“The biggest surprise to computer-security experts isn’t that Google Inc was targeted by attackers from China. It’s that the Internet giant chose to disclose the incident. There’s a culture of secrecy around any bad news.” So said a security expert in the Wall Street Journal last week.
India is no different. We all know that phishing is a crime reported daily at all major Banks. Yet neither the individual Banks nor the RBI has made any effort to apprise the Internet Banking public of the extent of the phishing risk the Indian public faces.
However, this attitude appears to be headed for a change, not voluntarily but through mandatory provisions in law.
Under the HITECH Act, applicable to US health information processors, the “Data Breach Notification” provisions became effective on September 23, 2009. Under these provisions, any Business Associate that becomes aware of a data breach must inform the Covered Entity. The Covered Entity must in turn notify the affected individuals and HHS. In certain cases it must also post a notice on its website and publish notices in local newspapers. HHS, for its part, posts the information on its website and reports to the US Congress once a year.
This will therefore be the norm in future.
Will India follow suit?
The draft rules under Section 70B of ITA 2008, circulated for public comment, contained a requirement for periodic reporting of security breach incidents by the private corporate sector. For the time being, the industry appears to have stalled this move. Perhaps, in due course, when the rule is finally notified, there may be a surprise in store for the corporates: Data Breach/Cyber Crime Notification may become mandatory.
Who Loses?
An employee of Infosys was recently arrested in Delhi for making a hoax mobile call to the airport to delay a flight he feared he would miss.
The employee was arrested on terrorism charges and will be tried and punished appropriately in due course. He will lose his job for the present, and for the best part of the foreseeable future, in the organized sector.
However, we should not lose sight of the fact that the Company also lost an employee in whom an investment had already been made in training and development. Though employee attrition is part of any Company’s woes, losing employees because of their tendency to take the law lightly is perhaps avoidable through a well-executed HR plan.
Some companies may feel, “I am anyway losing 15% of my employees every year for other reasons. What if there is one more?” Unfortunately, cyber-crime-related attrition is not that simple. The outgoing employee may actually do huge damage to the company before he leaves. Hence, an employee saved is worth more than an employee recruited.
Perhaps HR departments need to research the “identification of cyber offence tendencies” in employees, train them to strengthen their internal defences of “cyber ethics” and, in high-risk cases, put the identified employees through a “counselling and rehabilitation programme”.
Bank Reimburses Lost Amount with Interest to a Phishing Victim
Phishing victims are often told by their Banks that the loss has to be borne by the victim customer since the fraud was facilitated by his negligence. Despite German courts holding Banks liable for phishing losses and the Danish banking regulator specifying that Banks are responsible for any hacking into their systems, Indian Banks have often hidden behind the “Account Opening Form and the Instructions contained therein” to avoid phishing liabilities.
Though one of the Adjudication applications has been kept pending in Chennai beyond a reasonable time, presumably because of the adjudicator’s hesitation to come to a decision, it was interesting to note that the Banking Ombudsman in Chennai recently ordered a Bank in Bangalore to repay the phished amount, along with interest, to the complaining customer. The Bank complied without demur.
This has once and for all sealed the position in India that “Phishing Liability is on the Bank”. This was not only evident in general Banking law but is specifically supported by Section 43A of ITA 2008, which makes a body corporate liable to compensate for negligence in implementing reasonable security practices for the sensitive personal data it handles.
Media Disinformation on Prevalent Laws
The common man, who does not have access to appropriate knowledge resources, relies on the daily newspaper for his education on the prevailing laws that affect him. So when the Times of India carried a front-page article on February 11th in all its editions stating that, according to the amendments made to ITA 2000 with effect from October 27, 2009, “Government cannot ban porn websites”, the news was received in trust as an important point of education on the new ITA 2008.
Unfortunately for TOI, others were quick to disagree and point out that the report was not based on a proper assessment of the provisions, and that the Government did indeed have the power to ban porn websites. Naavi also pointed out that TOI itself could be accused of violations of ITA 2008. See www.naavi.org for more details. The motivation for the controversial article is unknown.
Will UID increase Identity Theft Incidents?
Fraud experts estimate that about 0.17% of the population in Europe fell victim to identity theft in 2009, while in the US 3.39% of the population did. Even allowing for the fact that Internet penetration in the USA is around 90% while in Europe it is around 52%, the higher incidence of identity theft in the USA is alarming.
According to one study, the reason for this is that in the US any business can subscribe to a credit bureau and use its credit scoring instantly to assess someone else’s risk of default. In Europe the bureaus allow only negative information to be shared, and the database is otherwise not easily accessible to anyone.
Also, in the US credit cards with magnetic stripes are still in prominent use, while Europe is moving to “Chip and PIN” technology using smart cards.
More than these reasons, experts feel that the key problem lies in the fact that in the US the Social Security Number is used as a “universal identifier”. The European countries, on the other hand, use National Identity Cards which are not as universally used by all agencies as an identifier. The weakness is that a number every agency knows cannot also serve as a secret that proves identity: once it doubles as an authenticator, whoever learns it can impersonate its owner.
These observations contain important lessons for India, where we are in the process of introducing the UID (Unique Identity) for every “Resident of India”, which will not only be used as a unique identifier by all credit agencies but may even be created through such agencies. Though Internet penetration in India is still around 7%, and hence the identity theft concern may not be as high as in Europe or the USA, the UID Authority needs to consider that the UID has the potential to be misused for stealing a person’s identity and committing financial frauds. It would therefore be necessary for UIDAI to ensure, through its own security process, that the system is not amenable to abuse, and in particular that knowledge of a UID number alone is never accepted as proof that the person presenting it is its owner.
Since UIDAI would be handling “Sensitive Personal Information”, it would also be obliged to follow “Reasonable Security Practices” as per Section 43A of ITA 2008. Techno-legal information security experts will be watching the actions taken by UIDAI to ensure that the UID does not become an easy source of identity theft.
Legal BPOs in India get a Big Boost
Microsoft is reported to have assigned its US $800 million legal work on Intellectual Property and Patents to India through CPA India at Noida. This should be a catalyst for quantum growth in the LPO business in India.
A PDF copy of the newsletter will be sent by e-mail to all who subscribe. Subscription is free.