Blockchain is a relatively new form of technology that acts as an incorruptible digital ledger and keeps a record of all data or transactions virtually[1]. Broadly, as a digital ledger, blockchain can record a wide range of quantities, from physical assets to electronic cash.
In our understanding, the technology is widely being considered for application, to varying extents, across various industries for purposes such as bookkeeping and preventing common frauds perpetrated by manipulating the history of data or transactions. As the data entered on the blockchain provide a clear trail to the very start of the blockchain, any individual record or transaction can be investigated and audited fairly easily.
Is the Technology (and underlying Data) Secure?
Once a blockchain is designed and put into place, we understand that all its data becomes decentralized. The records it contains are then verifiable by all machines on the network, and no centralised version of this information exists for any party or hacker to corrupt. Thus, no single person controls the contents of a blockchain[2].
It is interesting to note that there are presently no recorded events of data loss or collapse due to the failure of this technology in the public domain. Since a blockchain, much like the Internet, is comprised of a vast network of independent machines, robustness is built-in to the extent that identical blocks of the same information stored across this network can neither be controlled by any one entity, nor can they have a single point of failure, even if a majority of the servers are taken offline.
Existing implementation in India
Pursuant to the widespread acknowledgement of its possible utility, blockchains are now being adopted by companies and governments across various countries. Sources in the public domain indicate that in the USA, the Department of Homeland Security has discussed the potential of blockchain in countering misinformation and foreign propaganda[3]. Elsewhere, the Brazilian government has recently announced its intention to move electoral voting and community petitions onto a blockchain, while Chile is already using the technology to track data and finances from the energy sector through digital ledgers[4], which are available for citizens to review.
India has also seen a few segmental adoptions of the technology, with some public authorities and private entities acknowledging its potential benefits. Press reports indicate that, while speaking specifically about digital currencies, the Finance Minister of India recently remarked on how the government was looking to "explore [the] use of blockchain technology proactively". The Andhra Pradesh Government has also signed an MoU with various technology companies to implement a blockchain ecosystem in the State. It has proposed to move all its department data relating to property titles and vehicle ownership records of the State onto a blockchain-based platform to prepare a unified register, accessible to authorised personnel[5]. Almost 100,000 land records in the state are now stored on blockchain.
Adoption in the Insurance Industry
Insurance business is built in large part on policyholders' trust vis-à-vis the accountability of insurance companies. Incidents that compromise the protection of personal and proprietary data of its policyholders may not only result in regulatory consequences for the defaulting parties, but also in undermining the policyholders' confidence in the sector. Since the technology and design of a blockchain are broadly believed to be considerably secure, the integration of blockchain into insurance companies' databases may help cater to the sector's need for data integrity and management.
Recent press reports indicate that some Indian insurance companies have already started contemplating various forms of implementation of the technology. It is reported that a consortium of the 15 leading Indian life insurers has partnered with a global technology firm to develop a blockchain solution facilitating cross-company data sharing for the specific purposes of reducing fraud and money-laundering in the sector[6].
Blockchain & the Cyber Security Guidelines
Notwithstanding the foregoing, we note that not all blockchains are created equal, and it is imperative to consider if the technology could be considered at odds with the existing data protection and security regime in India.
The IRDAI has on more than one occasion stressed the need for data security and storage in the insurance sector and issued various circulars and guidelines from time to time in this regard. In 2015, the IRDAI laid down the "Guidelines on Information and Cyber Security" of 7th April 2017 (Cyber Security Guidelines). The Cyber Security Guidelines require all Insurers to have in place governance mechanisms and requisite IT infrastructure to ensure the security of any and all data created, collected, maintained and shared, irrespective of their form or place of storage.
However, implementation of a new technology such as blockchain may not necessarily be completely compliant with the extant insurance statutory and regulatory framework. We have thus analysed the contours of blockchain technology vis-à-vis the provisions of the Cyber Security Guidelines, with respect to the potential usage in the Indian insurance sector in the future:
- Per ¶5.17 of the Cyber Security Guidelines, Insurers are expected to identify and address any possible risks to their organizational systems and information while engaging vendors and third parties. ¶184.108.40.206 additionally requires the Insurer to share information with third parties only on a "need-to-know" basis. Since an encryption key may protect each blockchain, we understand that access to its data may be restricted for only the permitted purposes of such data by granting the key to authorized individuals, thus controlling access to data by an unidentified third party.
- For ensuring the security of information systems, ¶12.8(a) of the Cyber Security Guidelines stipulates that "direct back-end updates to database should not be allowed except during exigencies...". However, based on our understanding of the technology, we note that blockchain by its very nature hinges on automatic updation of records in tandem with on-going transactions or data entries. Although sufficient controls may be built-in ensuring that an audit trail is maintained [per ¶12.7(d) of the Cyber Security Guidelines], no unauthorised modification is carried out [per ¶12.8(c) of the Cyber Security Guidelines], and the regulatory intent of restricting the unauthorized use of data may be satisfied, it is unclear if the inherent working of the technology could be considered to be a back-end updation. Therefore, it will be interesting to see how this is viewed if blockchains were to be implemented on a wider scale.
