Let’s Create a Community of Data Auditors

DPDPA 2023 as a data protection law charted a course different from GDPR in several respects. One such differentiation that we can note is that DPDPA envisages a role for “Data Auditors” who are independent auditors outside the Company. Currently it is mandatory for Significant Data Fiduciaries to appoint such Data Auditors.

As a result of this, there is now a statutory recognition for such Data Auditors. with this development there is a need to develop Data Auditors as a community and Naavi.org through Ujvala Consultants Pvt Ltd will take the lead in creating this community. Watch out for more information on this front.

In the meantime, as regards the three day program scheduled to be held at Bengaluru on September 27, 28 and 29 by FDPPI, there is a request from many on the curriculum.

I had indicated yesterday that it would focus on “Audit” as per DPDPA 2023 which is for Data Fiduciaries, Significant Data Fiduciaries, Consent Managers etc.

To further elaborate the contents of the discussion would include the following.

a) The legal basis for Data Protection in the form of nuances of DPDPA 2023 along with ITA 2000, CPA 2019 and also international laws such as GDPR.

b) Implementation challenges for “Compliance by Design” with Technical and Organizational controls including the technical challenges of

-Data Discovery, Data Classification, Data Storage, Data Access, Consent Management, Management of Rights of Data Principals, Minor’s Data Management, Data Breach Management, Data Retention Management, Data Confidentiality, Integrity and Availability Management, Grievance Redressal management, Management of Consent Managers, Data Pseudonymization, etc.,

c) Governance Challenges related to how the risks can be assessed and managed including Data Valuation and using Cyber Insurance.

d) Conducting an Audit of how an organization has complied with the DPDPA 2023 requirements in a technical environment with a focus on how to look for evidence gathering and validation.

FDPPI’s Certification C.DPO.DA. is a crown jewel which would be available only for those who successfully complete the examination.

All persons who attend the program are given one free attempt at the examination. Examination would be online for a duration of 2 hours. If they opt out of the examination, they will get a “Participation Certificate”.

If they appear for the exam and cross the first cut-off point, they will be eligible for “C.DPO.DA-L1 (Foundation Level)” Certificate. If they cross the second cut-off point, they will be eligible for “C.DPO.DA.-L2 (Implementation Level) Certificate”. If they are able to cross the third cut-off point they will be eligible for C.DPO.DA.-L3 (Expert Auditor Level) certification.

Appropriate reading material would be provided both online and offline. Discussions will include lectures and Case study discussions.

It is our desire that we want to make the Program an elevating experience for all the participants.

Look forward to meeting you…

Posted in Cyber Law | Leave a comment

Why Auditors have to be ready before the DPDPA Compliance come into existence

It is heartening to note that CERT IN has recognized the need for its Empanelled Auditors to be ready to Audit the DPDPA Compliance in other Companies. As a part of this recognition, CERT In empanelment division recently issued a circular note to all its empanelled auditors recommending certain Certification Programs.

FDPPI is happy to note that CERT IN has included the training program which FDPPI has organized in Bengaluru on September 27, 28 and 29 as one of the recommended courses, stating

It goes without saying that the empanelled auditor firms themselves need to be first compliant with DPDPA before auditing others.

Quote:

Dear Empanelled Auditing Organizations,

As you are aware, CERT-In empaneled auditing organizations play critical role in assessing and hence securing cyber infrastructure of entities operating in Indian cyber constituency. It is imperative for auditing organizations to continuously build capacity through regular training programs and certifications. CERT-In is in discussion with various institutions and forums to prepare audit focused courses/programs in various domains for both technical and senior executives.

As you may also be aware that, Digital Personal Data Protection (DPDP) Act is in place and CERT-In empaneled auditing organizations will also come across privacy and data protection audits. Hence, it is recommended to train management and staff on appropriate data protection and privacy programs. 

Currently following 4 programs have been evaluated by CERT-In and are expected to benefit the auditors engaged with empanelled auditing organizations:

“Unquote”

The recommended programs relevant to CERT In auditors included the following

We are honoured with this recommendation and will do our best to ensure that the confidence reposed in us by CERT In would be adequately justified through our unwavering commitment to excellence and responsibility.

