How the Ministry of Finance can help reduce Dr Reddy type Cyber Attacks

Close on the heels of the Breach Candy hospital breach which resulted in the compromise of 121 million records and the Dr Lal Pathlabs breach which resulted in the compromise of over 1 million records, both of which were neglected by CERT-In as well as the media, an attack on Dr Reddy Laboratories seems to have been noticed more prominently by the media.

The reason appears to be that Dr Reddy labs decided to keep its operations closed in India, UK and US, until the breach is properly investigated and remedied and the stock markets also reacted to the closure.

The exact nature of the Dr Reddy labs breach is not known. Unlike the other two cases, where access to the Cloud was reportedly compromised by hackers, in the case of Dr Reddy’s the company’s own data centers might have been adversely affected, probably by ransomware.

The spurt of attacks appears to indicate that before the PDPA becomes a law, hackers want to ensure that valuable data from the pharma industry is siphoned off. In the case of Dr Reddy’s, the hand of competitors and State Actors from China cannot be ruled out.

If PDPA had been in place, there would have been better resources allocated to Information Security/Data Protection by these companies at least in the fear of the heavy penalties. Now companies are taking it easy and hence are vulnerable.

One of the reasons why Companies tend to ignore security for their data assets is that the value of the data asset is not visible on their balance sheets. For example, according to a recent study, the price of medical records in the Dark web can be anywhere between US$250 and $1000. (Refer here). If this is true, then the value of 1 million records is around Rs 1750 crores to around Rs 7000 crores. If this value were seen on the balance sheet of Dr Lal Pathlabs or Breach Candy hospital, they would have easily appointed the best professional as a DPO or CISO to take care of information security and probably prevented the attack. In the case of Dr Reddy’s, there could be value in IPR beyond the number of records, along with the reputation loss and business loss arising out of closure.

While Information Security professionals worry about how to encrypt the data, manage the keys, ensure access through complex passwords or digital signatures or hardware tokens etc., we need to also look at the possible reduction of risks if the Company was aware of the value of the data it is holding.

It is therefore suggested that the Institute of Chartered Accountants and the Ministry of Finance should find a way of bringing the notional value of data held by a company into the balance sheets. For example, “Goodwill” and other intellectual property rights are often brought into the balance sheet in the form of special reserves which are there on record but not available for dividend distribution. Similarly, contingent liabilities such as guarantees are brought into the books as contra entries. In either case the shareholders and SEBI would be aware of the presence of the data assets in the company. The Board can then ask the CEO the relevant questions on whether the asset is properly secured and insured.

If this is achieved, there would be a huge improvement in information security investments and a corresponding reduction in attacks. This has been established in studies on Data Breach losses in companies, where it is found that companies with a designated CISO have a lower cost of data breaches.

The Ministry of Finance has a second weapon to reduce such Cyber attacks. This is by choking the economy of Cyber Criminals in the Dark Web and making Cyber crimes less remunerative. This can be done by banning all forms of Crypto currencies. I am aware that many administrators, politicians and even members of the Judiciary are in favour of Bitcoins for their own reasons. After all, Bitcoin is the best Currency for Corruption and even Mr Modi and Amit Shah think twice before attacking Bitcoins. But the long term solution to mitigation of Cyber Risks lies in banning Crypto Currencies rather than chasing Cyber Security through better Firewalls, Consumer education etc. The current approach in Cyber Security is to let the damage happen and then try to address the consequences rather than counter attack the hackers and bleed them of the reward of crime.

We hope the Government will muster enough courage one day to take Crypto currency by the scruff and destroy it forever. It is more dangerous than Narcotic drugs and can easily compromise everyone who comes across it.

I am confident that Mrs Nirmala Sitharaman, Amit Shah or Mr Modi are immune to such compromise but may still lack the will to take on other bureaucrats and politicians who may pounce on the Government together if Bitcoin is banned. Hope Goddess Chamundeshwari will on this Vijayadashami provide courage to these three to pick up their swords and kill the demon of Crypto Currency.

