Implementing Reasonable Security Safeguards: How India's DPDP Act Rules 2025 Leverage the BDSLCCI Cybersecurity Framework 3.0
According to Surfshark's analysis, in 2023, India experienced 5.3 million breached accounts, and in 2022 it was 12.3 million. Despite the decrease, India moved up in the global ranking of breached accounts, from 7th place in 2022 to 5th place in 2023. This indicates that while the number of breaches decreased, India still faced a substantial number of incidents compared to other countries. In Q1 of 2024 alone, 17.1 million online accounts were leaked. In Q2 of 2024, India experienced a significant increase in data breaches, with approximately 33.6 million online accounts being leaked. In Q3 of 2024, India experienced approximately 7.4 million data breaches. In Q4 of 2024, the number of data breaches in India was around 8.1 million.
In 2024, India experienced numerous data breaches, including a BSNL data breach compromising over 278 GB of sensitive data, a personal data leak affecting 7.9 million customers, a WazirX cyberattack stealing $235 million worth of investor holdings, and a BoAt India breach compromising 7.5 million users' personal data.
Also, it would be interesting to check the annual cyber attack analysis report prepared by the SecureClaw Cyber Threat Advisory team.
A data breach involving Personally Identifiable Information (PII) can lead to several types of crimes:
- Identity Theft: Cybercriminals use stolen PII to impersonate individuals, open bank accounts, and take out loans.
- Financial Fraud: Criminals can make unauthorized transactions, drain bank accounts, and commit tax fraud.
- Phishing Attacks: Stolen PII can be used to craft convincing phishing emails or messages.
- Blackmail and Extortion: Criminals may threaten to release sensitive information unless a ransom is paid.
- Account Takeover: Access to PII allows criminals to take over online accounts, leading to further exploitation.
- Social Engineering: Criminals can manipulate individuals or organizations into divulging more information or performing security compromises.
- Corporate Espionage: PII breaches can be part of larger attacks aimed at stealing corporate secrets or intellectual property.
Protecting PII is essential to prevent these and other crimes, ensuring both individual and organizational security.
Below is a verbatim copy of rule "6. Reasonable security safeguards" from the draft rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act.
"6. Reasonable security safeguards. — (1) A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, which shall include, at the minimum,—
(a) appropriate data security measures, including securing of such personal data through its encryption, obfuscation or masking or the use of virtual tokens mapped to that personal data;
(b) appropriate measures to control access to the computer resources used by such Data Fiduciary or such a Data Processor;
(c) visibility on the accessing of such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence;
(d) reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised as a result of destruction or loss of access to personal data or otherwise, including by way of data backups;
(e) for enabling the detection of unauthorised access, its investigation, remediation to prevent recurrence and continued processing in the event of such a compromise, retain such logs and personal data for a period of one year, unless compliance with any law for the time being in force requires otherwise;
(f) appropriate provision in the contract entered into between such Data Fiduciary and such a Data Processor for taking reasonable security safeguards; and
(g) appropriate technical and organisational measures to ensure effective observance of security safeguards.
(2) In this rule, the expression “computer resource” shall have the same meaning as is assigned to it in Information Technology Act, 2000 (21 of 2000)."
With reference to rule 6(2): under the Information Technology Act, 2000 of India, a "computer resource" is defined as any computer, computer system, computer network, data, computer database, or software. This broad definition covers all digital and electronic devices and systems used for processing, storing, and transmitting data, so the access-control, logging and backup obligations in rule 6(1) apply to every such component, not only to the database holding the personal data.
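Rule 6(1)(a) names encryption, obfuscation or masking, and virtual tokens mapped to personal data. The following Python is an added example (not part of the draft rules, the DPDP Act or the BDSLCCI framework) showing two of those measures on a customer record: masking for display and a token vault that substitutes a random token for each PII value so that downstream systems never hold the real value. The record layout, field names, masking rules and the in-memory vault are assumptions made for the example; a production vault would keep its mapping in an encrypted, access-controlled store.

```python
"""Masking and vault tokenization of PII fields.

Added example; not code from the DPDP rules or the BDSLCCI framework.
Record layout, field names and masking rules are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain; star the rest."""
    local, _, domain = email.partition("@")
    if not domain:
        return "*" * len(email)
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def mask_phone(phone: str) -> str:
    """Keep only the last four digits of a phone number."""
    digits = [c for c in phone if c.isdigit()]
    if len(digits) <= 4:
        return "*" * len(phone)
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


class TokenVault:
    """Maps PII values to random tokens ('virtual tokens' in rule 6(1)(a)).

    The vault indexes values by an HMAC fingerprint so that the same value
    always yields the same token without the index itself revealing the value.
    Tokens are random, so they carry no information about the original data.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_value: dict[str, str] = {}
        self._fingerprint_to_token: dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._fingerprint_to_token.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)
            self._fingerprint_to_token[fp] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; raises KeyError for unknown tokens."""
        return self._token_to_value[token]


# Which fields are PII and how each is masked for display (constructed table).
PII_FIELDS = {"email": mask_email, "phone": mask_phone}


def protect_record(record: dict, vault: TokenVault) -> tuple[dict, dict]:
    """Return (masked_view, tokenized_record) for a customer record.

    The masked view is safe to show to support staff; the tokenized record is
    what analytics or third-party processors receive instead of raw PII.
    """
    masked = dict(record)
    tokenized = dict(record)
    for field_name, masker in PII_FIELDS.items():
        if field_name in record:
            masked[field_name] = masker(record[field_name])
            tokenized[field_name] = vault.tokenize(record[field_name])
    return masked, tokenized


if __name__ == "__main__":
    # Constructed sample record and key; a real key would come from a KMS.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    sample = {"name": "Priya", "email": "priya@example.in", "phone": "+91 98765 43210"}
    view, tokenized = protect_record(sample, vault)
    print("masked view:", view)
    print("tokenized:  ", tokenized)
    print("restored:   ", vault.detokenize(tokenized["email"]))
```

Masking is irreversible and suits display and logs; tokenization is reversible only through the vault, which is why the vault itself must sit behind the access controls of rule 6(1)(b) and its lookups must be logged under rule 6(1)(c).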
Two roles defined by the DPDP Act are referred to throughout rule 6:
- Data Fiduciary: This is any person or entity that determines the purpose and means of processing personal data. Essentially, a Data Fiduciary decides why and how personal data should be processed. Examples include businesses, corporations, government bodies, and organizations that collect and control personal data.
- Data Processor: This is any person or entity that processes personal data on behalf of a Data Fiduciary. Data Processors handle data based on the instructions of the Data Fiduciary and do not determine the purpose or means of processing. Typically, these are third-party vendors or service providers.
It is important for both Data Fiduciary and Data Processor organizations to implement all the recommended control areas required by the DPDP Act of India.
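Rule 6(1)(c) requires visibility over who accessed personal data, through logs, monitoring and review, and rule 6(1)(e) requires those logs to be retained for a year so that an incident can be investigated. The following Python is an added example (not from the draft rules, the DPDP Act or the BDSLCCI framework) of the review step: it parses constructed access-log lines and flags a principal whose role is not entitled to the dataset, a bulk read above a threshold, and access from outside the allow-listed network. The log format, role table, network allow-list and threshold are all assumptions made for the example.

```python
"""Access-log review for personal-data access.

Added example; not code from the DPDP rules or the BDSLCCI framework.
The log format, role entitlements, allow-listed networks and the bulk
threshold are constructed for illustration.
"""
import ipaddress

# Constructed log lines: one personal-data access event per line.
SAMPLE_LOG = """\
2025-01-14T09:02:11Z user=asha role=support dataset=customer_pii action=read count=3 src=10.20.1.15
2025-01-14T09:05:40Z user=ravi role=analyst dataset=customer_pii action=read count=5000 src=10.20.2.9
2025-01-14T09:07:02Z user=asha role=support dataset=customer_pii action=read count=2 src=10.20.1.15
2025-01-14T21:15:33Z user=svc_backup role=backup dataset=customer_pii action=export count=120000 src=10.20.9.4
2025-01-14T22:40:10Z user=meena role=marketing dataset=customer_pii action=read count=1 src=203.0.113.7
"""

# Which datasets each role may touch (constructed; marketing has no PII entitlement).
ROLE_ENTITLEMENTS = {
    "support": {"customer_pii"},
    "analyst": {"customer_pii"},
    "backup": {"customer_pii"},
    "marketing": set(),
}
# Internal networks from which PII access is expected (constructed).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Reads at or above this many records in one event are treated as bulk access.
BULK_THRESHOLD = 1000
# Roles whose job is bulk movement of data (e.g. backups under rule 6(1)(d)).
BULK_ALLOWED_ROLES = {"backup"}


def parse_line(line: str) -> dict:
    """Turn 'ts key=value key=value ...' into a dict; count becomes an int."""
    timestamp, *pairs = line.split()
    event = {"ts": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    event["count"] = int(event.get("count", "0"))
    return event


def review_event(event: dict) -> list[dict]:
    """Apply the three review rules to a single event and return findings."""
    findings = []
    base = {"user": event["user"], "ts": event["ts"]}

    entitled = ROLE_ENTITLEMENTS.get(event["role"], set())
    if event["dataset"] not in entitled:
        findings.append({"rule": "unentitled_role", **base})

    source = ipaddress.ip_address(event["src"])
    if not any(source in net for net in ALLOWED_NETWORKS):
        findings.append({"rule": "external_source", **base})

    if event["count"] >= BULK_THRESHOLD and event["role"] not in BULK_ALLOWED_ROLES:
        findings.append({"rule": "bulk_access", **base})

    return findings


def review(log_text: str) -> list[dict]:
    """Review every non-empty line of the log and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(review_event(parse_line(raw)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['user']}: {finding['rule']}")
```

On the constructed log this flags the analyst's 5,000-record read as bulk access and the marketing user both for touching a dataset outside their entitlement and for connecting from a non-allow-listed address, while the backup service's export is expected and passes. Each finding carries the timestamp and user so the investigation required by rule 6(1)(c) can go straight back to the retained log entry.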
"Cybersecurity is right for every business, regardless of its size, location, or revenue! We invite and recommend small and medium-sized businesses to utilize the BDSLCCI framework."
by Dr. Shekhar Ashok Pawar
Visit www.BDSLCCI.com today to know more features and benefits!
SecureClaw’s Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI) framework 3.0 provides defense in depth (DiD) as well as Mission Critical Asset (MCA) cybersecurity.
As shown in the figure, it maps to various policies and guidelines that lower the risk of cyber threats to data privacy in accordance with the rules of the DPDP Act of India. BDSLCCI is well suited to Micro, Small, and Medium Enterprises (MSMEs): it is lower in cost than existing standards or frameworks on the global market, easy to implement, and, alongside DPDP Act-type requirements, it also protects the business by providing cybersecurity controls for MCAs.