AWS FIR: Response from AWS

Further to the brief report on the FIR reportedly filed by Adarsh Builders on AWS India, AWS has responded through their public relations representative from “publicisconsultants-asia.com” as follows:

“The claims against AWS in a recent news report are false. AWS operated as designed and is not responsible for the deletion of Adarsh Developers’ data.” – AWS spokesperson.

I have sought clarification on whether this is a counter accusation that Adarsh Builders have filed a “False FIR”, in which case it would also be a threat that counter action may be launched against them, or whether it is to be interpreted as “The allegations made in the FIR by the complainant are denied”.

I am expecting the reply.

The FIR also mentions Redington Group, Bengaluru as A2. I invite a response from them.

I have also sought a response from Adarsh Builders and am awaiting their reply.

Some of the key information in the FIR states:

“In May 2023, Saidalawi Safan, a business development representative from AWS, contacted the firm and insisted on using their cloud storage servers to ensure retrieval of data even in the event of cyber terrorism or act of sabotage or other events like lightning, earthquake, cyclone, flood, storms, etc.”

“Believing such assurance, in December 2023, the company procured cloud storage facilities with AWS through SAP implementation partner M/s SAVIC Technologies Pvt Ltd, Mumbai. The work order was issued to them to shift the company’s data from the earlier cloud storage facility to the AWS and also to maintain the data securely for three years until November 2027. The payment was agreed for Rs 88,59,924, including GST.”

“On January 9, due to the actions of a few individuals at Redington and AWS teams, there has been a data loss.” (We were) further told that “employees at Redington Group have entered into our storage area at the root level and deleted our account completely. This event has resulted in the loss of over six years of business data causing substantial financial and operational loss to the company. The deletion of SAP S/4HANA (a business suite used to manage data) has brought the business functions/operations to a complete halt and the vital financial records, supply chain data, customer information, and operational insights accumulated over years are now inaccessible.”

Adarsh Builders has stated that they have recovered part of the deleted data and are trying to rebuild the customer data manually. However, a “Personal Data Breach has occurred” and the firm should have reported the breach to CERT-In. AWS, Redington as well as SAVIC Technologies also need to separately file their own breach reports with CERT-In. Hope all of them are aware of the Indian data breach requirements.

Being a high-profile incident, the investigation and the subsequent developments in this case are likely to define the responsibilities of cloud service providers, who in most cases are considered sub-contractors of companies. However, due to the size of international organizations like AWS, Azure or Google Cloud, users take the service contracts on an “As is where is” basis as a “Dotted Line Contract”.

The law in India classifies such contracts as “Unconscionable Contracts” and the onerous conditions are likely to be struck down in a Court of law.

We will therefore watch how this case develops in the DPDPA era, which is a continuation of the ITA 2000 (Section 43A) regime.

Naavi.org will be leading a discussion on “Obligations and Duties of Cloud Service users and providers” in a knowledge session today at 7.00 pm. This will be open to a limited number of participants on registration and confirmation of registration.

Registration requests can be sent here:

https://us02web.zoom.us/meeting/register/CIy9qD-YSBK0o1Bj6_D-nQ

Naavi

Copy of FIR:

Copy of AWS Terms

Copy of AWS India FAQ

Also Refer:

Bangalore Mirror

csoonline

livemint.com

Posted in Cyber Law

“Errors, like straws, upon the surface flow; He who would search for pearls, must dive below.”

This is a famous quote from John Dryden, an English Poet.

I am reminded of this while commenting on the DPDPA 2023, which by design or accident has many hidden gems that we often ignore while criticising the law.

In many of the interactions I have been having with industry experts, particularly relating to the Comments on the DPDPA Rules, I end up hearing criticisms from others which appear to contradict my own views on the positive features of the Act. Sometimes I feel that even the MeitY officials may not defend the law the way I do.

The philosophy behind our approach to the DPDPA 2023 is that once the law is in place, we need to adapt to the law until it is changed at some time in the future. We cannot expect that the Rules will be able to tweak the law and make it better. If there is any such attempt, the law will be challenged in Court, and Indian Courts can easily be convinced to stay the law for an indefinite period.

Yesterday, in the panel discussion organized by Center of Civic Society, I reiterated that the DPDPA Rules should not be too detailed and should continue to be “Principle Based”. I believe that we should not force MeitY to make the rules too detailed and thereby give vested interests an opportunity to argue that they are ultra vires the law. For this reason, I have been advising the Government not to make the rules too prescriptive, as the industry advocates, but to keep them generic.

It is true that in the Shreya Singhal case, the Supreme Court expressed its unhappiness about the law being vague. But we all know that the Supreme Court is not consistent and gives its views as it suits it for the moment. For example, in the Puttaswamy Case, one Judge said, “There is no need to define Privacy..” but went on to impose the liability to protect Privacy on the industry. The same judge even said that … even what is written in the Constitution is not binding on the Court, and that they have the discretion to interpret the Constitution as they deem fit. The Keshavananda Bharati judgement itself is a blot on the Indian judiciary and its ability to play a fraud on the Constitution, but is a highly celebrated judgement which all our legal friends seem to swear by.

