I call for an “All India Cyber Law Awareness Movement”

In another regrettable incident, a talented young person from Patna who was earlier praised by none other than Dr Abdul Kalam for his technical skills has been arrested now for a criminal activity.

The 25-year-old tech genius by name Shivendu Madhav from Bihar had reportedly earlier developed and demonstrated a search engine like Google to Dr Kalam in one of the exhibitions and received accolades. He had also sold one of his technical blogs to a US professor for Rs 4.5 lakhs. He was therefore neither short of money nor recognition and future career prospects. Yet he decided to use his talents to develop a fake railway recruitment portal www.rrbbpl.org and duped lakhs of jobless youths promising them jobs via RRB Bhopal.

Refer Article in TOI

The youth has since been arrested and some of his accomplices are now being traced. Law will take its course and probably this young genius will be punished. As a routine we can also congratulate the police team and appreciate their work.

However, as information security professionals we need to sit back and reflect why such things happen. I am reminded of an earlier case where a youth was arrested in Bangalore for ATM frauds and it was found that he had a very lucrative employment. It appears that the traditional behavioral science theories are being overturned in the current generation, where “Negative Motivation” influenced by unrealistic material expectations in the society overrides the traditional motivators such as “Security”, “Reasonable Money” and “Recognition”. People seem to be greedy for more and more money and are willing to risk their future for immediate gains.

This indicates

a) Lack of Ethical training in our IT education.

b) Lack of fear of the law.

I therefore call upon the Ministry of Information Technology to initiate an all India program of “Creating an Ethical IT Work Force” as a part of the Cyber Security initiative. Such a program requires Cyber Law Education and Awareness of the consequences of violation of Cyber Laws right from the XI standard when Computer science knowledge gets imparted to our students. We may call this “Cyber Ethics Education”.

Mr Modi has embarked on a “Clean India” program in memory of Mahatma Gandhi from today. I suppose what Mr Ravi Shankar Prasad has to initiate is a “Cyber Law Compliant Mindset Development Program”.

As regular followers of this site are aware, the undersigned has been pursuing “Karnataka Cyber Law Awareness Movement” or “saibar kanUnu PrajnaaMdOLana” (ಸೈಬರ್ ಕಾನೂನು ಪ್ರಜ್ಞಾಂದೋಳನ) and done several programs across Karnataka in the last decade. During the days when Mr H.K.Patil was the law minister of the state under S.M.Krishna’s regime as CM, the undersigned had also discussed several such initiatives with the then Karnataka Government authorities. KLE Society of educational institutions had provided support for the initiative in a big way. But over the years the interest appears to have waned as agencies other than Naavi’s initiatives failed to sustain the movement and Naavi’s initiatives could not sustain on their own due to lack of resources.

In fact one of the activities that these initiatives highlighted was the celebration of October 17 as the “Digital Society Day” to commemorate the notification of ITA 2000. This year this could be a day which Mr Ravi Shankar Prasad should consider to promote some positive action in improving the Cyber Law Awareness in the country. “Bangalore Cyber Security Summits” conducted in Bangalore during the days when Mr Ashok Manoli was the IT Secretary were also part of such an effort with the participation of the local Government. They need to be revived.

Unfortunately over the next few years the movement withered out and slowly Karnataka lost the momentum it had gained as a “Cyber Law Capital of India”.

The current incident reminds me once again that the concept of “Cyber law Awareness Movement” retains its relevance and needs to be pursued. IIIT Law (International Institute of Information Technology Law), a trust based in Bangalore, Cyber Society of India (CySi) in Chennai are two surviving institutions co-promoted by the undersigned in the past to address the work related to Cyber Law Awareness in the community. Of these CySi is active and doing some good work in Chennai. IIIT Law has lost steam and efforts are being made to pull it back on rails.

I call upon the Karnataka Government as well as private educational institutions and other related bodies with necessary resources to take up the cause of rebuilding the Karnataka Cyber Law Awareness Movement and also extend it as an “All India Cyber Law Awareness Movement” (AICLAM).

A movement of this type is an essential part of “Cyber Security” which Mr Modi stressed during his UN General Assembly address recently and therefore meets the objectives set forth by the current Government at the center.

Will Mr Ravi Shankar Prasad, the IT Minister in Delhi and the PMO consider this?

Naavi

(I invite suggestions from the public in this regard. Please also spread this message widely)


First Steps in Cyber Crime Insurance

Recently interest in Cyber Crime Insurance has been on the rise in India. According to a recent report in Business Standard, the premia for such policies are around 0.5% to 1.5%.

It is, however, important for the insured to consider what the exclusions in the policy are and to ensure that there is clarity on the valuation of the insurable assets at the time of purchase and on the valuation of claims.

According to the above BS report “distribution of unsolicited email”, “wire tapping”, “eavesdropping”, “fraudulent acts”, “failure to maintain standard computer security” are some of the major exclusions.

Out of the above exclusions, the failure to maintain standard computer security is understandable. However, what is “Standard computer Security” is debatable.

Also it is not understandable how “eavesdropping”, “Fraudulent acts” etc can be excluded. If these are true, insurance companies must be considering more of “Loss due to technical failures” rather than “Loss arising out of Cyber Crimes”.