Naavi

Posted in Cyber Law

India’s credibility being downgraded by the assault on Republic in Maharashtra

When Section 66A of ITA 2000 was used by the Mumbai Police to arrest the Palghar girls, several people objected to the arrest and claimed that there was an infringement of the right to freedom of speech. When the case went up to the Supreme Court, the Court said there was a “Chilling Effect” caused by the Section 66A provisions that could stifle freedom of expression, and scrapped the section.

Now one is left to wonder where the Shreya Singhals and the Supreme Court are when there is an assault on the freedom of press in Mumbai, where the Maharashtra Government is acting more lethally than the 1975 Indira Gandhi regime and the Mumbai Police is acting most unprofessionally.

Is Freedom of Press limited only to

a) opposing the Section 69 notification under ITA 2000? or

b) opposing the implementation of Aadhaar? or

c) opposing the notification under Section 79 for intermediaries?

Is the stifling of the Republic TV channel not an infringement of the right to free speech?

The Supreme Court owes an answer to the people of India.

Where are organizations like Medianama.com, who jump into action whenever there is an anti Modi Government issue to fight on?

Why are they silent on the assault on freedom of press in Maharashtra?

Are they also like the Award Wapsi gang, with an agenda?

There is a need for introspection by these agencies.

While Republic might have invited the wrath of the Government and Mumbai Police because of the intense campaign it ran and is running, why are other media vehicles in Print and on the Internet, as well as other channels like Times Now, maintaining silence on what is adversely affecting their industry as a whole?

By treating this as a problem of Republic alone, we are allowing the Mumbai Police and Maharashtra Government to use a “Divide and Rule” policy.

It is a shame if Times Now thinks that it can benefit if Republic journalists are all in jail without understanding that the plight of Republic may come to them next.

NDTV and India Today may be rejoicing since they are known to consider Republic as a sworn enemy and their editorial policies are opposed to both Republic and Times Now.

If we allow the Maharashtra Government to succeed in its attempt to silence Republic now, there will be permanent damage to the freedom of speech in India. This can never be corrected.

I would not hesitate to also blame the Central Government for having remained a mute spectator and allowed the issue to escalate.

With the Maharashtra Government declining permission for the CBI in the state, it appears that the Shiv Sena is slowly taking Maharashtra out of the federal system. In due course, it can be another troubled state like Mamata’s West Bengal.

We all expected Mr Modi and Amit Shah to be decisive leaders but we find that they are failing in their handling of Maharashtra. If they do not wake up now, they will be responsible for the deterioration of law and order across the country as more states like Kerala intensify their anti national tendencies.

Many of the professionals in the media and academia were not happy with the Arnab way of “Journalism by shouting”. But that is an issue that pales into insignificance when we talk of whether 1000 journalists of Republic should be harassed with FIRs and midnight enquiries conducted to extract evidence in the TRP case while the post mortem of Sushant Singh Rajput is deliberately botched up.

It is time that the Media as a whole, whether Digital media, TV media or Print media, raise their voice against the actions that are being taken by the Mumbai Police and Maharashtra Government in the Republic issue.

Let me not mince my words. Our Supreme Court would have taken suo motu notice if there had been a similar action against any publication or entity which is part of the favoured lobby in Delhi. But it appears that the Supreme Court wants to keep its distance since the victim in this case is Mr Arnab Goswami and his channel, supportive of Mr Modi and the BJP.

There is a perception that our constitution does not support equality for all and has a built-in bias against parts of the community, brought in by the various amendments. It is the duty of the Supreme Court to correct this impression by its intervention when required. It is therefore the responsibility of the Supreme Court to act swiftly and assure the citizens of India that what is happening in Mumbai is unacceptable by any democratic standards.

Otherwise there is no difference between this Supreme Court and the Court of 1975 which upheld the emergency. The state of lawlessness visible in Maharashtra now is a clear indication to international governments that the Indian judiciary cannot be trusted to uphold democracy in a crisis. Just as it capitulated in 1975 to political expediency, it is again showing a tendency to abandon its duty to pull up the Mumbai Police and the Government.

If EU-GDPR authorities are looking at India for “Adequacy”, or economists are looking at “Ease of Doing Business” in India, they will take into account the Law and Order situation in the Country. The CJEU judgment in the Schrems II case is a clear indication that unless unfettered action of the Government and the Police against companies is checked in law, there is no “Adequacy” under GDPR.

The international agencies may now have to consider that Maharashtra is a state in India for which they have to assign a lower score in terms of lawful democratic governance. As a federal Country with law enforcement being a local subject, interference by the Police is a local Government issue. Other states may claim that they are more democratic than Maharashtra and claim a better “Adequacy” or “Index of doing business” than Maharashtra.

This may mean that some States in India may be considered “Adequate” under GDPR requirement and some may not. Maharashtra belongs to the “Not Adequate Status” by miles.

I suggest that the Karnataka Government may seize this opportunity, reiterate its “Lawful Governance” and claim a superior status for its Data protection status. This will enable data centers in Maharashtra processing EU data to shift their data centers to Karnataka.

If, however, Maharashtra is considered part of India, the rating of India also may be downgraded and we will not have any defense.

These are the long term adverse implications of the fight between the Maharashtra Government and the Republic Channel. Both the Central Government and the Supreme Court have to accept responsibility for such developments, caused by their inability to discipline the rogue elements in the States, whether in J&K, West Bengal, Kerala or Maharashtra.

Naavi

Posted in Cyber Law

Amazon Skips JPC… There is no need for summons

The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill 2019 appears to have felt insulted by the refusal of Amazon to attend the JPC, and there are suggestions in the media that the JPC should issue a privilege notice and force their presence before the JPC.

It is understandable that the JPC has delayed the completion of its proceedings because it wanted to give time to organizations like Facebook, Google, Twitter or Amazon to appear before the committee. This was a matter of courtesy.

But these organizations are interested more in delaying the passage of the bill, and if they feel that the JPC would not finalize the Bill before hearing these big guys, it would be an incentive for them to find more excuses to delay their appearance.

The approach of the JPC to summon an unwilling organization through a “Privilege” excuse is self defeating.

It is also not understandable that the Business Standard report suggests that questions were asked by the committee members to Facebook on how much tax they paid etc. These are again not the issues with which the JPC should be concerned, and diverting the JPC to issues other than the suggestions on PDPB 2019 appears irrelevant and diversionary.

We must understand that this JPC is not like the IT Standing committee. The objective of this JPC is to ensure that as much opinion as possible is gathered so that the bill, when passed, would be well drafted. To this end it can try to collect as many opinions as possible. Most of the views of experts are already with the committee in the form of written submissions. The JPC invitation is only to get more clarity on the subject by interacting with domain experts.

Probably the JPC is being misled into areas which are outside the scope of PDPB 2019, forcing further delay in its passage, and this should be corrected. Such an approach will provide grounds to challenge the recommendations of the JPC later in the Courts.

Business organizations like Amazon, as well as Google or Facebook, have vested interests and their views are expected to be skewed against the interests of the larger public good. If a company like Amazon does not want to attend the JPC, it means that they do not have any views to submit and will accept whatever law comes into force. Unlike Google or Facebook, Amazon does not have a history of challenging Government regulations, and it appears that they would be happy to work as the law of the land dictates.

If Amazon attends the JPC, it can only say that they do not want data localization or that financial information should not be considered as “Sensitive”. These will only support the detractors of the Bill and those who oppose data sovereignty. It will not help in the drafting of a better law.

I therefore urge the JPC to ignore the non attendance of Amazon and conclude the proceedings at the earliest.

Whatever efforts the JPC takes in good faith in collecting the views of the large MNCs, the opposition to the bill will continue to exist and there will be some litigation that will follow on the principles of data sovereignty, data localization etc., unless the JPC is interested in making the law as per the dictates of the large corporations.

Further, if the JPC gives a perception that Amazon’s views are essential to pass an Indian law, they would be undermining the status of the JPC and the Indian Parliament itself.

A question will also arise why a similar summons was not sent to the Indian e-Commerce companies or IT Companies having a huge stake in Data Protection. There may be a perceived discrimination against Indian players such as Jio or TCS or Infosys, who also may be invited through summons to obtain their views.

It is therefore strongly felt that the JPC should refrain from making the non attendance of Amazon an issue by giving them a second hearing, as if their views are critical to the passage of the Bill. If Amazon is important, why not Flipkart, BigBasket, Jio Mart, PayTM, all of whom will have their own views as important as those of Amazon?

We respect Amazon for its E Commerce but we do not think that they should be given the privilege of dictating the framing of Indian law, or even be left feeling that they are big enough for the Joint Parliamentary Committee of the sovereign Indian Parliament to hold up the passage of legislation while begging for their views to be provided.

We have already lost a lot of time, and the recent data breaches at Breach Candy, Dr Lal Pathlabs and Dr Reddy laboratories indicate that international hackers are making merry of the lawlessness on data protection and will continue to do so until organizations implement better security measures in fear of the PDPA (India).

We believe that all the recent data breaches are genuine breaches and occurred because the organizations were naïve enough not to have passwords on their cloud data storage.

I however do not rule out the possibility of other organizations taking a cue from these organizations and starting to fake data breaches to sell their data to hackers. Such frauds are common in the Insurance area, where organizations often fake fire accidents to make insurance claims. (Many politicians might have also used such fake “Fire Accidents” to get incriminating documents destroyed.)

Given the value of medical and financial data in the dark web, close to US$100 per data set, if a company has a few million such records, faked hacking can be a way of selling the data if the company or any of its executives want to make a million dollar bonanza stashed away in the form of Bitcoins, which again our Government and the Supreme Court, through their magnanimity, have allowed to remain in our economy as a currency of criminals and a currency of digital black wealth. (Message for Mr Modi for his Mann Ki Baat)

Passage of PDPB 2019 without further delay is therefore essential, and the JPC should conclude the proceedings at the earliest and submit its recommendations. It will take further time for the DPA to be established and regulations to be compiled. But the companies will at least be put on notice of the 4% of global turnover as a possible administrative penalty if they ignore PDPA provisions.

If necessary, we can always make amendments after passage. We know that the California Consumer Privacy Act (CCPA) got amended about 7 times after its initial passage before it was due to become operative. There is no issue therefore in amending the Act, say, after about a year of its passage, incorporating some of the experiences during that period.

Naavi

Posted in Cyber Law

Covid becomes an agent of Change in the Privacy scenario

The incidence of Covid and the forced need for Work From Home (WFH) as a part of organizational culture is a disruptive change to our life style that all of us need to adopt and adapt to.

As Covid appears to be peaking out, companies have reached a stage where they will have to re-assess their strategies on how to return to their earlier operational methods or retain the current norm as the “New Normal”.

In all ISMS concepts, we try to identify what is “Reasonable”, “Commensurate with the Risks” and “Best Industry Practice”, based on which we choose options. The “New Normal”, if accepted now, makes it necessary for us to consider whether our current practices require a permanent change.

For example, the WFH situation has made:

a) BYOD more the norm than the exception. Access devices are mostly the laptops of the individuals, where the user also has to manage his personal banking transactions, e-commerce, gaming, personal communication, entertainment etc., unless it is possible for everybody to maintain a separate laptop for office purposes.

b) Physical security less relevant than before, as the heavily guarded corporate premises with access controls at the gate, biometric attendance and electronic door locks have been replaced by home offices where workers work from their bedroom, with children falling over the laptops and friends, relatives and family members walking all over.

c) The monitoring of the worker by a centralized IS department has lost its meaning, since even the CISO may be operating from his drawing room on his laptop.

d) Security is therefore confined to network access security, fortified by the integrity of the individual.

e) Firewalls have to be liberal to accommodate access through public networks, and monitoring of logs has become a bigger challenge as one has to watch a distributed work force.

f) The contractual agreements where the company had committed that operations would be carried out in a given premises with audit access for the customer etc. have lost meaning, since the one building floor which hitherto housed 1000 workers has now spread out into 1000 different households in different towns and cities.

If we do not appreciate this change and are not prepared to accept that all our principles of Information security require a complete overhaul, then we are cheating ourselves.

Hence rigid information security management systems based on international standards need to be made flexible with appropriate workarounds.

