New Opportunities open up for India thanks to Singapore PDPA

When Singapore amended its data protection laws to increase the penalties for data breach to 10% of annual turnover, a window of opportunity opened up for India to attract investments from data processing companies.

India presently operates under the data protection regime of Section 43A of ITA 2000, which is not considered good enough for global companies to have their personal data processed in India. But once the Personal Data Protection Act is passed, India can, on paper, sport a data protection law that is on par with global laws.

At the same time, companies that were considering setting up their operations in Singapore because of its better industry environment and better “Ease of Doing Business” have been jolted by the recent amendment to PDPA 2012 increasing the penalties for data breach. The data breach risk will raise the cost of operations, with both the cost of risk mitigation and the cost of Cyber insurance going up, not to mention the occasional data breach that escapes all security measures.

The recent relaxation of the OSP guidelines by the DOT is another major positive development which could attract some fence-sitters to consider India as their investment destination.

Hopefully, the PDPB 2019 will be passed without further delay so that the Government can spread the word about the better business environment in India and attract investments.

At the same time, developments in the State of Maharashtra have set the industry back by a significant margin, since the data protection industry looks for a law and order situation in which law enforcement works to protect the industry rather than waging war on it at the whims and fancies of the local Government and the Police. The inability of the federal Government and the Courts to intervene when it was required has put a doubt in the minds of international observers: if tomorrow a data processing company is in the bad books of the local political party or the Police, then neither the operations of the company nor the personal data entrusted to it for processing is safe from being vandalized by the State.

With Mumbai being a commercial hub and Pune an important IT hub, the developments regarding Republic TV cast a shadow on the lawfulness of operations in the country. These developments have turned part of the country into a banana republic and, going by the Schrems II decision of the EUCJ, India will not be considered a country which the EU can rely upon.

In order to reduce the adverse impact of the Mumbai Police excesses, it is necessary for other States such as Karnataka to make extra efforts to assure the IT industry, and more particularly the data processing industry, that what is happening in Mumbai is an aberration and does not reflect the general status of lawfulness of industry operations elsewhere in the country.

Perhaps, to take advantage of the two developments, namely the amendment of the Singapore data protection act adverse to the industry and the amendment of the OSP guidelines in India favorable to the industry, as well as to cushion the impact of the misadventures of the Mumbai Police and Government, the neighboring Governments in Hyderabad and Bangalore may undertake special projects to attract IT investors to their states.

Perhaps special economic zones such as “Data Processing Zones” may be created for businesses involving the processing of personal data, with support for employees working from home. The PDPB 2019 also provides that the DPA can notify a local data processing entity processing personal data of foreign citizens as exempted from the PDPA of India. If the local state Governments assure the industry that they are not like the Maharashtra Government and will not behave as Maharashtra is behaving in the case of Republic TV, then we can not only move some projects from Singapore to these states, but also move many projects slated for Pune and other parts of Maharashtra to Bangalore and Hyderabad.

Let us hope the Karnataka Government seizes this opportunity and undertakes some programs on this theme during the Bengaluru Tech Summit due at the end of November.

Naavi

Posted in Cyber Law | Leave a comment

Security Incident Not Amounting to Personal Data Breach: Lupin Incident

Lupin Suffers Information Security Incident - Business Insider

The trend of continuing cyber attacks on pharmaceutical companies before the advent of the PDPA (Personal Data Protection Act of India), after which companies are expected to have better security oversight, seems to continue with the latest incident report from Lupin Laboratories Ltd.

According to the sketchy reports available in the media, “Select IT Systems were affected”. The company has stated that core systems and operations were not affected and that restoration of the impacted systems was underway.

Globally, it is known that a data breach in the Health Industry is expensive for a company (according to a study, the average cost of a data breach in a Pharma company is US$ 7.3 million). At the same time, the Health care industry is not so good in its IS practices, as indicated by a study which states that it takes nearly one year to track down a Cyber Security issue in such a company. Hackers consider the Health care industry to be a gold mine because stolen health data may carry a price of around US$ 1000 per set on the darkweb. It is no surprise that most data breaches (nearly 50%) are due to malicious attacks.

