Data breach in Insurance Industry rampant in India


The regular data leakage of  personal and sensitive data of customers, raises several questions on the mismanagement of customers’ data by the insurance companies and inadequate action against non-compliance.

“There is increasing accountability of insurance companies and IRDA. This is so because insurance companies are now increasingly dealing with a lot of sensitive personal data of their users.

Further, insurance companies are intermediaries under the Information Technology Act, 2000 and are mandated to exercise due diligence under the said law,” said Pavan Duggal, Senior Supreme Court, Advocate.

Duggal highlighted that the coming of IRDA is like a breath of fresh air as it has become the industry regulator for the insurance sector. The IRDA Act provides substantial provisions and powers to IRDA. However, there is a need for more stringent accountability of insurance companies.

As more and more attacks are mounting on Indian data and as massive data leaks are leading to major economic losses, the time has come for India to come up with a dedicated new legal framework on cyber security. India must learn from the experiences of other nations and must come up with enabling effective legal provisions for protecting and preserving cyber security of data including personally identifiable data and also sensitive personal data,” Duggal said.

There is need for the due diligence must be adopted in keeping sensitive records, proper monitoring of such IT Assets and data controls such as DLPs must be deployed. There is deemed liability of directors under Section 85 of IT Act. Therefore, directors must take proactive measures for compliance with IT Act and rules. IT policies need to be revamped in WFH times and compliance requirements have changed during the pandemic and we have reviewed all IT related policies for various organizations.”

With this IRDA should impose exemplary fines on these insurance companies for not protecting clients’ sensitive personal data. Individuals can also file a complaint with the Adjudication officer and ask for compensation upto Rs 5 Cr.

To prevent data from further leaking, IRDA should do yearly audits and penalise these companies for data leakage. Cyber Awareness amongst sales employees and their call centres is also important, experts suggested.