The year 2018 was considered the year of data breaches, as many global websites such as Facebook, Rupeeredee and Oyo complained of data breaches. As per reports, yet another company, Ixigo, a travel and hotel booking e-commerce website based in Gurugram, also complained about a data breach and issued a notification to its users to reset their passwords as a safety measure.
As per reports, Ixigo is backed by China’s Fosun and had over 20 million monthly active users in November last year. The reports alleged that the data of almost 18 million users, mostly email IDs, full names, IP addresses, usernames, and hashed passwords, was stolen from the website. However, the reports also say that Ixigo had denied any such act and had stated that the investigation of the matter concerning the breach of data was in progress.
As per Indian law, Section 43A of the Information Technology Act, 2000 (hereinafter referred to as the ‘IT Act’) regulates dealing with or handling sensitive personal data. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules 2011 define ‘sensitive personal data’ as personal information relating to:
- financial information such as bank account or credit card details;
- physical, physiological and mental health;
- sexual orientation;
- medical records and history; and
- biometric information.
Section 43A of the IT Act provides for compensation where a company fails to use reasonable security practices and procedures to protect sensitive personal data and such negligence results in a wrongful gain or loss. However, the statute provides for compensation only when a wrongful gain or loss results from the failure to observe reasonable security practices and procedures.
An initiative has been taken, through the introduction of the draft Personal Data Protection Bill 2018, to focus on the issues related to data privacy.