Zoomed Out | AI-powered cybercrime — here is some guidance on how businesses can protect themselves

Businesses today find themselves at an unprecedented risk of losses occasioned by cyber-attacks. There is accordingly a strong need to safeguard against such losses through appropriate regulatory compliance, internal policies, and specialised clauses in contracts, write cyber law experts Alina Arora and Lakshya Gupta from Shardul Amarchand Mangaldas & Co.

By Alina Arora | Lakshya Gupta, Nov 6, 2023 9:20:16 AM IST (Updated)

Mustafa Suleyman, in his book ‘The Coming Wave’, makes a compelling case for broad measures that the global community needs to urgently adopt to navigate the enormous creative as well as destructive powers of artificial intelligence (AI).

The Indian Computer Emergency Response Team (CERT-In), in its advisory dated May 9, 2023, has sounded a precautionary alarm against the possible adversarial threats that may arise from the use of AI language-based applications such as ChatGPT and Bard.
As per the ‘Cost of a Data Breach Report 2023’ released by IBM, the average cost of a data breach globally is pegged at US$4.45 million, while in India it is estimated to be US$2.18 million. The use of AI has made cyber-attacks easier to implement, scaled their volume and increased their complexity.
As a result, businesses today find themselves at an unprecedented risk of losses occasioned by cyber-attacks. There is accordingly a strong need to safeguard against such losses through appropriate regulatory compliance, internal policies, and specialised clauses in contracts.
Protecting Businesses
 
Here are some key regulatory areas where businesses can implement effective measures to protect themselves from the dangers of potential cyber-attacks.
1. Security standards compliance:
    Under Section 43A of the Information Technology Act 2000 (IT Act), a business handling ‘any sensitive personal data or information’ that is negligent in implementing and maintaining ‘reasonable security practices and procedures’ may be liable to pay compensation to an affected person.
    As per rule 8 of the Information Technology Rules, 2011, ‘reasonable security practices and procedures’ are considered to be complied with if the business has implemented such security practices and standards as are commensurate with the information assets being protected with the nature of the business.
    As per this rule, the ISO/IEC 27001 standard, which is a standard for information security management systems (ISMS), is recommended. Therefore, every business in India interacting with sensitive personal data must aim to implement a cost-effective ISMS through an ISO/IEC 27001 certification.
    The obligation to ensure personal data protection and liability to pay compensation in case of breach would stand replaced by the rules governing data protection to be issued under Section 8(5) of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the penalty imposed under Section 33(1) of the said Act, which is yet to be notified. However, in India, there is currently no statute specifically providing for security standards in relation to non-personal data.
    There are also certain sectoral obligations for data protection which must be adhered to by businesses. Some sector-specific requirements include those provided for banks under the Cyber Security Framework in Banks issued by the Reserve Bank of India; owners and regulators of Critical Information Infrastructure (CII) of the nation under the Guidelines for the Protection of National Critical Information Infrastructure; stock exchanges, clearing corporations and depositories (Market Infrastructure Institutions – MIIs) under the Guidelines for MIIs regarding Cyber security and Cyber resilience; and insurers under the IRDAI Information and Cyber Security Guidelines, 2023.
    These also include the quarterly disclosure requirement in relation to cyber security incidents provided for listed entities under the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, as amended on June 14, 2023.

2. AI usage policies:
    Use of AI by businesses involves data security and privacy concerns. Some of the risk mitigation techniques for organisations suggested by CERT-In include filtration and moderation techniques to prevent dissemination of malicious content generated using AI-powered tools, frequent security audits and system assessments, and multi-factor authentication (MFA) usage to regulate employee interaction with AI-based tools. Businesses should consider formulating and implementing AI usage policies; sensitising employees on AI ethics and best practices; and ensuring regular monitoring and auditing of AI usage for timely identification and rectification of potential threats.

3. Adequate contractual protections:
    Businesses need to ensure that their contracts with custodians of their data as well as with their clients in relation to data protection have well-tailored clauses in relation to disclosure, insurance and indemnity. Lack of adequate cyber protections by data custodians could result in huge liability for businesses in case of data breaches, which must be adequately insured and indemnified.
         
Conclusion
The self-learning nature of AI translates into an ever-mutating and evolving threat of cyber-attacks. It is accordingly critical for businesses to review, adapt and upgrade their data protection measures to align them with the prevailing security standards. The Coming AI Wave is here, and it would be advisable for businesses to be prepared for it.

The authors, Alina Arora and Lakshya Gupta, are Partner and Senior Associate respectively at legal firm Shardul Amarchand Mangaldas & Co. The views expressed are personal.