To give an idea of how FDPPI’s program is unique and is different from others is that it would exclusively cover

  1. Audit of Data Fiduciaries
  2. Audit of Significant Data Fiduciaries
  3. Audit of Consent Managers
  4. Audit for Insurability
  5. Assessment of DTS
  6. DPIA and Data Breach audits
  7. Audit of Media and Gaming Companies

These requirements will be covered along with DPDPA 2023 as a law, the implementation challenges in terms of technology tooling. Solutions in the form of current frameworks including ISO 27001/27701, CSF of CERT In/RBI and a detailed discussion on DGPSI will also be covered.

It is needless to say that the program would be unique and those who miss the opportunity would miss an early bus to the coveted Data Auditor community.

Naavi

Posted in Cyber Law | Leave a comment

DPDPA Insurance and Insurability Assessment

I refer to my earlier writings about the need for insuring of risks arising out of non compliance of data protection regulations.

Ref: A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

Now with the adoption of DPDPA 2023 and the imminent release of the DPDPA Rules, it has become necessary for Companies to start reviewing their DPDPA Risk Containment policy.

The estimation of the risk starts with the “Gap Analysis” which gives an early indication of how the Rs 250 crore Plus risk could affect the company theoretically. Companies put in place Risk mitigation efforts but the residual risk after mitigation has to be either absorbed or covered through appropriate insurance.

We do expect that the DPB will be considerate and adopt a soft approach towards imposing any penalties. Hence the real risk of administrative penalties for a company which in good faith has implemented DPDPA compliance can be considered much less. However, when a breach does occur, the cost of making improvements to the system following an inquiry by DPB is a reality and has to be covered along with whatever penalties are imposed. The cost of conducting a Data Breach Analysis will also be substantial.

Most Companies do use the services of the Big Four and spend huge money for both gap analysis and data breach analysis.

Presently Cyber Insurance policies do cover the losses to the first party in terms of expenses, liability arising out of claims by victims which we may call as the third party losses arising out of the breach. The “Administrative Penalties” are a new development in India and hence existing policies may not provide adequate coverage for the same.

While the Insurance Companies and the IRDAI needs to think of appropriate upgradations of their current policies even as they think of updating their own Cyber Security Policies to include DPDPA Compliance, FDPPI is launching on its Sixth anniversary on September 17 2024, an “DPDPA Readiness Assessment” (DPRA) at a minimal cost. The assessment based on a set of parameters evaluates the DPDPA readiness in terms of a DTS (Data Trust Score).

This DRA should also be considered as “DPDPA Insurability Assessment” which the Insurance Companies may use to accept any request for underwriting and fixing the premium.

The evaluation itself may be a “DPDPA Insurability Index” (DII) which should be either qualitative such as “Fair”, “Good” and “Excellent”. The “Good” index could be fitted to the normal premium level where as “Fair” may involve a surcharge and “Excellent” a discount in the premium. The assessment would be based on an interview by an auditor with a key executive of the organization, ideally the CEO.

In the event of a data breach there may be an assessment of the Claim which is an assessment which apart from identify the expenses incurred will also evaluate the root cause of breach to identify the negligence factor of the organization to assist the Insurance Companies to determine the claim. This Data Breach Claim Assessment (DBCA) may determine whether the Insurer approves the claim and if so to what extent.

The DRA is presently available for service through Ujvala Consultants Pvt Ltd while the DBCA is under development and identification of technology partners for technical evaluation of a data breach.

On or after 17th September 2024, the DRA would be available for companies.

Naavi

Posted in Cyber Law | Leave a comment

Quantum Computing Cybersecurity Preparedness Act

USA has passed a federal Act called “Quantum Computing Cybersecurity Preparedness Act”. The Act was signed on December 21 2022 with different timelines for implementation. The concept of a legislation urging the Federal Agencies in US to be prepared for Quantum attacks even before the use of Quantum computing has become commercially relevant is a principle that needs a special commendation.

It is natural for organizations like FDPPI or Naavi to say “Be Ready” and start compliance from today since DPDPA 2023 is “Due Diligence” under ITA 2000. But what USA has done with its Quantum Computing Cybersecurity Preparedness Act is that there is a legislative compulsion to make Federal agencies start their security preparedness in advance.

This “Preparedness Act” has mandated certain agencies like OMB (Office of Management and Budget), CISA (Cyber Security and Infrastructure Agency) and NIST (National Institute of Standards and Technology) to start acting and given them time lines.