Technical failures may lead to loss of data. However in most of the cases where a claim is to be preferred there will always be a human hand, malicious or otherwise. Hence “Fraud” cannot be eliminated from the risks. Hence if “Frauds” are excluded, there is insufficient coverage. Also if the coverage does not cover “Liabilities” arising out of the security breach, it is not beneficial to the insured.

The question of “Standards” is always dicey. At present in India law requires “Reasonable Security Practice” which is often not interpreted properly by the companies. Hence what constitutes “Failure to meet Security Standards” is always a debatable issue. While many may be able to produce a certificate such as ISO audit or PCI DSS audit, these do not constitute indisputable standards under the “Reasonable Security Practice” under ITA 2000/8.

It would be interesting to see how insurance companies define such exclusions. Unless some data is built up over time on the claim settlements of different companies, it is difficult to evaluate which policy is better for a prospective insurance seeker.

As regards valuation, in a liability insurance, the value of the asset has to be based on the value of “Information” rather than the value of the hardware and software. Hence in companies where “Data Loss” is the prime criterion, the “Data” needs to be valued. Whether this will be based on acquisition cost or replacement value or liability potential is a matter to be discussed. Normally the acquisition cost of data is relatively low while the liability potential is high. The insurance premium would therefore be on the lower value but the claims would be on the higher value.

According to one of the recent security reports, in case of data breaches the biggest loss comes out of the “Reputation Loss”. Whether it is possible, at the time of insurance, to add the “Value of Reputation” as part of the assets to determine the premium is therefore a valid point for discussion.

Probably the role of insurance brokers is therefore very critical at the current juncture since they need to ensure a fair coverage for the clients at affordable premia.

We need to watch the performance of such insurance brokers.

Naavi.org calls upon insurance seekers to share their experience with insurance companies and insurance brokers so that we can evaluate their performance from time to time.

Naavi


Supreme Court clarifies on Evidentiary Aspects

Ever since ITA 2000 became a law in India (17th October 2000), discussions are being held on the admissibility of electronic evidence in a Court of law. Section 65B of the Indian Evidence Act laid down the procedure by which an electronic document may be considered as “Admissible”.

Naavi.org has clarified this many times and since around 2002 maintains a service “Cyber Evidence Archival Center” providing certified copies of electronic documents in print form with certification as explained in Section 65B. Though the evidence produced by CEAC has been presented and accepted in some court proceedings, there used to be continued discussion on the subject.

Now in a recent case, Supreme Court has provided some clarification.

According to the report, the Supreme Court stated

“An electronic record by way of secondary evidence shall not be admitted in evidence unless the requirements under Section 65B (of Evidence Act) are satisfied. Thus, in the case of CD, VCD, chip, etc., the same shall be accompanied by the certificate in terms of Section 65B obtained at the time of taking the document, without which, the secondary evidence pertaining to that electronic record, is inadmissible,” said the court in the judgment written by Justice Kurian Joseph.

Refer: Article in FPJ

Naavi


Gmail hacking news triggers interest in Cyber Insurance

The recent report on the compromise of 4.93 million passwords has triggered a renewed interest in Insurance against Data Security threats. According to this report in Indian Express, (See here), some of the BPOs in India have been showing interest in buying such products.

This report is very important since it establishes the viability of such insurance. Naavi has been advocating that Banks should take such insurance to protect the customers against Phishing frauds. RBI has also mandated the same to Banks since 2001. Many of the Banks have however been suggesting that no such insurance is available in India.

With the developments reported in the newspapers, such excuses will no longer be acceptable to the judiciary.

This is good news for those Cyber Crime victims who have been pursuing their cases against Banks such as ICICI Bank, PNB, SBI, AXIS Bank etc.

Naavi


Mumbai Adjudicator conducts E-Adjudication

In a commendable move, Mr Rajesh Aggarwal, Adjudicator of Maharashtra (IT Secretary) set a precedent by conducting an online adjudication session with litigants in Nagpur through video conferencing.

Report

Naavi has been advocating such an approach for a long time but no adjudicator had so far taken such a decision. Naavi has also pioneered a facility at www.arbitration.in for the purpose where the session is also CEAC certified. We are only waiting for more and more people-friendly adjudicators like Mr Rajesh Aggarwal who are open to such an approach.

Hope other adjudicators will also take a cue from Mr Rajesh Aggarwal.

Naavi


Technology used to strangle Bank Customers

Reserve Bank of India is slowly losing focus on customer service aspects of Banking service. Acceding to a request from the Indian Banks’ Association, RBI has imposed an ATM transaction limit of 3 withdrawals per month after which the customer would be charged Rs 20 per transaction. (Refer report)

Many of the Banks have already imposed a limit for direct withdrawals at the Bank counters and are charging fees for withdrawing cash at the counters. With the current notification customers are made to pay whether they withdraw cash at the counters or at the ATM. It appears that RBI wants customers to move back into the cash economy and withdraw all their monthly requirements in one go.

When technology was introduced in Banking, customers were promised better services at lower costs. However over the years Banking transaction costs have only been on the increase and at a pace higher than the inflation. I would be happy if IBA releases data of “Weighted Average Banking Transactions Cost” in India and checks how it has been increasing year after year, say from 1980 when technology at higher levels was brought into the system.

While the Government will start subsidizing the costs to select sections of privileged sectors for political reasons, other ordinary “Neglected Class of Bank Customers” will end up paying more than proportionate costs for the Banking services they may avail or even not avail.

Will the RBI Governor Mr Raghuram Rajan respond?

Naavi
