Supreme Court admits Section 66A is necessary. Naavi.org view vindicated

We refer to the various articles published in this forum (Refer here) on the judgement in the Shreya Singhal Case, in which the honourable Supreme Court bench of Justices F.Nariman and J. Chelmeshwar on 24th March 2015 held that Section 66A of ITA 2008 did not meet the requirements of the Constitution and was so badly drafted that it could not be “read down”.

The essence of our argument was that the decision was based on a wrong premise that Section 66A was adversely affecting “Free Speech” and was probably guided by a preconceived notion that the arrests made by the Police under Section 66A were all done under the correct interpretation of Section 66A.

On the other hand, the facts were different. All the arrests which made the petitioner take the case to the Court, and which brought apparently eminent advocates into an argument that the section is unconstitutional, were based on “Publishing of content” and not on “Sending of Messages”, and hence the entire case was conducted under an erroneous presumption.

As a result, the errors of judgement of the police in the field were carried through up to the Supreme Court and resulted in the quashing of the section.

The Government was incapable of putting up the right argument and let the petition carry through.

The irony was that all those who were supporting Section 66A suddenly turned out as champions of free speech and hailed the decision of the Supreme Court as “Land Mark Judgement”.

Journalists were equally ignorant and in pursuance of a populist opinion praised the decision sky high.

In this entire cacophony, Naavi.org had the conviction to stick its neck out and call the decision a “Mistake” and tried to persuade the Government to apply for a curative petition.

Unfortunately the Government neither shared the conviction nor was concerned enough to apply for a revision.

In this background, it is now amusing but satisfying to observe that another bench of the Supreme Court headed by Justice Dipak Misra and Prafulla C Pant seems to have felt the need for reintroduction of Section 66A and a need to regulate Social Media.

Refer Article in Times of India

The court’s observation was reportedly made when senior advocate L Nageswara Rao informed the bench that a message was recently circulated on WhatsApp that he was involved in a case of Section 376 of IPC (rape).

Senior advocate K Parasaran, who was assisting the court as amicus curiae, also appears to have cited a recent incident in which wrong information regarding him was widely circulated on the social media.

We are pleased that between March 24 and August 6, the euphoria created by the quashing of Section 66A has evaporated and better sense appears to have been restored.

Let us hope that at least now the Government of India will draft the revised section to replace Section 66A properly so that uninformed enthusiasts like Shreya Singhal do not rush to the Supreme Court and become instruments of creating bad law.

Naavi

Earlier Articles in Naavi.org are available here:

Also here


Cyber Law Guru gets a Boost


Pavan Duggal, the well known Cyber Law expert in India, has joined the panel of experts in the Cyber Law Guru app launched by Naavi with a view to making Cyber Law knowledge reach the common man through an Android device. With his joining, the expert panel will now have Naavi, Prashant Mali and Pavan Duggal. For those who are aware of the development of Cyber Law consultancy in India, Pavan Duggal represents one of the earliest entrants into the field and we are happy that his joining the panel provides a huge boost to the Cyber Law Guru initiative.


The “Cyber Law Guru” is part of Naavi’s initiative to take Cyber Law Education to the masses. Presently the App is available on the Android platform and in due course the iOS version will also be launched.

Both Mr Prashant Mali and Pavan Duggal have impeccable international reputation and I personally thank both of them for joining hands on this platform. I hope the Netizens of India will appreciate this great opportunity to interact with experts and enrich themselves. We feel that it is the public who by raising intelligent questions can make this develop into a useful knowledge base.

It is clarified that Cyber Law Guru is not meant for “Legal Consultancy” and users are free to contact the experts separately if they want any case specific assistance. However, the general public and more particularly students can make use of this app to be conversant with the Cyber Laws in the country.

Naavi


Conviction of an Intermediary is possible even before the real cyber criminal is traced.

It had been reported earlier that a Cyber Cafe owner in Pune was imprisoned for 15 days and fined Rs 10000/- under Section 67(C) of Information Technology Act 2000 as amended in 2008 (ITA2000/8). We now have a copy of the judgement in this regard provided by Advocate Prashant Mali. In view of the judgement becoming a precedent at least in a limited jurisdiction, as well as for academic interest, it is necessary for us to dig a little deeper into the judgement and understand the logic behind the decision. This discussion is based only on the copy of the judgement and we do not have access to any other evidence, points of argument or document which was considered by the Court. Copy of the judgement is available here.

