A Call For Regulatory Shift & Invoking No Fault Liability

In the digital age, the security and resilience of critical infrastructure has become a paramount concern for nations worldwide. The recent Microsoft cloud outage, which caused widespread disruptions to various services and applications, has highlighted the world’s uninhibited dependency on private companies and the urgent need for policymakers to mitigate the risks of such data outages with a regulatory framework.Critical infrastructure refers to the essential systems or sectors of any nation, which if faced by any disruption, whether physical or virtual, would debilitate a nation’s public health, safety and security, and economic stability. When a global data outage of the scale we saw in Microsoft’s case occurred, it took down with it the functioning of key sectors like aviation, healthcare, banking, trading, federal agencies, etc. What is more unfortunate is that this is not a one-off incident. This risk is inherent to any cloud-based system. Examples of this can be seen in 2023 global disruption in Microsoft 365 apps; X Corp’s outage in 2023; and other significant data outages reported year on year. Why regulatory framework?The Microsoft outage apparently stemmed from a software update of Microsoft products, pushed by cyber security firm Crowdstrike. In the current scheme of things, their operations are predominantly governed by private agreements, formally referred to as ‘Service-level agreements’. These agreements are typically focused on business development and not security measures. Undisputedly, system failures can result in significant financial losses for clients and end-users. Companies should bear some of this cost to incentivise better practices. Holding companies accountable encourages investment in robust architecture, testing, and disaster recovery plans. Therefore, it becomes increasingly imperative for policymakers to explore measures to strengthen the protection of critical information infrastructure and hold corporations accountable for their negligence.Currently, there are minimal penalties for such outages, with little to no consequences unless they are a result of a cyber or terrorist attack on the critical information infrastructure. This seems like an escape route for big corporations, emphasising the need for a comprehensive framework to ensure that they are taking the necessary precautions to avoid such disruptions to the critical infrastructure of nations.Preventive measuresBhavish Aggarwal’s decision back in May to move the workload of his company OLA Cabs out of Azure, Microsoft’s cloud computing platform which was central to the outage, is nothing short of a precognition. “Govt needs to recognise the risk of our data residing globally and bring more stringent data localisation norms,” he said after the global crisis.“Sovereign nations must drive localised data & tech stacks, sectoral foreign ownership/mgmt norms etc, to mitigate such risks,” Jay Kotak said.Data localisation restricts data storage and processing inside a country’s borders. It is not a novel concept to India. Post liberalisation in 1991, the Central government enacted the Public Records Act 1993 to regulate the management, administration, preservation and security of public records (of government and its agencies). It includes material produced by a computer or by any other device and Section 4 thereof specifically prohibits taking of public records out of India, without the prior approval of the Central Government.The Insurance Regulatory and Development Authority of India has issued Regulations mandating insurance companies to store electronic data, with respect to policies and claims, at data centres located and maintained in India. The Reserve Bank of India has also issued Directives, requiring organisations to store payment data within India. This includes end-to-end transaction details and information that the system provider collects or processes in carrying out the payment instruction. The Ministry of Electronics and Information Technology also released Guidelines for government departments executing contracts providing cloud services to incorporate clauses for data localisation.Given the existing literature, it will not be very challenging for the government to introduce data localisation laws in the private sector. However, developing the infrastructural maturity in different regions is a time and resource-constrained task. Measures must be taken to implement a more rigorous legal framework, and ensure that big corporations prioritise the security and stability of critical information infrastructure, reducing the risk of such outages occurring in the future. One key element of this framework should be the enforcement of best in class security standards and risk management protocols for critical infrastructure operators.The Government may mandate regular security audits to ensure companies handling critical information infrastructure properly maintain redundancy and backup mechanisms– to diminish disaster recovery time and ensure business continuity. This includes imposition of multi-cloud strategies, establishment of multiple data centres, regular backup cycles and mandatory off-site storage.Beta testing is another safety net which the Government may wield to protect critical information infrastructure against potential outages. Further, mass deployment of a software or its update may clog roll back strategies, as was the case with Microsoft. Thus, the Government may consider mandating blue/green deployment, where experts keep the current application version running till the new application version is successfully released in an identical environment.Mandatory load balancing is another feature, whereby the Government may stipulate that fresh deployments will not include critical infrastructure, until they are successfully deployed for non-critical infrastructure.The National Critical Information Infrastructure Protection Centre may impose sanctions and penalties for non-compliance of such regulatory framework.Penalties in case of outageIn the age of cyber civilisation, we propose that the environment must be read to include the digital ecosystem of every nation. If that be so, companies handling critical information infrastructure should come under the ambit of absolute liability, as do enterprises engaged in hazardous or inherently dangerous substances or objects. Even the US Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly had suggested holding tech companies liable for selling “vulnerabilities”.At global level, Governments may borrow from international law, utilising notions of No-Harm principle to hold Corporations accountable for causing disruption to the functioning of critical infrastructure of nations. These are recognised principles of international customary laws that bind States to ensure that any risk to the environment of other States is prevented, controlled, or mitigated.Adoption of such principles is however effective only when the Governments ensure that limitation and exclusion clauses incorporated by companies in service agreements to limit their liability do not override. Companies should be directed to maintain appropriate insurance coverage and establish compensation policies for affected customers.Governments may also mandate a termination clause, empowering the affected client to exit the contract and seek damages for business interruption losses. Dispute resolution clauses will further position the client at a tactically advantageous position to exert pressure, without formally ending the contract.Concluding RemarksThe larger question that demands investigation is if nations can continue to stir away from cooperating on global cyber security and stability issues in the guise of national priorities and technical incompatibility. Needless to say, power concentration in a select few big corporations can create fragile ecosystems. By investing in these alternative approaches, we can reduce the vulnerability of critical infrastructure and mitigate the impact of potential data outages. Policy makers must address this issue comprehensively and prioritise the security of critical information infrastructure. By implementing both legal and technical measures, we can safeguard critical infrastructure from potential data outages and ensure the stability of our digital ecosystem.Akshita is a Senior Associate Editor with LiveLaw. She can be reached at [email protected] Anamika is a tech law enthusiast and an Assistant Professor of Law at the Gujarat National Law University. She can be reached at [email protected] Views personal.

Source link

  • Thiruvenkatam

    Thiru Venkatam is the Chief Editor and CEO of www.tipsclear.com, with over two decades of experience in digital publishing. A seasoned writer and editor since 2002, they have built a reputation for delivering high-quality, authoritative content across diverse topics. Their commitment to expertise and trustworthiness strengthens the platform’s credibility and authority in the online space.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.