More Banks notified as Protected systems

In October 2024, MeitY declared IOB, RBL Bank Ltd, IndusInd Bank Ltd, Federal Bank and Bank of Maharashtra as “Protected Systems” under ITA 2000.

Notifications:

IOB

RBL

IndusInd Bank

Federal Bank

Bank of Maharashtra

The implications are twofold.

Any access to such systems by anyone other than the permitted persons noted below is an offence punishable with imprisonment of up to 10 years.

Who can access

(a) any designated employee of the Bank authorised in writing by the Bank to access the protected system;
(b) any team member of contractual managed service provider or third-party vendor who have been authorised in writing by the Bank for need-based access; and
(c) any consultant, regulator, Government official, auditor and stakeholder authorised in writing by the Bank on case-to-case basis.

Any other person accessing the system will be liable to imprisonment of up to 10 years.

Further, under Section 70(4), “the Central Government shall prescribe the information security practices and procedures for such protected system” (inserted vide ITAA 2008).

Additionally, the Information Security Practices and Procedures for Protected System Rules notified on 22nd May 2018 apply to such systems.

Hopefully each of the Banks will comply with the directions contained in the 22nd May 2018 security rules.

Naavi

P.S.: For the record, we note that

  1. CAMS was also notified on 2nd February 2024. It is better known as a Registrar handling securities.
  2. KFin Technologies Private Limited was also notified on 1st February 2024.
  3. NIA was notified on 26th February 2024.
Posted in Cyber Law

Digital Arrest and Cyber hypnosis

In recent days the menace of “Digital Arrest” scams has assumed alarming proportions. There are instances of people losing crores of rupees to this scam, and some of these matters are coming up for discussion in the Courts.

Naavi has been a long-time student of “hypnotism” and has attributed to hypnotic suggestion some of the otherwise illogical behaviour of cyber crime victims, such as the children who succumbed to the Blue Whale game; he has also offered a similar analysis of old people succumbing to phishing frauds.

The time has come to look once again at the science of hypnosis and ask whether a form of “Cyber Hypnosis” can explain some of the irrational behaviour of victims of Digital Arrest.

Aged persons living alone are psychologically vulnerable to friendly suggestions, even from strangers. People with dissociative identity disorder, and people with a history of childhood abuse or other trauma, could be more vulnerable than others to falling prey to cyber hypnosis.

The traditional theory of hypnosis holds that the human brain has a subconscious part which the hypnotist awakens and establishes contact with, while putting part of the conscious mind, including its rational faculty, to sleep. As a result the hypnotist is able to give suggestions that the subject finds difficult to ignore, and the subject becomes a puppet doing what is suggested.

In this state of “trance”, the individual's ability to take rational decisions is sidelined, and therefore any contractual commitments made during that time are invalid. It is like a person in an intoxicated state of mind, or one who is occasionally insane, being held not to satisfy the conditions of “free consent” for a contract.

The fact that two Banks recently were able to identify this state in a customer and talk him out of the fraud indicates that the state can be recognised by an alert bystander, much as a person in a hypnotic trance exhibits a blank stare that looks out of the ordinary.

It is therefore necessary for the law to recognise that a contract entered into under this trance is not a valid contract.

It is a fact that in digital transactions the Bank which executes the instructions of such a customer may not find it easy to identify the abnormality of the situation. But if the amount involved is large and not commensurate with the usual habit of the customer, the “Adaptive Authentication” mandated by RBI requires the Banker to treat the transaction as one requiring caution. Failing to do so should be considered “Negligence”.
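As an added illustration (not part of the original post, and not the text of any RBI direction or any bank's actual rule set) of what the “adaptive authentication” check described above can look like in code: the bank scores the instruction against the customer's own transaction habit and escalates an out-of-pattern transfer to a large, never-before-used beneficiary to a hold and a call-back instead of executing it. The history, payee names, multipliers and score thresholds are all assumptions made for the example.

```python
# Added illustration (not RBI's text, not any bank's production rules): a
# risk-scoring step that an "adaptive authentication" layer can run before
# executing a customer-initiated transfer. The history, payees, multipliers
# and thresholds below are constructed for the example and are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Transfer:
    ts: datetime
    amount: float      # rupees
    payee: str         # beneficiary identifier


@dataclass
class RiskDecision:
    score: int
    reasons: list
    action: str        # "allow", "step_up" (extra authentication) or "hold" (call-back)


def assess(history, proposed):
    """Score `proposed` against the customer's own past transfers.

    The exact weights are assumed; the point is that the bank compares the
    instruction with the customer's habit rather than only checking that
    the credentials and OTP were correct.
    """
    score, reasons = 0, []
    past_amounts = [t.amount for t in history]

    if past_amounts:
        typical = median(past_amounts)
        if proposed.amount > 10 * typical:
            score += 3
            reasons.append(f"amount {proposed.amount:.0f} is over 10x the typical {typical:.0f}")
        elif proposed.amount > 3 * typical:
            score += 1
            reasons.append(f"amount {proposed.amount:.0f} is over 3x the typical {typical:.0f}")

    if proposed.payee not in {t.payee for t in history}:
        score += 2
        reasons.append(f"first-ever transfer to payee {proposed.payee}")

    # Velocity: several transfers within 24 hours is itself unusual for a
    # retail customer and is a common pattern when a victim is being walked
    # through draining an account step by step.
    recent = [t for t in history if timedelta(0) <= proposed.ts - t.ts <= timedelta(hours=24)]
    if len(recent) >= 3:
        score += 1
        reasons.append(f"{len(recent)} transfers already made in the last 24h")

    if score >= 5:
        action = "hold"        # do not execute; a human calls the customer back
    elif score >= 2:
        action = "step_up"     # require a second factor / out-of-band confirmation
    else:
        action = "allow"
    return RiskDecision(score, reasons, action)


def sample_history():
    """Constructed history: modest, regular payments to a few known payees."""
    base = datetime(2024, 10, 1, 10, 0)
    amounts = [2500, 4000, 3200, 6000, 1800, 5000, 2900, 7500]
    payees = ["grocer", "landlord", "grocer", "pharmacy", "grocer", "landlord", "pharmacy", "school"]
    return [Transfer(base + timedelta(days=3 * i), float(a), p)
            for i, (a, p) in enumerate(zip(amounts, payees))]


def evaluate(amount, payee, when=None):
    """Convenience wrapper: score one proposed transfer against sample_history()."""
    when = when or datetime(2024, 11, 1, 11, 0)
    return assess(sample_history(), Transfer(when, float(amount), payee))


if __name__ == "__main__":
    for amount, payee in [(3000, "grocer"), (30000, "new-payee"), (2_500_000, "unknown-acct")]:
        d = evaluate(amount, payee)
        print(f"{amount:>10} -> {payee:<13} {d.action:8} score={d.score}  {'; '.join(d.reasons)}")
```

Run as a script it prints three decisions: a routine payment to a known payee is allowed, a moderately larger payment to a new payee is pushed to step-up authentication, and a transfer of ₹25 lakh to an unknown account is held for a call-back, which is the intervention the two Banks mentioned above made by hand. The bank's records already contain everything the check needs; what the check adds is a reason for a human to talk to the customer before the money leaves.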

There is no doubt that the Bank on the fraudster's side is directly involved in the fraud, as the fraudster's banker with an apparent failure of KYC. The Bank at the customer's end, being part of the banking chain, cannot fully absolve itself of responsibility for the money laundering in this type of fraud.

Since the victim's privity of contract is with the Bank at his end, it is natural that relief to the customer should come from that Bank, which can later recover the money from the bank at the fraudster's end. This is an extension of the “contributory negligence” and “intermediary responsibility” for which Banks should be held liable.

This should be the jurisprudence in matters relating to Digital Arrest, and I hope the Courts take cognizance of this menace of “Cyber Hypnotism” and provide appropriate relief to the victims.

Naavi

Posted in Cyber Law

IDPS 2024 concludes

The two-day Indian Data Protection Summit 2024 came to a successful conclusion with the valedictory function, where Dr Bharat Panchal of Bhima Sugam gave the valedictory address. Mr Abhishek Solanki, senior scientist from CERT-In, was a guest of honour along with Mr Yashvantha Kumar of the Cyber Crime Division, Bangalore, and Dr A Nagaratna of NLSIU.

During the two days, more than 56 speakers participated in the program, including 13 from outside the country. The 8 keynotes, 7 panel discussions and 4 Focus Group discussions made the conference a wholesome event. With excellent organizational support from KLE, and the special efforts of Suresh Balepur and Ashok Kini in managing the hospitality, the event was memorable.

The publication of the book “DGPSI-The Perfect Prescription for DPDPA compliance” during the event marked a significant development in FDPPI's efforts to facilitate DPDPA compliance in the industry. Hopefully this will also prove a significant milestone in the development of data protection compliance in India.

This set of twin books serves the purpose of providing information on Privacy as a fundamental right, the DPDPA as an Act, the governance aspects of data protection, and a practitioner's guide for implementation and audit. Though the rules under DPDPA are yet to be notified, the DGPSI booklet serves for the present as a jurisprudential exposition that tries to identify how each of the DPDPA provisions may be implemented.

A detailed report of the event will be available later, and the registered delegates will also get a link to the videos when they are published online.

Naavi

Posted in Cyber Law

Welcome to IDPS 2024

Posted in Cyber Law

The Lawyers perspective of DPDPA and the Nachiketa Debate

Yesterday, I had an opportunity to experience the perspective of law students on the DPDPA at the Moot Court Competition held by KLE Law College, which discussed the issues of a data breach, how lawyers could argue such an incident in Court in the days to come, and how the Judges may react.

I am not fully aware of the problem statement, but it was clear that it involved a Government-sector website providing medical services, where a breach of customers' personal data occurred through an AI algorithm used by the payment gateway. The arguments centred on the compensation payable to the individuals whose personal data was lost and on the liability of the website.

It was good to see the many interpretations of the provisions of the Act presented by the students, which reflected the investment they had made in understanding this new law.

However, many of these interpretations appeared to need correction, as otherwise the data protection jurisprudence may get corrupted in the near future.

In particular, it was amusing to see the tendency of the community to use the Section 35 exemption of Government officials from personal prosecution as a ground to ask for the section to be scrapped, as Section 66A of ITA 2000 was.

We have repeatedly pointed out that this decision of the Supreme Court arose from a misinterpretation of the term “transmission” of electronic information as “publishing” of electronic information, and from a desire of the Supreme Court to show its power by scrapping the provision instead of helping to clarify it through a “reading down” of the provision.

Law students should realize that their glory lies not in scrapping a law enacted by Parliament but in bringing clarity to the law. Even the prayer to the Courts in such cases should be for improving the system rather than bringing it down. Perhaps even the Courts need to appreciate this.

The community appears to be misinterpreting DPDPA, focusing on criticism of the administrative powers of the DPB rather than on the basic objective of the Act. Some students were also drawing the objectives of GDPR into the interpretation of the Act without understanding its applicability. The community appeared unable to appreciate that DPDPA is a compliance-oriented law and has to work together with ITA 2000 for personal remedy. It was surprising that in the discussions nobody remembered the remedy available under Section 46 of ITA 2000 for the victims of a data breach, while the power of the court to grant compensation in such cases was recalled from the Bhopal Gas tragedy.

It is interesting to note that during next week's IDPS 2024 we will be discussing “Adjudication as a remedy for Data Breach Compensation” in a keynote, as well as the “Grievance redressal mechanism” in a focused group discussion. I hope the legal community will benefit from these discussions.

We need a “Nachiketa debate” on DPDPA with the Judiciary to ensure that neither DPDPA nor any of its provisions gets scrapped, but that the Judiciary instead assists in improving the interpretation of the Act.

Naavi

Posted in Cyber Law

Transform Privacy Policy Disclosure to Offer Format

DPDPA 2023 expects “Consent” to be the legal basis for processing personal data. Consent requires a contract between the data principal and the data fiduciary, and a contract is a combination of an “Offer” and an “Acceptance”.

What we normally find on websites today is a “Privacy Policy”, a declaration by the organization that this is what it does to protect your privacy. This is in the form of a “Disclosure”.

When the disclosure is presented as an “Offer” and is confirmed as “Accepted”, the “Consent” is actualized. This leads to the data principal providing the necessary information, and to the data processor processing the data as per that consent.

Perhaps, to put DPDPA 2023 into a proper compliance framework, we need to change the “Disclosure” format of the Privacy Policy to an “Offer” format of Notice.

One of the implementation challenges is to make the consent contract non-repudiable with proper authentication. ITA 2000 indicates that the authentication of an electronic document is valid only if it is supported by a digital/electronic signature. As a result, to enable a “Perfect Consent”, the Privacy Notice has to be accepted with an electronic signature. Since not all data principals have a digital signature, Aadhaar-based e-Sign is an option to explore. If, however, e-Sign has to be used for every consent, withdrawal of consent, modification of consent and so on, it will be an expensive proposition for the data fiduciary.

How does DGPSI try to address this? Or how should MeitY facilitate this? That is a point for debate.

Let us discuss your views on this at IDPS 2024 in Bengaluru, on November 30 and December 1.

Register today at www.idps2024.in

Posted in Cyber Law