an another world war, data centers can
be shut down only if data centers are located within country also Indian court laws demand evidence
related to cybercrimes the department of Mutual legal assistance treaty (MLAT) which is an agreement
to exchange and gather information takes months and even years to get data to be presented at courtyard.
Some companies and law enforcement agencies in India are supporting data protection law for data
localization as it would give rise to business opportunities. Data localization equally has its own
disadvantages too as growing MNC companies in India and Indian companies in foreign countries
would be at loss because of restrictions on free trade and transactions. When judgment was passed for
the safeguarding of data by Supreme Court, led the government to mandate the localization in the
provision. Localization of data won't improve privacy as breaches can happen from any country.
Companies should focus more on securing data to reduce risk of a breach. Loss due to Data breach can
also be solved by having 2 data centers within same country.

5.2. Data mirroring: Mirroring of data can be implemented efficiently if there is safeguard of data in
other countries. Data mirroring will actually increase cost of storing and processing data, as quality of
the data is more important than the quantity many companies need quality rather than storing unused
data and increasing cost. Any covered entity who stores data should implement Data honeypot system
where if an identity thief tries to steal data, he may obtain sets of fake data from the data base which is
of no use and even if he misuses data, Individual or any businesses won’t be in loss after that identity
thief can be charged under cyber offense.

5.3. Implementing cyber insurance Government should make a strict law in favour of Cyber
insurance of covered entity which helps businesses against loss from data breach. Even if any
company doesn’t have any exposure just because it is not popular, it is still more likely at risk of a data
breach if company store data or allow credit card payments. Data breach Insurance covers both first
part and third party’s breach including personal identifiable information and health information.

5.4. “Data minimization” for the covered entity is necessary to implement as personal data should be
relevant, adequate and should not be in excess amount, personal data should be used in minimum
quantity to fulfil purpose of covered entity. Also Data minimization reduces cost for company or
Governments for data storage as there is no business who has finite budget so there is very less
requirement storing excessive data. Adding further point Personal Data brings risk and can destroy a
business if they are caught of criminal negligence. Covered entity need to conduct a data audit to
identify exactly what type of sensitive personal data is been processed and stored. If the covered entities
implement Data minimization it will Benefit Government, Companies and Individuals too

5.5. “Destruction of electronic data” currently In India there is no provision in laws for Discarding
and Disposal of records which compromises personal information which is of no use for Government,
Companies, third-party or an individual. Government should take an initiative and implement a separate
law to properly destroy unused data by overwriting the media, magnetic erasure of media or by
physically destroying the media in some cases. Companies, Corporates and Government agencies
should remove hard drives from the servers and CPU’s before they are forwarded to another authority.

5.6. Condition to notify:

a) The Notification is given only when there is data breach involving information which can lead
to “serious harm” to any individual, organization or any Government entity then it will be
referred as the “Data Breach”.
b) The notification must be clear, in a plain language and content must be well defined on what
actual data is breached and it should also include date and time and proper description of the
breach.
c) Notification is generally send after the breach is discovered.
 5.7. Data Breach Response procedure (Notifiable Data Breach reporting)

Figure 2. Methodology to notify breach

Step 1-Has a data breach occurred? No further action is

required

YES NO

Step 2- Contain the data breach

Step 3- take
Step 3- Is serious harm likely? remedial action
(where possible)
YES NO
AND
Step 4- Do you reasonable ground to believe or suspect a data breach has
occurred and serious harm to individuals is likely? Select from one of three
options

Yes, reasonable ground Yes, Reasonable

No
to believe grounds to suspect

OR OR

Step 4(a): Conduct assessment of

whether serious harm is likely

YES NO
Are there reasonable grounds to
believe that serious harm is now
likely?

Step 5- Does an exemption

apply to notification

YES
NO

Step 6- Notify the officer and effected individuals

and, if necessary the public

Step 7-Review the breach and take steps to prevent future breaches
5.8. Disclosure of the breach

Any covered entity which licenses computerized data that include the sensitive or non-sensitive
information of any resident in India whose encrypted personal information has been acquired by
unauthorized person shall disclose the breach with:

1) The disclosure of the breach of the security shall be notified without any delay.
2) A description is required on type of sensitive personal data which was acquired by
unauthorized person as follows:
a) Date, estimated date or range of breach
b) Actions taken by covered entity to restore confidentiality information of person.
c) A general precaution steps to take by an affected individual.
d) Approximate number of affected individuals.

