Is Insurance Industry ready for PDPA?

On 7th February 2020, I attended a day long seminar in Hotel Trident, Mumbai organized by the National Insurance Academy Pune jointly with Swiss RE.

The program titled “Digital Disruption..Embracing Digital Innovation in [RE] Insurance business” was a grand success and well attended by all the Insurance Professionals. It was inaugurated by the Chairman of IRDAI in the presence of the CMD of LIC and other dignitaries.

While there was interesting discussions on the innovative use of technologies in Insurance, there was also a discussion on Cyber Insurance.

Despite the enormous enthusiasm that the industry is showing towards the adoption of technology, it was observed that the industry appears to be significantly lagging behind the developments in the field of Cyber Insurance and needs to re double its efforts in developing the Cyber Insurance products and services.

I had observed in my earlier article “Golden Era ushered in for Cyber Insurance industry through personal data protection act of India”  that there was a huge opportunity begging to be harnessed by the industry consequent to the Personal Data Protection Act that is on the anvil.

However the industry appears to be even now looking at only how to adopt IT in their traditional Insurance business and the level of adoption of risk assessment and insurance coverage in the Cyber Space is in very nascent stages. It appears that the insurance industry in India will miss the Gold rush arising out of PDPA.

More importantly, if the Insurance industry does not gear up to the needs of the industry which will be embracing the PDPA, the industries who will try to adopt PDPA will be left high and dry unable to get adequate coverage they would be looking for. In the process there will be many insurance contracts which are likely to be written without a proper understanding of the inherent risks covered. In a way the industry has to go through a period of blind PDPA Risk coverage policies which will be only on paper and would neither be useful to the insurer or the insured.

During the discussions it was a surprise to note that there was no mention of the recent Breach Candy hospital data breach which should have actually dominated the discussions if there was a proper appreciation of the impact of the industry had it come after the PDPA was in force.

There was also a lot of discussions on the use of AI in Insurance which needs to be moderated and adopted to the advent of the PDPA. There was a complete lack of the recognition that many of the AI solutions will have a serious conflict with the PDPA.

It was interesting to note that the IRDAI has recently introduced a “Sand Box” system for the insurance industry to test new products. Since the PDPA is also coming out with a Sand Box concept of its own, the users of new Insurance Products based on the use of AI will need to contend with two Sand Boxes, one for the use of personal data in developing profiles of the insured which will be under the under PDPA and the other for the structuring of the insurance policy.

Naavi pointed out that PDPA will usher in new challenges such as providing a cover for the “Administrative Fines” which will conceptually mean coverage of failure to do the obvious. The industry will have to decide on the coverage based on the reasons for which an administrative fine is imposed. If the reason is an external cyber attack, the coverage may stand. But if the main reason is failure of the internal systems then there could be a resistance from the insurance industry to honour a claim.

Naavi also pointed out the difficulty in valuing the personal data since its value in the hands of the data fiduciary/processor would be varying as it travels through a life cycle. Even the data ownership may change during the lifecycle of personal data requiring proper capturing of the ownership in the insurance contracts. (Some of these problems would be evident to readers who go through Naavi’s recent book on PDPA).

Naavi also pointed out the conflict with the general principle of “Co-Insurance” when the limit on administrative fine under PDPA is defined as 4% of the Global turn over. Since this becomes the bench mark of “Insurable Interest” for a company, if the actual policy for administrative fines is less than 4% of global turnover, then there could theoretically be an “Under-Insurance” of the liability.

Additionally the PDPA Risk is almost always a risk of “Consequential Loss” while the primary risk is one of a “Cyber Crime” arising out of information security failure. Hence the risks covered under the existing Cyber Insurance policies themselves expand to invoke the administrative fines under the PDPA unless they are specifically excluded.

In view of all the complexities that the Cyber Insurance as well as the PDPA Risk insurance involves, a time has come for the industry to think if there is a need to make a major surgical change to the Insurance law in India on the lines of what China has done, by giving up the principle of “Utmost faith” to a contract of “Honest disclosure”.

Without this major change in Insurance law, it will be difficult for the industry to provide the required risk coverage to the industry arising out of Cyber Risks and PDPA risks.

Hope the IRDAI and the Government will take a look at this requirement.

In the immediate future, IRDAI has to try to establish some codes and practices that it can suggest to the DPA so that the insurance industry is able to adopt to the PDPA without much of a problem. If necessary, IRDAI should set up an expert committee for this purpose at the earliest.

