Wiping Every Tear from Every Eye.. Forget Courts…Transform from Litigation to ODR

During a recent meeting of Chief Justices of High Courts, the Chief Justice of India, Mr T.S. Thakur, broke down emotionally under the burden of a perceived guilt of the Judiciary in not being able to reduce the pendency of cases.

While this brought out the frustration of an honest Chief Executive of the system, I could not miss a feeling that the solution is staring at us and we have not perhaps identified it.

The solution lies squarely in an aggressive promotion of the system of ADR (Alternate Dispute Resolution). Being from the IT-enabled legal services industry, it was natural for me to immediately feel the increased need for the use of ODR to accelerate the ADR process itself.

After all, the Modi Government passed the Amendment Act to the Arbitration and Conciliation Act 1996 on 31st December 2015, enabling the use of electronic means for conducting ADR. The amendment also contained what may be considered a revolutionary proposal to fix a specified time limit for completion of Arbitration, with incentives and disincentives for variations.

Now all those Advocates and Professionals who have the necessary legal and domain experience and the “Urge to Resolve Disputes” should consider setting up their own “Dispute Resolution Centers” (also identified as Arbitration and Mediation Centers) so that in the next couple of years we have a huge capacity build-up in Dispute Resolution, which will at least ensure that there is no further build-up of cases in the overworked Judiciary.

Naavi’s ODRGLOBAL.IN proposes to provide the technical infrastructure to enable and empower such professionals so that they can conduct online dispute resolutions and apply their arbitration and mediation skills to good use.

Of course, skills in Arbitration or Mediation are to be nurtured. They are different from what advocates learn while acquiring an LLB or practicing in a Court of Law. Perhaps we may consider that Mediation is more an “Art” than a taught and learnt skill. However, efforts are to be made by professionals to polish their dispute resolution skills before they plunge full scale into this new profession.

The first thing an “Arbitrator”, an Advocate participating in Arbitration proceedings, or even the Litigant parties need to understand is that “Litigation” is more often a “Win-Lose” fight, whereas Arbitration, and more so Mediation, is a “Win-Win” negotiation.

Further, the Judge in a litigation is strictly constrained by the inefficiency of the counsels and cannot go beyond the evidence and argument provided by the counsels, even if it is inefficient and incorrect. An arbitrator has greater freedom to find a solution and can intervene more pro-actively than in a litigation.

In a mediation, the emphasis is on driving towards a mutually agreeable conclusion and not on being correct on a point of law.

If this principle of “Win-Win” is understood and implemented, then society will be a lot better in the next decade when the pending 3 crore cases are resolved, since they will not create 3 crore dissatisfied losers trying to take revenge on the other 3 crore winners, but rather 6 crore happy, resolved, formerly disputing parties.

(P.S: I agree that all disputes are not amenable to a Win-Win solution. But the principle needs to be appreciated). 

If we agree, the question then arises….

a) If I am a professional advocate or a domain specialist

Should I become an Arbitrator?

Should I ask my clients to include an arbitration clause in the agreement providing for “Online Arbitration on the technology platform of www.odrglobal.in”?

…. perhaps it is time to consider.

b) If I am a Consumer facing organization, say a Bank or a White Goods manufacturer or a Service provider, or an e-Commerce player,

Should I start incorporating the ODR clause into my contracts?…..(with odrglobal.in as the technology platform)

…. perhaps it is time to decide

This transformation from a “Litigation Mindset to ODR Mindset” could be an innovation in the dispute resolution industry that can wipe “Every tear from Every eye”….an evergreen mission for all nation builders.

Whenever we discuss an “Innovation” with established industry practitioners, we come across a dilemma.

They often ask….

Should I be the first to try out? Are there some unknowns which I cannot identify?

Most of the conservative practitioners come to the conclusion: let me not be the first. Let me wait for others to implement the innovation and then come in.

No doubt this is a common human trait and we need to respect the cautious attitude of such “Safety First-Innovation Next” kind of professionals.

But behind this attitude lies the quality of management: “Should I be a Leader, or am I content being a Follower?”

The entire “Start Up” industry is built on the premise that “Innovation is the Key to Success”. No doubt some or even many innovations may fail. But as long as the innovator hedges his risks to the extent that he will not go down with a failed innovation, there is no reason for not trying to be an innovator.

In fact it is the few innovators who succeed who turn out to be the industry leaders and icons.

Today, I would like to ask a question to all the Legal heads of companies, including Infosys, Wipro, Flipkart, as well as the Toyotas, Whirlpools, Citi Bank or State Bank etc., or for that matter any consumer facing Company: why should they not take the lead in using ODR as a dispute resolution mechanism between themselves and their Customers?

It would be an “innovation” that may distinguish them as a leader rather than a follower. Will these companies, who are known leaders in their respective fields, be bogged down by the thought “Let others try…then I will follow..”? I hope not.

I call upon all the legal heads and business heads of companies to step into this new world of ODR and contribute to the vision of “India as a Global Hub of ODR”.

I request all readers to forward this post to any of their known legal contacts in the industry and seek their response and feedback, which may be sent to Naavi.

Naavi


Have Russian Hackers entered India? Attacking State Bank of Mysore and Bank of Baroda?

Recently two bank fraud incidents have been reported, one from State Bank of Mysore in Karnataka and another from Bank of Baroda in Lucknow, where security specialists have suspected hacking of the Bank’s servers without any compromise of information at the POS or the customer side.

Reference:

Hindu and Hindu Business Line on SBM fraud

TOI on BOB fraud : P.S: Though this was a case of hacking into dormant accounts by an insider, there is a failure of information security even in this fraud.

nyooz.com on BOB

In the background of these frauds, one can read the articles Kaspersky published a few months back titled “Dozens of banks lose millions to cybercriminals attacks” and “APT-style bank robberies on the increase”.

These articles state that Kaspersky, which exposed a sophisticated bank fraud gang last year by the name Carbanak, has now identified threats from two more gangs by the names Metel (or Corkow) and GCMAN. It also said that Carbanak has re-emerged with new targets. Some of these attacks indicate spear phishing attacks on Bank employees.

It appears that the recent attacks in India may indicate activity similar to what has been reported there.

One of the strategies reportedly used is to first gain access to one user’s computer and plant a trojan. The trojan may crash some application such as Microsoft Word, and it is expected that the admin will be called to set things right. When the admin logs into the victim’s computer with his password, his credentials are captured by the attackers. Using these, the attackers slowly get into other systems until they are able to compromise the fund transfer systems, leading to further frauds.

What we have seen in SBM now, with small amounts being transferred, may be only a testing of the fraud, and we may soon see a major break-in at SBM which may shake the Bank and put its customers into great pain. Maybe a similar threat exists in other banks also.

The recent failure of basic information security principles in an otherwise reputed company like TCS, leading to a Rs 6000 crore damage on the company, is an indication that most companies (including the Banks) have a very weak security culture.

Additionally, the opening of the Unified Payment Interface opens up the mobile network to one part of the Banking servers, which can be used by hackers to worm their way up the network into the core banking servers and launch a major attack to bring down a bank.

Knowing the attitude of Banks and RBI, nothing constructive is expected to be done to prevent such attacks and hence it would not be long when this prognosis may sadly come true.

I would therefore advise Bank customers to manage their risks by ensuring that they spread out their bank balances into multiple Banks and ensure that all the eggs are not in a single basket. Better still, spread it across smaller banks, including cooperative banks without internet and mobile banking, so that their hard earned savings are protected.

Naavi


SBI introduces a long awaited security measure to control Card frauds

State Bank of India has been one of the Banks specifically targeted by Card fraudsters for cloning and fraudulent withdrawal. A few years ago, the Damodaran Committee of RBI recommended the most sensible control, whereby the customer should be given the ability to switch the online banking facility on and off.

Now we understand that SBI has introduced an “SBI Quick” service where a customer can switch the use of debit cards on and off through SMS and/or missed calls.

While the full details of how the system operates, and whether it would be limited to the use of Debit cards or would be extended to credit cards, are awaited, the service in principle is welcome and has to be a mandatory feature.

This is similar to the olden day locking and unlocking of STD facility in a phone.

Hopefully the implementation of SBI Quick will ensure that the security weaknesses in the current system do not also spill over to this locking and unlocking system, whereby a fraudster may just look at this as one additional step to cross before he continues to do what he is presently doing.

More info here: 

Naavi


Backup your Biggest data file.. to fight ransomware

Ransomware has been one of the biggest threats confronting IT users at present. Many companies have found that their critical resources have been rendered useless, with the ransomware encrypting the files and demanding a ransom for release of the decryption key.

It is however heartening to note that researchers at Kaspersky have recently found a way to decrypt files encrypted by CryptXXX.

The solution works if the user can produce one original unencrypted copy of a file that has been encrypted by CryptXXX; the key so recovered can decrypt all other files of size equal to or less than the subject file used for finding the decryption key.

This means that if the file used for breaking the encryption is the largest file in the system, the entire set of encrypted files can be decrypted.

See Article in threatpost.com

Henceforth it is therefore a security strategy to find out which is the largest file in the system and take a backup of it in an offline environment.
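Why one clean copy rescues every file of equal or smaller size, as an added example that is not part of the original post and is not Kaspersky’s tool: it models the ransomware with a toy cipher that XORs every file against one reused, victim-wide keystream (an assumption for illustration; CryptXXX’s real algorithm is not reproduced), recovers the keystream from the one file the defender still holds in the clear, and shows that the recovered prefix covers only files no longer than that file.

```python
from typing import Dict, Optional
import secrets

def toy_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Toy cipher standing in for the ransomware: every file is XORed against the
    same victim-wide keystream from byte 0. Reusing a keystream across files is
    the weakness that makes a single clean copy so valuable to the defender."""
    if len(plaintext) > len(keystream):
        raise ValueError("file longer than keystream")
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: original XOR encrypted gives back the keystream,
    but only as many bytes of it as the clean file is long."""
    if len(original) != len(encrypted):
        raise ValueError("clean and encrypted copies must be the same length")
    return bytes(p ^ c for p, c in zip(original, encrypted))

def try_decrypt(encrypted: bytes, recovered: bytes) -> Optional[bytes]:
    """Decrypt a file only if the recovered keystream covers all of it;
    a longer file is reported as unrecoverable instead of being half-decrypted."""
    if len(encrypted) > len(recovered):
        return None
    return bytes(c ^ k for c, k in zip(encrypted, recovered))

def largest_file(files: Dict[str, bytes]) -> str:
    """The backup strategy from the text: pick the biggest file on the system."""
    return max(files, key=lambda name: len(files[name]))

def demo() -> dict:
    # Constructed victim data set: three files of different sizes.
    files = {
        "notes.txt": b"quarterly meeting notes",               # 23 bytes
        "ledger.csv": b"date,amount\n2016-05-01,1200\n" * 4,  # 112 bytes
        "scan.bin": bytes(range(200)),                         # 200 bytes, largest
    }
    keystream = secrets.token_bytes(256)  # constructed attacker key material
    encrypted = {n: toy_encrypt(d, keystream) for n, d in files.items()}

    def recover_with(backup_name: str) -> Dict[str, Optional[bytes]]:
        ks = recover_keystream(files[backup_name], encrypted[backup_name])
        return {n: try_decrypt(c, ks) for n, c in encrypted.items()}

    return {
        "largest": largest_file(files),
        # A mid-sized backup only rescues files no bigger than itself.
        "from_ledger": recover_with("ledger.csv"),
        # A backup of the largest file rescues everything.
        "from_largest": recover_with(largest_file(files)),
    }

if __name__ == "__main__":
    r = demo()
    print("largest file:", r["largest"])
    for tag in ("from_ledger", "from_largest"):
        print(tag, {n: v is not None for n, v in r[tag].items()})
```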

Hopefully, at least a few can find relief from this strategy…until a new updated version of CryptXXX with a work-around hits the market.

Anyway, we need to thank Kaspersky for the solution…

Naavi


Has RBI Permitted Social Media Banking? What about audit of Mobile Apps?

We have been following the discussions on how the Unified Payment Interface introduced by RBI has created one big security risk, where the telecom links have been provided direct access to the Banking transaction server through execution of USSD codes.

Though the authorities claim to have adequate security, customers are yet to be convinced about whether RBI and the Banks are telling the truth.

Does it mean that Banks and RBI can lie?

I would like consumers to make their own conclusions from the following RTI exchange between one Mr Sisirkumar and RBI.

(P.S.: Though this RTI pertains to ICICI Bank, the issues are expected to apply to other Banks also)

Mr Sisirkumar of Vijayawada made a simple RTI Query to RBI raising the following questions.

1. Details on the decision taken by RBI to let Banks use social media and mobile applications, and how RBI arrived at the decision that this does not violate the privacy of customers or their data.
2. Details on specific documents related to approval given by RBI to ICICI Bank Limited for creation of the following accounts:
    1. https://twitter.com/icicibank
    2. https://twitter.com/icicibank_care
    3. https://facebook.com/icicibank/
    4. https://youtube.com/user/icicibank
3. Details of the decision taken to permit ICICI Bank to do social media banking.
4. Copy of RBI guidelines on how online presence can be conveyed to customers.
5. A copy of the results of the security and privacy audits conducted by RBI.
6. Details of the official RBI accounts on social media, the relevant act as per which they have been created, and their purpose.

RBI has replied to the above RTI as follows:

Reply for query 1:

“Department of Payment and Settlement Systems, Reserve Bank of India (DPSS, RBI) has not issued specific instructions to Banks on areas raised in the query. However, Banks have been advised vide our circular on mobile banking which is available on the website of RBI at link:

https://rbidocs.rbi.org.in/rdocs/notification/PDFs/65MNF052B434ED3C4CE391590891B8F3BE66.PDF

Para 2(ii) of Annexure I advise that social media can also be used by the Banks to build awareness and encourage customers to register on mobile Banking as one of the measures of customer awareness programs”

Reply for query 2:

“DPSS, RBI has not issued any such approvals to ICICI Bank Ltd”

Reply for query 3:

“No Specific instruction has been issued to ICICI Bank”

Reply to query 4:

“DPSS has not issued any instructions in this matter”

Reply to query 5:

“DPSS has no information in this matter…. Your query has been forwarded to CPIO..to provide information if available..”

Reply to query 6:

“DPSS, RBI has no information in this matter….Your query has been forwarded to CPIO…”

Subsequently, regarding query 6, M. Nandakumar, CPIO, replied on January 12, 2016 stating:

“We have no information”

Another reply dated January 11, 2016, signed by Ms Alpana Killawala, CPIO, stated for the same query:

“From April 13, 2015, the Reserve Bank of India has presence on two Social Media sites namely, You Tube and Twitter. It is an initiative taken by Reserve Bank for enhanced outreach and real time engagement with the public in addition to engaging with them through traditional media.

Purpose: For wider dissemination of information about RBI policies, rules and regulations”.

On query 5, in a reply dated January 15, 2016, Subhash Chandra Mishra, another CPIO, replied:

“No Security or Privacy audits of mobile applications of banks are done by us. However, the level of adherence to extant guidelines issued by RBI are examined during the course of annual inspection of banks.”

From the above it is clear that the DPSS, which issues guidelines on the use of technology, is not even aware of the need for security and privacy audits, and the CPIOs are completely confused about the state of affairs.

The replies confirm that RBI has not even considered security and privacy audits of mobile apps and has not recognized the security risks associated with the use of Twitter and Facebook for conducting banking transactions such as balance enquiry and transfer of funds. Perhaps they are not even aware that some banks are using Twitter handles to interact with the Banking servers and execute fund transfer requests.

As an ex-banker with a lot of respect for RBI (by tradition), it is a big surprise for me to note the level of incompetence at the RBI.

This in fact corroborates some of the earlier concerns that I expressed in respect of the use of USSD codes for Banking transactions by NPCI.

I await the reaction of Banking security experts to what we have indicated here, particularly to the fact that the mobile apps have not been audited by RBI.

In the earlier guidelines IDRBT was supposed to clear any banking related applications. Obviously, this guideline is being flouted by Banks and RBI has not taken any corrective action.

Naavi


“Even when my client is negligent, the liability can be on me”- Lesson from TCS-Epic dispute

The US$ 940 million penalty imposed on TCS by a US District Court (Wisconsin) is to be considered a watershed moment in the history of data security management in India, since it involves one of the most reputed IT companies of India and what could be a silly information security negligence.

What is also important to note is that the kind of contravention TCS has been accused of is something many other companies in India are also indulging in as a matter of routine.

Sometimes these incidents of information security negligence arise out of ignorance of individual employees, but when it goes undetected and is even supported by several employees and their team leaders, one wonders..

…”How come none of these people were aware of the basic information security routine?”

It is possible that TCS may fight it out in the court and get the penalty reduced. But there are many lessons Indian companies need to learn from this episode, including:

“Even when my client is negligent, the liability can be on me”

To understand how a Rs 6000 crore liability arose on TCS (bigger than the Satyam liability in the case of the UPaid patent infringement in rupee terms), we need to look at the details of the case, well explained in this article in wire.in. Another article in Business Standard debates the amount of the penalty.

Essentially, the incident involves employees of TCS accessing confidential information on the information systems of Epic Systems, a health care software company which has accused TCS and Tata America International Corp (the American arm of TCS) of “Brazenly stealing trade secrets, confidential information, documents and data”. One of the allegations is that TCS built a competing software called “Med Mantra” using stolen intellectual property of Epic Systems.

According to the details now available, the case involves three (possibly four) parties, namely TCS, Epic Systems and Kaiser Permanente, a health care organization one of whose subsidiaries includes a chain of Kaiser Foundation Hospitals. In view of this there is a HIPAA-HITECH angle and a possible health data compromise which could lead to more damage claims on Kaiser and, maybe through Kaiser, on TCS. There is a previous client of Kaiser who may also have a role to play in this game of negligence.

Kaiser had been using Epic’s software for hospital management since 2003, and TCS was a consultant to Kaiser and had also signed an agreement with Epic stating “Epic’s program property contained trade secrets of Epic protected by the operation of law”. In 2011, TCS was engaged by Kaiser to test the Epic software through approved offshore development centers in Chennai and Kolkata, where certain data security measures were to be in place. Such data security measures included simple things such as web access being blocked, USB ports being blocked etc., essentially to ensure that the employees do not get unauthorized access to Epic’s data.

(It may be noted that the testing environment ought to have also taken measures to be “HIPAA Compliant”, since there was an exposure to the data compromise risk involving individually identifiable health information of US citizens, though this point is completely missed in the discussions so far.)

It appears from the records that TCS failed to have adequate information security measures in place in the development centers.

Additionally, during the testing process, TCS employees regularly required access to some internal documents of Epic, since that was the essence of the testing process. Such documents were available on Epic servers and ought to have been selectively released to the TCS employees under authorization of Epic, whenever required, on a need-to-know basis.

To make the process simple, it appears that when required, access to Epic’s proprietary data such as “Release Notes”, which were the foundation documents for the testing process, was granted directly to TCS employees. While the sanctioned process was for TCS to request the relevant documents from a Kaiser employee and for Kaiser personnel to download the document and provide access to TCS employees, a work-around was initiated where TCS employees acted on behalf of Kaiser and accessed and downloaded the documents directly.

It is here that we can say that Kaiser was negligent in allowing such access, but TCS could have refused to take such access as offered and raised the flag of a potential breach of information security principles.

One of the employees who was earlier working with another Kaiser client, and who had at that time been given access to the Epic system (UserWeb), then joined TCS and started working on the project. But this time he felt that not having direct access to the Epic system was delaying things, and therefore checked if his earlier access to UserWeb was still working. Since, to his surprise, neither his past employer nor Kaiser nor Epic had disabled his access, he felt happy and continued to use the old company’s access to do work for TCS. He also shared these access credentials with other members of his team, and they all used them to access and download documents from Epic, impersonating the ex-employee of another firm without understanding the gravity of the situation.

The fact that these TCS employees were unaware of the risk of sharing passwords, that too of a different firm, indicates a complete failure of the training provided and of the security culture prevailing in the team.

Here again there was gross negligence by the earlier employer of that erring employee, by Kaiser and by Epic, which contributed to the unauthorized access.

While it remains a matter of debate whether TCS or its employees can be charged with bad intentions or misuse of the IP for developing a competing product etc., which are allegations to be tested in the course of a legal trial, the fact that there was an information security failure at TCS, Epic, Kaiser and the unknown Kaiser client where the erring employee was earlier working is apparent.
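The two access failures described above, an account left alive after its holder’s engagement ended and one set of credentials handed around a team, are exactly what a routine access review should surface. The following is an added example, not code from the original post or from any of the firms involved: the roster, the access log and its field names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed roster: engagement end date per account (None = still engaged).
ROSTER: Dict[str, Optional[datetime]] = {
    "ex.user@prior-client.example": datetime(2010, 6, 30),  # left years ago
    "tester@client.example": None,
}

# Constructed document-portal access log: (timestamp, account, source host).
ACCESS_LOG: List[Tuple[str, str, str]] = [
    ("2011-09-05 09:00", "tester@client.example", "client-ws-12"),
    ("2011-09-05 09:02", "ex.user@prior-client.example", "odc-host-07"),
    ("2011-09-05 09:03", "ex.user@prior-client.example", "odc-host-19"),
    ("2011-09-05 09:05", "ex.user@prior-client.example", "odc-host-02"),
    ("2011-09-06 14:10", "ex.user@prior-client.example", "odc-host-07"),
]

Event = Tuple[datetime, str, str]

def parse_log(rows: List[Tuple[str, str, str]]) -> List[Event]:
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, host)
            for ts, acct, host in rows]

def orphaned_accounts(log: List[Event], roster: Dict[str, Optional[datetime]]) -> List[str]:
    """Accounts used after their holder's engagement end date, or not on the
    roster at all: access that the past employer, the client or the vendor
    should have revoked but did not."""
    hits = set()
    for ts, acct, _host in log:
        if acct not in roster:
            hits.add(acct)
        else:
            end = roster[acct]
            if end is not None and ts > end:
                hits.add(acct)
    return sorted(hits)

def shared_credentials(log: List[Event], window: timedelta = timedelta(minutes=10),
                       min_hosts: int = 2) -> Dict[str, List[str]]:
    """One account active from several distinct hosts inside a short window is
    the signature of a password passed around a team."""
    by_acct: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, acct, host in log:
        by_acct[acct].append((ts, host))
    flagged: Dict[str, List[str]] = {}
    for acct, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged

def review(rows=ACCESS_LOG, roster=ROSTER) -> dict:
    """Run both checks over the constructed log and return the findings."""
    log = parse_log(rows)
    return {"orphaned": orphaned_accounts(log, roster),
            "shared": shared_credentials(log)}

if __name__ == "__main__":
    for kind, finding in review().items():
        print(f"{kind}: {finding}")
```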

Who has to take how much of the blame and how much of loss is a matter which the Courts can decide.

Whether the Courts will be able to appreciate this as an “Information Security Failure” and not “Hacking” depends on how mature the Judges are and how efficiently the lawyers present their case.

Before I end, I cannot but express my feeling that it would have been better for all the parties concerned if this dispute had gone to an arbitration where technology and information security experts sat in judgement, rather than to Juries and Judges who may be more conversant with Computer Abuse law than with the nuances of Information security governance.

Perhaps here is a case for TCS and the like to consider odrglobal.in as the dispute resolution mechanism, at least in future. Of course odrglobal.in is only a technology platform, and the adjudication of liabilities has to be assessed by experienced arbitrators who need to be appointed.

I call upon the IT industry in Bangalore to set up an “International IT Arbitration Council” and invite NASSCOM and STPI Bangalore to take up the necessary initiative.

Naavi