5.8. Alternate or substitute form of notice

If direct notice cost to affected individuals for the covered entity exceeds or if affected subject
individuals to be notified exceeds then alternative form of notice can be provided:

1. Email –The Covered entities should send an email if they have email addresses of affected
individuals.

2. Conspicuous notice – Conspicuous notice must be posted on the internet website of covered entities
for 100 days, if the covered entity maintains a website. Notice on homepage of the website must be with
contrasting font and colour and text must be larger than surrounding texts.

3. State wide media- Notification of the breach must be send to major state wide media.

5.9. Whom to notify:

In India currently there is no special division in government for covered entities to notify if a breach
occurs. There are department in Indian government like Indian Cyber Crime Coordination Centre
(I4C) which deal with the cybercrime which is set up in New Delhi; they monitor cyberspace and social
media and other sensitive content. National Crime Record Bureau (NCRB) National crime Record
Bureau (NCRB) is an Indian government agency that collects and analyse the criminal data that define
by the Indian Penal code also CERT-IN which handles security cyber threats. Government should
initiate special division who would further notify the effected victims and investigate the breach.

5.10. Time to notify:

Notification of the data breach must be send within 72 hours after the breach is discovered, without
any unreasonable delay.

5.11. Penalties:

If any Covered entity deny to send any notification of breach occurred to the effected individuals within
in a span of 72 hours or if any Covered entity fails to notify after a breach on time, then they are liable
to pay civil penalty of $ 2 million or 20% annual turnover as a fine, if covered entity fails to take suitable
actions to notify.
VI. Key findings:

In this section of the IBM report provide a brief summary of the most salient findings from the research
and how costs have changed over the past year.

The global cost of data breach increased.

The average total cost of data breach increased by 6.4 percent and the per capita cost increased by 4.8
percent. The average size of a data breach (number of records lost or stolen) also increased by 2.2
percent.

Data breaches are the most costly in the United States and the Middle East and least costly in
Brazil and India.

The average total cost in the United States was $7.91 million and $5.31 million in the Middle East. The
lowest average total Cost was $1.24 million in Brazil and $1.77 million in India. The highest average
per capita costs were $233 in the United States and $202 in Canada.

Notification costs are the highest in the United States

These costs include the creation of contact databases, determination of all regulatory requirements, and
engagement of outside Experts, postal expenditures, email bounce-backs and inbound communication
setups. Notification costs for organizations In the United States were the highest at $740, 00 whereas
India had the lowest at $20,000.

The United States and the Middle East spend the most on post data breach response.

Post data breach response activities include help desk activities, inbound communications, and special
investigative Activities, remediation, legal expenditures, product discounts, identity protection services
and regulatory interventions. In the United States, these costs were $1.76 million and $1.47 million in
the Middle East.

Canada has the highest direct costs and the United States has the highest indirect costs.

Canada had the highest direct cost at $81 per compromised record. Direct costs refer to the expense
outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm, or offering
victim’s identity protection services. The United States had the highest indirect per capita cost at $152.
Indirect costs include employees’ time, effort, and other organizational resources spent notifying
victims and investigating the incident, as well as the loss of goodwill and customer churn.

The faster a data breach can be identified and contained, the lower the costs.

For the fourth year, our study reports on the relationship between how quickly an organization can
identify and contain data Breach incidents and the financial consequences. For our consolidated sample
of 477 companies, the mean time to identify
(MTTI) was 197 days, and the mean time to contain (MTTC) was 69 days. Both the time to identify
and the time to contain were highest for malicious and criminal attacks and much lower for data
breaches caused by human error. Companies that identified a breach in less than 100 days saved more
than $1 million as compared to those that took more than 100 days.
Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to
those that took more than 30 days to resolve.

Hackers and criminal insiders cause the most data breaches.

Forty-eight percent of all breaches in this year’s study were caused by malicious or criminal attacks.
The average cost per record to resolve such an attack was $157. In contrast, system glitches cost $131
per record and human error or negligence is $128 per record. Companies in the United States and
Canada spent the most to resolve a malicious or criminal attack ($258 and $213 per record,
respectively). Brazil and India spent far less ($73 and $76 per record, respectively).

Incident response teams and the extensive use of encryption reduce costs.

In this year’s research, an incident response (IR) team reduced the cost by as much as $14 per
compromised record. Hence, companies with a strong IR capability could anticipate an adjusted cost of
$134, down from $148 per record. Similarly, the extensive use of encryption reduced cost by $13 per
capita, for an adjusted average cost of $135, down from $148 per record.

Third party involvement in a breach and extensive cloud migration at the time of the breach
increases the cost.

If a third party caused the data breach, the cost increased by more than $13 per compromised record for
an adjusted average cost of $161, up from $148 per record. Organizations undergoing a major cloud
migration at the time of the breach saw the cost increase to per capita cost by $12, for an adjusted
average cost of $160, up from $148 per record.

The loss of customer trust has serious financial consequences.

Organizations that lost less than one percent of their customers due to a data breach resulted in an
average total cost of $2.8 million. If four percent or more was lost, the average total cost was $6 million,
a difference of $3.2 million
 VII. Calculate cost of Data breach:

How to calculate the cost of Data Breach

Detection and escalation Notification costs

Activities that enable a company to Activities that enable the company to

detect and report the breach to notify individuals who had data
appropriate personnel within a compromised in the breach as
specified time period regulators activities and
communications.

Example- Example-

 Forensic and investigation  Email, letters, outbound

activities. telephone calls or general
 Assessment and audit notice that personal
services information was lost or
stolen.

Lost business cost

Post data breach response

Processes set up to help individuals or

Activities associated with cost of lost
Customers affected by the breach to
business including customer churn,
communicate with company, as well
business disruption and system
as costs associated with redress
downtime.
activities and reparation with data
subjects and regulators.

Example-

 Help desk activities/inbound Example-

communications
 Cost of business disruption
 Credit report monitoring and
and revenue losses from
identity protection services
system downtime
 Legal expenditures
 Cost of lost customers and
 Product discounts acquiring new customers
 Regulatory
interventions(fine)

Figure 3. Calculate cost of data breach

Repercussions of breach notification:

A business suffers in many ways when it falls victim to a data breach, one of which is dealing with the
financial repercussions. There are a range of different costs associated with a data breach, such as
paying back any money taken as a result of the breach, compensating affected customers, share value
plummeting and having to pay for the right protection to ensure a breach doesn’t happen again. In
addition, breached companies can be fined by the Information Commissioner’s Office (ICO), with
penalties reaching a maximum of £500,000. This figure drastically increased when the General Data
Protection Regulation (GDPR) took effect in May 2018.

After paying off fines, the breached company also has to deal with reputational damage. Breaches
have a massive negative impact on a company’s customer base, particularly if the breach involved
sensitive data. Customers lose confidence in the brand and don’t feel that their data is secure. A
breach also puts off many potential customers. Most downturns for firms and organizations are
usually caused by data breaches and cyber-attacks that could have been prevented. According to 90%
of CEOs, striving to rebuild commercial trust among stakeholders after a breach is one of the most
difficult tasks to achieve for any company – regardless of their revenue.

 Loss of Productivity – 50%

 Loss of Customer Loyalty – 41%
 Legal Action – 34%
 Unfavourable Media Coverage – 30%
 Customer Turnover – 28%
 Decline in Company’s Share Price – 25%

The impact of a breach is tied to the type of data involved. If the organisation’s confidential data has
been exposed, it can have catastrophic effects. If personal and financial details of staff and customers
are breached, those people are left open to the risk of identity theft.

IRCTC Data Breach

According to The Economic Times, in August, security researcher Avinash Jain discovered the bug in
IRCTC's website and mobile app link that connects to a third-party insurance company for free travel
insurance. The latter, introduced in December 2016 to encourage customers to book their tickets
online, entailed IRCTC sharing passenger details of all travellers with third-party insurers to take the
cover. The bug would have given hackers unfettered access to passenger details such as name, age,
gender and insurance nominees without their knowledge or consent. Given that the IRCTC handles a
huge number of e-tickets daily, this bug could have led to a massive data breach.

