Emergence of IoT in Manufacturing Sector raises Data Privacy Concerns

May 22, 2025

By Anuradha Gandhi and Rachita Thakur

Introduction

In April 2024, an Indian consumer-wearables manufacturer suffered a data breach in which the personal data of approximately 7.5 million users was posted on the dark web. The breach, allegedly carried out by a hacker, exposed sensitive personal information including names, addresses, phone numbers, email addresses and customer IDs; approximately 2 gigabytes of personally identifiable information (PII) were released on dark-web forums.[1] Globally, according to the Sophos ‘State of Ransomware in Manufacturing’ report for 2024, 60% of manufacturing companies that suffered a ransomware attack paid the demanded ransom, and the average ransom paid by manufacturing companies was USD 1.2 million.[2]

Developments raising concerns of Data Privacy in the Manufacturing Sector

  1. Ransomware attacks: According to an IDC ransomware study, 76% of the surveyed manufacturing entities reported being hit by a successful ransomware attack since 2022, which makes manufacturing one of the three sectors most susceptible to ransomware attacks, both in India and worldwide.[3]
  2. Disruption of Business through Denial of Service Attacks: In November 2024, a threat actor operating as “Matrix” was reported to have compromised IoT devices to build a global botnet for distributed denial-of-service (DDoS) attacks. Matrix targeted devices with known vulnerabilities and deployed the ‘Mirai’ botnet malware on the compromised machines.[4] For a manufacturer the exposure is twofold: its own connected plant equipment can be conscripted into such a botnet, and so can the consumer devices it ships if they leave the factory with known vulnerabilities.
  3. Emergence of ‘Internet of Things’ in the Manufacturing Sector: Internet of Things (hereinafter referred to as ‘IoT’) technology is being used to build smart infrastructure in sectors such as power, automotive, safety and surveillance, health, agriculture and smart cities.[5] In manufacturing, IoT aims to transform both traditional and emerging industries, making them more innovative and cost-efficient: by leveraging these technologies, manufacturing businesses can optimize their processes and gather data that improves efficiency.[6] The global IoT-in-manufacturing market is estimated to grow at 11.9% per year.[7]
  4. Risks associated with IoT devices: Research by Palo Alto Networks found that approximately 57% of IoT devices run outdated operating systems, lack encryption or use weak credentials.[8] Each of these is a weakness that the security provisions of the TEC Code of Practice discussed below are designed to address.
  5. Large-Scale Security Threats: With the exponential growth of the IoT, the number of connected devices in both civilian and military contexts is surging. The ecosystem links billions of devices, from smart-home appliances to military-grade equipment, and a vulnerable device can be exploited wherever it sits, including in smart cities, critical infrastructure and defence systems. A single remotely issued command could cause widespread disruption or destruction, akin to the havoc caused by the tampered pagers in the September 2024 attack in Lebanon.[9] That attack relied on devices tampered with before they reached their users rather than on a software flaw, which is precisely why the supply-chain and software-integrity obligations discussed below matter to manufacturers.

How does India regulate Data Privacy in the Manufacturing Sector?

  1. Prescription by the Bureau of Indian Standards (hereinafter referred to as ‘BIS’) – On November 20, 2020, the BIS published IS 17428,[10] a data privacy assurance standard for the protection of personal data that entities in any industry domain may adopt.
    1. Applicability –
      The standard applies to the management and engineering operations of organizations that process personal data in electronic form, in any industry domain in which individuals in a business association provide their personal information; this includes the manufacturing industry.[11]
    2. Scope – Certification against the standard is voluntary. However, the central government has from time to time made compliance with various BIS standards compulsory through Quality Control Orders, on grounds including the public interest and the prevention of unfair trade practices.[12] Even where it remains voluntary, the standard can help manufacturing companies align with baseline requirements that conform to global standards and best practices.
    3. Privacy in Engineering Operations – This covers the development life cycle of any product, service or solution that involves the processing of personal data. The entity shall build data privacy aspects into the entire personal data life cycle, including collection, processing operations, archival and decommissioning.[13]
      These aspects include –

