Building a Responsible Cyber Society…Since 1998

[Once again, I apologize for a non Cyber Law Post prompted by the unprofessional views expressed by Moody’s which needs countering. Ignore if you want….Naavi]

Press Reports suggest that the International Credit Rating Agency  Moody’s has warned that Narendra Modi needs to rein in members of the Hindu fringe elements or risk losing credibility.

Read Economic Times Article here

Moody’s is a credit rating agency and has the expertise to comment on the financial aspects of the country. It is customary to consider that the economy of the country is affected by several factors, one of which is the political environment. Hence “Country Risk” and “Political Risk” are often used as elements of analysis in a Credit Rating exercise.

However, a prudent Credit Rating agency assigns appropriate weightages to the different aspects that affect the economy, and obviously the fact that it is natural in a Democratic country for the opposition to keep rattling has to be taken into consideration before factoring the impact of such opposition antics into its rating.

According to the ET report, Moody’s are reported to have “Advised” PM Narendra Modi that

“Modi must keep his members in check or risk losing domestic and global credibility,”.

The report goes on to comment on the ongoing Bihar elections and says

“The BJP is not the incumbent (in Bihar), so a win here would help secure an upper house majority… Overall, it is unclear whether India can deliver the promised reforms and hit its growth potential. Undoubtedly, numerous political outcomes will dictate the extent of success,” 

There is no doubt that the report is a scathing attack on the Modi Government, and it predicts that the GDP growth rate would be around 7.4% to 7.6% for the full fiscal year 2015-2016 as against a potential of around 9.3%.

In a way the report has placed a value on the disruptionist impact of the opposition as around 2% of GDP.

However, instead of restricting itself to providing its views, the report actually becomes a political commentary set to help the opposition in the Bihar elections. Now, politicians like Lalu Prasad Yadav who may not know the difference between Modi and Moody will start quoting the agency in their election speeches.

It must however be emphasized that in our view,

“While a Credit Rating agency has the right to make its observations, it is unacceptable to word its observations in the form of an “Advice” to the country’s Chief executive.”

Lifting the Corporate Veil

The report has to be read along with the credibility of the agency which has lent its name. Since it comes from Moody’s, it is being read and commented upon. But at the same time, we all know that any such report is a product of some individual’s efforts and ultimately the credibility of the report has to be tested against the credibility of the person who puts out the report. We therefore need to look beyond the name of Moody’s and lift the corporate veil.

This report is attributed to Faraz Syed, associate economist at Moody’s Analytics and raises a question on the credibility of the analyst as well as Moody’s as a Credit Rating Agency.

At the outset, I would like to categorically state that my comments should be disassociated from the fact that the name of the analyst may lead to certain inferences. I am only analyzing the issue from other factors.

Mr Faraz Syed is based in Sydney and is in the process of completing his Master’s degree in Economics. He completed his Bachelor’s degree in 2013 from Macquarie University, in Australia. His interest initially has been in the field of Cricket and he entered the career as an Economist in January 2013. After working for one year with the Australian Bureau of Agricultural and Resource Economics and Sciences, he joined Moody’s in December 2014 as Associate Economist.

His experience as an analyst in Moody’s is therefore less than a year. I suspect that he has never visited India and his knowledge of India may be through Cricketers and IPL.

His attempt to convert a Financial Analytical report into a political advisory to a Head of State  shows his immaturity as an analyst and nothing else.

However, one cannot appreciate how Moody’s let the report be published under its name, and that indicates that there is no control or supervision over the work of an “Associate Economist”.

What this States about the Opposition

While the opposition parties and the so called  intellectuals  who are spearheading the AwardWapsi movement would rejoice at the endorsement they have received from Mr Syed Faraz, I must point out the other dimension of the report.

What Mr Syed Faraz says is that the potential of 9.3% growth in GDP has been reduced to around 7.4% because Mr Modi has an opposition in Rajya Sabha and cannot pass progressive legislation. This confirms that the disruptionist activities of the opposition are harming the progress of the nation.

In other words, Mr Syed Faraz and the Moody’s are confirming that the actions of the opposition are “Anti National”.

Having been involved in the Financial Services industry for a long time in the beginning of my career and observed the birth and growth of Credit Rating agencies in India such as CRISIL and ICRA, I consider that India is on a path to progress with economic reforms which need time to yield results. Professionals in credit rating agencies need to understand that we cannot set up power plants in one year and without adequate power, industries cannot take off, and without industries taking off, there cannot be employment etc. All this takes time and a professional in a credit rating agency should be aware of it.