Accused Vishal Hiraman Bhogade, Sandesh Sopan Dere have been convicted under this judgement for offences punishable under Section 67(C)(2) of ITA2000/8 but were acquitted under Sec 43(g), 66 of ITA 2000/8, and Section 188 of IPC. It is admitted that the main culprit has not been traced till date and the charge sheet against the unknown accused has been ordered to be kept open.

The judgement dated 31st July 2015 is from Honourable Justice S.R.Nimse, JMFC (Court No 3), Pune. The counsel for the accused was Shri K.R.Subedar and for the prosecution, A.P.P. Sou Narote.

The incident that triggered the case was an e-mail received by the Police Commissioner on 25/8/2012 containing a threat that a bomb blast would occur during the Ganesh festival and challenging the Commissioner to stop it. We can recall that a similar incident occurred in Chennai in December 2004, when a person inspired by the movie “Ramana” sent an email to some secretaries that “Bombs will explode in Six TASMAC shops between Paris and Guindy”. This was the time when the undersigned was assisting the Chennai police in investigating such crimes and the culprit was arrested the very next day. At that time there was no ITA 2008 and hence there was no Sec 66A nor 66F to use. Perhaps the case was pursued under IPC. (Further details of what happened to the case are not known.)

It is interesting to note that in the instant case in Pune the initial charge sheet was filed under Sec 43/66 of ITA2008, and Sec 188 of IPC. Subsequently Section 67(C) was added and finally conviction occurred under this section. Police could have tried Sec 66A, since at the time the offence was committed Section 66A was in operation and “Threat through E Mail” could have been tried under the section, though how the Court would have dealt with it after the section was quashed by the Supreme Court is not known.

An important precedent that this Case has thrown up is that conviction of an intermediary is possible even before the ultimate cyber criminal is traced. In many of the Bank fraud cases, the undersigned has been complaining that the Police are reluctant to proceed against the Bank as an intermediary and this judgement would be a good precedent at least in the State of Maharashtra for booking criminal cases against Banks in respect of Phishing complaints. There are already several cases in which the Adjudicator of Maharashtra has held that the Bank involved in Phishing is guilty of negligence and therefore liable under ITA 2008 to pay compensation to the victim. The Police need to follow up such cases immediately and take action against the Bank. This will at least prevent the Banks from further harassing the cyber crime victims by taking up appeals in higher courts to delay payment of compensation to the victims.

The second notable aspect of this judgement is that the Court has punished the accused with imprisonment of 15 days having found him guilty under a cognizable offence for which punishment could have been 3 years. Of course, in this case, perhaps even 15 days was avoidable since there was no “malicious intention” behind the negligence of the Cyber Cafe owner.

In the instant case it appears that the accused at some point of time has decided not to contest and perhaps plead guilty under the assumption that the offence is not serious enough to warrant any imprisonment. But even 15 days imprisonment is rather uncomfortable and deserves an appeal.

Let’s look at Section 67(C), reproduced below to analyze why an appeal is deserved.

Sec : 67 C: Preservation and Retention of information by intermediaries
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

The condition precedent to applying this section is that there should be an “Intentional” and “Knowing” failure to maintain “Such information as may be (Ed: might have been) prescribed by the Central Government”.

There are many sections in ITA 2008 which use the word “Appropriate Government”. However, this section uses the word “Central Government” specifically and hence does not apply to the non compliance of any state laws including the Cyber Cafe regulations under the State Police Act.

The main question which the Court ought to have examined is therefore whether the Central Government has prescribed that a Cyber Cafe needs to preserve and retain information such as the “identity of the users of cyber cafe”.

If there were any regulations for Cyber Cafes in Maharashtra prior to 27th October 2009 when the ITA 2008 became effective and 11th April 2011 when the “Information Technology (Guidelines for Cyber Cafe) Rules, 2011” was notified, then they would have to be re-notified by making reference to the ITA 2008 which defined Cyber Cafes and the above rules of April 2011. Any earlier notifications should be deemed to have lapsed after ITA 2008 was notified in 2009.

Though the Cyber Cafe rules of 2011 empower the State Government to make further rules, and also include requirements regarding the identity verification of the user, the most important direction of this notification was for the State Governments to form a regulatory authority for Cyber Cafe regulations which shall introduce registration formalities and notify the agency to whom the log record information etc should be submitted.