In our view, if the law is too prescriptive, it will only show how it can be violated legally under the principle, “What is not expressly prohibited under law is lawful”.

I would urge everyone to hear Justice Srishananda of the Karnataka High Court on the “Difference between Offence and Crime”; we will then appreciate that society should discard this definition of what is lawful and unlawful. We should therefore ensure that the law is not too prescriptive but is deliberately left open for contextual interpretation. This will prevent a situation where one judge regretfully remarked, “I know that the accused is guilty but I am declaring him innocent because the prosecution has failed to prove the evidence against him”.

Every one of us may be affected by a new law like DPDPA 2023, and our first reaction is always a reflection of our discomfiture. If I am a CEO, I am not happy with the new Compliance, which requires more investment, effort and disruption of my current state of equilibrium.

In this state of mind, what comes to my immediate notice are the apparent shortcomings. However, when we reflect deeply, we can find many positive features of the law that we can absorb and later turn to our benefit.

If we are a “DPDPA Compliant Company”, our long-term sustainability is better addressed. If I try to cut corners today, I may have to fold up one day, since we never know when the law will hit us badly.

“Compliance First” should therefore be the motto of every CEO.

The biggest strength of DPDPA 2023 is that it delegates the protection of Privacy to every Company that uses Personal data, because as a “Data Fiduciary” it is the trustee of the data principals. The Government need not tell each company what is lawful. They, as “Trustees”, have to figure out what is correct and exercise “Due Diligence” to protect Privacy in society.

This one principle is enough to elevate DPDPA 2023 above GDPR, which gives the status of a “Controller” to a commercial company.

Let us therefore appreciate what is good in DPDPA 2023 and not only try to find faults…

Naavi


Posted in Cyber Law

RBI Opposes Privacy Law

Until Mr Shaktikanta Das was the Governor of RBI, it appeared that RBI could be relied upon to take care of the interest of the public. In the Bitcoin case, RBI had taken a bold, principled stand which unfortunately was overruled by the Ministry of Finance under Mrs Nirmala Sitharaman. It was known as the triumph of corruption over national interest.

Now, with the new Governor Mr Sanjay Malhotra, who was earlier Revenue Secretary and has been instrumental in legitimizing Bitcoin using tax as an excuse, the confidence in the RBI as a protector of the public interest is at stake.

This is well reflected in the challenge RBI has mounted on DPDPA 2023 and the Supreme Court judgement on Privacy by stating that “Credit Firms are not required to obtain User’s Consent to maintain Credit Scores” in an affidavit filed with the Supreme Court in Suryaprakash vs Equifax and others.

The way Credit rating firms like CIBIL were taken over by foreign companies like TransUnion was directly a consequence of RBI not monitoring the “Data Laundering” that was behind such takeovers. Today RBI has gone a step further and is trying to give a free hand to CICs to misuse and profit from the Credit information of 140 crore Indians.

The Supreme Court frowned when IRCTC wanted to conduct a survey on whether it is possible to monetize its data, and forced it to withdraw the proposal. Whenever UIDAI wants to take day-to-day operational decisions, the Supreme Court pounces on UIDAI to limit its operational freedom.

Now we need to see how committed the Supreme Court is to accepting the view of RBI that a consumer has no role in the CICs profiling his credit functioning, which often causes harm to the data principals.

We consider that the law of DPDPA 2023 should prevail over the earlier CIC law, which itself has been fraudulently misused for purposes for which it was not intended.

Under the legislative intent of the CIC Act, the credit rating agencies were meant to assist the Banks in reducing their NPAs by preventing a defaulter from borrowing from multiple Banks. It was not the intention to monetize the Credit data of consumers and let US companies make money.

RBI has been a silent spectator in this data loot and must be considered as a co-conspirator in this data laundering exercise.

The current stand of RBI only confirms that RBI wants to challenge the Right of an Individual to determine how his personal data is to be processed by the Banks and for what purposes they can share the data with other Banks. CICs are a third party, and if they want to process the data of Bank customers, they have to obtain consent like any other data processor or joint data fiduciary.

RBI has admitted that the CICR Act was brought in as a part of the risk mitigation policy of the Government to arrest the accretion of fresh NPAs in the Banking sector. For the same reason, the CICR Act does not empower US Companies to create a “Credit Rating” from the data shared by the banks and sell it to all loan companies at a price.

RBI’s counter affidavit is a misrepresentation and must be rejected.

Naavi

Posted in Cyber Law

FIR on AWS

Amazon Web Services has been blamed by a builder in Bengaluru for a data loss of over Rs 150 crores and an FIR is reported to have been registered by CCB, Bangalore.

According to the report in Deccan Herald, Adarsh Developers were using Amazon Web Services and had migrated their data at an agreed cost of Rs 88 lakhs. Now AWS India has reportedly stated that despite their best efforts the data has been lost and they cannot retrieve and restore it.