      • Privacy Notice – Provide a privacy notice to the individual prior to the collection of personal data[14]
      • Choice – Give the individual a choice about the data intended to be collected
      • Consent – Obtain lawful and fair consent[15]
      • Accuracy of Personal Information – Ensure that personal information is kept accurate throughout the life cycle of personal data, and any incorrect information is promptly corrected.[16]
      • Confidentiality – Adopt and implement an information security program to ensure confidentiality, integrity and availability of personal information.[17]
      • Disclosure to third parties – Disclose personal information only when necessary and with the consent of the individual, unless required by law.[18]
      • Data Retention – Retain personal information only for the duration required by law or by the business purpose, according to a documented personal data retention policy.
      • Right to Erasure – Delete personal data on the specific request of the individual, unless applicable regulations prohibit deletion.
      • Data Anonymization – Where data needs to be preserved for statistical or research purposes, adopt irreversible de-identification techniques such as anonymization;[19] reversible pseudonymization, where a separately held key can restore the individual's identity, does not satisfy this requirement.
      • Rights of Data Subjects – Ensure that the right to personal data portability, the right to object to profiling and automated decision-making, and the right to object to processing are not violated.[20]
    4. Privacy in Management operations – The organization shall implement certain privacy aspects in its management operations[21]:
      • Data Privacy Function – The organization must create a data privacy function by identifying a competent and qualified person who is accountable for data privacy in the organization.[22]
      • Data Privacy Management System – The organization must establish a data privacy management system (hereinafter referred to as ‘DPMS’) that acts as the baseline and reference point for determining its data privacy requirements.[23]
      • Privacy Policy – The organization must formulate a privacy policy that records the commitment of top management to fulfilling the data privacy objectives and requirements, and the privacy principles the organization adopts to guide all activities involving the processing of personal information.[24]
      • Processes and Guidelines – Define, document and implement processes, procedures and guidelines on how the organization intends to achieve privacy objectives and comply with privacy policies.[25]
      • Records and Documents Management – Maintain records of processing activities that demonstrate accountability towards its data privacy compliance.[26]
      • Privacy Impact Assessment – Conduct privacy impact assessment for various changes that get triggered from time to time and which may impact data privacy of individuals.[27]
      • Data Processor Management – Define and document how data processors which process personal information on behalf of the organization are evaluated, determined to be suitable and made accountable to minimize the risk of a personal data breach or data privacy incident.[28]
      • Privacy Incident Management – Establish and document mechanism to manage data privacy incidents and personal data breaches.[29]
      • Grievance Redressal – The organization must implement a grievance redress mechanism to handle grievances promptly.[30] The organization must also establish and document mechanisms to respond to and serve requests from an individual.[31]
      • Employee sensitization – Ensure that the staff and contractors handling personal information shall be competent, kept aware and their accountability is established for any actions related to processing of personal information.[32]
      • Monitoring and Review – Put in place mechanisms such as periodic audits that allow management to periodically monitor and review the DPMS.[33]
        Part 2 of IS 17428 supplements these requirements with engineering and management guidelines on how each of the above aspects is to be implemented.[34]
  2. Code of Practice for Securing Consumer Internet of Things, 2021[35] (hereinafter referred to as ‘COPSCIT, 2021’) – In August 2021, the Telecommunication Engineering Centre (hereinafter referred to as ‘TEC’) of the Department of Telecommunications (hereinafter referred to as ‘DoT’) released the COPSCIT, 2021, which addresses the security and data privacy of consumer IoT devices and of the entities that manufacture and supply them.
    1. What is IoT?: A seamlessly connected network of embedded objects or devices, each with an identifier, in which machine-to-machine communication is possible without human intervention, using standard and interoperable communication protocols. Phones, tablets and PCs are not treated as IoT devices.[36]
    2. Applicability and Scope: The COPSCIT, 2021 lays down a set of advisory guidelines for IoT Device Manufacturers, IoT Service Providers, IoT System integrators, Mobile Application Developers and Retailers to align with baseline requirements conforming to global standard and best practices.[37]
    3. Who are IoT Device Manufacturers? Entities that provide an assembled final consumer IoT product; such a product may contain the products and components of other suppliers.
    4. Who are IoT Service Providers and System Integrators? Companies that provide services such as networks, cloud storage and data transfer, packaged as part of IoT solutions.[38]
    5. Data Privacy obligations for IoT device Manufacturers:[39]
      • Disclosure – IoT device manufacturers must transparently inform consumers about what personal data is processed, how it is used, who is responsible for it and for what purposes, including any third-party involvement such as advertisers. If telemetry data is collected, consumers must likewise be told what is collected, how it is used, who is responsible for it and for what purposes.
      • Consumer Consent and Manner of Obtaining Consent – Where personal data is processed on the basis of consent, that consent must be obtained validly: consumers must be given a clear, explicit and voluntary opt-in choice, with an understanding of how their personal data will be used for a specific purpose.
      • Right to Withdraw Consent – Consumers who have consented to the processing of their personal data must be able to withdraw that consent at any time, and must be able to protect their privacy by appropriately configuring the functionality of IoT devices and services.
      • Data Minimization – The processing of personal data must be limited to what the intended functions require.
      • Security Measures – IoT devices must not have universal default passwords; manufacturers must maintain a means to receive and manage reports of vulnerabilities, keep IoT software updated, ensure software integrity, securely store sensitive security parameters and minimize the attack surface exposed to cyber-attacks.[40] These provisions are aligned with the ETSI EN 303 645 baseline for consumer IoT security. In practice, ‘no universal default passwords’ means that each unit ships with a credential that is unique per device or is set by the user at first use, rather than a factory password shared across the product line, and ‘software integrity’ is ordinarily met by having the device verify a cryptographic signature on firmware before installing or booting it, so that an update from anyone other than the manufacturer is rejected.

Rishabh Gupta, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.