While this situation is global, India is on the cusp of passing the PDPA, and the current times may be the last opportunity for hackers to catch a negligent company.

First it was Breach Candy Hospital. Then it was Dr Lal PathLabs and Dr Reddy’s. Now Lupin. Maybe others will also experience, or have already experienced, hacks yet to be identified and revealed.

Hopefully, the industry will wake up and fortify its defenses while the law is yet to impose the kind of fines that will be commonplace when the PDPA comes into operation.

We know that the current Indian law, ITA 2000/8, has Section 43A, which expects companies holding sensitive personal data to maintain “Reasonable Security Practice”. Even companies not handling sensitive personal data are liable under Section 43, along with other sections including Sections 66 and 72A, to ensure that “Prudent Security” is always in place to protect data which has implications for the shareholders or the public.

Fortunately, the implementation system is currently too weak to make companies jump up, and such incidents are soon buried from our memory.

We need, however, to take notice that so far we considered the “Administrative fines” under GDPR and the proposed Indian PDPA, at a maximum of 4% of global turnover, deterrent enough. But Singapore has come up with a shocker of an amendment in which the administrative fine in respect of a personal data breach can be as high as 10% of turnover.

Considering the frequency with which data breaches are getting reported, if such fines are really imposed, many companies may need to file for insolvency when confronted with a single data breach incident. In fact, the “Risk of Doing Business in Singapore for a Company processing personal data” has now taken a quantum leap. This means Cyber Insurance costs in Singapore and the salaries of DPOs and CISOs will also go through the roof.

We must, however, recognize that “Breach of Personal Data” is different from “Breach of Non Personal Data”. Many security incidents, including ransomware attacks, may stop at the level of denial of access or a compromise without exfiltration of personal data. Such “Information Security Incidents” may not qualify as a “Personal Data Breach” and hence may not come under the jurisdiction of the Data Protection Authority, the Supervisory Authority or the PDPC. It may just be a “Cyber Crime Incident” where the victim has to claim his personal loss as damages and the Police will have to pursue the crime.

It will therefore be necessary for us to classify “Security Incidents” as involving or not involving personal data. Similarly, Cyber Insurance contracts need to distinguish incidents as “Personal data breach”, “Sensitive personal data breach” and “Non personal data breach” and fix premia and coverage separately.

Under the IPC we have different offences such as “Murder”, “Culpable Homicide Not amounting to Murder” and “Causing death by Negligence not amounting to homicide”, with different punishments.

Similarly, the Data Industry needs to recognize different types of Data Breaches and ensure that a non personal data breach is not wrongly reported as a personal data breach to the personal data regulator, and vice versa.

At the same time, the law is vague enough, and Police like those in Mumbai can come up with such innovative interpretations, that most data breaches may fall under both Personal Data and Non Personal data breaches. Hence companies need to prepare themselves for this new regime of data breach oversight from the Police and the personal data regulatory agencies.

Naavi


Singapore PDPA amended… Fines can be 10% of turnover

Singapore passed some key amendments to the Personal Data Protection Act 2012 establishing a new norm for administrative fines at 10% of turnover.

Now companies with turnover exceeding Singapore dollars 10 million per year that are responsible for data breaches face financial penalties of up to 10% of their turnover or Singapore dollars 1 million, whichever is higher. For companies with turnover less than S$10 million, the maximum penalty remains at S$1 million.

Additionally:

a) New offences related to the mishandling of personal data have been introduced.

b) The deemed consent provision has been expanded.

c) New exceptions to the consent requirement have been introduced.

d) A new Data Portability obligation has been introduced.

e) The Spam Control Act has been expanded to cover instant messaging platforms.

f) In addition to the increase in the fines related to data breach, breach notification has been made mandatory.

g) The applicability of the law has been extended by removing the exemption from the Act for organisations acting on behalf of public agencies.

