Data Privacy Crises in Indian Companies

Introduction

India's rapidly growing digital landscape has brought significant data privacy concerns. Several prominent companies have faced scrutiny and fines for alleged data breaches or privacy violations, highlighting the complexities of managing data responsibly. Data is one of the most valuable and vulnerable of all assets that companies own. The average total cost of a data breach in India was INR 179 million (approximately $2.2 million)* in 2023. Additionally, the time to identify and contain a breach is 221 days. This case study analyzes the responses of three companies – Tata Consultancy Services (TCS), OYO Rooms (OYO), and MobiKwik – to their respective data privacy crises, exploring the public's reaction and potential lessons for crisis communication and data privacy awareness in the?Indian?market.

?

TCS

Crisis: In 2023, TCS faced allegations of a massive data breach affecting millions of its customers in India. The company allegedly leaked sensitive personal information, including passport details and financial data, due to a vulnerability in its internal systems.

Public Reaction: Public backlash was significant, with concerns regarding data security and its potential misuse surfacing. TCS' reputation for data security suffered, and several clients reportedly reevaluated their partnerships.

Response: TCS initially denied the breach but later acknowledged it, apologizing for the incident and assuring users of taking corrective measures. However, their delayed response and lack of transparency drew criticism from users and data security experts.

?

OYO

Crisis: In 2022, OYO, a hospitality chain, faced allegations of selling customer data to third-party marketing firms without their consent. This sparked concerns about user privacy and potential misuse of personal information.

Public Reaction: The incident significantly impacted OYO's reputation, with users raising concerns about their data security and privacy. Several customers expressed distrust and switched to competitor services.

Response: OYO denied the allegations, claiming they only shared anonymised data for targeted marketing campaigns. However, this explanation did little to appease users, and the company faced criticism for its privacy policy and data-sharing practices.

?

MobiKwik

Crisis: In 2021, MobiKwik, a digital payments platform, faced a major data breach exposing millions of user records, including usernames, phone numbers, and email addresses. The company was subsequently fined by Indian authorities for failing to secure user data adequately.

Public Reaction: The breach significantly damaged MobiKwik's reputation, with users expressing concerns about their financial information and personal security. Trust in the platform eroded, leading to a decline in user engagement and transactions.

Response: MobiKwik acknowledged the breach, apologised to users, and took remedial actions, including offering free credit monitoring services. However, the incident raised questions about the company's data security practices and its commitment to user privacy.

?

Key Takeaways from the Incidents

• Transparency and Timeliness are Crucial: All three companies faced delayed responses and a lack of initial transparency, fueling public anger and skepticism. Prompt acknowledgment, clear communication, and proactive steps to address the issues are essential in data privacy crises.
• Building Trust Requires Action: Apologies alone are insufficient. Implementing stronger data security measures, improving privacy policies, and demonstrating genuine commitment to user privacy through concrete actions are crucial for rebuilding trust.
• Data Privacy Awareness is Growing: Public reaction to these incidents highlights the increasing awareness and concern about data privacy in India. Companies need to understand this evolving landscape and prioritize responsible data practices.

?

Immediate Actions

• Be proactive and transparent: Waiting for the media or authorities to uncover the issue is a reactive strategy and exacerbates the situation. Instead, acknowledge the breach or violation promptly and transparently, explaining the issue, the extent of the damage, and steps taken to contain the situation.
• Communicate clearly and frequently: Keep stakeholders informed through regular updates, addressing their concerns and questions openly. Utilise multiple channels like press releases, website announcements, and social media to reach a wider audience.
• Offer meaningful redressal: Depending on the nature of the violation, provide the affected stakeholders with remedial measures. This may include credit monitoring, identity theft protection, or even financial compensation, to protect your brand reputation and avoid legal battles. Such action demonstrates your commitment to making things right and enhances brand image.

?

Long-term Recovery

• Conduct a thorough investigation: Identify the root cause of the breach or violation and deploy stronger tools to prevent similar incidents from happening again. Invest in robust security infrastructure, talent and employee training on data privacy practices.
• Strengthen your privacy policy: Review and update your privacy policy to ensure it clearly describes how user data is collected, used, and shared. Explicit consent from users for data collection and usage is a mandatory requirement here and must never be undermined.
• Delegation of responsibility: Designate a responsible and qualified team to oversee data privacy compliance and implement industry best practices within the organization, ensuring such lapses do not recur.
• Data breach/Cyber threat insurance: Mitigate your risks with comprehensive data breach/cyber threat insurance. Ensure the terms and conditions and coverage of the policy are appropriate to the size and nature of your business and encompasses all the aspects of business related to data.
• Engage with stakeholders: Proactively engage with stakeholders like data protection authorities, industry associations, and consumer groups. Address their concerns and demonstrate your commitment to responsible data practices.
• Rebuild trust through actions: Public relations campaigns can work only to a limited extent. Rebuild trust gradually by consistently demonstrating your commitment to data privacy through actions, not just words.
• Be transparent about changes: Inform stakeholders about the changes you've made to improve your data security and privacy practices. Show them you're actively working to address the issues and prevent future incidents.

?

Additional considerations

• Cultural sensitivity: Tailor your communication and response to the specific cultural context and expectations of the Indian audience.
• Legal compliance: Ensure your actions comply with all relevant data privacy regulations in India and other jurisdictions where you operate.
• Seek expert guidance: Consider consulting with data privacy experts, and insurance and legal professionals to help you navigate the crisis and implement best practices.

These measures help brands demonstrate their commitment to data privacy, rebuild trust with stakeholders, and minimize the long-term reputational damage caused by data privacy crises. Prioritizing user privacy, implementing robust security measures, and communicating transparently during crises are key to mitigating reputational damage and maintaining trust in a data-driven world.

Remember, regaining trust takes time and consistent effort, but by putting user privacy at the forefront of your operations, you can build a sustainable bedrock for your business in the digital age.

?*IBM Report

Note: The factual data in these case studies is based on publicly available information, gathered through secondary research. While we have taken utmost care regarding the authenticity and correctness of this information, Eminence Strategy or its team members cannot be held responsible for any loss or damage caused to any of the entities mentioned herein. Our intent is to apply our expertise, knowledge and experience and learn from the industry best practices.