Data centres, or companies that are working in conjunction with them, face three kinds of challenges. The first are reputational risks related to customer trust. These are tied up with the compliance posture of the company with respect to regulatory and statutory requirements. The second is compliance, which affects most data centre players. The third is downtime. The industry wants it to be minimised to as low as four seconds in a year. However, this is not possible. Because of these challenges, in 2022, the Ministry of Electronics and Information Technology is still coming up with draft legislations regarding privacy, as well as the Digital India Act.
Since 2012, data privacy has been a key focus area globally. Since the launch of the General Data Protection Regulation in Europe, there has been a lot of focus on keeping information private and secure. A number of compliance requirements have been introduced in India this year for virtual private network (VPN) service providers and data centres, such as having robust infrastructure and measures for the extension of record keeping. These measures are so intrusive that they require companies to keep data, records and logs of when a subscriber is logging on to their platform, and more.
Service providers that are reliant on data centres have three areas of focus: continuity, downtime and security. In terms of security, one of the issues is that while there is a lot of emphasis on making infrastructure security robust from an IT point of view, physical security is more complex. The physical security of data centres is a major area of concern. Further, there is no clarity regarding the monitoring of virtual access controls shared with data centre clients. Data centre companies should verify the reasons behind a client requesting multiple access, whether it is role-based access or authorisation-based access, etc.
Because there is a lot of discrepancy between the different levels of access granted within an organisation to its own information, there is always the potential for unwarranted exposure. This is something that is beyond the control of data centre players, but they should still be concerned with this as they need to secure their data accordingly. Another key issue is that the level of vetting by companies while onboarding service providers or vendors or subcontractors is not stringent enough. This should not be the case, as they create that first level of defence for data centre operators.
Finally, there has to be network segmentation from a data centre’s point of view. As data resides in silos and multiple compartments are created even for the same client, if data centre operators are able to create that segmentation depending on the end-point identity, then one would be aware if an entity is snooping on the systems. This would call for an additional barrier for security.
In terms of initiatives that the government needs to take, three aspects need to be considered. First is privacy, which is a burning issue right now. Recently, the government released the draft Digital Personal Data Protection Bill, 2022. Seen from the implementation point of view, it is not a good draft. For data centre operators, a lot of investments focus on the cost of the data residing on a server. The draft does not talk about the right to be forgotten, or erasure, or deletion in a proper manner. The government thus needs to come up with more robust data privacy legislation.
The second aspect is that law enforcement agencies are seldom aware of what a ransomware attack is. In such scenarios, they usually consider that fraud has been initiated on the service provider’s network – perhaps even facilitated by the service provider themselves. They forget about payment gateways, payment aggregators, banks, etc. and only consider the victim. As such, law enforcement agencies need to be made aware of data localisation, data sovereignty and data residency in order to enable smooth implementation. Therefore, the government, as well as other stakeholders, need to collectively start creating awareness among law enforcement agencies.
The third aspect is ensuring uniformity of law, so that it is suitable for clients in India as well as globally. While we are creating a robust atmosphere for data centres in India, these data centres do not just service Indian clients. They also service Indian organisations offering services outside the country. To this end, it is essential that laws for the sector are tailor-made to suit everyone’s needs.
Based on remarks by Bagmisikha Puhan, Associate Partner, TMT Law Practice