Data breach: “Make independent and non-executive directors liable”


NEW DELHI: Independent directors and non-executive directors in a leading company in the field of social media, the Internet or electronic material should also be subject to legal and criminal proceedings for willful misdemeanors related to data breaches and in cases of complicity or negligence, the parliamentary panel on the protection of personal data (PDP) said.
The committee, which went to the extreme in the various provisions of the Personal Data Protection Bill, 2019, advocated the inclusion of non-executive directors in cases of breaches committed by companies. “… The committee wishes that a reservation… can be inserted to cover these two categories of directors,” it said, while making the key recommendation.
However, the Joint Parliamentary Committee (JPC) – headed by top BJP leader and former minister PP Chaudhary – said such a director should be held responsible only “if it is shown that acts of omission or commission of the company have taken place to his knowledge or with his consent attributable to him or when he has not acted diligently.”
The original PDP Bill had said that, apart from actions against the company for the violations, those subject to an action for aiding or abetting would be the executive directors, director, secretary or other company executives.
The JPC report, while broadening the scope of officials who will be prosecuted, nevertheless called for leniency when a person has succeeded in proving his innocence. “… the person will be free from ‘procedure’ and ‘punishment’ once he has proven his innocence … (and) that the offense was committed without his knowledge or that he did demonstrate all due diligence to prevent the commission of such offenses.”
The recommendations of the panel – which also includes members such as Jairam Ramesh, Manish Tewari, Vivek Tankha and Gaurav Gogoi (from Congress), Derek O’Brien and Mahua Moitra (from Trinamool Congress) and Amar Patnaik (from Biju Janata Dal) – also addressed the issue of requiring companies to report any data breach to the proposed Data Protection Authority (DPA) within 72 hours.
The original bill made no mention of a specific timeframe within which companies had to report data breaches to authorities, even though advanced laws such as the European GDPR prescribe 72 hours for such notifications. Stating that the current arrangements are open-ended and do not mention any specific timeline, the Committee said “there should be a realistic and limited time frame” for reporting a data breach to the Authority. “The Committee therefore recommends… 72 hours to report a data breach.”

