CIO

Where Prime Focus lost the Game of Thrones plot

The GoT episode leak aggravates the problem of insider threats in enterprises. Cybersecurity expert Prashant Mali elaborates on the legalities of data protection and employee monitoring.

Two major dramas recently unfolded at the HBO office, Star India, and Prime Focus. One was season seven of Game of Thrones; the second was its leaks before the scheduled air time. The cybercrime made the entertainment and media industry wake up and take notice, and the focus shifted to India.

Mumbai police arrested four employees—three present and one former—of Prime Focus, an independent agency that manages data for Star India, for allegedly leaking 'Spoils of War', the fourth episode of the seventh season of Game of Thrones. The allegation: accessing the episode without authorization and subsequently releasing it unlawfully.

When the popularity of the show, the credibility of the channel, and huge investments are at stake, such cybercrimes bring back the question of employee and third-party trust. Insider threats have been the major cause of cyber attacks and panic among CISOs in recent times.

In an exclusive interview with CSO Online, Prashant Mali, a lawyer at Bombay High Court and a cybersecurity expert, discusses how third-party sources can be trusted with sensitive data and ways of strengthening employee monitoring.

With Prime Focus' employees getting arrested, how much can independent companies be trusted with sensitive data?

Poor employee-awareness about the law, and weak service level agreements lead to such big incidents of data theft and leakage. I feel Star is equally responsible if they have not followed reasonable security practices.

Trust is a factor in the corporate world, which should be protected by indemnification agreements. The company has to trust its outsourcing vendor and the vendor has to trust its employees. This can be achieved by signing cascading agreements and making parties responsible. But many a time, a human being is the weakest link, who doesn't care about agreements.

Employee awareness programs about data theft laws need to be undertaken. Agreements should be vetted for checking how the indemnification is provided against such losses. Cyber insurance should be taken, guarding against data theft/leakage.

With insider threat on the rise and former employees stealing data, what precautions can private companies adopt?

Companies can secure themselves for data breach incidents where the damages and compensation claimed by victims or losses thus incurred can be recovered from insurance companies, thus limiting the losses. These policy documents should always be vetted by a specialist lawyer before paying the first premium.

How can employee monitoring be strengthened in India? How can companies ensure that employee privacy is maintained too?

Employee monitoring can only happen to the limit specified in employee agreements, or rules and regulations to which employees agree. CCTV real-time monitoring, monitoring data upload and download in real time, disallowing storage devices, and disallowing mobile internet dongles in sensitive premises can be a few steps.

Organizations need to have efficient log-monitoring processes and systems in place which give real-time analysis of employees. The best would be to top up with machine learning algorithms.

What are the legal remedies for data theft in India?

Data theft can be handled in both criminal and civil domains. The victims can file an FIR in the police station under Section 43(a), read with Section 66 of the Information Technology Act, 2000. Victims can file a civil suit for compensation up to Rs. 5 crore with an Adjudication Officer who is the principal secretary of the state. It can also be filed with the High Court, if the compensation exceeds Rs. 5 crore. Victims can go to arbitration in case of damages and compensation.

What immediate steps should CISOs take when informed of the breach?

CISOs should inform CERT India, or the relevant sectoral CERT, if any. They should inform the insurance company if cyber insurance is taken and file an FIR so the law is put in motion.

Data Protection manual

Standardize clauses in agreements

Track data at rest, data in motion and data in use, if possible in real time

Have periodic audits at the vendor location to check for authorized or unauthorized data leakages

Always announce data leakage in industry, as your peers can take precaution from such vendors

CISO's guide to tackling insider threat

Revoke permissions when users change designations

Permit on a “need to know” basis

Occasionally swap responsibilities of security managers

Closely watch outside access

Use monitoring systems for sensitive files

Have an audit trail of events