Should there be Insurance for DPDPA Fine?

Currently, Cyber Insurance covers first-party damage in case of a data breach. This covers the cost of recovery of lost data, legal and forensic costs and perhaps some consequential damages such as third-party liability claims.

In the post-DPDPA scenario, there is a concern about the cost of the administrative fine, which could be substantial. It is a grey area whether this fine, if any, can be insured.

By its nature, the fine is levied because of non-compliance with the law, besides other reasons such as causing harm to the data principal. It is therefore difficult to provide coverage since, in principle, insurance cannot protect and reward non-compliance with the law.

However, in most cases when fines are levied, the data fiduciary may claim compliance and it would be a matter of the regulator not agreeing that the measures taken were adequate. It would be a matter of debate whether there were “Reasonable” measures and “Due Diligence” on the part of the data fiduciary. It is possible that a breach was attributable to the action of a third party despite reasonable measures taken by the data fiduciary for compliance in good faith. It is like an automobile accident which occurs despite careful driving and not because of a blatant violation of law such as driving down a one-way street in the opposite direction or driving in a drunken state.

If automobile insurance, as well as the law for punishing drivers for rash and negligent driving, can distinguish between what is rash and negligent and what is not, should there be a similar discussion on the fines levied for DPDPA non-compliance?

In most cases, the order of the regulatory authority may specify the root cause and whether there was gross negligence or lack of good faith on the part of the data fiduciary in the incident. If so, should a “DPDPA Liability Insurance Policy” cover not only the cost of conducting the investigation, legal defence and meeting the liability to the data principals, but also the administrative fine (possibly subject to a sub-limit)?

The insurance industry needs to ponder over this.

On the part of Auditors, FDPPI would like to offer:

a) An Assessment of DPDPA readiness for an Insurance company to accept an insurance proposal

b) An assessment of DPDPA penalty liability when an incident occurs or an inquiry is ordered by the Data Protection Board.

These assessments can be structured for the needs of the Insurer and conducted at the instance of the insurance company.

They may be different from the assessment made as “DPDPA Gap Assessment” or “DPDPA Compliance implementation Assistance”.

Posted in Cyber Law

California becomes the second US State to recognize Neurorights

Two days back, the California Government signed a new law, SB 1223, which recognized neuro rights as part of Privacy Rights by defining Neural Data as “Sensitive Data” under CCPA.

With this, California became the second state after Colorado (Refer here) to expand the scope of a Privacy Act into Neuro Rights Protection.

The bills also suggest that it is possible to extend Neuro Rights just by tweaking the understanding of “Sensitive Data” within a Privacy law.

There is a concern in India that DPDPA 2023 does not recognize “Sensitive Data”. However, the definition of a “Significant Data Fiduciary” under DPDPA 2023 includes those data fiduciaries who process high volumes of “Sensitive Personal Data”. It does not require a legal definition to treat “Neural Data” as “Sensitive”.

Hence any organization in India which is working on “Neuro Technology” will now have to be classified as a “Significant Data Fiduciary” and treated as such for compliance. NIMHANS-type organizations eminently qualify for such categorization, along with all hospitals that may be involved in technologies that could read, store, manipulate or disclose neural data.

“Neural Data” represents the binary activity of the brain cells, which is an electro-mechanical exercise that builds up charge in a brain cell and, when it crosses a threshold charge level, pushes the data to the next brain cell. This is a typical reflection of a binary activity where a built-up charge beyond a threshold level represents the binary value of 1, while a value below the threshold level represents zero.

Hence, without waiting for further changes in law, India can start protecting Neuro Rights within the current law, unless a proviso is inserted in the rules to exclude such data, which is unlikely.

Naavi

also refer: https://neurorights.in/wp/


Want to be a “Master Trainer” for C.DPO.DA.?

FDPPI is closely working with Cyber Law College to develop capacity of Data Protection Officers and Data Auditors.

In this direction, FDPPI, being a Not-for-Profit Organization with an interest in developing the community, has decided to develop a set of “Master Trainers” in the immediate future in 20 major cities of the country who can conduct local physical training programs for C.DPO.DA. These Master Trainers will be individual torch-bearers of Privacy Training, supported to the extent required by FDPPI/Cyber Law College.

Since FDPPI has introduced a “Cross Certification” program whereby professionals trained by DSCI/IAPP/ISACA are provided privileged entry into the C.DPO.DA. examination (with a concessional examination fee of Rs 6000/- plus GST as a launch offer applicable till October 17, 2024), it has been decided that professionals trained by these “Master Trainers” are also allowed direct entry to C.DPO.DA. at a differential pricing of Rs 10000/- plus GST (subject to change).

One of the pre-requisites for being a Master Trainer, however, is that the entrepreneur should himself be C.DPO.DA. qualified (at Level 3).

Level 1, 2 and 3 are three grades in C.DPO.DA., and Level 3 represents “Distinction”. Level 1 would be considered the minimal Certification level for Privacy Professionals and Level 2 is recommended for implementation consultants. The classification is based on different cut-off points in the examination.

Since FDPPI/Cyber Law College is conducting the next program for C.DPO.DA. in Bengaluru on 27-29 September 2024, it has also been decided to allow three persons aspiring to be “Master Trainers” to attend the training at a 50% discount. (Net price would be Rs 20000/- plus GST 3600/- for three days.) Persons coming from outside Bengaluru need to make their own arrangements for travel and stay. Interested persons may contact Naavi immediately. Since only three persons will be accommodated in this scheme, aspirants are requested to act quickly.

