POLICY PROMPT

Some of the problems of cyber security may be thought of as symptoms of market failure, a situation in which inefficiencies exist in the allocation of goods and services. The inability to correct a market failure can lead to negative externalities; for example, in a consumer data breach the consumers are potentially exposed to harm that they could not prevent, while the company responsible for the exposed data might not have had enough of an incentive or ability to provide better security. In another example of a negative externality, privacy often receives limited value in the cost-benefit analysis a private firm must make about investing in information security, and firms have more incentives to over-collect personal data than they do to safeguard it. Conversely, society seems to be relying on positive externalities with respect to critical infrastructure, because the security of critical infrastructure is a public good shared by all, while the costs of securing those systems are borne by the (mostly) private firms that own them. However, in the case of a breach of critical infrastructure such as the power grid, society suffers huge financial losses, running into billions of dollars (the cost of lost business, financial transactions and man-hours, as well as the cost of repairing physical damage to the infrastructure).

"While the Indian government is working on the issue of cyber security both from a policy and law perspective, it is believed that incidents of security breaches in India are still largely unreported, making it difficult to analyze and create policy frameworks. Even though various regulatory bodies such as the Reserve Bank of India (RBI), Securities Exchange Board of India (SEBI) and National Critical Information Infrastructure Protection Center (NCIIPC) have been mandating that companies, especially those that collect, store and operate personal data, notify empowered regulatory bodies of breaches and conduct risk assessments and audits, there are no significant penalties for compromised businesses. This means that the regulatory agencies do not have enough teeth under the current laws and policies.

However, Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (“Cert-in”) impose mandatory notification requirements on service providers, intermediaries and data centers if certain ‘cyber security incidents’ occur, e.g. compromise of critical information/system, unauthorized access, malicious virus or code attacks, identity theft, etc. The Information Technology Act, 2000 (amended in 2008) deals with the issues relating to payment of compensation and punishment in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.

Besides existing legislation, the government is now working on evolving practices and policies regarding cyber-security as a central part of general security doctrine. Some of the initiatives include establishing the National Critical Information Infrastructure Protection Centre (NCIIPC) and the National Cyber Coordination Centre of India (NCCC), which will screen online threats and coordinate with the intelligence agencies to handle issues related to national security. Given not only global cyber threats but India's internal developments in the technology sphere, including such initiatives as Digital India or the Aadhaar project, both expected to accumulate the world's largest personal databases of people, the questions about Privacy Protection and Data Protection and the issue of having reliable and modern Cyber Security Infrastructure to support such projects are yet to be solved."

Creating new policies is definitely an important step for every government in every country, not because it can stop cyber-attacks or eliminate the consequences of massive breaches – this is almost impossible, and the experience of the United States or some European countries where such policies had been adopted much earlier proves that. However, it can help put better security measures in place and predict attacks and their outcomes, because government organizations and private sector companies will be bound to disclose information. This will help security experts study the cases, while it will also increase the accountability of the parties for having strong IT security practices.

The current government has stated that "we believe the best case for government intervention is in the case of market failure." However, in the absence of sufficient expertise in the government, they want to know how governments can correct the market failure leading to insufficient protections afforded by companies to personal data held by consumers. In the United States and elsewhere, this market failure has led to some of the biggest consumer data breaches in recent years: Target, Home Depot, J.P. Morgan, and others. The tools that governments have to correct market failures include legislation, regulation, taxation, and the provision of other economic incentives (loan guarantees, support for insurance and reinsurance markets, etc.). The government may also offer incentives unique to cyber security, such as licensing behavior against cyber intruders that would otherwise violate the Information Technology Act 2000 (amended in 2008) if companies take effective defensive measures.

In 3,000 words or fewer, develop a policy proposal designed to correct this market failure.

You need not confine yourself to the examples discussed, but you are bound by the current government's posture on intervention in case of market failure.