New Offences

The new offences introduced include

  • any unauthorised disclosure of personal data that is carried out knowingly or recklessly;
  • any unauthorised use of personal data that is carried out knowingly or recklessly and results in a wrongful gain or a wrongful loss to any person; and
  • any unauthorised re-identification of anonymised data that is carried out knowingly or recklessly.

(This does not include public officers, who are subject to the Public Sector (Governance) Act 2018.)

It will also be an offence for a person to fail to:

  • comply with an order to appear before the PDPC or an inspector of the PDPC;
  • provide a statement in relation to any investigation; or
  • produce any document specified in a written notice.

Deemed Consent

The definition of “Deemed consent” is expanded to include:

  • for contractual necessity, i.e. where data processing is reasonably necessary to perform a contract; and
  • where individuals have been notified of the purpose of the data processing and given an opportunity to opt out.

Exceptions

New exceptions to the consent requirement are being provided in the following instances.

Now consent will not be required where the legitimate interests of the organisation and the benefit to the public (or any section thereof) together outweigh any adverse effect on the individual.

This could include where data is processed for the purposes of detecting or preventing illegal activities (e.g. fraud or money laundering) or threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services.

Organisations must, however, conduct a risk and impact assessment and disclose any reliance on legitimate interests, and they cannot use the provision to send direct marketing messages to individuals.

There will be a business improvement exception to consent, where there is a need to:

  • carry out operational efficiency and service improvements;
  • develop or enhance products/services; or
  • know more about the organisation’s customers.

The use of personal data must be what a reasonable person would consider appropriate in the circumstances, and the data must not be used to make a decision that is likely to have an adverse effect on any individual. This exception also applies to a group of companies, including subsidiaries within an organisation.

Also, the research exception to consent will be available, provided that, among other things:

  • the use of personal data or results of the research must not have an adverse effect on individuals; and
  • results must not be published in a form that identifies any individual.

There will also be an exception for institutes carrying out scientific research and development, or arts and social science research, or for market research aimed at understanding potential customer segments. However, disclosure for research purposes will continue to be subject to more stringent restrictions relating to impracticality and public interest.

Additionally, the scope of the business asset transaction exception in the PDPA will be extended to the personal data of independent contractors, in addition to that of employees, customers, directors, officers and shareholders of the organisation.

Data Portability

A data portability right will now be available to individuals, giving them the right to request the transmission of their data to another service provider.

An organisation’s portability obligation will only apply to:

  • user-provided data and data on user activity held in electronic form, including business contact information; this data may include third-party personal data, where the request is made in the requesting individual’s personal or domestic capacity;
  • requesting individuals with an existing, direct relationship with the organisation; and
  • receiving organisations with a presence in Singapore; however, data portability could subsequently be extended to like-minded jurisdictions offering comparable protections and reciprocal arrangements.

The PDPC will work with industry and sector regulators to establish and set out further requirements under regulations, including:

Exceptions to the data portability obligation will be provided, similar to those for the access obligation.

Personal data that is derived by an organisation in the course of business from other personal data will not be covered by the portability obligation.

Refusals of porting requests must be notified to individuals, together with the reasons for the refusal, and within a reasonable time. The PDPC will have the power to review these refusals and any fees for the porting of data.

Data retention

Organisations will be required to preserve personal data requested under an access or porting request for at least 30 calendar days after rejection of the request, or until the individual has exhausted their right to apply to the PDPC for reconsideration of the request or appeal to the Data Protection Appeal Committee, High Court or Court of Appeal, whichever is later.

Spam Control

The Spam Control Act 2007 will now cover the bulk sending of commercial text messages to instant messaging accounts. ‘Do not call’ (‘DNC’) provisions will prohibit the sending of specific messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software.

Third-party checkers will be required to communicate accurate DNC register results to the organisations on behalf of which they are checking the DNC register, and the checkers will be liable for DNC infringements resulting from any erroneous information provided by them.

The DNC provisions will be enforced under the same administrative regime as the other data protection obligations in the PDPA, as opposed to being enforced as criminal offences.

Accountability

There will be a higher level of accountability for organisations, which will be expected to demonstrate compliance.

Thus the law in Singapore has become more stringent and at the same time brought in more clarity.

Naavi

Details of the amendment are available here


Data Disputes Mediation and Arbitration Center to start under FDPPI

FDPPI (Foundation of Data Protection Professionals in India) is the champion organization in Personal Data protection in India. Started in September 2018 under the leadership of Naavi, FDPPI has made significant strides in establishing itself as the torch bearer of Data protection in India, to the extent that its byline “Think Data, Think FDPPI” makes real sense.

In its bid to provide end-to-end data protection services, FDPPI today provides “Certification in Data protection laws of India and other major laws” through two programs titled Module-I and Module-G.

FDPPI is also working on the “Unified Personal Data Protection Framework”, namely PDPSI (Personal Data Protection Standard of India), so that organizations may be compliant with the Personal Data Protection Act of India as at present and as proposed, with extensions for GDPR and other data protection laws to which an organization in India is exposed.

The third leg of serving the Data Protection community is providing a “Grievance Redressal mechanism” for disputes between:

a) Data Principals (Data Subjects) and Data Fiduciaries (Data Controllers)

b) Data Principals and Consent Managers

c) a Data Principal and another Data Principal

d) a Data Fiduciary and a Data Processor or a sub contractor

e) a Data Processor and a sub contractor, etc.

To this end, FDPPI has now started work on establishing a “Data Disputes Mediation and Arbitration Center” to provide the Alternate Dispute Resolution mechanism required by the industry.

Initially, the “Mediation” wing will start operations. Subsequently, “With Recourse Arbitration”, meaning arbitration without prejudice to the adjudication proceedings provided under the legacy system, would be introduced.

The arbitration and mediation would meet the expectations of the Indian Arbitration Act as amended and would also be in tune with the technical standards indicated by UNCITRAL.

The entire infrastructure for this is available under odrglobal.in, which will be made available for online arbitration. The professionals conducting the arbitration would be drawn from trained senior professionals who are experts in the field of Data Protection with more than 10 years of legal and technical expertise.

Hopefully, with this FDPPI will be able to provide the required support to the Data Protection industry even before the Personal Data Protection Bill becomes an Act.

Cyber Law College is also organizing the necessary mandatory training in the Indian Arbitration Act for those participating in this activity.

More details will be made available through FDPPI.

Naavi


Pharma data breaches should stop once data protection law comes into force

Three major cyber attacks in the Indian pharma industry in the last few months have left people wondering whether there is a pattern indicating the reason for this spurt. First was the Breach Candy Hospital one in February 2020 where over 121 million medical records were compromised. Of these, 120 million were images stored in the Digital Imaging and Communications in Medicine system consisting of X-rays, scan reports, etc. One million records contained Aadhaar information, medical history, etc. The data breach reportedly occurred because the access system of the hospital was compromised. Though this was an alarming data breach, the matter was hushed up and there was no apparent investigation by the Indian Computer Emergency Response Team (CERT-IN) or any further announcements in the media.

In October 2020, Dr Lal PathLabs reported a data breach of millions of records because their Cloud records reportedly did not have a password for access. Again, this was brushed under the carpet and no action was initiated by CERT-IN.

More recently, Dr Reddy’s Laboratories, which was testing a Covid vaccine from Russia, was attacked. Questions must be asked whether the lack of prompt action by CERT-IN earlier emboldened the criminals to continue their attacks on these pharma companies, which are soft targets holding highly valuable data assets.

The first reaction when such cyber incidents are reported is to find out how the breach occurred, whether there were any vulnerabilities in the technical architecture or whether there was a failure of controls. But the possibility of insider frauds causing such breaches cannot be ruled out, since negligence and failure of information security are so easily visible that ignorance alone cannot be the cause of these attacks.

Most of these companies are certified by various agencies under ISO 27001 standards or other quality ratings and the incidents highlight the failure of these systems to protect data. Indian lawmakers have provided undue legal recognition to ISO 27001 as if it is “deemed compliance” under Section 43A (ITA 2000). These incidents highlight the folly of those who wrote these rules. Hopefully, this will be automatically obliterated after the passage of the Personal Data Protection Act in India.