One of the requirements that will arise in the context of the inability of the insurance industry to come up with a suitable product is for the other sectoral industry regulators come up with a concept of “Peer to Peer Insurance” through the constitution of a “Data Insurance Fund” on the lines similar to the Deposit Insurance and Credit Guarantee Fund” in the Banking industry. I will expand on this concept in subsequent articles.

Naavi

Also Refer:

Cyber Insurance Pricing.. Finextra

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

PDPA Risk Insurance

India is in the threshold of a new legislation called Personal Data Protection Act (PDPA-2020). One of the most striking factors that this legislation represents is that organizations processing “Personal Data” in any form, including the Government departments will here-after  have to worry about a new kind of financial liability that they may face. It is the risk of being fined by the Data Protection Authority for “Non Compliance of the provisions of the Act”.

While the organizations that process the personal data need to be ready with the knowledge and preparations of how to stay compliant with the law, one of the solutions that every personal data fiduciary/processor in India would be looking forward to would be an Insurance policy with which they could get themselves covered.

It is possible to consider that the administrative fines that may arise consequent to non compliance of PDPA 2020 can be also considered as a consequential loss of running the business and hence could be technically covered under the current Business related insurance policies.

However, since the PDPA administrative fines were not envisaged when the policies were underwritten and the amount involved could be as high as 4% of the global turnover of the company, it is difficult for the Insurance companies to consider the risk covered unless a fresh endorsement is made and additional premium collected.

The organization will therefore have to take a view on what risks to be insured under PDPA, whether to restrict it only to first party risk of administrative fines only or include the third party risks of payment of compensation to the data principals.

The Insurance companies also need to structure a policy that suits the requirements of the PDPA.

We are certain that the Insurance Companies in India are far from thinking on structuring a policy for  PDPA risk coverage and it is possible that they will look to the west for re-insurance terms before they start underwriting the risks.

The PDPA risk coverage will be complex because the underlying asset is Personal Data which is intangible, goes through a life cycle of varying value, the asset ownership is unclear, losses are difficult to estimate, etc.  The fines arise if there is negligence in implementation of PDPA compliance and whether the insurance companies relish insuring negligence is a moot point.

May be there is a lot to debate in this field and the discussions have just started..

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Print Version of the book on Personal Data Protection Act by Naavi

Naavi.org is glad to announce that the print version of the book Personal Data Protection Act (PDPA 2020) written by Naavi based on the Bill presently before the Parliament would be available shortly.

The book is released now before the passage of the Act with the objective of making some reading material available to the Parliamentarians who will be discussing the bill for passage and  also for all those persons who have to present their views to the Parliamentary Committee.

The book is being released in the next couple of days by the publishers at a market price of Rs 600/-.

A limited number of copies would be made available to the Naavi.org followers at a pre-order discounted price of Rs 450/- . This will be a limited period offer and would be available on request. Exact modalities of how the discount will be passed on would be provided to those who want to avail the offer.

This offer would also be available to all the students of Cyber Law College who have taken the courses through Cyber Law College or Apnacourse.com.

Requests may be sent by e-mail to naavi@naavi.org with the subject line “PDPA2020”

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Calling attention of the Chief Minister of Karnataka and The Commissioner of Police

It has been reported yesterday that several robberies took place in the Nice Road. One of the persons who met the victims has filed the following report:

Quote:

Guys, there was an attempted robbery at knife point on me at Nice road a couple of hours ago. Thankfully, I could escape in time or I’d have lost everything.
After me, the thieves have robbed 6 more people in the same stretch. One couple going in Activa, one couple going on a Pulsar AS200 and one family going in car. The thieves had longs, daggers and sharp knives and other lethal weapons.

Multiple phones, debit and credit cards, gold ornaments have been stolen from those 3 other cases. Their vehicles have been damaged and their keys were thrown off as soon as they stopped them to rob them.

One guy has assault marks on his face, one girl was slapped hard, one more guy was at knife point while the girl with him escaped to the opposite side to shout for help.

I ripped and escaped from them and came to Hosur toll and informed authorities. Highway Patrol was sent out and the thieves were searched but in vain.

By the time I was done reporting this incident at the toll, the other 2 couples came in and reported their incidents. While we were talking to the authorities, a live news came in saying that a car glass was shattered using a long and the family was robbed.