The undersigned has submitted detailed suggestions for Cyber Cafe regulations under ITA 2008 to Karnataka Government and also developed Cyber Law Compliance requirements for Cyber Cafes to avoid the non compliance of the ITA 2008. However, like many other suggestions provided by the undersigned over the last several years, neither the Government nor the Cyber Cafes were interested in implementing the suggestions. Though there are several software packages available to cyber cafes to manage ITA 2008 compliance, some of which have even been recommended by Police in several States, the State Governments have not created the back end systems to receive data created from such software and therefore its use has not gained popularity.

I would have very much appreciated it if the Pune Court had devoted some attention to what the Government needs to do to improve compliance rather than sentencing the Cyber Cafe owner to imprisonment for 15 days. It is unfortunate that representative bodies such as the Cyber Cafe Associations of India or Maharashtra failed to implead in the suit and protect the Cyber Cafe owner.

I wish at least now, public spirited lawyers intervene and appeal against the part of the judgement which sentences the Cyber Cafe owner to imprisonment. Financial penalty is an adequate penalty in such cases where there is no malicious intention and there is negligence of the authorities as well in not regulating the system.

If not maintaining a visitor’s register is a punishable offence and a cause of action under ITA 2008, not prescribing the nature and format of record keeping by the Cyber Cafes is a negligence on the part of the State Government also. (P.S: Whether the Cyber Cafe rules of 2011 are practical or excessive is a separate debate which the undersigned has presented in the past and hence not repeated here.)

Naavi


Android App available on Google App Store


Advocate Prashant Mali Joins Cyber Law Guru Expert Panel


Android App available on Google App Store


Cyber Law Guru is a mobile App meant to be a channel through which the public can raise any question on Cyber Law to be answered by experts. It is part of the Cyber Law Education initiative of Naavi.

We are glad to inform that Advocate Prashant Mali, who is an internationally renowned Cyber Law & Cyber Security Expert, Author and a well known practicing advocate in the country, has joined the expert panel associated with the app and will be contributing his valuable views on any questions raised by a member of the public.

Prashant holds a Masters in Computer Science and a Masters in Law, with certification in Computer Forensics Professional and prior working experience in the field of IT Security & Law for more than 20 years.

He has authored 5 books on Cyber Crimes & Cyber Laws. He is a legal adviser to Govt Companies, MNCs and Corporates and represents them in various courts. His research interests are in Cyber warfare, Cyber war, Cyber weapon.

Mr Prashant Mali is the president of Cyber Law Consulting, a premier Law firm involved in Litigation and Consulting matters related to Cyber Law, Privacy Law, Economic Offences, Telecom, Trade Mark & Copyrights, Media and Entertainment, EContracts, Software Piracy and also provides Expert Legal Opinion and Legal Compliance to Organizations & Individuals.

He has been awarded “Cyber Security & Cyber Law Lawyer of The Year:2014” by the Indian National Bar Association.

We heartily welcome Prashant Mali to the expert panel of Cyber Law Guru.

Naavi


Information Security and Cyber Insurance have a direct correlation

Key Findings of the Ponemon-2015 Data Breach Study…3
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier articles we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

We had also seen the industry wise distribution of losses and the factors that decrease or increase the loss.

In this article we shall explore the results of the study on components of cost and other issues.

According to the study, there are four important components of the cost of data breach. They are

a) Cost of Detection and Escalation
b) Cost of Notification
c) Cost of Ex-Post response
d) Cost of lost business.

The biggest component of the cost of data breach is the value of “Lost Business”. This is estimated at an average of $1.57 million. The next biggest component is the Ex-Post response at $1.07 million, followed by the cost of detection and escalation at $0.99 million and notification costs at $0.17 million. In terms of percentages, the four components (a) to (d) listed above seem to constitute 26%, 4%, 28% and 41% respectively.

In the Indian context where the average loss is Rs 9.49 crores, the components of the cost appear to suggest that the loss of business amounts to Rs 3.8 crores, Ex Post expense amounts to Rs 2.6 crores, cost of detection and escalation amounts to Rs 2.46 crores and cost of notification amounts to Rs 38 lakhs.

The study therefore clearly indicates that there is a significant loss of business that the business may expect if hit by a data breach incident.