In terms of Privacy, it is time for us to realize that “Privacy” as a right under Article 21 of the Indian constitution, subject to “Reasonable Exemptions” under Article 19(2), needs to be revisited to set proper priorities between Article 21 and Article 19.

Perhaps we need to reverse the priorities between the two articles and recognize that Privacy is a right under the “Right to Security” that is indicated as Article 19(2) as a sub part of the Right to Freedom of Expression.

I am sure that some of the committed Privacy activists would swear by the Puttaswamy judgement and that the last word on Privacy has been laid in stone.

However, we must appreciate that the Puttaswamy judgment was a view in the Pre-Covid situation and may need a re-look in the Post-Covid situation. The need for such a question arose in the Aarogya Setu app, where the debate was whether an individual’s right to privacy was higher than another individual’s right to remain at a safe distance from the pandemic risk.

If Aarogya Setu is mandatory for Mr A because Mr B wants to know if it is safe to come near that person, or, having come near that person who is later adjudged covid +ve, Mr B wants to be made aware of the risks, then the decision on what is correct or wrong depends on whether the Right to Security of B is as much or more valuable than the Right to Privacy of Mr A.

Similarly, in the Cyber Crime prevention scenario, whether insisting on Aadhaar as an ID for a certain service is a violation of privacy or a security measure also needs to be re-assessed.

Some puritans may wonder whether we can question the Constitution and disagree with what is written in the constitution and what the Supreme Court has interpreted. But it is necessary for us to also remember that our constitution has been amended more than 100 times. Many of these amendments have gone against the basic concept of equality and justice for all because they were held inconsistent with the right to correct the past oppression of a section of the society.

Hence what the Constitution or the Supreme Court says today is only a temporary guideline; “Jurisprudence” is always under development and may change concepts which we otherwise consider as set in stone.

ISMS practitioners and Data Protection professionals therefore need to have an open mind and recognize that Post Covid information management is a new era, and many of the principles which we thought sacrosanct in the past may need to be amended.

Data protection professionals also therefore need to be flexible enough to adapt to the new norm and shed their dogmas.

As an example, if ISO 27001 was the bible of Information Security practice so far, it need not be so in the coming days. Maybe PDPSI is the Bhagavadgita of Data Security and can be more relevant and effective as the ISMS guide in the Post Covid era.

Naavi

(Comments and Criticisms welcome)

Posted in Cyber Law

FDPPI launches 2nd Batch of Certification Training on Global Laws

Posted in Cyber Law

ITA 2000/8 needs further changes

It is time to recall that on 17th October 2020, we completed 20 years of the existence of the Information Technology Act 2000. The one major amendment made to the Act was in 2008. With the passage of the Personal Data Protection Act some time in 2021, there will be another major amendment to ITA 2000. On that occasion, apart from the deletion of Section 43A, more amendments may be considered.

Naavi has suggested many times the changes required to be made to ITA 2008, and some of the articles regarding such suggestions are given below.

Drawing the attention of T K Vishwanathan Committee on ITA 2000 amendments
Proposed Amendments to ITA 2000 and Privacy Protection
Redefining the scope of ITA 2008.. in the amendments..
Suggestions on Modification of ITA 2008
Domain Name Regulation in ITA 2000..to be amended
ITA 2000/8 will remain the supreme Data Protection Law of India

Looking beyond the earlier suggestions, we need to think about the following six changes to ITA 2000.

  1. Introduce a mandatory verified account tag for social media posts (as proposed in PDPB 2019, where it is optional) to eliminate fake accounts and reduce the incidence of fake news.
  2. Reintroduce an equivalent of Section 66A to recognize “Offences through Messages” as distinguished from “Offences through publication”.
  3. Re-issue the Section 79 notification for “Tracking” of messages.
  4. Prevent phishing websites by making domain registrars accountable for checking the identity of domain registrants.
  5. Introduce a controller of Mobile Apps and Games to regulate malicious apps and games.
  6. Ban Crypto currencies to choke the economy of the dark web.

Naavi

Also see: 20th anniversary of ITA 2000

Posted in Cyber Law