All of us are at Electronic City police station right now to lodge FIR’s on our respective incidents. Nobody is injured. All are safe. Only one guy was bleeding from his nose and head but it was minor.

This is to inform you all to be safe and DO NOT travel on NICE road at night. I have tweeted to Ashok Kheny on the safety measures and have informed my lawyer on the same. If at all any legal proceedings happen, I will keep you all updated.

I’m safe, the bike is safe, just in the nick of time and sheer luck and thinking.

Be careful….

Unquote:

This is a serious law and order situation that needs to be addressed by the Police and the Government immediately. The Karnataka High Court should take cognizance of the incident and order immediate remedial action.

The Nice Road is gated at both ends and there is CCTV surveillance at the entrance and exist. It is a “Private Road” owned and operated by a company and the entire responsibility for the incident should be borne by the owners. It is necessary for the Police to immediately arrest Mr Ashok Kheny and hold him responsible.

The robbery could not have taken place without the connivance of the staff at either end of the tolls and all the staff members who manned the relevant gates should be questioned.

It is possible for the public to boycott Nice Road but this will create more traffic problems within the city.

Hence the Government should immediately take over the Nice Road from private management cancelling the maintenance contract and take necessary security measures including setting of police pickets at frequent intervals, CCTVs through out the road with proper lighting.

The High Court normally favours the contractor in such cases but it should take citizen centric decision in ensuring that the contractor is responsible.

If some body can file a PIL in this regard, it is welcome.

Will watch the developments to see how the Police handles this issue.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Breach Candy data breach incident could be the “I Love You” moment

In India, we are 20 years into the period since civil liabilities arising out of  Cyber Crimes became legally enforceable through a process of Adjudication. Since then, victims of Cyber Crimes are searching for Cyber Crime insurance. In June 2001, the RBI mandated that Banks should hold Insurance against losses arising out of hacking, denial of access etc. However, it was not until the last few years that individuals in India could take Cyber Insurance policies. Corporates were offered cyber insurance policies since  few years earlier where the first party losses and third party losses were covered. 

The industry is however still far below the state of maturity that is acceptable to the consumers in the country. To put it mildly the policies are constructed without an adequate risk assessment and consumers may be left feeling that the risk coverage is far less than what they would expect at the given premium.

The reasons could be many. For a long time the insurance industry could say that the law was inadequate, the judicial system was ill equipped, crime metrics were not available, the risks were too huge to be covered etc. But these excuses are not unique to Cyber Risks. Such risks have been there in every field and the industry has found ways and means to address them. What has been lacking is the willingness of the insurance industry to take the plunge.

In such a fluid state, the new Act namely the Personal Data Protection Act (PDPA) will come into operation shortly and cause disruption of unprecedented magnitude in the coming days in the industry. 

The data breach reported about the Breach Candy hospital in Mumbai where 1 million patient records and 120 million medical images have been breached has jolted the health care industry. Most of the prudent managements would like to know what could be their liabilities in such cases after PDPA comes into force. The impact of this breach will be extending beyond the health care industry and affect other industries as well.

In India the possibility of individual patients making a claim for loss arising out of the data breach may still be low. Most individuals cannot quantify the loss and their claims would therefore look arbitrary. However, the Data Protection Authority (DPA) in such cases can easily impose an administrative penalty which in the minimum could be Rs 15 crores given the sensitivity of the information and the volume of the breach. 

There is however a possibility that thousands of patients who ever had undergone any treatment in Breach candy hospital may send out e-mails to exercise their “Right to information” and ask if their personal information has been breached?. They may also ask for porting of their information including their medical profile back to them for better safety and erasure of the data in the hands of the hospital. The insurance companies may be fishing for information that would help them reject claims of some of their customers or rework their premium upwards based on the leaked information.

Acknowledging and answering such e-mails and resolving the disputes without creating another “Bhopal Tragedy type litigation in the Courts” will require a new “Dispute Resolution Company” to be set up by the Breach Candy hospital. 

In all this confusion, there would be a doubt as to whether the leaked data is in fact the correct data. There would be many Phishing fraudsters who would try to come with their versions of fraud to further cheat the victims of the data breach in their own innovative manner. All the patients of the Breachcandy hospital may receive e-mails from fraudsters offering them help in getting compensation and this could itself lead to identify theft and further banking frauds.

Mumbai police have to warn the public about such a possibility.