[1] https://www.business-standard.com/companies/news/boat-suffers-data-breach-personal-data-of-75-lakh-users-leaked-on-dark-web-124040801022_1.html

[2] https://www.manufacturingtodayindia.com/manufacturing-and-production-industries-are-facing-a-41-increase-in-ransomware-attacks-over-four-years-with-no-end-in-sight

[3] https://manufacturing.economictimes.indiatimes.com/news/hi-tech/empowering-the-indian-manufacturing-sector-with-cyber-sresiliency/118537101#:~:text=According%20to%20an%20IDC%20Ransomware,both%20in%20India%20and%20worldwide.

[4] https://asimily.com/blog/the-top-internet-of-things-iot-cybersecurity-breaches-in-2024/

[5] https://www.meity.gov.in/sites/upload_files/dit/files/Draft-IoT-Policy%20%281%29.pdf

[6] https://katanamrp.com/iot-in-manufacturing/

[7] https://www.marketsandmarkets.com/Market-Reports/iot-manufacturing-market-129197408.html#:~:text=The%20global%20IoT%20in%20Manufacturing,projected%20to%20reach%20%2487.9%20billion.

[8] https://www.infosecurity-magazine.com/news/iot-data-breach-exposes-27-billion/#:~:text=Risks%20of%20IoT%20Data%20Breaches&text=Research%20by%20Palo%20Alto%20Networks,need%20for%20better%20security%20protocols.

[9] https://www.expresscomputer.in/exclusives/lessons-from-the-lebanon-pager-bombing-attack-threats-by-remote-execution-and-activating-sleeper-devices-in-the-context-of-iot-and-connected-devices/116217/

[10] https://archive.org/details/gov.in.is.17428.1.2020/page/n9/mode/1up?view=theater

[11] Clause 1, IS 17428 (Part 1):2020, Bureau of Indian Standards

[12] https://www.bis.gov.in/wp-content/uploads/2021/07/Guidance-document-on-QCOs-Revised-1.pdf

[13] Clause 4, IS 17428 (Part 1):2020, Bureau of Indian Standards

[14] Clause 4.2.2, IS 17428 (Part 1):2020, Bureau of Indian Standards

[15] Clause 4.2.3, IS 17428 (Part 1):2020, Bureau of Indian Standards

[16] Clause 4.2.5, IS 17428 (Part 1):2020, Bureau of Indian Standards

[17] Clause 4.2.6, IS 17428 (Part 1):2020, Bureau of Indian Standards

[18] Clause 4.2.7, IS 17428 (Part 1):2020, Bureau of Indian Standards

[19] Clause 4.2.8, IS 17428 (Part 1):2020, Bureau of Indian Standards

[20] Clause 4.2.9, IS 17428 (Part 1):2020, Bureau of Indian Standards

[21] Clause 5, IS 17428 (Part 1):2020, Bureau of Indian Standards

[22] Clause 5.2, IS 17428 (Part 1):2020, Bureau of Indian Standards

[23] Clause 5.3, IS 17428 (Part 1):2020, Bureau of Indian Standards

[24] Clause 5.4.1, IS 17428 (Part 1):2020, Bureau of Indian Standards

[25] Clause 5.4.2, IS 17428 (Part 1):2020, Bureau of Indian Standards

[26] Clause 5.5, IS 17428 (Part 1):2020, Bureau of Indian Standards

[27] Clause 5.6, IS 17428 (Part 1):2020, Bureau of Indian Standards

[28] Clause 5.7, IS 17428 (Part 1):2020, Bureau of Indian Standards

[29] Clause 5.9, IS 17428 (Part 1):2020, Bureau of Indian Standards

[30] Clause 5.11, IS 17428 (Part 1):2020, Bureau of Indian Standards

[31] Clause 5.10, IS 17428 (Part 1):2020, Bureau of Indian Standards

[32] Clause 5.12, IS 17428 (Part 1):2020, Bureau of Indian Standards

[33] Clause 5.13 and 5.14, IS 17428 (Part 1):2020, Bureau of Indian Standards

[34] https://archive.org/details/gov.in.is.17428.2.2020/page/n5/mode/1up?view=theater

[35] https://www.tec.gov.in/pdf/M2M/Securing%20Consumer%20IoT%20_Code%20of%20pratice.pdf

[36] https://www.meity.gov.in/sites/upload_files/dit/files/Draft-IoT-Policy%20%281%29.pdf

[37] Chapter 1, Pg. 4, Code of Practice for Securing Consumer Internet of Things (IoT), TEC 31318:2021, Department of Telecommunications

[38] Chapter 5, Pg. 14, Code of Practice for Securing Consumer Internet of Things (IoT), TEC 31318:2021, Department of Telecommunications

[39] Chapter 4, Pg. 13, Code of Practice for Securing Consumer Internet of Things (IoT), TEC 31318:2021, Department of Telecommunications

[40] Chapter 3, Pg. 6-12, Code of Practice for Securing Consumer Internet of Things (IoT), TEC 31318:2021, Department of Telecommunications

 

For more information please contact us at: info@ssrana.com