It has mandated that within 180 days, the OMB shall issue guidance on the migration of IT to post-quantum cryptography and to set budgets. Such efforts are expected to include creating an inventory of assets where there is an exposure of Quantum Cryptographic risks. Again, within 1 year the heads of CISA and National Cyber Director shall provide information on the inventory of such assets to OMB. The NIST shall also issue guidelines for post quantum cryptography standards. It is under this mandate that NIST came out with three standards on August 13, 2024. The Private sector though not part of this mandate is likely to follow suit to enhance their reputation and be eligible for Government Contracts.

This law requires federal agencies to migrate their systems to “Post-Quantum” Cryptography, which is resilient against attacks from Quantum Computers and classical computers.

The RSA (Rivest-Shamir-Adleman) algorithm which is the most commonly used cryptographic algorithm which even India uses in the Digital Signatures is considered vulnerable under Quantum attacks.

If any organization is using cryptographic algorithms like RSA at present then they are considered as not compliant with the “Quantum Computing Cybersecurity Preparedness Act”.

On August 13, 2024, NIST announced approval of three algorithms which are considered “Quantum Safe” Cryptographical algorithms.

These are :

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
  2. FIPS204, Module-Lattice-Based Digital Signature Standard
  3. FIPS205, Stateless Hash-Based Digital Signature Standard

FIPS 203 is a general encryption standard, and FIPS 204 and 205 are digital signature standards for authenticating users. Unlike RSA, FIPS 203 and 204 rely on lattice cryptography, which relies on the difficulty of finding the lowest common multiple in a set of numbers. FIPS 205 uses hash functions as its core mathematical problem. Neither cryptographic approach is thought to be susceptible to quantum computing.

NIST’s release of the final post-quantum cryptography standards sets a one-year clock ticking for Office of Management and Budget OMB to issue further guidance preparing agencies for the migration of their data to the new, quantum-resilient standards. 

Agencies are expected to start migrating to post-quantum cryptography quickly once OMB issues further guidance.

The Private Sector needs to follow the new Cryptographic standards at the earliest if they have to remain compliant with the new Act and is able to meet the Quantum risks.

The auditors are now required to provide some guidance to organizations on “Quantum Readiness”.

FDPPI presently has its framework namely DGPSI which is a process based Compliance system. Under DGPSI framework, “Cryptographic Systems” is one process which can be assessed for compliance separately to whatever compliance is required.

In the case of “Quantum Readiness Assessment”, we try to check if the organization is prepared to move to the post quantum cryptographic algorithms. Along with this the awareness of Quantum risks and the inventory of Cryptographic algorithms need to be kept ready before scouting for vendors who can provide replacement of the crypto algorithms.

This type of assessment is new and the SOPs need to be developed. FDPPI is trying to put together an SIG to create such SOPs. Interested members can get in touch with the undersigned.

Naavi

In India it would have been preferable if there had been a similar “DPDPA Preparedness Act”. Instead the DPDPA Rules itself may substitute this requirement and set timelines for the setting up of DPB and for them to roll out certain provisions.

Certain agencies such as SEBI and IRDAI have already issued their own sectoral guidelines for their sectoral organizations to incorporate DPDPA Compliance. Further when the rules are released, the organizations that will be aspiring to apply for registration as “Consent Manager” will require to prepare their platform to comply with the rules.

Posted in Cyber Law | Leave a comment

Are you Quantum Ready?

We are aware that Quantum Computing has been a technology development that has disturbed the Cyber Security community. The reason why the Cyber Security community is worried is that the enormous power of computing that is generated in quantum computing could be used to break cryptographic algorithms used for data security purpose in classical computing.

I donot think the security problems associated with Quantum entanglement or Quantum Interference have been explored enough but some work seems to be in progress for impact of Quantum computing on Cryptographic security arising due to the quantum property of “Super positioning”. It is recognized that encryption tools currently used to protect Banking and retail transactions and digital signatures may be rendered ineffective due to Quantum Attacks.

We are in 2024 end and a survey recently suggested that 78% of large US corporations expect Quantum computing to be in the mainstream by 203o. 73% of the respondents believe that Cyber Criminals will start using the power of quantum computing to decrypt and disrupt today’s cyber security protocols.

Long term security preparedness therefore has to factor in the possibility of Quantum risks in Cyber Security space. Some of the exfiltration attacks occurring now where encrypted files might have been stolen from sensitive organizations may be held by criminals for decryption on a later date when quantum tools are available. “Harvest Now-Decrypt Later” could be a strategy the criminals could be after. The risk is more in the case of data with a long life time value such as financial records, Government records and will be of interest to bad actors.