The Dadri incident or Kalburgi incident has no relevance in the long term economic building of the country. It is only the anti national forces who would like to fish in troubled waters when such incidents happen and if a professional lets himself be drawn into using those incidents to blame the PM, he stops being a professional. I consider Syed Faraz has betrayed his incapability of filling the boots of an “Economist”. If he gets to be a “Master in Economics” because of his erudite discourse on India, it would reflect the standards of the University that grants him the degree.

Though political commentators in their Bihar election mood may say whatever they feel like, professional organizations such as Moody’s should have shown maturity in passing comments as have been passed in the report and this actually undermines the credibility of Moody’s as a credit rating agency.

I would like to call upon the Moody’s as an organization to disown the advisory, withdraw the report and publish a corrected version without the politicized comments of Syed Faraz.

I will be forwarding a copy of this article to appropriate persons in Moody’s and also request readers to send it to appropriate contacts in Moody’s if they are able to reach out.


ICICI Bank’s Carbon Card..Innovative but more risky for the Consumer

Posted by Vijayashankar Na on October 30, 2015
Posted in Cyber Law


ICICI Bank has introduced a new type of Card which it calls “Innovative” and “Asia’s First”.

The uniqueness of the Card is that it carries an LCD screen and a 12 button keyboard. User needs to first register the Card with VISA CODESURE and subsequently, dynamic pass codes are generated for every transaction. There will be an inbuilt battery and a micro processor. The lifespan of the card is about 3 years.

Presently the card is being offered by “Invitation”.

Though the Bank claims that this is more secure, what we can see is that it is as secure as the single PIN that is assigned to the registered card, and the dynamic generation of PINs has no value. In fact, if the OTP were being sent through the mobile, then a thief who got hold of the Card and the Core PIN (say if it is written down or is found out by brute force or otherwise) would need to steal the mobile also. However, in this system that is not necessary at all.

The Bank therefore needs to explain how this system is more secure than the mobile based OTP. RBI also needs to assure the public that the card meets its guidelines.


P.S: This is not a post on Cyber Law and I apologize for the diversion. But I, as a citizen of India, have my views on some of the recent developments and want to use this platform to record the same. You may ignore it if you do not like it. This is prompted by the returning of the awards by many prominent persons, which trend has now percolated into the community of scientists. Just as Scientists are also humans and as citizens of India have the right to express their views, I also have my right to express my views and criticize these persons for their action. I am exercising this option.

I was today pleasantly surprised with a report in dnaindia.com where it was stated that an international organization by name “Freedom House”, in its report, stated that Internet Freedom in India has improved under the Modi led Government in India. I am not aware of this organization and its credibility, but since the view goes with my own view of the Governments in India since my student days, when we saw the pre-Emergency days and followed up with the Emergency days and thereafter to Sonia Gandhi’s proxy rule, I tend to agree with the report and take this opportunity to add some thoughts on the other burning issue in our media now, namely the #Awardwapsi craze.

If we go by the media reports and the noise made by political leaders from the opposition, it appears that India is going through a great time of suppression of freedom and intolerance all because NDA has a majority of 282 Loksabha seats. After the FTII students and Sahitya Akademi winners it is now the turn of the scientist community led by Mr P M Bharghava to return their awards expressing their “Concern” for the “Intolerance” that is prevalent in the society.

The media is holding out as if this is a reflection on the functioning of the Modi Government which on the other hand is going great guns with its African Summit and Easing of Business objectives.

The opposition that is being raised comes bang in association with the Bihar elections and one has to be naive not to see the effort to create a negative PR for the BJP.

In this entire exercise it is the intellectual credibility of these “Award Returnees” that has come into the public glare. They are reflecting their level of intolerance to a non Congress Government being at the helm and their favourite parties in the opposition becoming irrelevant by the day for reasons of their own.

I suppose that this fervour for returning the awards may wane after the Bihar elections and even those who have announced returning of the awards may not actually return them. I therefore call upon the Government to set up a committee of auditors to follow up the media announcements made by these awardees and create a smooth system for their returning of their awards. They can be collected and put up in a museum. Along with the return of the medals, it is also necessary for these awardees to return the cash benefits they have received, which can be put in a fund.

After the disclosures of Netaji Files and other historical documents that were so far buried under a veil of secrecy, it is clear that what we were fed so far as Indian History was a doctored version and Congress must be blamed for its role in hiding the truth from the public. Some of these grey haired intellectuals who are showing intolerance were perhaps aware of this doctoring of Indian history and it makes me sad that they did not have any opposition for this fraud on the Indian society.

