The Legal Youngster
Empowering Future Legal Minds

Legal challenges of Bank Data Breaches: Liability and Consumer Protection

Riya Saha, Capital Law College

Preface:

A bank is a financial institution that provides a range of financial services to individuals, businesses, and governments. It plays a vital part in financial intermediation, advancing economic and social development by connecting savers with investors. Banks in India comprise public sector banks, private banks, foreign banks, regional rural banks, and cooperative banks. They mobilise term deposits from their customers, deploy those deposits in their business, and extend loans against them. Their role in economic development is indispensable. With banks so heavily engaged across every sector in India, the exposure to data breaches grows accordingly.

What is a Data Breach:

A banking data breach occurs when unauthorized individuals or groups gain access to a bank's computer systems or data, exposing confidential, sensitive, or protected information to people who should not have it. The exposed data may include customers' personal details (name, address, identification numbers, etc.), account numbers, card details, confidential business information, transaction histories, financial records, and more. In the present era paper-based transactions are dwindling and only information changes hands, which in turn has increased the need to protect that information.

In the banking industry a privacy violation can occur in a number of ways, such as:

  1. Personal data is shared with a third party for marketing purposes without consent.
  2. More personal data is collected than necessary.
  3. Customers' banking information or cards are lost.
  4. Personal data is shared with or given to a third party without the customer's knowledge.
  5. An individual is not adequately informed about how their data will be used.

Data Security Measures Followed by The Banks:

Nearly every Indian has a bank account, and opening an account or updating KYC requires sharing very private information with the bank. Banks must adopt every available security strategy to protect the sensitive information their customers share, against both internal and external breaches. A few measures that help banks protect their systems from compromise are suggested below.

  • Secure Infrastructure:

Secure infrastructure in banking means strengthening the security of the database systems. The database is where customers' personal information is stored and has to be secured at any cost; hence in most core banking systems production data is encrypted. Encryption at rest protects data on stolen media or leaked backups, but not against an attacker who holds valid application or administrator credentials, so it must be paired with strict access control and monitoring.

Sensitive fields such as account numbers, customers' names, and addresses must be masked whenever production data is needed for testing. Bank employees are generally issued hardened equipment that restricts access to social media, personal email, and similar services.
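The masking step above is easy to get wrong (a "masked" extract that still carries the real account number, or a name that is replaced by a value an attacker can reverse). The following Python is an added example, not code from the original article or from any bank's systems. It pseudonymizes the customer identifier with a keyed HMAC so joins between masked tables still work, masks account and card numbers while preserving their shape, and refuses to export a record if any original identifying value leaks through. The key, the record layout, and the sample records are constructed for the example.

```python
import hashlib
import hmac
import re

# Hypothetical per-environment key (an assumption for this example). In a real
# bank it would come from a secrets manager and never sit next to the test data.
PSEUDONYM_KEY = b"test-environment-key-change-me"


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Replace an identifier with a keyed HMAC token.

    The same input always yields the same token, so joins between masked tables
    still work, but without the key the original cannot be recovered or
    brute-forced from a list of known customer IDs.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_account_number(acct):
    """Show only the last four digits, keeping the length so format checks
    in test code still pass."""
    digits = re.sub(r"\D", "", acct)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_card_number(pan):
    """Mask a card PAN the way PCI DSS permits on receipts: first six (BIN)
    and last four visible, everything in between hidden."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_record(rec):
    """Build the test-environment copy of one customer record."""
    token = pseudonymize(rec["customer_id"])
    return {
        "customer_id": token,
        "name": "Customer " + token[:8],   # realistic shape, no real name
        "address": "<masked>",
        "account_number": mask_account_number(rec["account_number"]),
        "card_number": mask_card_number(rec["card_number"]),
        "balance": rec["balance"],        # not identifying; kept for realistic tests
    }


def leaks(masked, original):
    """Sanity check before export: none of the original identifying values
    may appear anywhere in the masked record."""
    blob = " ".join(str(v) for v in masked.values())
    sensitive = [original["name"], original["address"],
                 re.sub(r"\D", "", original["account_number"]),
                 re.sub(r"\D", "", original["card_number"])]
    return any(s in blob for s in sensitive)


# Constructed sample records standing in for a production extract.
PRODUCTION_SAMPLE = [
    {"customer_id": "C-1001", "name": "Asha Verma", "address": "12 MG Road, Pune",
     "account_number": "1234 5678 9012", "card_number": "4111 1111 1111 1111", "balance": 52000.0},
    {"customer_id": "C-1002", "name": "Rahul Mehta", "address": "4 Park St, Kolkata",
     "account_number": "9876 5432 1098", "card_number": "5500 0000 0000 0004", "balance": 1300.5},
]


def mask_dataset(records):
    """Mask every record and refuse to export if any original value leaks through."""
    out = []
    for rec in records:
        m = mask_record(rec)
        if leaks(m, rec):
            raise RuntimeError("masking failed for " + rec["customer_id"])
        out.append(m)
    return out


if __name__ == "__main__":
    for row in mask_dataset(PRODUCTION_SAMPLE):
        print(row)
```

A plain hash without a key would not be enough for the customer identifier: customer IDs come from a small, predictable space, so an attacker holding the test database could hash every candidate and recover the mapping. The HMAC key is what makes the token one-way for anyone outside the masking process.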

  • Secure Processes:

Over the years, banks have established numerous processes to ensure that security is enforced and tested. These include KYC (know your customer), non-disclosure agreements with employees and vendors, and the use of remote data centres. Additionally, processes for complying with national and international regulation are put in place, and risk analyses are carried out to make sure these processes comply with the rules.

  • Audit Trails:

A statement or passbook is always provided to the customer so that they can keep a record of their transactions. In addition, every bank keeps an audit trail of every event that occurs during a customer's interaction with the bank's servers.

When a customer uses phone or online banking, the time of the interaction and the details of each transaction are recorded in the audit trail. This data is backed up daily and is never deleted; instead it is moved to archives at designated intervals. An audit trail is only as useful as its integrity: if an attacker who has breached the system can edit or delete entries, the trail cannot be relied on to reconstruct what happened, so logs should be written to append-only storage or otherwise made tamper-evident.
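One way to make the audit trail described above tamper-evident is to chain the entries: each entry's hash covers the previous entry's hash, and the latest hash is copied off the system with the daily backup. The Python below is an added example, not the article's or any bank's code. It records a constructed online-banking session, then shows an edited entry, a deleted entry, and a chain that an attacker rebuilt after editing; the last case is only caught by the externally stored head hash. The event fields and timestamps are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous" link of the very first entry


def _digest(entry):
    """Hash the entry's content plus the previous entry's hash, using a
    canonical JSON encoding so the same entry always hashes the same way."""
    body = {k: entry[k] for k in ("seq", "ts", "event", "prev")}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


class AuditTrail:
    """Append-only log in which each entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, ts, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "event": event, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def head(self):
        """Latest hash; this is the value to store off-box with the daily backup."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Walk the chain and return (ok, index_of_first_bad_entry).

    Detects a modified entry, a deleted entry (sequence numbers jump), a
    reordered one (prev link mismatch) and, when expected_head is supplied,
    a chain that was silently truncated or rebuilt from some point onward.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, -1


def sample_trail():
    """Constructed session: what an online-banking server might log."""
    t = AuditTrail()
    t.record("2024-05-01T10:00:00Z", {"user": "cust-1001", "action": "login", "ip": "203.0.113.7"})
    t.record("2024-05-01T10:01:12Z", {"user": "cust-1001", "action": "transfer", "to": "acct-42", "amount": 5000})
    t.record("2024-05-01T10:02:30Z", {"user": "cust-1001", "action": "logout"})
    return t


def tamper_demo():
    """Show each kind of tampering being caught. Returns the verify() results."""
    t = sample_trail()
    head = t.head()
    results = {"intact": verify(t.entries, head)}

    edited = copy.deepcopy(t.entries)
    edited[1]["event"]["amount"] = 50          # attacker shrinks the transfer after the fact
    results["edited"] = verify(edited, head)

    deleted = copy.deepcopy(t.entries)
    del deleted[1]                             # attacker removes the transfer entirely
    results["deleted"] = verify(deleted, head)

    # An attacker with write access can re-hash the chain after editing;
    # only the externally stored head hash catches that.
    rebuilt = AuditTrail()
    for e in edited:
        rebuilt.record(e["ts"], e["event"])
    results["rebuilt_no_anchor"] = verify(rebuilt.entries)
    results["rebuilt_with_anchor"] = verify(rebuilt.entries, head)
    return results


if __name__ == "__main__":
    for name, res in tamper_demo().items():
        print(name, res)
```

The hash chain on its own proves nothing to an auditor if the attacker controls the log store, which is why the anchor matters: the head hash (or a signature over it) belongs in the daily backup or a write-once location the application cannot alter.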

  • Authentication:

Every banking transaction must be authenticated before further transactions are allowed. This applies to customers using online or mobile banking and credit or debit cards, and equally to bank employees who have access to the bank's data and its customers' data. Authenticating a session once is not enough for high-value operations: confirming the specific transaction with a second factor limits what a hijacked session can do.

  • Use strong passwords:

Every database is protected with a password that locks away customers' sensitive information. These passwords must be strong enough to resist guessing and cracking, and they should be rotated regularly.
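The two sections above (authentication, and strong, rotated passwords) come down to how credentials are checked and stored. The Python below is an added example, not code from the article or from any bank. It applies a minimum strength policy against a small constructed denylist, stores passwords as salted PBKDF2-HMAC-SHA256 hashes, verifies them with a constant-time comparison, and adds an age check intended for service and database credentials. The iteration count follows OWASP's published recommendation for PBKDF2-SHA256; the denylist contents and field names are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# OWASP's recommendation for PBKDF2-HMAC-SHA256 (600,000 iterations).
ITERATIONS = 600_000

# Constructed stand-in for a real breached-password denylist, which would
# hold millions of entries and usually be queried through a service.
DENYLIST = {"password", "password1", "123456", "qwerty", "welcome1", "admin123"}


def is_strong(password):
    """Minimum policy: length, not a known-bad password, not a near-repeated
    character string."""
    pw = password.strip()
    return len(pw) >= 12 and pw.lower() not in DENYLIST and len(set(pw)) >= 6


def hash_password(password, iterations=ITERATIONS, now=None):
    """Store a salted, deliberately slow hash instead of the password.

    A dump of this table costs the attacker `iterations` hash computations
    per guess per user, and the random salt defeats precomputed tables."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2_sha256",
        "iter": iterations,
        "salt": salt.hex(),
        "hash": dk.hex(),
        "set_at": time.time() if now is None else now,
    }


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time so
    response timing does not reveal how many leading bytes matched."""
    if record.get("alg") != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def needs_rotation(record, max_age_days, now=None):
    """Age check for service and database credentials."""
    now = time.time() if now is None else now
    return now - record["set_at"] > max_age_days * 86400


def needs_rehash(record, iterations=ITERATIONS):
    """After a successful login, upgrade records hashed at an older, weaker cost."""
    return record["iter"] < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong password here", rec))           # False
```

For human users, NIST SP 800-63B no longer recommends forced periodic rotation; rotate on evidence of compromise and rely on the strength check and denylist instead. The age check is for the database and service credentials the section is about, which are best kept in a secrets manager that rotates them automatically. Where a memory-hard function such as Argon2id is available it is preferred over PBKDF2.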

  • Keeping systems and software updated:

The software and systems a banking institution uses should be kept up to date; regular patching reduces the risk of breaches, though it does not eliminate it.

Data breaches can occur despite best efforts, so being prepared with a robust incident response plan is crucial.

Liability and Customer Protection:

Liability: When a bank suffers a data breach, both liability and customer protection become the major issues to deal with. Liability falls into three categories: regulatory, contractual, and class action lawsuits:

  1. Regulatory liability: Banks are bound to comply with regulations such as the General Data Protection Regulation (GDPR) in the EU and the Gramm-Leach-Bliley Act (GLBA) in the U.S.; failure may lead to significant fines.
  2. Contractual liability: Banks may be liable to third parties, such as businesses that use their services, under the terms and conditions of their service agreements.
  3. Class action lawsuits: Customers affected by a data breach can join together to file class action lawsuits against the bank, seeking damages for any harm caused.

  • Sony Pictures Entertainment Inc. Vs. Superior Court of Los Angeles County (2015):

Sony Pictures suffered a data breach in 2014, resulting in the leak of sensitive data including employees' social security numbers and embarrassing emails between executives. The court ruled that companies have a duty to protect employee data and can be held liable for data breaches.

  • Dittman Vs. UPMC (2017):

UPMC suffered a data breach in 2014, resulting in the theft of sensitive employee data, including social security numbers. The court held that companies have a duty to implement robust cybersecurity measures and can be held liable for data breaches.

  • Customer Protection:

Customer protection has three components: credit monitoring, notification, and reimbursement programs.

  1. Credit monitoring: Banks offer free credit monitoring services to affected customers to help detect fraudulent activity.
  2. Notification: Banks are required to notify affected customers, which allows them to take steps to protect their identities, such as monitoring their accounts regularly for unusual activity or freezing their credit.
  3. Reimbursement programs: Banks usually have programs in place to reimburse customers for unauthorized transactions, provided they are reported in a timely manner.

Legislations and Regulations Governing Data Protection in the Banking Sector:

In India, data privacy is governed by the Information Technology Act, 2000 (IT Act) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). The SPDI Rules impose a number of obligations on body corporates that collect and process an individual's personal information.

Under section 43A of the IT Act, a body corporate that handles sensitive personal data is liable to pay compensation if it is negligent in implementing and maintaining reasonable security practices and procedures. In addition to the IT Act, certain banking secrecy laws and other regulatory laws in India impose obligations to keep data secret and confidential.

  1. The Credit Information Companies (Regulation) Act, 2005:

The Act regulates the manner in which credit information companies handle data. It specifically lays down the obligations of credit information companies regarding data access, accuracy and secrecy, the duty to maintain confidentiality, and the accuracy of the information they hold. It also empowers the regulatory authority to prescribe data retention norms from time to time.

  • Wyndham Worldwide Corp. Vs. Federal Trade Commission (2014):

Wyndham suffered a series of data breaches between 2008 and 2010, resulting in the theft of credit card information. The FTC sued Wyndham, alleging that the company had failed to implement reasonable security measures. The court ruled that the FTC has the authority to regulate cybersecurity practices and that companies must implement reasonable security measures to protect customer data.

  2. Reserve Bank of India issuances:

Data collectors must always follow the RBI's data privacy directions, which are regularly updated. The RBI has issued instructions requiring all banks and payment system providers to store payment transaction data in India and restricting the storage of such data outside the country.

Additionally, the RBI has issued guidelines on the protection of customers' data and on the arrangements that banks and non-banking financial companies may enter into with third parties.

  • Home Depot Inc. Vs. Banks (2016):

Home Depot suffered a data breach in 2014, resulting in the theft of credit card information. The court held that companies have a duty to implement robust cybersecurity measures and can be held liable for data breaches.

  • CareFirst, Inc. Vs. Attias (2017):

CareFirst suffered a data breach in 2014, resulting in the theft of sensitive data. The court held that plaintiffs must plead a concrete injury from the breach in order to have standing to bring a data breach case.

  3. The Banking Regulation Act, 1949:

The Banking Regulation Act, 1949 and the regulations made under it also contain privacy-related provisions governing the collection, retention, and security of customer data.

  4. The Bankers' Books Evidence Act, 1891:

It protects bank records from disclosure: bank officers cannot be compelled to produce bankers' books or disclose their contents unless ordered to do so by a court of law for a specific reason.

Conclusion:

In conclusion, data breaches are serious threats to individuals, organizations, and businesses. They can result in significant financial losses, reputational damage, and legal liabilities. It is essential to prioritize data security and implement robust measures to prevent and respond to data breaches. The case laws discussed above highlight the importance of implementing robust cybersecurity measures, vendor risk management, and incident response planning to mitigate potential legal and financial consequences.

Data security is an ongoing process that requires continuous monitoring, evaluation, and enhancement. By prioritizing data security and implementing robust measures, individuals and organizations can reduce the risk of data breaches and protect sensitive information.