The risks could be evident in the use of Digital Signatures as well as for Crypto Currency holders.

Even in India where we are still struggling with finding the rules for DPDPA 2023 and the means to identify “Significant Data Fiduciaries”, corporations connected internationally are hearing the questions of “Are you Quantum Ready?”.

One may respond… I am not even Privacy Ready or Digital Signature ready but how can I be expected to be ready for the future risks?..but some organizations are being forced to ask for “Quantum Readiness Audit” and we the Audit community are posing a question to ourselves if we are “Quantum Audit Ready?”

As it always happens, Naavi.org thinks today what others start thinking tomorrow. Hence we start asking this question “Are we Quantum Ready” in terms of providing consultancy and audit directions to clients who may be thinking ahead of others.

We have in the past discussed the Quantum Computing and its impact in legal implementation of an evidence. Some of the earlier articles are given below. We have discussed Super positioning and Entanglement properties in detail but not the “Quantum Interference”. We shall fill up this gap soon. At the same time time has come to go beyond discussing the superficial aspects of Quantum Properties into the aspects of “Quantum Readiness Audit”.

Let us start our journey into expanding the horizon of our DGPSI audit to beyond AI into Quantum Computing Readiness Audit.

Previous Articles:

10th March 2018: Quantum Computing and Emerging Cyber Law Challenges…Are we ready?

16th March 2028: Section 65B in Quantum Computing Scenario

20th June 2018: The Vast and Far Reaching Applications of Quantum Computing

Also Read: Quantum Computing takes a step further

Posted in Cyber Law | Leave a comment

It is Celebration time

On December 9, 1999, Naavi released his first book, “Cyber Laws for Every Netizen in India”. The book was released in Chennai at the PIB on the same day Information Technology Bill 1999 was presented in the Parliament to replace the Draft E Commerce Act 1998 which was under discussion till then. The book represented my entry into the world of Cyber Laws and even established the trademark character of “Naavi” for the first time.

Then in May 2000, following the outbreak of the “I Love You Virus”, the Bill was quickly passed into a Law and later notified on 17th October 2000 as Information Technology Act 2000. (ITA 2000).

It is this law that was modified in 2008, with ITA amendment act of 2008 and notified on 27th October 2009 in which Section 43A and 72A were present as specific clauses for Data Protection.

Now in 2023, on August 11, the Digital Personal Data Protection Act was passed and anytime in 2024 it is likely to be notified. When this is notified, Section 43A of ITA 2000/8 will be deleted and DPDPA 2023 with its 44 sections will become effective.

All the provisions of the rules of “Reasonable Security Practices” often referred to as SDPI rules which was notified on 11th April 2011, are now contained in the DPDPA 2023. This makes DPDPA 2023 a law that has evolved from ITA 2000. The Section 43A was applicable only for “Sensitive Personal Data” as defined in the ITAA 2008 while Section 72A and several other sections applied to “Personal Data” both sensitive or otherwise.

DPDPA 2023 is therefore a bigger and better version of Section 43A and comes within the current definition of “Due Diligence” or “Reasonable Security Practice” under ITA 2000 making the date of notification of DPDPA 2023 less relevant than many think.

Hence Compliance of DPDPA 2023 is already a mandate of Compliance of ITA 2000/8.

This transition was also reminded to me in another way when I met a journalist (Mr Srikant Govindarajan of CIOL) , yesterday at Bengaluru in a conference related to DPDPA 2023 and he reminded me that he had attended the book launch of the book “Cyber Laws for Every Netizen in India” in Chennai on December 9, 1999.

It was this interaction that reminded me that my career as an ” Author” has actually completed 25 years and has transitioned from the first book on ITA 2000/Cyber Laws to the first book on Data Protection/DPDPA 2023.

It was a reminder of how the 25 years had passed evangelizing the concept of Cyber Law Compliance which is now turned into Privacy and Data Protection Compliance. I suppose in the next one or two years the Data protection phase will merge into DGPSI phase and another book on DGPSI is due as soon as the DPDPA Rules are released.

I hope the almighty provides the opportunity to complete the DGPSI mission successfully in 2025.

When I wrote thee book on Cyber Laws in India, there was no body to even check the proof and point out any corrections. Even when the book “Guardians of Privacy… was published”, there were not many to assist me in proof reading and suggesting improvements. But now we have an army of Data Protection Professionals and hopefully my next book venture will have more experts to assist me.

Naavi

Posted in Cyber Law | Leave a comment