Today is the 15th anniversary of the Digital Society Day which marked the beginning of the legal recognition of electronic documents in India.
In order to mark the day, Naavi has been initiating new activities in different years basically to spread the awareness of Cyber Law in India.
This year, Naavi will rededicate his efforts towards better Cyber Law Awareness through the following two projects.
1. Cyber Law Compliance Center for Mobile Apps
2. Techno Legal Information Security Awareness workshops for Corporates in Bangalore
Both projects are initiated by Naavi but their implementation depends on others joining the initiative.
My thoughts on the projects are explained below.
1. Cyber Law Compliance Center for Mobile Apps:
Technology practitioners have a general dislike for regulation. Most Indians believe that India developed into a significant IT power because of the lack of regulation. The fact that the Internet itself is an example of growth without regulation is a vindication of this belief.
However, once Internet usage crossed into the business domain, regulation became a necessity to prevent the “jungle Raj” from setting in. ITA 2000 was born because e-Business and e-Governance could not be conducted in an unregulated environment.
But the fight between Regulation and Freedom continues unresolved. One example of such a fight is between Privacy and Freedom of Expression, with Social media users demanding “Freedom” even to misuse while some are wary of reputation loss due to irresponsible defamatory posts.
Today is 17th October, the “Digital Society Day” first declared and celebrated by Naavi through specific activities geared towards better awareness of ITA 2000. It is now 15 years since ITA 2000 became effective with legal recognition of electronic documents, enabling contract formation online and introducing the concept of Cyber Crimes, vicarious liabilities on intermediaries etc. It is more than 6 years since ITA 2000 was amended and the concept of “Reasonable Security Practice” and other enhancements to mandated Information Security prescriptions became effective.
But the question remains: do we have adequate awareness of ITA 2000/8? Let’s forget Police who make mistakes and Judges who are not cyber savvy. Let us reflect whether there is adequate knowledge of ITA 2000/8 at professional levels in Companies. My own impression is a firm No.
We have miles to go before we sleep with the comfort that “All is Well”.
I recently referred to Indian Financial System being at the “Napster Moment” indicating the possibility that lack of Cyber Law Compliance may force businesses to shut down when business prospects may otherwise be booming.
The present situation as I see it is that a company doing business with the use of electronic documents is exposed to “Techno Legal Risks” which could be crippling at times. They may manifest as a “Cyber Attack” leading to reputation damage, data theft etc. or as a “Regulatory Ban” leading to closure. In either case, there could be a risk of both civil liabilities to the company and also a criminal liability on the CEO, the Directors etc.
A prudent business manager should therefore ensure that this “Techno Legal Risk” is assessed well in time and addressed before it manifests into a liability.
The best time for a business owner to look at Techno Legal Risks is right at the beginning of the project, namely at the “Start Up” phase. This however is also the time when a company would be starved for funds and would like to focus only on essentials such as building the technology infrastructure. It is therefore natural for entrepreneurs to ignore any activity or expense which is not directly related to the functionality of the project and its early take off.
However, there are some Cyber Law issues which are better sorted out right at the beginning in the “Feasibility Evaluation” stage of the project itself. Hence along with the traditional four dimensions of project feasibility, such as Market Feasibility, Technical feasibility, Financial feasibility and the managerial feasibility, a fifth factor namely “Techno Legal Feasibility” needs to be undertaken so that the Start Up does not spend time, effort and money only to find at the take off stage or soon after, an unsurmountable legal hurdle.
Also, just like it is prudent to attend to security right at the software architectural level, even the legal aspects of security should be attended right at the time when the business architecture is taking shape. Any attempt to ignore this at this stage and go for patching up the systems later would be less efficient and more expensive.
While this is the wise advice which security professionals always provide, the entrepreneurs do not always appreciate the advice and go ahead with their own ideas of “Business First, Compliance Later”. As long as our Police are ignorant and can be managed both by bullying them with technology terms as well as other influential factors, it was possible for businesses to do what they wanted and manage the mistakes if they were found out later.
But the times are changing. Police are becoming more knowledgeable and can catch omissions and transgressions of law even under complicated concepts such as “Reasonable Security Practice” or “Due Diligence” and question the corporate officials why they should not be held liable.
The emerging Cyber Insurance industry will also demand “Proof of compliance” before and after a Cyber Insurance contract is written.
In view of these developments, it is not possible for businesses to ignore Cyber Law Compliance any longer.
With most businesses now moving onto the mobile platform and some companies preferring to offer services in the “Mobile Only” mode, the need for Cyber Law Compliance for “Mobile Start Ups” has become a necessity.
Unlike other industry start ups, mobile start ups are normally a single techie venture and often lack the benefit of an adequate managerial infrastructure to guide them on what is required for compliance of Cyber Laws.
Recognizing this emerging need, Naavi has started a new service aimed at making mobile business start ups Cyber Law Compliant.
The service is aimed at providing consultancy to companies to develop “Cyber Law Compliant Apps” for their business. Since an App is actually an enterprise level business management tool, it is a micro replica of an ERP system. It has several sub functionalities and all the legal risks arising out of the use of the app for business cannot be covered by a one page privacy permission statement when the app is installed. Further, the app based business model is likely to keep modifying rapidly as the business grows and hence the legal risks need to be dynamically assessed and patches applied without much delay.
Some of the apps like the payment bank apps such as Paytm or Pockets are functionally as huge as an independent Bank itself. If these apps are to be made Cyber Law Compliant, it is like rendering a Banking institution cyber law compliant. It is a massive job which requires continuous attention. If the organization is big and the business is critical, there needs to be an in-house team attending to this.
“Naavi’s Cyber Law Compliance Center for Mobile Apps” will try to provide necessary support to start ups through their development phase to be Cyber Law Compliant from day one.
Companies which will be using Finance and Health care apps need this service immediately.
Before the market is flooded with non cyber law compliant apps making it difficult to weed out non conforming apps, it is better for the mobile eco-system to adapt to being compliant so that the environment will be healthy from the beginning.
Naavi will try to carry this thought and put it into action and hopefully the companies will realize the need and make proper use of the services.
This will be the new project of Naavi initiated on this 15th anniversary of Digital Society of India. I invite other professionals who would like to be part of this initiative to contact me so that we can together help build a Cyber Law Compliant Mobile App eco system.
2. Techno Legal Information Security Awareness Workshops for Corporates in Bangalore
This is a simple program where on invitation Naavi would like to conduct half day workshops for companies both in the IT and non IT sector explaining the provisions of ITA 2008 and its impact on Information Security Management in the corporate environment.
The idea is to conduct 100 such workshops in the next one year (This was the rate of my awareness activities in the first five-six years after ITA 2000 came into being before tapering off) as part of the Secure Digital India initiative.
Obviously, this is the intention and self imposed target. The first of such meetings should start next week. But it all depends on how the industry responds and if there can be any sponsors for this program from commercially sound stakeholders in the information security industry including the Cyber Insurance industry who are the likely beneficiaries of such large-scale awareness programs.
Naavi