But a closer look at the incidents indicates that we should not see these incidents only as an information security issue and the responsibility of the ministry of electronics and information technology alone. This is the result of the failure of many other ministries such as finance, health and law. All these divisions must collaborate in taking steps to reduce the risk of such cyber attacks in future.

There are many studies of data breach incidents in the world which have indicated that designating a chief information security officer in an organisation has the effect of reducing the cost of data breaches significantly. Similarly, operationalising the Data Protection Law and the Data Protection Authority is expected to have its own effect in reducing such incidents. In fact, it appears as if the hackers are in a hurry to complete their hacks before India passes the Personal Data Protection Bill, (PDPB) 2019. Had the law been in force, companies such as Dr Reddy’s Laboratories, Dr Lal PathLabs or Breach Candy Hospital would have fortified their data protection system and possibly prevented the attack or mitigated its impact.

Incidentally, the finance ministry has two kinds of responsibilities associated with the mitigation of risks in such incidents. These are often completely out of our radar. The first is to ensure that every company holding valuable data should see its value in the financial statements and balance sheets by tweaking the principles of accounting and disclosure.

It is estimated that the black market rate for medical data sets in the dark web is $250. Hence, a loss of one million data sets in a company like Dr Lal PathLabs means that the total value of assets compromised could be around Rs 1,750 crore.

Today, the fact that a company may hold that value of data as its asset is not visible either to it, the shareholders or SEBI. Hence, allocation of resources to secure this invisible asset would suffer. Like in the case of “goodwill” and other intangible assets, or “contingent liabilities” that are brought into balance sheets as “special reserves” or “contra entries”, there is a need to bring the value of data asset of a company into the balance sheet for public disclosure.

If this system is followed, then the company management would be aware of the value of assets they hold, which have to be secured and insured even if it has a cost. If the value is visible, the company would also realise the value of following data protection principles such as restricting the collection of data to the purpose for which it is required and deleting used data after the purpose of its collection is accomplished.

If the data can be segregated into “personal” and “non-personal data” (including anonymised personal data) in the balance sheet, then the company can have an even better visibility of its data assets from the data governance principle and unlocking the value of non-personal data or the value of anonymising the personal data.

The finance ministry should, therefore, work with the Institute of Chartered Accountants to initiate a system of bringing data value into the books of accounts from the next financial year. It should also make data breaches less remunerative for data thieves.

Incidentally, the entire dark web economy is based on the use of cryptocurrencies like Bitcoin. Hence, if financial cyber crimes are to be reduced in the world, there is no option but to demonetise cryptocurrencies and criminalise their use. We need to recognise that Bitcoin is like the menace of narcotic drugs and can compromise bureaucracy, the government and even the judiciary. There is no cyber security without banning of Bitcoins and cryptocurrencies and the ministry of finance needs to realise this and act without further delay. The law ministry should assist the finance ministry and the RBI in bringing the necessary law for banning cryptocurrencies so that even the Supreme Court cannot legitimise this evil.

The health ministry has already introduced Electronic Health Record (EHR) guidelines which are as stringent as Health Insurance Portability and Accountability Act regulations in the US followed by hospitals. Though the passage of PDPB 2019 would bring in similar regulations, the ministry can notify all private hospitals and large healthcare agencies to start implementing the suggestions of the EHR guidelines as a sectoral regulation which can be adopted as a ready “Code of Practice” under PDPB 2019.

The responsibility of CERT-IN has already been set under the Information Technology Act as the nodal agency for cyber security in the country. Cyber security cannot be complete without properly responding to data breach incidents in the private sector, for which there are enough directions and powers under Section 70B.

Questions have been raised in the media about why Dr Reddy’s Laboratories chose to shut down production of its facilities in the UK, the US, Brazil and India because of the cyber attack and whether this would be the trend in future. It must be recognised that when a major data breach occurs in a life critical industry like pharma, action should be initiated to contain the damage first, then identify the root cause. Thereafter, action can be taken to eliminate the cause. This may require a temporary shutdown of operations to prevent further damage.

