Question
Read the following article and answer the question given:

Data Breach? Is it a big deal?

On 4 March, a French hacker who goes by the name Elliot Alderson on Twitter wrote a thread on how he gained access to BSNL's intranet and got hold of details of over 47,000 employees. On 27 February, a Reddit user showed the vulnerability of servers belonging to Truecaller Pay and Tata Sky. Organisations delude themselves into thinking their data is secure if they have firewalls, a data leakage package and an antivirus. The gaps begin at the admin level. Something that often gets neglected is the process of provisioning and deprovisioning: assigning privileges to IT admin users for performing tasks on the IT systems and removing them once the task is completed. As per the information reported to and tracked by CERT (Computer Emergency Response Team), over 53,000 cybersecurity incidents, which included phishing, scanning/probing, website intrusions and defacements, virus/malicious code, ransomware and denial of service attacks etc., were observed in 2018. This kind of negligence is the result of the lack of penalty or mandatory disclosure when a hack happens. So, companies are just sitting ducks. Also, they don't give every single data set the same degree of protection. While all data protection is important, every industry has unique data sets where the degree of sensitivity varies. Crucially, Indian companies don't actively report data breaches to their users. In India, if there is a cybersecurity incident, companies must report it to the Computer Emergency Response Team of India (CERT-In). But they have found ways to avoid this. The law says that any vulnerability that isn't defined as 'targeted scanning' or 'probing attack compromising critical database and systems' needn't be disclosed. So, if a company had a cybersecurity attack and they believe that it is not a 'cybersecurity incident', they would not disclose it to CERT.
There is a lack of a compulsory reporting mechanism in India for all data leaks, in contrast to the European Union (EU). In the EU, if data about a customer is breached, the company has to inform the customer about 'what data' has been breached, what steps they are taking to tackle the issue, and provide a remedy. In India there are laws to hold these companies accountable, but they are practically unenforceable. Recent practice has shown that they don't lead to any tangible result due to the absence of a regulatory body in the country. Besides, as per the IT Act, any unauthorized access to a computer resource is punishable. This is why ethical hackers in India prefer to remain anonymous: their bona fide effort might be rewarded with punishment. It is also why "hacktivism" has not picked up in India the way it has in the US or EU. Essentially, companies can actually get the hacker who informed them about their vulnerability prosecuted. Indian companies also lack a redressal page, unlike American or Japanese companies.

If you are a friendly neighborhood hacker who found these data breaches in an Indian company, what would you do? Identify the three dimensions of your decision: prudential, legal and ethical. Examine your decision for various rationalization tests.