I am therefore not unhappy that these people are returning their awards and would like these returns to be meaningful and this event can be preserved as a part of the transformation that is happening in our society now.  Hence the returned trophies deserve to be placed in a museum and public should know who are and who are not with the current transformation from the dynastic rule of the Congress family to the Modi led BJP rule.


The scrapping of NJAC Bill by Supreme Court and upholding the system of the Collegium has been debated with muted voice for the last few days in the legal circles.

After Congress announced its politically expedient decision not to back a new version of the Bill, the Government has no option but to stay silent on the issue.

However, no such compulsion is there on citizens of India and one such individual who is aggrieved by the decision on the NJAC Bill has filed a review petition as reported by TOI today. 

( A Copy of the petition is available here)

Naavi.org welcomes this decision for a review since the decision of the bench in NJAC issue is not without its own risk of Judicial over reach.

The tendency seen in the decision to read meanings into common English words which suit the occasion is a dangerous tendency since this creates a precedent that any word in law can be interpreted in any arbitrary manner. The common man will therefore never be able to understand the law as it is intended and will forever be at the mercy of the Supreme Court to interpret in any manner it likes.

The abuse of this power is nowhere more evident than in the case of the interpretations on the Constitution, which has been amended so many times, including the basic structure involving “Equality Before Law”, that the frequently uttered words such as “Constitution is Supreme” sound hollow.

If the Supreme Court was so concerned about the basic structure of the Constitution, it would not have allowed earlier amendments including discrimination of people on the basis of caste, religion and gender. Today, a so-called “Forward Caste Hindu Male in India” is a third class citizen in law and both the vote bank politicians and the accommodating Judiciary are responsible for the status. Nobody, including the media which boasts itself of being the protector of public conscience, seems to be interested in protecting the rights of such Citizens. But when it comes to protecting the appointment of fellow judges, it is strange that the “Basic Structure” of the Constitution is remembered by all.

Naavi.org brought out the aspect of improper interpretation during the Shreya Singhal judgement in scrapping of Section 66A of ITA 2008 and argued that the judgement was incorrect, illogical and involved arbitrary interpretations not consistent with the language used in the law or in a dictionary. This is seen in greater measure during the striking down of the NJAC Bill where the words “In consultation with” are interpreted as if they mean “Under directions of”.

As in the Shreya Singhal case, there was every opportunity for the Judiciary to read down meanings without being excessively harsh on the legislature and striking down the proposed Act. The Court appeared to showcase its power and cause a “Chilling Effect” on the legislature to prove a point that Judiciary is supreme. In the Section 66A case, there was no conflict of interest for the judges and it was only a discussion of whether the Judges understood the technology law as intended or not. But in the current case, there was a clear case of conflict since the Judges were taking a decision that affected their own position as judges.

This was a fit case for a national referendum which the Court could have ordered. Alternatively, Court could have taken a middle path of agreeing for the NJAC with a greater weightage for the judicial persons in the decision making process and a commitment of transparency and avoidance of corruption (financial or otherwise) in the appointment.

Instead, the Court took the decision to strike down a constitutional amendment bill knowing full well that it would embarrass the current Government more than anybody else. In fact the decision has hurt the public confidence in the Judiciary more than upholding it.

We cannot ignore the fact that Supreme Court has faulted during and after “Emergency”, the cause of which was a different set of politicians who ironically are now again benefited politically by the current decision. It is as if Congress is having  its cake and eating it too, thanks to the Judiciary.

When we strongly advocated a review of the Shreya Singhal Judgement, unfortunately there was no support from the legal community since they were perhaps not clear of the law themselves and wanted to avoid confrontation with the Judiciary. However, I am happy to note that in the NJAC case somebody has the courage to file a review petition.

I hope this leads to an improvement of the decision and proves one point that even a final judgement from the Supreme Court need not necessarily be correct. This will be a precedent that a Supreme Court judgement also can be subjected to a review and roll back.

I wish the petitioners also request the Court to consider ordering a National Referendum on the issue before a final decision is taken and respect the will of the people. This will be a precedent of its own and NextGenIndia will benefit.


Related Articles:

Review plea filed in SC on NJAC verdict

NJAC: The bad bill The poor pill

What did Justice RM Lodha did to clear CIC-verdict on judges’ appointment

Various articles

Petition copy

Data Breach Notification Policy is a mandatory policy under certain regulations such as HIPAA/HITECH Act and is being increasingly used by different regulatory agencies.

The essence of the policy is that when a potential data breach is discovered in a Company, the data subjects whose interests are adversely affected would be informed. Sometimes it is required to be notified to the regulatory agency and also to the media or placed on the website.

Obviously the companies which suffer a data breach are not happy with such a regulation since it adversely affects their reputation and future business flow. Also it will prompt litigation even in cases which would normally not have escalated beyond a simple dissatisfaction. The Notification would therefore be like “Inviting Trouble”.

If there is a regulation that data breach notifications are mandatory, then there is no choice for the company. Cyber Insurers would look at it as a part of mandatory legal compliance.

When there is a regulation then probably the industry would have clarity on how to define a “Data Breach” for notification purpose and what procedure to be followed. But when there is no regulation, the Companies would most probably try to avoid notification.

In India, where we do not have a Privacy law, the only reference to data breach notification is through the rules under Section 79 of ITA 2008 applicable to Intermediaries. Though there is a mandate under this rule, it is doubtful if it has been recognized and followed.

The Cyber Insurance Company is interested in the notification since it is a good practice and has some specific advantages.

One of the main advantages of the policy is that it instills a sense of discipline in a company for information security. Without the need to disclose the data breach, any company would be interested in brushing the problems under the carpet. If there is a policy then there will be a clear definition of how a breach can be recognized and what needs to be done if a breach is suspected.

The second most important advantage is that when smaller breaches get reported, the company would be hardening its security before anything big hits them. It works as a circuit breaker that defuses the risks instead of allowing risks to accumulate and explode.

For this reason, I advocate that Cyber Insurance Companies need to develop their own Data Breach Notification policies and impose it on the insurers even if there is no law to mandate it.

If a Company already has adopted a Data Breach Notification policy along with a Privacy Policy and Information Security policy, the insurability of the organization actually improves and it should have a positive influence on the insurance proposition.

A Prudent Cyber Insurance Company would be not only interested in imposing a data breach notification policy but also a more comprehensive information security policy of its own to safeguard the interests of itself and the insured organization. Though some companies would prefer to adopt the ISO standards of Information security rather than suggesting anything of its own, it is preferable that the Cyber Insurance companies do suggest some minimum information security standards before considering a proposal. In such a case, the data breach notification policy is one that they should consider.

Naavi’s Cyber Law Compliance Center offers a model Data Breach Notification policy that tries to address the concerns of the regulators without unduly humiliating the company reporting the potential data breach incident. The model policy can be adopted by any user industry if necessary with other associated policies.

In due course it would be necessary for regulators to develop requirements of their own which can be incorporated in such policies. RBI, SEBI, IRDA and CERT IN are some of the regulators who should be considering mandating imposition of such policies in the larger interest of consumers whose interest they try to protect.


Also posted on cyberinsurance.org.in

Model Data Breach Notification Policy from CLCC

Posted by Vijayashankar Na on October 27, 2015
Posted in Cyber Law

Naavi’s Cyber Law Compliance Center (CLCC) has so far announced a program to build a Society of Cyber Law Compliant Netizens/Organizations in India which requires a code of conduct to be developed. We intend suggesting the code of conduct through a series of policy documents published through CLCC which can be adopted as a “Standard”. We have already released a “WhatsApp Group Administration Policy” which may be adopted by any WhatsApp group admin subject to a free registration of the group to the CLCC.

A question has been raised by one Admin if there is any way of getting a legally valid evidentiary confirmation for the users having adopted the policy. It has been suggested that at present the policy is notified by reference to the link to the document at the CLCC at the time a member joins the group.

However, it has been suggested that CLCC can act in conjunction with ceac.in to provide a “Certified E Mail Delivery Service” through which the notices can be served to the users. This may however be offered at a fee and details can be discussed when there is a specific enquiry.

In the meantime, CLCC has also worked on a Voluntary “Data Breach Notification Policy”. Such a policy is often mandated by regulators in many countries. In India there is no Privacy law for the time being and the reference to data breach notification as a policy is available in ITA 2000/8 but not very specific.

We however consider that such a policy is part of the recommended “Good Practice” for all entities which want to build trust with their customers before picking up their data for any service. We also feel that such a practice will instill a sense of discipline amongst the Information Security Professionals in an organization. It is also envisaged that having a data breach notification practice will create a short circuiting of liabilities before they accumulate and blow up on a later day and hence should be of interest to Cyber Insurance Companies to suggest it as a mandatory practice.

Since Data Breach Notification Policy will be only of commercial interest, we intend to make it available on request at this point of time. Requests may be sent by email to Naavi indicating the organization for which it is expected to be used.