It is obvious that the society cannot let an incident of this type to run riot and damage the business of private hospitals. What has happened today to Breach candy hospital can happen to Apollo tomorrow and Fortis day after. The community should therefore ensure that this type of incident is treated like a disaster which is definitely unwanted but some thing that needs to be faced with courage and pragmatism.

The  Insurance industry has a big role in finding a way forward to how we face such data breaches in the current legal regime before PDPA and after PDPA comes into existence. Currently it is the duty of the CERT In to investigate and find out why and how this breach happened and how it can be prevented in future. The Ministry of Health has come up with guidelines on EHR management and the protocols used for storing of medical images are supposed to be a global standard.  It is possible that Breach Candy hospital had implemented Privacy and Information Security standards equivalent to HIPPA requirements.

It is clear that these measures have not helped in preventing the breach. It is possible that the root cause of the breach may not be a sophisticated hack but only  a simple password related negligence or lack of encryption. The reasons should be analysed and lessons learnt.

If all hospitals now rush to get Cyber Insurance covers the policies there is a need for the insurance companies to to be able to respond positively. But in writing any policy at this time, they need to take into account  the emerging PDPA law that may be in place in the next few months. Hence, the first version of the “Post PDPA Cyber Insurance Policy” should be what these insurance companies need to offer.

For the industry which is still struggling to structure policies for the 20 year old Cyber Crime risks, the challenge of writing the policy for PDPA risks would be almost impossible at least for now. The Indian Companies may only look at the Re-insurers abroad and structure their policies based on what the re-insurers suggest. This may require time and may continue to be deficient in  meeting the requirements.

The IRDAI should therefore step in and form an expert committee of the Insurance industry to study the impact of PDPA on the Insurance products and draw up a specific PDPA Risk coverage policy template, much the way RBI set up the S R Mittal working group in 2000 immediately after ITA 2000 was notified, which came up with the Internet Banking guidelines in June 2001.

Other sectoral regulators should also take cognizance of the emerging law and within their own sectors come up with PDPA related codes and practices that could be adopted by the DPA when it comes into existence.

The process of understanding the law and coming up with a set of suggestions is a time consuming affair. Hence these sectoral managers should start their action now rather than waiting until the Government passes the bill, appoints a DPA and the DPA in turn sets up its office and be ready to issue guidelines of its own.

It is to enable such introspection within each industry that the undersigned published his book on PDPA which is presently in e-book format and shortly would be available in print form too. Hopefully the industry would be equally concerned in starting their compliance exercise without any excuses.

When the Information Technology Bill 1999 was introduced in the Parliament in December 1999, Naavi had released his first book on Cyber Law titled “Cyber Laws for Every Netizens” with the hope that it would help the legislators while passing the law. It is with a similar objective that the book on PDPA has also been released though many may feel that it is premature to read the law before it actually gets passed. Even in 1999, the Bill was languishing in the standing committee and no body was sure when it would be passed. But suddenly a virus called “I Love You” hit the global scene and the standing committee suddenly woke up and the law got passed in a hurry.

It appears that the Breach Candy incident will be a similar jolt to the Ministry which may ensure that the Bill gets passed in the current budget session as planned.

If that happens, we can say “I Love you Breach Candy”….because  some thing good can happen to the community as a result of this mishap.

There is a wise saying that “It is not the way we fall that matters, but the way we get up”. This applies to the Breach Candy hospital as well as the regulators and the legislators who are considering the passage of the Bill.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Breach Candy data breach may expedite passage of Personal Data Protection Act

According to the news reports published today medical records of over 120 million medical images of Indian patients and 1 million medical records got exposed due to a cyber incident.  The records have been made available online freely by the attackers.

The records compromised included the patient records and scans and images with details such as the name of the patient, their date of birth, the national ID, name of the medical institution, their medical history, physician names and other details that are meant to be classified.

The incident is believed to have occurred due to the compromise of industry protocol for medical image storage and could have resulted from compromise of passwords of authorized persons.

While this sort of incidents could be termed as privacy infringement and the hospital could be liable for claim of damages from the affected patients, had the PDPA (Personal Data Protection Act ) been in place (Expected to be in place shortly), there could have been a hefty penalty imposed on the hospital by the Data Protection Authority.

For the time being the Breach candy hospital may escape liability but just as the “I Love You” virus expedited the passing of the Information Technology  Act in  2000 , the Breach Candy leak could expedite the passage of the PDPA bill presently in the Parliament.

Naavi

 

Also refer: Economic times article

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment