Security challenge: How start-ups will be affected by proposed data personal data protection bill

There is some tough business cropping up for start-ups. As the proposed Personal Data Protection Bill 2018 looms, these new-age firms have to work their way up in ensuring pricey data of all sorts is safeguarded.

Among its various clauses, the Bill makes individual consent to data sharing or processing its prime focus, ensuring the right to privacy is adhered.

For start-ups, adhering to the Bill would be a Herculean task, say experts.

"Nowadays, it is easy to get industry hosted servers, hosted source code management and related software infrastructure to start your company at low opex cost. These industry-grade hosted solutions come with their own robust security provisions that alleviate data protection concerns of a start-up. But they also lull them into a dangerously false sense of security. The start-ups stop thinking about security as a point of concern since they have signed up with vendors. This is where security breaks down," said Unni Nambiar, chief technologist at CASHe.

Nambiar said while source code and customer data on hosted servers are protected, data on individual laptops are grossly unprotected. "Weak employment contracts, flexible work-from-home options with non-existent IT departments and security policies, all combine to create a lethal combination that spells disaster when it comes to protecting intellectual property and consumer data."

Data protection has assumed tremendous importance in the wake of 87 million Facebook users' data being shared with Cambridge Analytica.

In India, over 3.24 million records across industries were stolen, lost or exposed in 2017, as per digital security firm Gemalto.

Failure to protect data of all kinds can prove expensive for start-ups in many ways.

Firstly, leakage of data leads to a loss of trust and confidence among stakeholders, which is detrimental for any business, said Manish Srivastava, co-founder and chief technology officer (CTO), LitmusWorld. "In monetary terms, the loss will be computed by start-ups differently on a variety of factors including loss of business determined by customer lifetime value, loss of brand name, etc."

The Bill has provisions to penalise companies who fail to adhere to the various clauses, with penalties going up to Rs 15 crore, or 4% of a company's total global revenues.

Furthermore, reactive measures to plug data leakage cost intense resources, said Virender Bisht, CTO and co-founder of fintech start-up NiYO.

"For every data leakage, there are additional costs of forensic audits that entities have to do. Sometimes, data hackers hold start-ups to monetary ransom. With the new changes, added penalties would become an additional burden," said Bisht.

Experts believe start-ups have a low to average level of preparedness for the Bill. They will need to have a robust security policy that addresses regulatory reporting, third-party audit regime, checks and balances, etc.

Nambiar said the corporate network of start-ups will need to be protected with adequate firewalls and threat protection devices. "A possible trend would be to completely virtualise the technology infrastructure. A fully virtualised desktop environment coupled with sandboxed mobile solutions would be step in the right direction."

But part of the problem is that the available security infrastructure is expensive and targeted towards larger and more established companies with deeper IT budgets. "Either a shift towards startup-level security infrastructure or an even more seamless virtualised infrastructure allowing for zero data footprint operations will be essential to allow start-ups to adhere to this Bill. Additionally, startup-grade security solutions will need to be priced at the same nominal pricing as the currently hosted infrastructures that had lowered the cost threshold and enabled the start-up ecosystem to thrive in the first place," said Nambiar.

ONE SIZE DOESN'T FIT ALL

• A part of the problem is that the available security infrastructure is expensive and targeted towards larger and more established companies with deeper IT budgets
   
• Startup-grade security solutions will need to be priced at the same nominal pricing as the current hosted infrastructures that had lowered the cost threshold, said an expert