In the case of Dr Reddy’s, the responsibility was higher as the company is exposed not only to Indian laws, but to General Data Protection Regulation and Food and Drug Administration regulations. The management of Dr Reddy’s should be appreciated for taking the bold decision to close down its operations until the risk is identified and eliminated.

It is also necessary to flag one more risk that should be recognised because of the publicity gathered by these three data breaches. We are all aware of fake fire accidents that many unscrupulous organisations resort to in order to claim fire insurance. Similarly, it is possible for unscrupulous organisations to use “fake data thefts” to sell the personal data of citizens on the dark web. In the past, we have seen “data laundering” carried out through mergers and acquisitions where valuable data assets from Indian companies have been transferred to foreign entities. One example was how the ownership of CIBIL, owned by public sector banks and holding a huge treasure of sensitive personal data of Indian citizens, was surreptitiously transferred to a US company by the sale of shares by individual banks. Though this was a scam involving the transfer of thousands of crores of data assets, the finance ministry never recognised the suspicious nature of this acquisition.

Similarly in the coming days, “fake data breaches” may also be used to siphon off data from Indian owners to a foreign company. It is for this reason that in all such major data breaches, CERT-IN should not remain silent and must conduct a mandatory inquiry to document the findings to rule out frauds by the management. A joint inter-ministerial task force is required to find a solution to prevent such data breaches in future.

Na.Vijayashankar

—The writer is a cyber law and techno-legal information security consultant based in Bengaluru

[Reproduced from India Legallive.com]


Has Modi given up his fight against Corruption?

Naavi.org has been time and again pointing out that Bitcoins and Crypto Currencies are like the drug menace and have to be eliminated from India if we are serious about rooting out corruption and cyber crimes.

I still believe that Mr Narendra Modi is interested in curbing corruption and cyber crimes. The currency used for these illegal activities including terrorist payments is Bitcoins and other forms of Crypto Currency.

If Crypto currency is eliminated, the Dark Web will be choked of its life blood and it will reduce Cyber Crimes. If this was the only benefit of curbing Crypto currency, perhaps the MOH would have persuaded the MOF to ban Crypto Currency long time back.

But, more importantly, Bitcoin and crypto currency is the life blood of corruption in India and all the politicians, bureaucrats and even some members of the Judiciary could be soft on anything that prevents easy means of corruption and hence are happy to let Bitcoin thrive.

At one point RBI was trying to bring curbs on Bitcoins, but the Bitcoin lobby was able to get a surprising favorable judgement from the Supreme Court. It provided what appeared to be a temporary technical relief which has now become a conspiratorial permission to legitimize Bitcoins.

Since then, RBI has also gone silent. The draft bill for regulation of Crypto currency is gathering dust in MeitY. The message to the public is clear. Corruption wins against even Mr Modi.

I have been trying to bring to the notice of Mr Modi as the last hope to take action in this regard but so far, there is no reply or even an acknowledgement from PMO or the PM.

I suspect that any postings made on the PMO website are filtered and are not reaching Mr Modi.

Unless Mr Modi takes steps to be able to listen to the public without the coterie deciding what he should see and what he should not, this matter will not get his attention. In the meantime, there are attempts by Banks to get deeper into handling Bitcoins, since everybody including the Bank Chairmen is happy to support the “Currency of Corruption”.

Waiting for A Miracle

I wish that there is a miracle and Mr Modi turns his attention to banning Bitcoin.

Let God give strength to Mr Modi to take this decision, which will surely be a decision harder than launching an attack on China across the LAC.

I request any of the viewers of this post, including the intelligence agencies who should be monitoring this blog, to bring it to the notice of Mr Modi so that he can once and for all clarify whether he has the courage to block Bitcoins and crypto currencies in India or is too afraid to take this decision.

Once a clarification is received from Mr Modi one way or the other, people like us can drop our hopes and devote our attention to other things.

Naavi
