

Building a Responsible Cyber Society…Since 1998

Data Breach Report within 60 minutes

Posted by Vijayashankar Na on July 4, 2013
Posted in HIPAA, Privacy

Reporting of data breach incidents has been one of the most contentious aspects of the HITECH Act provisions. The initial provisions on data breach notification were kept in abeyance for nearly two years, predictably because the industry did not want to expose its failures to the public. Hence the mandatory disclosures to be made on the website of the company, on the website of the regulator and in the newspapers were all resented. However, the US regulators have been firm on the data breach notification norm.

In the recently proposed rule on health insurance exchanges released in the US, it is stated that a data breach should be reported to the HHS within one hour of its identification, and this has raised a lot of eyebrows about the feasibility of such reporting. (Report)

This proposed rule sets forth financial integrity and oversight standards with respect to Affordable Insurance Exchanges; Qualified Health Plan (QHP) issuers in Federally facilitated Exchanges (FFEs); and States with regard to the operation of risk adjustment and reinsurance programs. Comments from the public have been invited until July 19, 2013.

Data breach reporting is an essential part of information security management at the industry level, but the concerns of the industry need to be understood in the proper perspective. Quick reporting of a data breach has its advantages at the industry level, since similar breaches in other organizations can sometimes be prevented by timely action by the regulator. For this purpose the “One Hour Rule” must be considered good.

However, it is necessary to understand that the dissemination of “Potential/Suspected Breach information” needs to be kept within the regulator until the exact nature and extent of the breach is ascertained. The regulator may initiate corrective action if necessary, but without disclosing the identity of the victim organization. Once the regulator confirms on its own, through preliminary examination of the evidence, that the “Potential/Suspected Breach” is a “Real Breach”, the formal disclosure measures may be initiated.

It is therefore necessary for HHS to introduce a simple “Potential/Suspected Data Breach Notification Scheme” to implement the One Hour Rule. It is possible that there will be many false alarms in the process, but the industry should be given the confidence that “False Alarms” will be properly identified and closed without reputational damage being caused to the organization.

Let’s hope that HHS will take this industry demand into consideration and issue the necessary modified guidelines.


The controversy surrounding the PRISM program of the US Government, under which the US intelligence agency intercepted the communications of billions of foreigners, took a twist today with the Hong Kong Government virtually accusing the US Government of hacking.

The whistleblower Mr Snowden, who had first made the US program public, was known to be in Hong Kong, and the US Government had issued a request for his arrest. However, it is now learnt that he has been allowed to move out of Hong Kong to a safer country, and the Hong Kong Government has issued a press release stating that he was allowed to leave since the US request for arrest did not meet its legal requirements.

A copy of the press release issued by the Hong Kong Government in this connection is available here.

What is interesting is that the Hong Kong Government has stated in the press release as follows:

“Meanwhile, the HKSAR Government has formally written to the US Government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by US government agencies. The HKSAR Government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong.”

This appears to be a veiled threat that international legal action may be initiated against the US Government if necessary. It may also indicate the stand some other governments will take. In India, perhaps the Government will await the Supreme Court judgement on the related PIL before taking any stand.


Aadhar Cards sent by ordinary post

Posted by Vijayashankar Na on March 6, 2013
Posted in Cyber Crime, Cyber Law, Privacy

Aadhar numbers are being issued by the Government of India as a once-in-a-lifetime identification number for a resident of the country. Many consider this “Sensitive Personal Information”, as it is going to be linked with bank accounts and several other vital activities of an individual.

If the Aadhar number falls into the wrong hands, it has the potential to be misused.

UIDAI maintains that “Aadhar” is only a “Number” and that the document they send is not a “Card”. It is a number which can be quoted to a service provider such as a bank, and the bank can use it to identify the individual not because of his possession of the Aadhar card, but with the use of his biometric. This means that every time the Aadhar ID is to be used, the individual has to provide his biometric (such as a fingerprint), and the user has to make a query to the UIDAI database to confirm “Is this the ID of Mr…? Yes or No”. The database is expected to reply either Yes or No.

However, in practice, and more so since the verification mechanism is unlikely to be available for some time, the Aadhar paper (let us call it a Card, though UIDAI would maintain that it is not a “Card”) will be used by the public as a photo ID. It is likely to be used for all and sundry applications, including railway ticket booking, bank accounts, etc.

Under these circumstances, I was shocked and surprised that my cards were delivered to me today by the postal department through ordinary mail. The covers carried a stamp of only Rs 5 and had not even been gummed. They were left by the postman in the letter box on my compound. Though UIDAI had taken my mobile number, they did not alert me that the cards were being delivered.

If this mode of delivery is being used routinely, the cards being lost and misused on a large scale is a certainty.

The Government of India owes an explanation for this callous way of handling the delivery of the Aadhar card. If the card is lost in transit, will Aadhar issue duplicate cards? If not, must people manage without a “Card” while some unknown person has the card in his possession and uses it as an ID?


Mobile Framework for E Governance

Posted by Vijayashankar Na on March 5, 2013
Posted in Cyber Law, Privacy, Uncategorized

The Government of India has announced a mobile governance framework to make use of the increasing mobile usage in the country. It is estimated that there are 870 million mobile users to whom the Government aims to provide access to e-Governance services.

The detailed framework is available here:

One of the key components of the framework is the creation of “Mobile Services Delivery Gateway” (MSDG) which will be a shared infrastructure for both Central and State Governments.

The MSDG will ensure that content is deliverable to different kinds of devices, including landlines, basic mobile devices, smart phones, tablets, laptops, etc. A Mobile Application Store (m-apps) and APIs will also be developed.

It is also proposed that an authentication system based on Aadhaar will be developed.

A mobile payment gateway will also be part of this infrastructure.

Interesting days are ahead for mobile users and service providers.

The framework does not specifically speak of any information security measures, and we have to wait and see how data security will be addressed.


Cooperative banks need to gear up to Internet Banking

Posted by Vijayashankar Na on February 19, 2013
Posted in Cyber Crime, Privacy, RBI

The discussion paper on Disincentivisation of Cheques issued by RBI indicates a hard policy push towards the use of e-banking in the form of Internet banking and ATMs.

Many of the Cooperative Banks and Regional Rural Banks may not have an Internet banking facility at present. Given what RBI implies, these banks have to introduce Internet banking quickly, since their customers will find it difficult to issue or receive cheques from their own clients once this introduces a higher cost element to the transactions.

This will be a serious challenge not only to the IT departments but also to the manpower training departments of these banks, which must ensure that the banks are adequately prepared for the change. If they delay the transition, their business may suffer.


Naavi.org has finalized its first response to the RBI discussion paper on Disincentivisation of Cheques, released by RBI on 31st January 2013.

A copy of the response is available here:


Public comments can be sent up to 28th February 2013 by email to: chequeusage@rbi.org.in

A copy of the discussion paper is available here.

Earlier posts at Naavi.org so far are available here:


I urge the public to go through the notes and send their own comments to RBI.

It is to be noted that the discussion is aimed at withdrawing some banking facilities from people who are presently not on the Internet banking system. Such people may not even see the discussion note. So far only a few business newspapers have carried the news about this proposal. Language newspapers and TV media are yet to bring this to the notice of the public.

People who view this note should remember that you and I may not be very adversely affected by the notification. But there are senior citizens, pensioners, villagers and many, many small enterprises, traders, professionals, etc. who need to know what RBI is up to and how their current right to bank with cash and cheque is being affected by the proposals.

I therefore request all of you to pass on this information to others who are not likely to have noticed this discussion paper.

Please inform consumer organizations, your friends in the press and ask them to highlight the issue.

If you know any parliamentarians, please draw their attention.

Remember that a similar attempt in the UK was withdrawn after the public raised objections. The Government of the UK has given a public assurance that cheques will be continued as long as customers want them.

The issue here is not to discourage electronic banking. But today e-banking has too many risks. Cyber frauds are on the increase. The US has provided a statutory limitation of customer liability for cyber frauds at US$50. In India, RBI has asked banks to obtain insurance and bear the liability themselves. However, in this discussion paper there is an attempt to put words in the mouth of RBI, as if cyber fraud losses are to be borne by the customers. This is the mischief some of the banks with a high incidence of cyber frauds are playing on the general public.

There is a lot RBI needs to do to shore up e-banking security. Even the measures it has already suggested have been ignored by most banks. There is a crisis of regulatory control for RBI over the banks. The Damodaran Committee report on Customer Service, which was customer friendly, has not been notified. In its place this highly anti-consumer proposal is being put up.

Public-spirited advocates need to take up the issue through a PIL in the Supreme Court, since the tenor of the discussion paper is against the basic character of banking in law and is beyond the powers of RBI to tamper with.

Naavi will continue to post further clarifications and opinions on this matter on the website, but what matters is action in the physical space. Please contribute your might to the same. This is a test of how an assault on the physical space mounted from cyberspace will be countered by the community.
