WhatsApp petition deserves to be rejected at the admission stage itself.

WhatsApp has filed a petition in the Delhi High Court challenging the Intermediary Guidelines of February 25, 2021 in a 224-page document, a copy of which is presented here.

The petition was expected, and Naavi.org had indicated the possibility as early as February 25th and suggested that the Government should make its moves before a stay is granted.

However, the Government waited the whole three months without taking any action, and WhatsApp has now used the entire three months available to it before filing the petition. This could be a strategy of acting only when required, and of attacking the Indian Government from a second flank while it is already busy fighting Twitter on another.

The prayer in the petition is:

a) To restrain the Government of India from taking any coercive steps under Rule 4(2) of the order of February 25th.

b) Grant of an ex-parte ad-interim stay on the operation of the impugned rule.

Rule 4(2) states as follows:

“A significant social media intermediary providing services primarily in the nature of messaging shall enable the identification of the first originator of the information on its computer resource as may be required by a judicial order passed by a court of competent jurisdiction or an order passed under section 69 by the Competent Authority as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009, which shall be supported with a copy of such information in electronic form:

Provided that an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years:

Provided further that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information:

Provided also that in complying with an order for identification of the first originator, no significant social media intermediary shall be required to disclose the contents of any electronic message, any other information related to the first originator, or any information related to its other users:

Provided also that where the first originator of any information on the computer resource of an intermediary is located outside the territory of India, the first originator of that information within the territory of India shall be deemed to be the first originator of the information for the purpose of this clause.”

Petition allegations that are not sustainable

The WhatsApp petition makes the following allegations.

  1. “Introducing a traceability requirement for end-to-end encrypted services will lead to breaking of such encryption and thus compromising the privacy of individuals making use of such services for their private communications.” (Based on the SFLC note submitted to MIT)
  2. “Where speakers in the offline context were assured a limited degree of secrecy and obscurity in their communications, the proposed measure [to enable the identification of the first originator of information] renders encrypted and therefore secret communication impossible.” (Based on the Centre for Communication Governance at National Law University Delhi note submitted to MIT)
  3. “To be clear, traceability is incompatible with end-to-end encryption. Encryption as a service is used by journalists and whistleblowers to legitimately protect their privacy and in that is an enabler of the right to privacy and the freedom of expression. Apart from protecting privacy, encryption also makes communications more secure and helps ensure integrity of information.” (Unidentified note no. MIT/79/087 submitted to MIT)
  4. “This [tracing] obligation also undermines the use of encryption technology, which ensures that content is not accessible to the intermediary or third parties.” (COAI submission to MIT)

It may be noted that all the above references relate to the public comments submitted in 2019 on the draft notification published at that time, from which comments have been selectively quoted. The petition has deliberately omitted submissions such as that of FDPPI (MIT 79/016), a copy of which is available here. The entire set of comments is available here.

The endorsements given above are from people outside of WhatsApp who are not privy to the technology used by WhatsApp.

Since WhatsApp's server receives each message from an originating device, the server notes the device identity of the incoming message before forwarding it to the next device. In the meantime it counts whether the same message has been forwarded five times. If it can do so, it means that WhatsApp knows which message is being forwarded and by whom.

It is clear that recording the origination and counting the number of forwards does not undermine the content encryption, and hence the views expressed above are not sustainable. WhatsApp is aware that these views are incorrect but is quoting them in its petition to mislead the Court.

Reference to Puttaswamy Judgement

The petition makes reference to the Puttaswamy judgement and debates the legality, necessity and proportionality aspects.

WhatsApp says that there is no statute requiring intermediaries to identify the origin of a message and that such a requirement cannot be introduced through subordinate legislation.

WhatsApp perhaps expects every procedural aspect of compliance to be part of the statute. In such a case ITA 2000 would be bigger than the Indian Income Tax Act or the Companies Act. One of the objectives of ITA 2000 is to prevent offences. Sending false information through any medium, written or electronic, to induce social unrest or affect national security is an offence under the IPC read with ITA 2000 and the Indian Evidence Act. Procedural guidelines have to come through notifications, and WhatsApp's argument is unacceptable.

As regards necessity and proportionality, the guideline specifies that the power can be used only in certain circumstances, which need to be recorded and will be subject to judicial scrutiny on a post facto basis.

For identifying the first Indian originator in a chain, WhatsApp can maintain the data of Indian customers on an Indian server so that the import of data can be identified without difficulty. This will also serve the data localization requirements.

WhatsApp argues that compelling the platform to change its structure for compliance is not legal. By this kind of argument, one could say that GDPR should not ask companies to implement “Privacy by Design” since it would require changing their current architecture.

WhatsApp also argues that the ITA 2000 preamble expresses an intention to achieve “uniformity of the law”, that no other global law requires traceability, and hence that India cannot introduce such a law. The petitioner does not know that this was in reference to the legal recognition to be given to electronic documents, and does not mean that India will pass only such laws as the USA or another Government passes.

It is shameful that the learned counsels who have drafted the petition think that India does not have the right to pass a law which is different from the laws of other countries.

The logic presented by WhatsApp is therefore completely untenable and looks childish. The same arguments are repeated again and again to make the document run to 224 pages.

The fundamental issue here is whether the Government of India has the right to notify a regulation under an existing Act which was enacted in 2000 and amended in 2008. WhatsApp is one of the parties with a vested interest in diluting the due diligence.

By refusing to accept the regulation, even though the power to demand the identity of the originator is highly restricted as per the reasonable exceptions under Article 19(2), WhatsApp is challenging the sovereign powers of the Government of India. The technical difficulties in compliance are fake claims and, even if present, cannot be an excuse for not complying with the law.

It is unclear why WhatsApp needed three months to realize that it will not be able to comply, and did not come up with this petition immediately after February 25th. Was it because raising the issue in the Court was an afterthought prompted by Twitter? In that case it would be part of a conspiracy towards regime change. There is therefore a suspicion that WhatsApp wants to be a supporting platform for efforts to destabilize the Indian Government through the distribution of anonymous fake messages on the platform, as has happened on many occasions.

The intention of WhatsApp in approaching the Court on the last day of the three-month deadline is therefore suspect.

The petition is speculative since the Company has not suffered any damage on account of the proposed notification. The Government of India is under no obligation to provide a safe harbor under Section 79 on an unconditional basis. If the company does not want to comply with the due diligence requirements, it is free to do so by giving up the protection available under Section 79, which would be available to organizations that are compliant with the due diligence.

As regards WhatsApp being the champion of protecting the privacy of Indian citizens, the track record of WhatsApp indicates that it collects personal information in the form of profiles, tracks messaging behaviour and shares it with Facebook for monetization in a deceptive manner. In its recent privacy policy change it has not provided any grievance redressal option in India and wants to do business in India without accountability.

If any person in India sends a message through WhatsApp which is

“related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order, or of incitement to an offence relating to the above or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years”,

the Right to Privacy as a fundamental right is not applicable, since the above provision comes under Article 19(2) of the Constitution.

Hence the argument that the notification infringes the constitution of India is not valid and has to be rejected forthwith.

If in any specific case the Government's request for information about the originator of a message appears prima facie unreasonable or disproportionate, WhatsApp has the right to approach the Court and seek a stay.

In view of the above, the petition does not deserve to be admitted, particularly with any interim stay.

We hope that the Court will take a view of the petition in the context where international social media giants like Twitter and Facebook/WhatsApp want to take control of the news narrative in India and manipulate public opinion for a regime change.

I hope the Government of India brings to the notice of the Court the conspiratorial aspects of this petition.

P.S.: Meity has issued a press note and a notice to the intermediaries to explain its stand. The Ministry of I&B has also issued a press note.

Naavi

Previous Reference Articles:

New Intermediary Guidelines, February 25, 2021

The New Digital Media Regulation and the New Media War, March 2, 2021

Can Twitter be tamed under ITA 2000?, February 12, 2021

Twitter high on Technology Intoxication, February 3, 2021

Quit Twitter, February 4, 2021

Let Indians go for a “Twitter Silence” and move over to “Tooter” or “Koo”


Posted in Cyber Law | 6 Comments

Will the Supreme Court be the UNO in the India-WhatsApp and India-Twitter war?

In the last few days there have been two important developments which we need to discuss.

  1. Twitter continues its resistance against the Indian Government in the Toolkit controversy
  2. WhatsApp files a case in the Delhi High Court against the Union of India challenging the IT Rules of February 25, 2021

The two developments appear to be the launching of a “War Against Indian Sovereignty in Cyber Space”. While Twitter appears to be clearly working on a regime change in India, it is not yet clear if the real intentions of WhatsApp are restricted to the commercial implications arising out of the new Intermediary Rules and Digital Media Ethics Code notified by the Government on 25th February 2021.

However, together Twitter and WhatsApp (which includes Facebook) appear to have raised a war cry against the sovereign power of the Government of India to make laws for the cyber space that affect the citizens and residents of India.

One thing is certain. If the Indian Government backs out of this fight, it would be like the Indian army yielding to the Chinese aggression on the borders. They need to stand their ground and possibly take the fight onto their opponents' ground.

In both these fights the role of the Indian Courts becomes very important. Like the Indo-Pak dispute going to the UN, the Indian Government vs Twitter/Facebook dispute will also go to the Supreme Court.

While on the border issues India has taken the stand that this is a bilateral issue between India and Pakistan, we do not know if the Government can convince the Court that the dispute with Twitter and WhatsApp is also a bilateral business issue and that the Supreme Court should limit its role appropriately.

In the Rafale case, the Supreme Court took a stand keeping the national interest in mind. Now, under the new CJI, Justice N V Ramana, the Supreme Court has to prove whether it will function to defend Indian national interests or will consider this a fight against Modi's regime.

It is OK for the media to project these disputes as Modi Government vs Twitter or WhatsApp and carry Twitter hashtags for debates. But it requires a high level of statesmanship for the CJI to remain neutral.

If the Congress party and its team of lawyers led by Abhishek Manu Singhvi, Kapil Sibal, P Chidambaram etc., with the assistance of Mr Prashant Bhushan and Dushyant Dave, could convert the dispute into one between Mr Modi and the protectors of the Indian Constitution, then the Supreme Court will pave the way for an outside-election regime change.

The strategy of the opposition is to use the Indian Constitution as a tool to bring about a change of Government without winning elections, just like the Kashmir terrorists who fight within the Indian Constitution against the Indian Constitution. They will also engineer internal strife by instigating the RSS and other leaders like Mr Nitin Gadkari to challenge the leadership of Mr Modi.

This is the background against which the Delhi High Court will take up the WhatsApp case. It is in this context that the recent interim order of the Delhi High Court making reference to the “Right to Forget” also becomes relevant. At present it remains a purely academic issue, but it could soon be dragged into the political controversy.

The decision of the Delhi High Court has both positive and not-so-positive aspects of academic interest which require a separate debate. We shall take up this academic debate separately after discussing the war at hand.

For the time being we shall restrict our discussions to the role of the Indian Courts in the current dispute.

...to be continued

Naavi

Posted in Cyber Law | Leave a comment

Was the Intermediary Guideline of February 25 a mere paper tiger?

On February 25, 2021, the Government of India notified the new rules for intermediaries under Section 79. The new intermediary guidelines were discussed in detail on this website. Naavi.org also suggested that a “Digital Media Compliance Guidance Center” would be activated to help the digital media comply with the requirements of the “Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021”.

This notification had two parts. The first part related to the due diligence to be practised by intermediaries in order to invoke the safe harbor provisions of Section 79 of ITA 2000. The second part consisted of the ethical guidelines that the digital media were expected to follow as self-regulation.

Non-compliance with the guidelines had the effect of disallowing the safe harbor provisions under Section 79 of ITA 2000 and making any digital publication liable for any offence committed using a message posted on the platform.

The time has now come for the Government to show whether the notification was only a paper tiger.

On the one hand, no digital media organization has come up with either a self-regulatory guideline as suggested or created a self-regulatory body at the industry level. The Meity/I&B ministry has also not specifically announced the formation of the Inter-departmental Committee or an “Authorized Officer” for issuing the directions.

The industry has completely ignored the joint press meeting of Mr Ravi Shankar Prasad and Mr Prakash Javadekar as if they were nobodies.

Twitter has now gone a step further to declare that the tweets published by some BJP leaders are “Manipulated”. In other words, when an FIR has been registered on a similar charge, Twitter has come to the conclusion that the allegations made in the FIR are true.

It was therefore natural for the Police to summon Twitter and ask it to share whatever evidence it may have for its conclusion that the “Tool Kit” referred to in the tweets was “manipulated news”. This is in fact a charge of “forgery” for which the verified tweeters can be prosecuted.

When the Police issued the summons to Twitter, it appears that Twitter redirected the Police to its US office and washed its hands of the responsibility to explain the process behind the “Manipulated” tag assigned to some of the tweets.

Twitter has also challenged the Government of India and has refused to follow the directions issued by the Government. It has not been in compliance with the February 25 guideline, which requires that there be a “Chief Compliance Officer”, a “Grievance Redressal Officer” and a “Nodal Officer”, all of whom have to be located in India. They should be able to redress grievances within 15 days. These were expected to be in place within three months from the date of notification, a period which expires today. (Please refer to para 4 on page 5 of the notification available here.)

Since we do not see any announcement from Twitter, which is classified as a “Significant Data Fiduciary”, Twitter is not in compliance with this guideline.

Further, by resisting the Government's notification to remove the “Manipulated” tag, Twitter has declared itself to be outside the safe harbor provision of Section 79, which states that the provision that the “intermediary shall not be liable for any third party information” in respect of any law applies only if

- the function of the intermediary is limited to providing access to a communication system over which information made available by third parties is transmitted or temporarily stored; and

- the intermediary, upon being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, expeditiously removes or disables access to that material on that resource without vitiating the evidence in any manner.

Twitter is placing its faith in the support of the opposition parties in India and trying to project itself as the “Champion of Freedom of Speech”. It fancies itself as a medium that will bring about a regime change in India.

The Government, on the other hand, is behaving cowardly, as if it has no powers under the law of the land, and is trying to be subservient to the corporate entity Twitter, which has proved to be a manipulator of political systems in different countries, including the USA itself.

In the given context, the action of the Delhi Police, who were investigating the FIR against Mr Sambit Patra, in summoning Twitter to provide the evidence in its hands was absolutely justified.

However, since Twitter is likely to manipulate any evidence lying within the systems in its office in India, including the personal laptops of the key officials, it is necessary for the police to seize all the computers used by the key persons in Twitter India responsible for deciding whether the “Toolkit Document” was forensically examined and found to be “Manipulated”, and whether any other process was involved in tagging the toolkit as “manipulated”.

It may be necessary even to temporarily close the Twitter office and bring in forensic investigators to do their investigation. Merely roaming around the Twitter office and issuing a summons is not sufficient.

At the same time, since Twitter is not fulfilling the February 25 guidelines, it has no protection as an “Intermediary”, and hence if there is any complaint from the BJP that Twitter is indulging in a conspiracy to destabilize the political system in India, it has to be investigated under the appropriate sections of the IPC. If there is any evidence of tampering with evidence, then they should also be charged under the relevant provisions of the IPC.

In this “conspiracy”, the earlier tweets of Greta Thunberg fuelling the farmers' unrest should also be investigated.

There is no doubt that by the time you read this article, you may find that our honourable Supreme Court has been moved and a stay obtained by Twitter against any further enquiry by the Delhi Police. Hence the issue of whether Twitter is behaving like an extra-judicial authority more powerful than a Government body will be decided by the Court. Given the TRP value of this case, the Judiciary is likely to be soft on Twitter, and the Government of India does not have a reasonable chance of a fair trial.

Hence the Government should also think of other measures to discipline Twitter and establish the “Rule of Law” in India.

This requires that all Government agencies, including Mr Modi, the PMO, ministries and ministers, immediately delete their accounts and also ask for “porting of the data” back to them. The Government/Police have every right to ask for the registration details of all relevant Twitter accounts which have posted messages in support of the “Manipulated” tag, as they could be fake accounts.

If the Indian Data Protection Act were in place, the Government could have asked for the exercise of the “Right to Forget” for all tweets of individuals connected with the Government, and imposed a fine of up to 4% of global turnover if Twitter had failed to comply.

If the Government of India and its ministers etc. take a stand to withdraw from Twitter, even the millions of fake accounts of the opposition's trolls would also have to withdraw, since there would be no audience for their trolling. This should be a significant enough blow to Twitter.

But it does not appear that the Government has the courage to go anywhere beyond issuing a summons. Probably they will be too happy if the Supreme Court obliges Twitter by staying the proceedings, since that will give them an excuse for inaction.

We the people of India are used to colonial powers calling the shots in our lives and are therefore not uncomfortable with Twitter branding supporters of our Government as “manipulators” and placing its faith in the views of opposition members. We will therefore be comfortable absorbing this insult, and our Courts would also be too happy to tag themselves “Champions of Freedom of Expression” and let organizations of Twitter's kind dictate law enforcement in India.

The question therefore is: “Was the February 25 notification meant to be only a paper tiger, or was the Government serious?” Let us hope we get an answer today.

Naavi

Also refer:

Should we revisit the safe harbor principle? (rssr.in)

Facebook, Twitter to be blocked in India? (Deccan Herald)


Posted in Cyber Law | 1 Comment

Naavi’s Data Valuation Model

We all use the term “Data is an Asset”, and many companies have structured their business around data analytics. But very few companies have developed a method by which data can be valued and represented in their disclosed financial accounts.

Whenever a data breach is reported, we speak in terms of the number of data sets lost and the nature of the data lost, such as whether they contain financial data, health data, credit card information, biometrics, e-mail addresses or mobile numbers. But we often forget to state the financial value of the data that was compromised. Also, we do not know how to calculate the depreciation in the value of the data asset on account of the compromise of its confidentiality, or its exfiltration and re-sale to a competitor.

In ransomware cases, we have a “ransom demand”, which is an indication of how much a thief expects as the value of the data he has stolen. When the same data is made available on the dark web, we get another perception of the value of the data set.

When confronted with a ransom demand, many members of the Board of Directors may be surprised to learn that there was actually so much valuable data within their organization worth stealing and being bought and sold on the dark web.

For example, in the recent Air India-SITA PSS data breach, 45 lakh full data sets containing name, date of birth, contact information, passport information, ticket information, frequent flyer data and credit card data (without CVV) were reported to have been lost or compromised.

In the Jubilant Foods (Domino's Pizza) breach, 18 crore order records and 1 crore credit card records consisting of information such as name, mobile number, e-mail address, location, payment data etc. were reported to have been lost. On the dark web these were offered for sale for Rs 4.5 crore.

According to this Forbes article, PrivacyAffairs.com created an index of the average prices for a range of specific products in the digital chor bazaar called the Dark Web. According to this report, a full set of data was valued at $1010, online banking logins cost an average of $40, and credit card data about $14 to $30. There was also a difference in the value of credit cards of different countries. For example, US credit card data was valued at $17 while Israeli credit card data was valued at $65.

There are many data breach statistical surveys in which data breaches have been valued from the perspective of the loss suffered by an organization on account of the breach. According to a detailed survey by dataprivacymanager.net and the Ponemon data breach report, the average cost per data record lost was $150.

Does this mean that the cost of the 45 lakh data records lost by Air India-SITA PSS was around Rs 4725 crore as per the Ponemon study, or around Rs 33000 crore as per the Forbes report?

There are also studies which look at the total data sets owned by companies like Facebook or Google, compare them with the market capitalization and try to arrive at a valuation of the data elements owned by them.

While we may not agree on an amount within this wide range, all of us agree that there has been a loss which could be substantial.

It is therefore time for us to think of some method through which the value of data can be brought to the balance sheet of a company, so that there is “visibility” of the value of the data owned.

In every balance sheet review, the directors should recognize that there is a data asset in the company worth a few thousand crores, and they need to keep asking the operating executives how this asset is protected and beneficially used.

Coming from a banking background, the undersigned is used to seeing “contra” entries in the balance sheets of banks, where “contingent liabilities” are represented on both the asset side and the liabilities side. Such representation has no impact on the profit of the organization, but there is a value in the balance sheet, as an asset or liability, that everyone can see. If a bank has signed guarantees worth, say, Rs 100 crore, that is a liability that may arise at some point in the future and hence has to be represented as a liability. But it may also never arise, because the contingency may not fructify or may be recoverable from the client. So a contra entry is shown as an asset.

I had once worked out an entire broking software architecture based on the financial principle of double-entry book-keeping, with each stage of processing such as order booking, order execution, delivery of securities etc. treated as liability and asset transactions, so that the liability in progress gets reflected in the books of account.

Presently, therefore, I have tried to develop a methodology for the valuation of data and for bringing it to the books of account. The methodology, tentatively called “Naavi's Data Valuation Model”, suggests a method for valuing personal data for the purpose of bringing it to the balance sheet.

Some time back the undersigned discussed the “Theory of Data”, in which the difficulty of assigning ownership for “value addition” to data during the life cycle of its processing was discussed as the “Additive Value Hypothesis”. On a similar consideration, Naavi's Data Valuation method contains some suggestions on how personal data can be valued. It is a paper under development, and the first version is available here.

FDPPI has constituted a Special Working Group to discuss the suggestions, and the PDP Codes Committee of FDPPI will develop a code of practice that will guide organizations on a method of valuation. It may be recalled that the PDPSI framework for audit of PDP-CMS (Personal Data Protection Standard of India framework for audit of Personal Data Protection Compliance Management System) adopts a model implementation specification that requires visibility of the value of data held by an organization.

When the report is finalized it will be released for public comment. In the meantime, comments on Naavi's initial suggestions are welcome.

While an acceptable method of absolute valuation has to come from an organization such as the ICAI, individual organizations can take their own decisions on bringing out approximate representations, either as contra entries in the balance sheet, as an accountant's footnote to the audit report, or at least as part of the Directors' report. PDPSI tries to drive companies towards this.

In particular, we invite the views of the Chartered Accountants and the office bearers of ICAI in this regard.

Naavi

Reference Articles:

Darkweb Price Index 2021 (PrivacyAffairs.com)

Darkweb Price Index 2020 (privacyaffairs.com)

What your personal identity and data are worth on the darkweb (Techrepublic.com)

Best Identity Theft Protection Services of 2021 (reviews.org)

You are worth $1010 on the Darkweb (prsnewswire.com)

Posted in Cyber Law | Leave a comment

Yet another data breach incident: Domino's / Jubilant FoodWorks

About a month back, it was reported that Domino's India had suffered a data breach. The data now appears to be available on the dark web.

In the context of this breach, we professionals need to discuss:

a) The extent of harm caused

b) The cause of data breach

c) Remedies to mitigate the damage

d) Preventive measures

An article in livemint.com provides some details about the incident. There are many other articles in the media giving similar information.

Let's set out some brief thoughts for further discussion, based on the information presently available in the media.

Data Compromised

1. Number of data sets compromised: 18 crore orders, 1 crore credit cards

2. Total value as sold on the dark web: Rs 4.5 crore (10 bitcoin)

3. Type of data: full data set consisting of name, address, mobile number, e-mail address, geo-location at the time of order, as well as payment-related data which may include credit card data. Whether the credit card data was masked, and whether CVV data was also compromised, is not yet known.

4. Possible Harm

The email addresses can be used for spamming, further phishing, resetting of passwords on bank accounts, etc. Credit card information may be used for cloning cards. Geo-location can be used for further spying. The stolen identities may be used for many other offences as well. If the CVV has been stored and also compromised, all affected users will need to replace their cards.

The potential harm is of financial loss, reputation loss, harassment, stalking, bullying etc.
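Whether the card data was stored unmasked is the question that decides the harm above. As an added example that is not part of the original post, and assuming a constructed order-export format rather than anything known about the company’s files, here is a preventive check an internal audit team could run over exported records: it flags digit runs that pass the Luhn check as real card numbers, flags stored CVVs, and shows what the masked record should have looked like.

```python
import re

# Constructed sample of an internal order-export file (an assumption for this example).
SAMPLE_RECORDS = [
    "order=1001;name=A. Kumar;email=a.kumar@example.com;card=4111111111111111;cvv=123",
    "order=1002;name=B. Rao;email=b.rao@example.com;card=XXXXXXXXXXXX4242",
    "order=1003;name=C. Das;email=c.das@example.com;card=5500000000000004",
    "order=1004;name=D. Roy;email=d.roy@example.com;card=1234567812345678",  # fails Luhn
]

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")      # candidate card numbers
CVV_RE = re.compile(r"\bcvv=(\d{3,4})\b", re.IGNORECASE)  # stored CVV, which must never be at rest


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the usual way of storing a card reference."""
    return "X" * (len(pan) - 4) + pan[-4:]


def scan_record(line: str) -> dict:
    """Report unmasked PANs and stored CVVs in one record and return its masked form."""
    pans = [m.group(1) for m in PAN_RE.finditer(line) if luhn_ok(m.group(1))]
    masked = line
    for pan in pans:
        masked = masked.replace(pan, mask_pan(pan))
    masked = CVV_RE.sub("cvv=<removed>", masked)
    return {"unmasked_pan": pans,
            "cvv_present": CVV_RE.search(line) is not None,
            "masked_line": masked}


def summarize(lines) -> dict:
    """Counts an auditor would put in a breach-readiness report."""
    results = [scan_record(l) for l in lines]
    return {"records": len(results),
            "with_unmasked_pan": sum(1 for r in results if r["unmasked_pan"]),
            "with_cvv": sum(1 for r in results if r["cvv_present"])}
```

Run on the constructed sample, two of the four records hold a real unmasked card number and one holds a CVV; the record with a digit run that fails the Luhn check is correctly left alone.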

It appears that the data breach was discovered in April, when the hackers perhaps demanded a ransom. It is not known whether the ransom was paid or rejected. But now the data appears to have been put up for sale at a price of 10 bitcoins.

There is no information on reporting of the data breach either to CERT-In or to the data subjects.

The organization admits the data breach but says that the customers’ financial data is safe.

As per one report, the data was taken from the internal files of the company between 2015 and 2021. If so, it could be an employee hack which went undetected for a long time due to gross negligence in the security system. Jubilant FoodWorks, the Indian listed company responsible for the security of this data, has not yet disclosed the breach information on its website.

The JFL website also reports that it won a Golden Peacock award in FY16 which included “Risk Management”. Probably the “Risk” here referred to food-related risks. It would be interesting to see whether the awarding agency provides any clarification.

The independent directors of the Company also need to come out with their view on the cause of the data breach, its impact, the remedial measures to be taken, etc.

The company now needs to budget for the cost of providing “Identity Theft Protection” to the 18 crore affected data principals. They can thank their stars that there is no DPA to breathe down their necks. CERT-In is a more accommodating regulator and could be satisfied with press statements that “there has been no adverse impact on the customers”.

Surprisingly, the stock market has not reacted to the possible financial consequences of the breach. The company has to come out with its annual report, and since it is a listed company, the listing requirements mandate that the CFO and the CEO disclose the financial impact of the breach in the balance sheet. The stock markets should also expect a report.

In the event Jubilant has paid a ransom in Bitcoin, it would be necessary to account for the source of the funds used to purchase the Bitcoin, and since the Bitcoin transfer would have happened through one of the Indian Bitcoin exchanges, the top Bitcoin exchange companies in India need to be subjected to a transaction audit to identify the destination of the bitcoin payments.

Since most of the Bitcoin lobbyists claim that they are law-abiding and that Bitcoin is not a currency of criminals, they should be cooperating with the Police in investigating whether any ransom was paid and, if so, how.

It is also time for cyber insurance companies such as Tata AIG to structure a policy for “protection against the identity theft consequences suffered by customers of a company which suffers a data breach”.

Naavi’s Ujvala Consultants includes in its model data breach management policy the clause that “The possibility of obtaining a cyber insurance to cover the risks of the affected data principals shall be explored”.

I urge organizations like FDPPI to include, in their code of practice for handling data breach incidents, the purchase of a cyber insurance policy to protect the affected customers.

Let’s watch further developments.

Naavi
