“Mandatory Sanctions” as a part of the Information Security policy has been advocated by HIPAA way back in 1996 and is being increasingly accepted as a necessary part of a good Information Security policy. The theory of Information Security Motivation advocated by the undersigned also provides an important role for mandatory “Sanctions” to ensure that intended information security measures are implemented in practice.
Now the EU has issued a directive indicating that supervisory employees of organizations who do not take appropriate measures when cyber crimes are committed by their employees could themselves have to face the consequences. The rules allow member states to impose punishment even if an employee carried out hacking without the bosses’ knowledge.
The detailed text of the directive is available here.
Basically, the directive imposes a responsibility for “Due Diligence”, failing which criminal liability may attach to the executives of the company.
This is the concept of “Vicarious Liability” inherent in ITA 2008 both under Section 85 and Section 79.
The directive expects that member states shall impose criminal penalties that are effective, proportionate and dissuasive. An interesting provision is:
Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 10(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and which may include other sanctions, such as:
(a) exclusion from entitlement to public benefits or aid;
(b) temporary or permanent disqualification from the practice of commercial activities;
(c) placing under judicial supervision;
(d) judicial winding-up;
(e) temporary or permanent closure of establishments which have been used for committing the offence
Naavi writing on “Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?” in the context of the new Banking licenses in India had highlighted the need for RBI to disclose what sanctions it would impose on the Banks for failing to meet the regulatory requirements.
In the past, RBI has not been able to enforce its own regulations on the Banks, and hence Banks in India openly indulge in money laundering, flout ITA 2008, flout RBI guidelines on Internet Banking and force customers to accept illegal operating conditions. These have been increasingly exposed in some adjudication proceedings against leading Banks such as ICICI Bank, Punjab National Bank, Axis Bank etc. Violations of RBI guidelines and law have also been brought to the attention of RBI with a request for cancellation of the licenses of the erring branches. RBI, however, has failed to respond with such strict sanctions and has allowed the weak information security in Banks to continue and take its toll on customers.
RBI should now observe the clear directives in the EU guideline and see the merit in the demand of the undersigned that closure of a few erring branches of Banks will make them realize that they cannot continue to take the customers for granted.
Similarly, when it comes to the licensing norms that RBI has set up for the 26 applicants, RBI should ensure that, along with the licensing norms, the sanctions for non-compliance are also disclosed and implemented without fear or favour.
Naavi