Art and data

In May 2024, leading art auction house Christie’s faced a “technology security issue,” causing its website to go offline and forcing it to reschedule a major auction. While it worked with experts to identify and resolve the issue, Christie’s created a temporary website to provide information and catalogues for upcoming auctions.

A ransomware gang called RansomHub took responsibility for the hack and claimed it stole sensitive client information like address and passport numbers. The gang has not yet published any data, but is using it to extort money. While the Christie’s website and app are now fully functional, this was not the first breach it experienced. In 2023, ARTnews reported that a flaw had been discovered in Christie’s website because of which the GPS data of images of artwork uploaded by consignors were revealed accurate to a few feet from where the photo was taken. This essentially meant that the location of highly sort-after artwork would have been in the public domain, which, ordinarily, is considered extremely confidential.

How does the art industry work?

Art galleries have curators who select artwork based on artistic merit, theme and demand. These are showcased at exhibitions for prospective buyers. Often, these exhibitions are promoted online and offline. If a buyer expresses intent to purchase, the gallery facilitates the sale including all incidental tasks (paperwork, certificates of authenticity and delivery or shipment).

Auction houses follow a similar process. Artwork owners, including collectors, estates and galleries, contract with the auction houses to sell their art. Experts are appointed to value the art to get it ready for auction. A contract is executed between the seller and auction house to finalise key terms. The auction house then organises a physical or virtual venue to auction the artwork. The art industry has also seen its share of innovation. For example, many art museums and galleries in the US have implemented Apple’s iBeacon technology to enhance visitor experience and boost revenue by tracking smartphones and gathering analytics, including visual representations of interactions with exhibits.

In this process, art galleries/auction houses are often privy to and process extremely sensitive and confidential data. This includes but is not limited to (i) artwork documentation on history of ownership, exhibition history and authenticity records, (ii) personal details of visitors, donors, buyers, appraisers, curators and artists, (iii) sales records, (iv) correspondences with artists and clients, (v) cataloguing information such as titles, descriptions, dimensions, materials, creation dates and artist details, (vi) pre-sale valuation and estimates, reserve price and hammer price including any premium for the art work, (vii) sale records of an artist’s prior work, and (viii) sensitive data of bidders, buyers, consignors and collectors including their contact details, identification documents, past transaction records and preferences, website interactions and financial and bank information.

All this data, especially details of bidders, their bidding history, mode of payment and place of delivery, is extremely confidential. In fact, a lot of art collectors prefer to make purchases anonymously, especially if their interest in that specific artwork can result in an increase in price.

What are the legal consequences?

With the coming into force of the General Data Protection Regulation (GDPR) in the EU, the Digital Personal Data Protection Act, 2023 (DPDPA) in India, and other global data laws, art galleries and auction houses cannot merely focus on their “art”, but also have to implement reasonable security practices and deploy tools/software to prevent breach of personal data. Specifically in the Indian context, Section 2(t) of the DPDPA defines “personal data” as “any data about an individual who is identifiable by or in relation to such data”. Section 3(b) further states that DPDPA shall apply to processing of personal data outside India as well, “if such processing is in connection with any activity related to offering goods or services” to individuals in India. This means that if auction houses like Christie’s offer their services to clients in India, they will have to comply with the provisions of the DPDPA.

To ensure personal data is protected against cyber incidents, Section 8(4) requires art galleries and auction houses to implement “appropriate technical and organizational measures to comply with this law.” Section 8(5) further requires them to “protect personal data” by “taking reasonable security safeguards” to prevent data breach. However, should there be a breach of personal data, Section 8(6) mandates the art gallery/auction house to inform the data protection board as well as the affected individual. Lastly, Section 33(1) states that should the gallery/auction house fail to take reasonable security safeguards to prevent personal data breach under section 8(5), it shall be liable to pay a penalty of up to ₹250 crore (around USD 30 million approx). GDPR has similar provisions, with penalties that can go up to EUR 20 million or 4% of annual revenue from the preceding year.

Now, one can argue that data points such as pre-sale valuation, cataloguing information and auction pricing may not qualify as “personal data” under the DPDPA. However, these data points, when clubbed with other “non-personal data points”, could possibly identify the concerned individual. For instance, demographic information, GPS location and the bid placed for an artwork together could possibly reveal the identity of a bidder. Notwithstanding whether the data points qualify as personal data or not, a cybersecurity incident concerning any of these would mandate reporting to CERT-In within six hours of the incident identification/notification.

What preventive measures can be taken?

Given the sensitivity of data and the exposure to liability (not just under privacy laws but also under various contracts where the auction house has committed to keep data, personal or otherwise, confidential), it is critical that reasonable safety measures are adopted. Traditionally, the art business has not been known for taking initiatives to adopt and use technological solutions. Consequently, there have been multiple instances in the past where data has been compromised. For example, in 2017, hackers targeted several galleries in the US and UK. They gained access to email accounts of various art dealers and sent duplicate invoices to buyers after modifying the bank account details. While it is not clear how much money was lost, such system vulnerabilities certainly expose the gallery/auction house to significant losses (and lawsuits). In fact, when Christie’s data was compromised in 2023 (GPS data of artwork was leaked), two experts identified the flaw in minutes and offered to help. However, as reported by ARTnews, Christie’s refused on the pretext that it had a reliable internal team and comprehensive information security program. However, the vulnerability was reportedly fixed after three months.

Given that most data protection laws impose penalties by ascertaining the overall “harm”, it is critical for organisations to proactively mitigate damage. This often requires systematic collaboration with various stakeholders within and outside the organisation. The art ecosystem should periodically undertake data protection impact assessments and deploy tools and software to protect their system from avoidable cyber security incidents. Some key technical measures are encrypting sensitive data, implementing role-based access control, multi-factor authentication, firewalls, data loss prevention solutions, taking regular backups, having a disaster recovery plan, conducting regular drills and simulations (especially for phishing), etc.

It is also important to work with legal experts to create and implement comprehensive cybersecurity policies in accordance with applicable laws and governmental requirements that outline best practices for data protection, including regular updates and strong password protocols. These generally also mention the reporting procedure for data breach and cyber security incidents, allowing for immediate cognisance, response and accountability.

Dylan Sharma is an Associate at Priti Suri & Associates.