Cybersecurity Regulations In 2024 - What Should You Expect?
We are already in 2024, and, while India has made remarkable progress in multiple fields, it is yet to make its mark in the cybersecurity landscape. 2023 was a momentous year for the country in this realm. Marked by significant challenges, the past year has set the stage for new developments in cybersecurity.
For example, the Aadhaar data breach in October 2023, which posed a huge threat to the security of 815 million Indian citizens, jolted the nation’s cybersecurity system. The attack was reported by Resecurity, which noted in its blog that the threat actor, going by the name pwn0001, was offering to sell the data, including Aadhaar numbers and passport details, for $80,000 on the dark web.
This data breach incident acted as a wake-up call for officials to put stringent cybersecurity regulations and laws in place at the earliest.
Now, as we set our sights on 2024, the cybersecurity business sector is expected to witness substantial transformations. In this year, organisations are likely to deal with increasing complexities, and evolving threats. However, this might also bring about an increase in awareness about the requirement for sophisticated and integrated security solutions. The focus for 2024, therefore, is to watch out for upcoming regulations to avoid being hit by new challenges.
Why Should You Stay Updated About Regulations?
It is imperative for your organisation to understand the legal nuances of cybersecurity regulations. With limited knowledge of these standards, your organisation might end up with a subpar cybersecurity infrastructure that does not comply with federal laws. This could expose your organisation to huge financial setbacks through fines and penalties (and even imprisonment), with reputational damage adding to your woes.
The Shared Objectives Of Data Privacy Laws
While you might feel intimidated by the number of data privacy laws your organisation needs to comply with, you should know that they share similar objectives and fundamental principles. Irrespective of the laws’ origins, they are designed to protect individuals’ personal information. They also aim to strike a balance between promoting innovation and protecting privacy rights.
International Data Privacy Laws That You Must Know
Now that you understand the importance of data privacy regulations, let us summarise a few important privacy laws from across the globe whose compliance requirements apply to Indian organisations as well.
The General Data Protection Regulation (GDPR)
The GDPR, which came into effect on May 25, 2018, is the toughest security law in the world. It imposes obligations on any organisation in the world that collects or processes data relating to residents of the EU.
It prohibits organisations from collecting more personal data than necessary from their users. They are mandated to protect this data against unlawful or unauthorised processing, as well as accidental damage, loss or destruction. They must document how personal data is handled and limit data access to the people who actually need it. The regulation places significant emphasis on individuals’ rights to access, rectify or erase their personal data.
The fines for violating the GDPR are very high.
📌 Less severe infringements may result in a fine of up to 10 million euros or 2% of the organisation’s worldwide annual revenue from the preceding financial year, whichever is higher. More serious infringements may result in a fine of up to 20 million euros or 4% of the organisation’s worldwide annual revenue from the preceding financial year, whichever is higher.
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The United States does not have a comprehensive privacy law like the GDPR. However, the state of California has passed the CCPA and its predecessor, the CPRA, which give Californian consumers more control over the personal data that organisations collect about them. The CCPA was passed in 2018 and amended by the CPRA on January 1, 2023. The CPRA applies to companies that meet the following requirements:
Have a gross annual revenue of over $25 million.
Share, buy or sell the personal data of at least 100,000 California residents.
Derive 50% or more of their annual revenue from selling or sharing personal data.
Like the GDPR, the CPRA gives consumers the right to:
Know who is collecting their personal information, how it’s used and to whom it is disclosed or shared.
Limit the use of their personal data.
Delete or correct their personal data.
The CPRA also establishes specific rules for processing the data of minors: parental consent is required before the personal information of children under the age of 16 may be sold.
📌 Organisations that fail to follow the CPRA’s requirements may be fined up to $7,500 per willful offense and $2,500 per unintentional violation.
The General Data Protection Law (LGPD) of Brazil
Brazil’s LGPD is closely modelled on the EU’s GDPR and is the largest data privacy regulation in the world after the GDPR and the CCPA. Its primary goal is to unify 40 different, often industry-specific, regulations and to resolve the conflicts that arise from the sheer number of data privacy regulations in the country.
The regulation applies to organisations that process data in Brazil, process personal data collected in Brazil, or process personal data while providing goods or services in Brazil. As with the GDPR and the CCPA, an organisation does not need to be headquartered in Brazil to be affected by the LGPD.
Under the LGPD, the holder, i.e. the person to whom the personal data relates, has several rights, including but not limited to:
Access to one’s personal data
Correction of outdated or otherwise inaccurate personal data
Deletion or anonymization of personal data not in compliance with LGPD or processed without the consent of the holder
The ability to revoke one’s prior consent
Information about how one’s data is used and with whom that data is shared
Emerging Data Privacy Regulations In India - The Much-Awaited DPDP Act of 2023
With several data privacy laws operating across the world, India is not far behind in implementing one of its own. At present, the Information Technology Act 2000, and the rules notified under it, largely govern data protection in India; the latest addition to this area is the Digital Personal Data Protection Act, 2023.
Enacted on August 11, 2023, this Act borrows its broad definition of personal data from the EU’s General Data Protection Regulation (GDPR) and aims to protect personal data and restrict its free flow.
This Act applies not only to individuals and organisations operating in India but also to non-citizens living in India and to non-Indian organisations that offer goods or services to individuals in India.
One significant development in this Act is the requirement to collect and process personal data only with the explicit consent of the individual (except in specific circumstances pertaining to national security and law and order). Before seeking consent, organisations like yours will be required to serve users a notice detailing the data to be collected and the purpose of collecting it.
The Act has also made these organisations more accountable for the data they hold by requiring them to report any breach to the Data Protection Authority of India (DPAI) and to the affected stakeholders within 72 hours of becoming aware of it.
Another noteworthy development is the Act’s specific provisions on processing the data of children (individuals under the age of 18): it does not permit any processing that might have a detrimental effect on a child.
📌 Failure in compliance can lead to heavy fines that could reach up to ₹250 crore.
Despite coming into force in 2023, the Act is yet to be implemented in full. Marked by multiple exceptions and ambiguous provisions, it needs specific guidelines before organisations can fully understand and comply with its requirements.
Ensuring A Robust Cyberspace Is Difficult, Not Impossible
India already has various laws that address the monitoring, detection, prevention, mitigation and management of cyber incidents. With the introduction of the DPDP Act, the reporting of such breaches has also been emphasised. However, this is not the end of the road; there is still room for further development.
2024 is a pivotal year for cybersecurity, one that calls for staying informed about emerging threats and leveraging the latest security technologies. Cybercrime is increasing with every passing minute, but it can be controlled effectively through the collaborative efforts of governments, regulatory agencies and organisations around the world. As cyberspace becomes ever more pervasive, the need for cybersecurity laws and regulations governing each action and activity has never been greater. In the coming years, the government is expected to make considerable advances in cyber law, whose effectiveness will ultimately depend on its users.