Employee/Customer Data On Black Market Triggers Federal And State Laws

Star Health Insurance is facing regulatory scrutiny following allegations that a senior executive sold personal data of over 31 million customers. This incident has highlighted the urgent need for India to expedite the implementation of the Digital Personal Data Protection Act, 2023, which can impose heavy fines and stringent penalties on companies failing to secure data.

Legal experts emphasize the importance of regular audits and assessments of data security practices for businesses, aligning with global standards. The new Act mandates that data fiduciaries must protect personal data in their possession by taking reasonable safeguards to prevent breaches.

The breach has also brought attention to the need for timely disclosure of such incidents. The alleged data breach at Star Health Insurance underscores the vulnerabilities in data protection and the potential legal ramifications for companies that fail to secure personal data. https://legal.economictimes.indiatimes.com/news/corporate-business/star-health-faces-regulatory-scrutiny-over-alleged-data-breach-experts-warn-of-legal-ramifications/114176484 (Oct. 12, 2024).

Commentary

The matter reported above occurred in India. In the United States, federal laws exist to protect confidential user information, including:

  • Computer Fraud and Abuse Act: This law prohibits unauthorized access to computers and networks, which can include the theft or sale of confidential information stored on computer systems.
  • Federal Trade Commission Act: Under Section 5(a)(1) of the FTC Act, it is considered an unfair or deceptive trade practice to misuse information collected in a confidential context for purposes not explicitly requested by the individual, without their affirmative express consent.
  • Health Insurance Portability and Accountability Act: If the confidential information includes protected health information (PHI), selling it without authorization can violate HIPAA, which imposes strict penalties for unauthorized disclosure of PHI.

Several states in the United States have enacted their own privacy laws to regulate the sale and protection of confidential consumer information:

  • California Consumer Privacy Act (CCPA): This law gives California residents the right to know what personal data is being collected about them, to whom it is being sold, and the ability to access, delete, and opt out of the sale of their personal data.
  • Virginia Consumer Data Protection Act (VCDPA): This law provides Virginia residents with rights like those under the CCPA, including the right to access, correct, delete, and opt out of the sale of their personal data.
  • Colorado Privacy Act (CPA): This law grants Colorado residents the right to access, correct, delete, and opt out of the sale of their personal data, and requires businesses to conduct data protection assessments for certain processing activities.
  • Connecticut Data Privacy Act: This law provides Connecticut residents with rights to access, correct, delete, and opt out of the sale of their personal data, and requires businesses to implement data security measures.

The final takeaway is that the sale of private information is a serious crime in the United States and many states. Organizations that store private information should take extreme care to safeguard it.