This will be purely optional for the trainees, and if they are satisfied with the certifications given by the individual trainers there is no need to also try to get a C.DPO.DA. Certification. This is a voluntary offer from FDPPI, and the other organizations whose Certifications are eligible for this cross certification are not required to provide any mutual counter-offers.

With this Cross Certification Scheme and by opening it out to private individuals, FDPPI is democratizing training for persons with a passion for training. This is an opportunity for every training professional or training company to develop their own training programs at their own pricing and enable their candidates to opt for industry-standard certifications. It is presumed that in the long term this will revolutionize the Certification mechanism and reduce the cost to professionals aspiring for multiple Certifications.

Naavi


Opportunities fly past. Recognize and Seize it


Let’s Create a Community of Data Auditors

DPDPA 2023, as a data protection law, charted a course different from GDPR in several respects. One such differentiation that we can note is that DPDPA envisages a role for “Data Auditors”, who are independent auditors outside the Company. Currently it is mandatory for Significant Data Fiduciaries to appoint such Data Auditors.

As a result of this, there is now statutory recognition for such Data Auditors. With this development there is a need to develop Data Auditors as a community, and Naavi.org, through Ujvala Consultants Pvt Ltd, will take the lead in creating this community. Watch out for more information on this front.

In the meantime, as regards the three-day program scheduled to be held in Bengaluru on September 27, 28 and 29 by FDPPI, there is a request from many for the curriculum.

I had indicated yesterday that it would focus on “Audit” as per DPDPA 2023, which applies to Data Fiduciaries, Significant Data Fiduciaries, Consent Managers etc.

To elaborate further, the contents of the discussion would include the following:

a) The legal basis for Data Protection in the form of nuances of DPDPA 2023 along with ITA 2000, CPA 2019 and also international laws such as GDPR.

b) Implementation challenges for “Compliance by Design” with Technical and Organizational controls, including the technical challenges of:

- Data Discovery, Data Classification, Data Storage, Data Access, Consent Management, Management of Rights of Data Principals, Minors’ Data Management, Data Breach Management, Data Retention Management, Data Confidentiality, Integrity and Availability Management, Grievance Redressal Management, Management of Consent Managers, Data Pseudonymization, etc.

c) Governance Challenges related to how the risks can be assessed and managed including Data Valuation and using Cyber Insurance.

d) Conducting an Audit of how an organization has complied with the DPDPA 2023 requirements in a technical environment, with a focus on how to gather and validate evidence.

FDPPI’s Certification C.DPO.DA. is a crown jewel that would be available only to those who successfully complete the examination.

All persons who attend the program are given one free attempt at the examination. The examination would be online, for a duration of 2 hours. If they opt out of the examination, they will get a “Participation Certificate”.

If they appear for the exam and cross the first cut-off point, they will be eligible for the “C.DPO.DA.-L1 (Foundation Level)” Certificate. If they cross the second cut-off point, they will be eligible for the “C.DPO.DA.-L2 (Implementation Level)” Certificate. If they are able to cross the third cut-off point, they will be eligible for the “C.DPO.DA.-L3 (Expert Auditor Level)” Certification.

Appropriate reading material would be provided both online and offline. Discussions will include lectures and Case study discussions.

It is our desire to make the Program an elevating experience for all the participants.

Look forward to meeting you…


Why Auditors have to be ready before DPDPA Compliance comes into existence

It is heartening to note that CERT-In has recognized the need for its Empanelled Auditors to be ready to audit DPDPA Compliance in other Companies. As a part of this recognition, the CERT-In empanelment division recently issued a circular note to all its empanelled auditors recommending certain Certification Programs.

FDPPI is happy to note that CERT-In has included the training program which FDPPI has organized in Bengaluru on September 27, 28 and 29 as one of the recommended courses.

It goes without saying that the empanelled auditor firms themselves need to be compliant with DPDPA first before auditing others.

Quote:

Dear Empanelled Auditing Organizations,

As you are aware, CERT-In empaneled auditing organizations play a critical role in assessing and hence securing the cyber infrastructure of entities operating in the Indian cyber constituency. It is imperative for auditing organizations to continuously build capacity through regular training programs and certifications. CERT-In is in discussion with various institutions and forums to prepare audit-focused courses/programs in various domains for both technical and senior executives.

As you may also be aware, the Digital Personal Data Protection (DPDP) Act is in place and CERT-In empaneled auditing organizations will also come across privacy and data protection audits. Hence, it is recommended to train management and staff on appropriate data protection and privacy programs.

Currently, the following 4 programs have been evaluated by CERT-In and are expected to benefit the auditors engaged with empanelled auditing organizations:

Unquote

The recommended programs relevant to CERT-In auditors included the following:

We are honoured by this recommendation and will do our best to ensure that the confidence reposed in us by CERT-In is adequately justified through our unwavering commitment to excellence and responsibility.

To give an idea of how FDPPI’s program is unique and different from others: it would exclusively cover

  1. Audit of Data Fiduciaries
  2. Audit of Significant Data Fiduciaries
  3. Audit of Consent Managers
  4. Audit for Insurability
  5. Assessment of DTS
  6. DPIA and Data Breach audits
  7. Audit of Media and Gaming Companies

These requirements will be covered along with DPDPA 2023 as a law and the implementation challenges in terms of technology tooling. Solutions in the form of current frameworks, including ISO 27001/27701 and the CSF of CERT-In/RBI, and a detailed discussion on DGPSI will also be covered.

It is needless to say that the program would be unique, and those who miss the opportunity would miss an early bus to the coveted Data Auditor community.

Naavi