Employees of the Redington Group and AWS have been blamed for the data loss. Whether it was sheer negligence, incompetence or possible criminal intent is to be established by the investigation.

This investigation would currently be under ITA 2000 and involve Unauthorized access, Failure of security, Contractual failure, etc.

Even CERT-In needs to be involved in the investigation along with the police.

Though DPDPA is not yet applicable, the principles of DPDPA would be part of the due diligence expectations under ITA 2000, and since personal data could also be part of this “Personal Data Breach”, we should consider this investigation and the eventual disposal of this case as a case fit for “Privacy Watch”.

Let us closely follow this case, since it has huge implications for AWS as a “Joint Data Fiduciary” responsible for reasonable security practices and for indemnifying the loss of individuals whose personal data is involved in the incident.

Naavi

Posted in Cyber Law

Complexities of Privacy Awareness Building

Despite the DPDPA 2023 having been passed as a law, all of us know that there is a need to create public awareness of what Privacy means to the common man. Without this awareness, the law is unlikely to be effective.

Hence the first step we all want to take up is to make the common man appreciate the importance of Privacy, or in other words the “Risks” of Privacy Infringement.

I would like every member to start thinking about how they can contribute to the development of this Privacy Culture in India.

Let us assume a task where one of you will address the Parents in a School or the Members of a housing society and explain the concept of Privacy. You will immediately realize the challenge of communicating the need for the “Right of Choice” of individuals without adversely affecting the school authorities, or the Society putting up CCTV cameras in its premises.

Privacy is a complex concept, and there is always a conflict between the Individual’s Privacy Rights and the Business Interests of Monetization, as well as the Surveillance and Investigative Needs of Law Enforcement.

When we spread awareness of Privacy, we need to spread a balanced awareness of the rights of Privacy without losing sight of the fact that we cannot wish away the needs of Monetization by business and Surveillance for national Security. If we do not recognize the need for such harmony, we will only create three segments of the market who will keep fighting amongst themselves.

The Challenge before us is how to make people aware of their “Rights” along with their “Duties”, and also how to make them appreciate that Business and Governance are also important for an orderly society.

Can we have comments from all of you?

Naavi

Posted in Cyber Law

Hotels as Data Fiduciaries

The DPDPA 2023 has completely changed the outlook of the industry on the Use and Management of Data. So far, like every other business entity that has adapted itself to the “Data Driven” business strategy, the industry was concerned only with “Information Security” or “Cyber Security”, preventing cyber criminals from accessing data in their custody and committing frauds.

In late 2018, the J W Marriott chain had “become aware” of a data breach of its reservation system which had actually happened in 2014, in the network inherited from “Starwood” hotels, which had been purchased by Marriott in 2016. Data of over 500 million guests, with credit card and passport details, had been accessed by hackers. Investigations revealed that one of the competing bidders for the takeover of Starwood could have been responsible for the breach. The involvement of the Chinese Military was also traced. It was therefore a business rivalry and foreign state sponsored attack. This was considered an “Information Security Issue” and the damage to individuals was collateral.

However, in terms of the damage to the Company, the penalty imposed by the UK ICO under GDPR was more than $120 million, much more than the direct loss suffered, most of which was covered by Cyber Insurance.

The Insurance industry is deeply divided on whether the administrative penalties can be covered by Insurance and in the instant case J W Marriott did not contest the fine and it is reported that it ultimately settled the penalty at around $52 million.

The Indian Hospitality industry so far was not much concerned about such data breaches, since the industry was protected by weak enforcement and a weaker judicial system in India.

The current law of ITA 2000 requires an affected party to claim damages for a company to be liable for such data breaches, but the “Valuation” of personal data for claiming damages continues to be a grey area, and it could take decades of litigation for a PIL to materialize (e.g. the Bhopal Gas Tragedy case). Hence the industry was taking it easy. Most large hotel chains today hold lakhs of personal data records, including Aadhaar data, PAN data, Driving license data etc., and these are retained for decades.

Now, with DPDPA 2023 coming into force, the “Risk of DPDPA Non Compliance” hangs over the heads of all members of the hospitality industry, though limited to around Rs 250 crores, or say around Rs 500 crores if multiple breaches or instances of non-compliance are recorded.

Under DPDPA 2023, the Hospitality industry players will be given a new responsibility as “Data Fiduciaries”, responsible for the protection of the “Privacy Rights” of their customers.

The industry should therefore wake up and start taking steps to mitigate the DPDPA non-compliance Risk.

After shedding the complacency and deciding to secure the personal information under their custody, the industry should not fall into the second trap of complacency that they are secure by being certified for ISO 27001 or GDPR. They need to look for Certification under India-specific Compliance frameworks such as DGPSI.

In this context, it is timely that ETCISO is hosting an event on 18th February 2025 from 4.00 pm to 6.00 pm in Bengaluru (Park Hotel).

Naavi

Posted in Cyber Law