- ¶21 of the Cyber Security Guidelines sets out the norms on maintenance of the Insurer's data on cloud infrastructure, stipulating that Insurers are required to have a framework for regulating their data hosted "on cloud or on any external hosting infrastructure". Additionally, Insurers are required to implement appropriate access control mechanisms, such that there is a logical segregation of duties between the service providers and third parties, and data is not shared accidentally with other users. Broadly, since blockchain technology is designed to store data in a manner that restricts access to or meddling by any unauthorised persons, its integration across all forms of storage infrastructure utilised by an Insurer may reduce the chances of manipulation and misuse.
- Considering the trend of cybercrimes, consumerisation, rise in cloud computing systems, significance of business continuity, and an increase in internal threats such as relating to employee fidelity, ¶11.1 of the Cyber Security Guidelines requires Insurers to implement a data security policy. In this regard, ¶11.1 requires that "consistency & accuracy of data entered into the system should be verified through a maker checker process[7] wherever applicable..." and "...Audit trails should be secured to ensure the integrity of the information captured, including the preservation of evidence". Since each blockchain is understood to provide a comprehensive audit trail, and be self-correcting in nature, introduction of the technology may possibly eliminate or minimise the need for additional people involved in verifying the integrity of data.
- Per ¶16 of the Cyber Security Guidelines, Insurers are required to define the data retention and destruction schedules, and ensure that multiple copies of data stored across different locations are destroyed post the retention timeframe or upon request. This could serve as an interesting point of difference to be addressed in the event of introduction of blockchain, since per our understanding, a blockchain is immutable and the data stored in each block can neither be modified nor deleted.
In the wider data protection context, there are certain additional challenging questions that are brought up by this technology:
- While blockchains where the origin of the data is hidden may offer anonymity to parties, and the individual records could be made private and encrypted, it is concerning that where a party loses its access key to such an encrypted blockchain, it also loses all its data.
- A blockchain ledger allows for addition of data across a network of machines, but in order to prevent data tampering and fraud, we understand that the data can neither be deleted nor modified. As an illustration, where any personal data is stored on a blockchain by an insurance company, it is unclear if a party will be able to exercise its "right to rectification" or "right to be forgotten" under Articles 16 and 17 of the General Data Protection Regulation 2016/679.
While the collective effect of the existing Indian insurance statutory and regulatory framework on data security is to minimize misuse and unauthorized tampering of any organizational data belonging to Insurers and other entities, it would be interesting to see if the new technology is discussed and/or accommodated within the existing guidelines.
It is still early to comment on whether and to what extent the insurance sector would assess this technology to meet its data security and integrity requirements, going forward.
For further information on this topic please contact Tuli & Co: tel +91 11 4593 4000, fax +91 11 4593 4001 or email email@example.com
[1] Blockchains are comprised of a linear chain of blocks, created by linking new blocks of validated entries to older blocks, which successively reveal each transaction made in the history of that blockchain. Subsequently, this chain is continually updated so that every database in the network is the same.
[2] Marco Iansiti and Karim R Lakhani, 'The Truth About Blockchain' (Harvard Business Review, January-February 2017) https://www.goldmansachs.com/our-thinking/pages/blockchain/, last accessed on 30 July 2018.
[3] 'S&T Leading Blockchain Solution R&D for DHS Components' (DHS Gov, 22 May 2018) https://www.dhs.gov/science-and-technology/blog/2018/05/22/st-leading-blockchain-solution-rd-dhs-components, last accessed on 30 July 2018.
[4] Helen Partz, 'Chile's National Energy Commission Launches Ethereum-Based Pilot For Energy Data' (Cointelegraph, 7 April 2018) https://cointelegraph.com/news/chiles-national-energy-commission-launches-ethereum-based-pilot-for-energy-data, last accessed on 30 July 2018.
[5] 'This Indian City Is Embracing BlockChain Technology' (Forbes, 10 October 2017) https://www.forbes.com/sites/outofasia/2018/03/05/this-indian-city-is-embracing-blockchain-technology-heres-why/#3ab2cfa78f56, last accessed on 30 July 2018.
[6] 'Leading Indian Life Insurers Partner with Cognizant to Develop Industry-Wide Blockchain Solution for Secure Data-Sharing and Improved Customer Experience' (Cognizant, 16 April 2018) https://investors.cognizant.com/2018-04-16-Leading-Indian-Life-Insurers-Partner-with-Cognizant-to-Develop-Industry-Wide-Blockchain-Solution-for-Secure-Data-Sharing-and-Improved-Customer-Experience, last accessed on 30 July 2018.
[7] In the maker-checker process, while one individual may create a transaction, another individual is to be involved in confirmation/authorization of the same.