As per IRCTC's annual report for 2016-17, e-ticketing accounted for 62% of reserved railway tickets
in India, with more than 573,000 tickets sold daily through the IRCTC website. The daily could not
verify whether any data had been compromised during the nearly two years that IRCTC was clueless
about the vulnerability. "Within 10 minutes (after finding the bug) we were able to read almost 1,000
passenger and nominee information," Jain told the daily. On August 14, he wrote to IRCTC alerting
them about the problem, which was acknowledged and fixed on August 29. That's just two days
before the Indian Railways decided to discontinue offering free mandatory travel insurance and
instead allow travellers to choose to pay for the same.
The Indian Computer Emergency Response Team (CERT-In), the agency that handles cybersecurity
threats, had 53,081 reported incidents in the country in 2017. According to Jain, less than 1% of the
reporting to CERT-In comes from security researchers. "Responsible disclosure of flaws is not
rewarded by the government," said Jain, adding that Indian researchers received over $1.8 million in
bounties last year.

Conclusion:

As Data breach is higher in India as compared to global average, which puts into consideration to
implement provision of law in the Indian constitution, to notify people on premises of a breach. During
the research we found that Data breach has become prominent & that a specific law is required for India.
As they say “Where there is money, there is corruption” and where there is "Data” then the probability
of a breach is higher. We have already entered in a new world where data is more powerful than any
form of currency, hence, it needs to be secured. After analyzing different laws the researcher reached a
conclusion on importance of Data, the risk and impact of a breach in this modern world & thus Data
breach notification law for India comes into picture. And the researcher also identified important
components to be considered while framing the data breach law for the Indian context.
Reference

Data Breach Notification Laws: Canada, U.S, & Europe (4/5)

Available at https://www.hitachi-systems-security.com/blog/data-breach-notification-laws/

(Access on -7th Oct 2018)

NCSL (National Conference of state Legislatures)

Available at http://www.ncsl.org/research/telecommunications-and-information-technology/security-
breach-notification-laws.aspx

(Access on – 8thOct 2018 and 9th Oct 2018)

Summary of U.S state Data breach notification statutes

Available at https://www.dwt.com/statedatabreachstatutes/statelist/(Access on – 9th Oct 2018)

Senate Bill No. 1386 CHAPTER 915 An act to amend, renumber, and add Section 1798.82 of, and to
add Section 1798.29 to, the Civil Code, relating to personal information

Available at http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-
1400/sb_1386_bill_20020926_chaptered.pdf

(Access on - 10th Oct 2018)

ARTICLE 29 DATA PROTECTION WORKING PARTY EU

Available at https://iapp.org/media/pdf/resource_center/WP29-Breach-notification_02-2018.pdf

(Access on-10th Oct 2018)

Art.33 GDPR Notification of a personal data breach to the supervisory authority

Available at https://gdpr-info.eu/art-33-gdpr/

(Access on -11th Oct 2018)

Guidelines on Personal data breach notification under Regulation 2016/679(wp250rev.01) (data

breach guidelines Europe)

Available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052

(Access on -12th 2018)

Important new rules for mandatory Privacy breach notification, reporting and Record keeping in
Canada.

Available at https://www.fasken.com/en/knowledgehub/2018/04/important-new-rules-for-mandatory-
privacy-breach-notification

(Access on – 12th 2018)

Notifiable data breach scheme in Australia

Available at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

(Access on -13thOct 2018)

Data Protection laws of the world China

Available at https://www.dlapiperdataprotection.com/index.html?c=CN&c2=&t=law

(Access on -13th Oct 2018)

Australia’s new breach notification law

Available at https://www.reedsmith.com/en/perspectives/2018/02/australias-new-breach-notification-
law-in-effect

(Access on -14th Oct 2018)

Data protection laws of the world

Available at https://www.dlapiperdataprotection.com/index.html?t=breach-notification&c=US

(Access on -14th Oct 2018)

Single National Data Breach Notification Standard Proposed

Available at https://healthitsecurity.com/news/single-national-data-breach-notification-standard-
proposed

(Access on -14thOct 2018)

The Data (Privacy and Protection) Bill, 2017

Available at http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/889LS%20AS.pdf

(Access on -14th Oct 2018)

The Gazette of India Extraordinary Part II –Section 1

Published By Authority

Available at http://www.wipo.int/edocs/lexdocs/laws/en/in/in024en.pdf

(Access on – 15th Oct 2018)

Data theft increased by 783% in India in 2017, says study

Available at https://www.businesstoday.in/technology/news/data-thefts-increased-783-percent-india-
2017-gemalto-breach-level-index-study/story/277905.html

(Access on – 13thOct 2018)