In terms of the probability of a data breach, the study does try to throw some light in terms of how the probability may increase or decrease with the availability or otherwise of comprehensive information security measures. It comes to the conclusion that large scale data breach incidents can be significantly reduced with good BCM measures.

While some of the statistics may be debated whether they can be applied directly to the Indian context or not, we can say that the study is one of the best available indicators of the financial risks that an organization may face on account of data breach. This is extremely significant to the India Cyber Insurance Survey 2015 that is being undertaken.

The Ponemon study indicates that there is a good inverse correlation between Information Security and data breach loss. The better the information security, the lower the cost. This should also be reflected in the cost of insurance in the same manner: the better the information security, the lower the insurance cost should be. Whether such a correlation actually exists in practice when the Indian companies underwrite cyber insurance is what the Cyber Insurance study may reveal.

However, what is clear in the Ponemon study is that the Information Security Industry has a high stake in the Cyber Insurance industry.

Unfortunately this aspect does not seem to have been appreciated fully either by the company managements or by the information security professionals. Both seem to think that Cyber Insurance decisions are decisions taken by the Finance department; the Information Security professionals are not often part of the decision making process and hence do not influence the decisions regarding insurability or fixation of premium. Probably the India Cyber Insurance study will throw some light on who are normally involved in the decision making process when a company is contemplating a Cyber Insurance cover.

Naavi

Copy of the Report


Appoint a CISO and save Rs 67 Lakhs !

Key Findings of the Ponemon-2015 Data Breach Study…2
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier article we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

In this article we shall explore the results of the study on the industry wise distribution of data breach loss.

Health Sector Suffers the highest loss:

The highest loss was suffered in the Health Sector industry where the average loss was $363 million. This was followed by Education at $300 million, Pharmaceuticals at $220 million, Financial at $25 million, Communications at $179 million and Retail at $165 million. Technology industry suffered a loss of $127 million.

It may be observed that the health care and pharmaceuticals which are well regulated under laws such as HIPAA have recorded the highest loss. This only indicates that the regulation has created greater awareness which has led to greater claims being made. But what is surprising is that the Financial industry has shown a relatively lower level of loss compared to health sector. This perhaps indicates the positive impact of better information security management.

Root causes for data breach:

An analysis of the root causes of data breach indicates that 47% of the data breach incidents occurred due to malicious or criminal attack while 29% were due to system glitches and 25% due to human error.

In terms of the losses, the malicious attacks resulted in an average loss of $170 per record, while system glitch cost $142 and Human error, $137 per record.

What Corporates need to understand in this observation is that there are attackers who are targeting them with malicious intentions and there is no room for complacency. Also, losses in 43% of cases due to system glitches and human error are a matter of concern for the management since these are considered “Avoidable”. In other words, this loss can to some extent be attributed to the “negligence” of the companies themselves.

Speaking specifically in terms of India, the cost on account of malicious attacks was Rs 4615 ($71) per record, while on System glitches, it was Rs 2925 ($45) and on human error, it was Rs 3185 ($49). This constituted 38%, 30% and 32% respectively.

Factors that impact the data breach cost

The study indicates that the following factors may have a positive impact and reduce the data breach cost per document.

i) Incident Response Team: $12.6
ii) Use of Encryption: $12.0
iii) Employee training: $8.0
iv) BCM involvement: $7.1
v) CISO appointment: $5.6
vi) Board level involvement: $5.5
vii) Insurance Protection: $4.4

The study also indicates that losses increase on account of the following factors.

i) Third-party involvement: $16
ii) Lost or stolen devices: $9.0
iii) Rush to notify: $8.9
iv) Consultants engaged: $4.5

Impact on Cyber Insurance

The observations recorded in the study may impact the Cyber Insurance Industry in India in the following manner.

a) Industries such as  may be charged a higher premium than other industries.
b) Losses on account of human errors and system glitches could be scrutinized in a forensic analysis and rejected if any negligence is found in the survey.
c) Companies which have taken special measures to reduce human error through apparently effective training may get a rebate measured against the expenses incurred for training.
d) Outsourcing of operations may increase the cost of insurance

P.S: An interesting offshoot of the study is an indication that appointment of a CISO reduces the organizational cost of data breach by an average of Rs 67 lakhs. Maybe this is an indication of the remuneration package an average CISO should enjoy? …

(..to be continued)

Naavi

Copy of the Report
