SBI takes one Step forward but falls short…in calling for a DPO application.

State Bank of India has become one of the first banks to call for applications for the appointment of a “Data Protection Officer”. It has recently released an advertisement calling for applications.

It is good to know that the Bank has recognized the need for an exclusive officer. But it is clear that this is driven more by the international demand from its branches outside India, which would have received notices from some supervisory authorities, than by a realization that data protection is a necessity of business.

The educational qualification indicated is

Basic: Graduation or its equivalent
Preferred Professional Certification:
Certified EU GDPR Foundation,
CIPP (Certified Information Privacy Professional),
CIPT (Certified Information Privacy Technologist),
CIPM (Certified Information Privacy Manager) etc

Post qualification work experience required is

Basic: Minimum 15 years’ post qualification work experience (as on 01.04.2020) as Executive/Supervisor in Corporate Sector, out of which at least 10 years’ experience should be in BFSI Sector.
Preferred: Experience in Data Privacy Laws & Regulations and other Data Security areas with associated IT skills.

The age restriction is 55 years and the appointment is contractual, for 2 years.

The special skills required have been indicated as follows:

• Highly developed specialist knowledge in the General Data Privacy Regulation underpinned by theory and experience.
• Evidence of continuing professional and/ or personal self- development.
• Expert knowledge of data privacy laws and practices.
• Exposure to Data Privacy laws & regulations such as General Data Protection Regulation (“GDPR”), UK Data Protection Act 1998 etc.
• Knowledge of Information lifecycle, risk management & data security areas.
• Extensive knowledge of Information Governance disciplines.
• Skill of interpretation of national guidance and legislation and subsequent local implementation.
• Flair for managing staff and implementing budgets. Training Delivery.
• Capacity to work with cross functional teams, attention to detail, organizational skills and multitasking.
• Strong management, motivational & leadership skills with ability to drive large change management programs within organizations.
• Ability to maintain confidentiality and deal with situations in a sensitive manner.
• Ability to communicate across all organizational boundaries in an appropriate manner.

In the above job description and indicated qualification, there is no mention of the Indian law for data protection either on the basis of the Information Technology Act 2000/8 or the proposed Data Protection Act.

However, we can presume that “etc” at various places includes the knowledge of Indian regulations and it will be taken into account when candidates are screened.

This is an indication that other Banks will also start thinking of such positions shortly and the career opportunities for “Data Protection Professionals” will start opening up.

Interested persons can visit this link and get more details.

Naavi


Book sale at Amazon and Pricing…

Amazon is considered one of the biggest book selling platforms and lists books for sale from many publishers and distributors. However, getting registered as a seller on Amazon involves certain formalities, and only authorized sellers can sell their wares on the platform.

I am sure that the contract between the seller and Amazon does include prohibition of infringement of copyright or sale of fake products etc. Amazon may claim that they do their due diligence which occasionally may fail. However even in such cases, they should respond when a complaint is received.

However, Amazon.in is not a Cyber Law Compliant organization in India and there is no grievance redressal officer as prescribed under Information Technology Act 2000/8 (Section 79) to whom a complaint can be easily addressed. There are help e-mails but all of them are directed to product buyers and any issues related to the purchase of the product.

I recently came across what I consider as a suspected fraud for which I am seeking the explanation of

1. Amazon.in

2.Notion Press, Chennai

3. Atlantic Publishers and Distributors, Delhi

4. Bookswagon

Of the above, Atlantic and Bookswagon are selling the book for which I hold the copyright and at a price different from what I have authorized the publisher M/s Notion Press.

Had these publishers taken permission from me or Notion press, and shared the royalty, then it would have been a valid transaction. However they have not.

I am waiting for the response from Notion Press, in particular from Mr Bhargava Adepalley, Naveen Valsakumar and Jana Pillay the Co-founders and also Amazon before coming to a conclusion about their involvement in this fraud.

Naavi

P.S: Since releasing the above note, I have received clarification from Notion Press as follows:

Notion Press has withdrawn paperback sales on Amazon temporarily because of the COVID lockdown, though they continue to take direct orders, for which the link is available here:

https://notionpress.com/read/personal-data-protection-act-of-india-pdpa-2020

Amazon has therefore opened up the paperback sales from Ingram distributors who are buying the international version and supplying it in India. These books are printed abroad and sent from there and hence the pricing is on international prices converted into INR. Notion Press has assured that the sales will be reported by Amazon in due course to Notion Press and royalty as applicable to international sales would be credited to the author’s account.

I am also informed that after Notion Press resumes supply to Amazon and Flipkart, the book’s local price would reflect.

I thank Mr Naveen Valsakumar, Co Founder and the team for providing me the clarification.

Had Amazon put a footnote that the paperback version is available from outside India when people log in from Amazon.in, this confusion could have been avoided.

I have made necessary edits in the first version of the post.

Naavi


Section 65B Questions answered

On 14th June 2020, we had a well attended webinar organized by the Cyber Society of India, on Section 65B of Indian Evidence Act. During the webinar, I made a brief presentation on the Techno Legal perspective of Electronic Evidence and Section 65B. It was followed by the talks from some other experts also.

During the discussions, several questions were raised by the participants. Some of them were answered by other experts during the webinar. However, I have collated the questions and provide my view on each of them.

Watch this video first:

| Sl No | Question | Response |
|---|---|---|
| 1 | As a forensic examiner of a particular digital material, does a 65B certificate need to be produced? | Yes |
| 2 | How will a person giving a 65B certificate for data which is not his own property verify the veracity of the digital data, and it becomes the evidence in the Court? | The Certificate is for what the certifier has seen in his computer. If your eye can see that a car was passing by in the street, you can give evidence that the car was passing by in the street. It need not be your property. |
| 3 | For physical/manual documents produced in the court as Documentary Evidence, no Certificate is insisted upon for relevancy and admissibility, but for electronic documents, why is it insisted upon notwithstanding its genuineness? What is the distinguishing feature in this? | An electronic document is a rendition of the devices. The real original electronic document is the binary stream. Hence the certificate is essential. |
| 4 | Can we interpret the screenshots from a mobile as admissible evidence, be it primary or secondary? | The screenshots are electronic documents that can be produced as evidence. The question of “Primary” and “Secondary” is redundant. The original is the binary stream stored in the memory card or the hardware memory of the device. It is not presentable as evidence since it is not humanly readable. |
| 5 | Does a 65B certificate demand a third party's or person's involvement in between the client and the Court? | The Certificate is provided at the request of one of the litigants to the litigant. The litigant presents it in the court, maybe under an affidavit. The certifier need not always be called in by the Court unless there is doubt whether a certificate has at all been issued by the said certifier or not. When present, the certifier can only confirm his signature and the fact that he has given that certificate. Any other oral deposition on the content is not admissible under Section 22A of the IEA. An expert under Section 45A of IEA may however interpret any of the contents and give his opinion. An ordinary certifier cannot. |
| 6 | Who can give a 65B Certificate: The applicability of the procedural requirement under Section 65B(4) of the Evidence Act of furnishing a certificate is to be applied only when such electronic evidence is produced by a person who is in a position to produce such certificate, being in control of the said device, and not of the opposite party. | Section 65B certificate is given for the production of the “Computer Output” as defined in Section 65B(1), not for the original capture or creation of the electronic document. Every time an electronic document is produced as evidence, a Section 65B certificate has to be produced. |
| 7 | Nowadays everything is an output of an electronic device. Is a 65B(4) certificate mandatory for all of those? | Yes |
| 8 | It seems this section needs a lot of interpretation in view of the individuals/advocates/Judges; this itself indicates that the section should be redefined in a simple way. | Technology law is always complicated if we do not understand technology and try to interpret it with our past knowledge. We must forget our current interpretation of Primary and Secondary documents and look at Section 65B without the coloured glasses of our current interpretation. |
| 9 | At what stage does the certificate have to be given? During the chargesheet or while tendering the evidence? | Preferably when the electronic document is first presented. With the permission of the Court, any time thereafter. |
| 10 | Let us assume this Zoom meeting is to be made electronic evidence. Who will give a certificate: the Zoom service provider, or the authority of Cyber Society? | Whoever is viewing the Zoom session in his computer can provide a certificate from his perspective of what he saw by capturing the electronic document. You can use a screenshot, or a recording if you can record. A recording has to be supplemented with a hash value. |
| 11 | PV Anwar has completely taken away the provision of 63/65 from Electronic Record, which Shafi Mohamad brings back. | Shafhi Mohamad is a two member bench and cannot bring back what the three member bench of PV Anvar has interpreted. The law has been there since 17th October 2000 and PV Anvar has only given the recent realization. |
| 12 | Can a person self certify when she/he is producing a document of a phone recording with the transcript, stating that it was received in their own smartphone and that it is always in their own possession? | Yes… but the quality of the evidence would be low as it can be considered as self serving evidence. |
| 13 | Whoever is giving a medical or some other Certificate can give their digital signature (encrypted document)… nobody can hack it… | Yes, if the document is issued in electronic form. |
| 14 | For a printout from LinkedIn regarding the profession and salary of an individual, should a certificate be given by the person taking the printout or by the LinkedIn office? | Person taking the printout |
| 15 | What is the necessity of electronic or digital signatures? | For authentication of an electronic document |
| 16 | If the CCTV footage is in the custody of the accused and he wants to produce the electronic evidence, who should produce the certificate? | He can get the CCTV footage viewed by a trusted third party who can give the certificate that the electronic document was present in the given form. The defence can argue that the document was in the custody of the accused and hence could have been tampered with. This does not affect what the certifier saw and certified. The Court can resolve this through a digital evidence examiner and forensic report. |
| 17 | We are giving footage as evidence for any crime that occurs… | Yes… should be given with Section 65B certificate |
| 18 | Is a 65(B) IEA certificate mandatory for the records received from Facebook through email? | Yes |
| 19 | All forms of evidence are verified and cloned or duplicated prior to investigation to ensure the integrity of the evidence. Computer forensic evidence plays a crucial role in the threat management life cycle, from incident response to high stake corporate litigation. | Contemporaneous certifications are required whenever the document is re-saved. |
| 20 | India Post established electronic post for quick and fast transmission. It also comes under electronic evidence. Here the document is transmitted from one terminal to another terminal, sent by the sender and received by the receiver. | In this case the document can be digitally signed by the postal authorities. A Section 65B certificate can also be given for producing the evidence of even the digitally signed electronic document. |
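The responses to questions 10 and 19 refer to supplementing a recording with a hash value and to fresh certification when a document is re-saved. The following Python sketch is an added illustration, not part of the original post: it records a SHA-256 hash at capture and shows that a bit-identical copy still matches while a re-saved file does not. The record fields, file names and certifier name are hypothetical, and the re-save is simulated by changing one byte.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file's raw bytes in chunks so large recordings need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def capture_record(path, certifier):
    """Details noted at capture time (hypothetical field names)."""
    return {
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_of(path),
        "recorded_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "certifier": certifier,
    }


def matches_record(path, record):
    """True only if the file is byte-for-byte what was hashed at capture."""
    return (os.path.getsize(path) == record["size_bytes"]
            and sha256_of(path) == record["sha256"])


def demo():
    """Run the check on constructed sample files in a temporary directory."""
    payload = b"CONSTRUCTED-RECORDING " + bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "session.rec")
        copy = os.path.join(d, "session_copy.rec")
        resaved = os.path.join(d, "session_resaved.rec")
        with open(original, "wb") as f:
            f.write(payload)
        record = capture_record(original, "A. Certifier (constructed)")
        with open(copy, "wb") as f:
            f.write(payload)              # bit-identical duplicate
        changed = bytearray(payload)
        changed[100] ^= 0x01              # assumption: a re-save alters at least one byte
        with open(resaved, "wb") as f:
            f.write(changed)
        return {
            "original": matches_record(original, record),
            "copy": matches_record(copy, record),
            "resaved": matches_record(resaved, record),
        }


if __name__ == "__main__":
    print(demo())
```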

If you have more questions, please send it by e-mail.

Naavi


Are Banks taking sufficient steps to protect their Employees?

During the Covid lockdown, apart from the Police and the Health workers who are being hailed as “Covid Warriors”, there is also another industry where the employees are keeping the services going despite the enormous risks that they are facing. That industry is “Banking”.

Banks have not closed down even during the severe lockdown conditions, and for some time there was alternate day working in some Banks. However, some banks have now started daily working, ignoring the risks posed to the employees.

Though Banks have digitized their operations and the branch transactions have reduced, some Banks appear not to be taking the measures required to ensure that employees and customers do not get infected by contact during physical banking transactions.

Even in places like Mumbai where the Corona infections are on the higher side, some Banks have not taken the necessary measures to curtail the footfalls in the Branches. Reserve Bank of India does not seem to have made any efforts to properly advise the Banks in this regard.

It is high time that customers are advised to make most of their transactions online and, where necessary, to contact the Branch manager through video calls.

The employees should be able to log in remotely from their residences to complete the routine transactions. Even the banking transactions can be done through the internet banking system with suitable modifications, where an authorized employee, with appropriate access controls based on biometrics, face recognition and digital signatures or e-sign, logs in to the banking system and conducts shadow transactions which can later be integrated with the CBS after a time delay.

It appears that in the last 3 months, no effort has been made either by REBIT or IDRBT to introduce such alternate secure methods by which employees can work from home.

The CBS software suppliers which include the  major Indian companies also could have worked out a supplementary interface which could enable secure log in to the system remotely without sacrificing the security aspects.

The lack of innovative initiatives from individual Banks and the RBI is disappointing.

In order to understand the preparedness of the Banks to meet a prolonged lockdown, Naavi.org would like to conduct a survey inviting responses from Banks and other professionals in the area to elicit the following kind of information.

I would be happy if the readers can submit the following information.

In this connection I am conducting an online survey and would like to know your responses for the following.


Naavi

Different Employee Types emerge during Covid

One of the interesting aspects of COVID 19 Lockdown is the emergence of new paradigms in HR. It appears that the HR practitioners need to re-skill themselves in several aspects of motivation and leadership as the established theories are getting outdated.

It is a fact that after three months lockdown as the industries open out, they are receiving an unexpected response from many employees who are preferring to continue the “Work From Home” (WFH) practice as a more long lasting practice. This has set the industries thinking on their long term strategies of employee engagement.

It is a fact that in the IT industry, productivity has not suffered much because of the lock down. Many individual employees have actually improved on their productivity and also achieved better work life balance.

The situation is not the same in manufacturing organizations or where a team effort is critical for creative output.

Also, there are people who enjoy the company of their family members and those who do not. This has also given rise to more domestic conflicts.

Nuclear families with responsibility to take care of children are in another peculiar situation, where the employers are calling the employees back to work while the schools are not ready for physical classes. Hence looking after the children is another reason why some employees do not want to return to work.

HR also has the problem of new recruitment and possible moonlighting by employees.

All these issues are besides the security issues which the security professionals are trying to address separately.

Legal departments are also struggling with their contracts with the customers and how to accommodate WFH into their contracts.

An interesting discussion was held by FDPPI under its Jnaanavardhini series of webinars on 10th June 2020 where a Behavioural science trainer discussed the HR issues arising out of the Covid.

In the coming days, we may have to classify our present and prospective employees who are technically skilled to use technology for work into two principal types, namely the “Lone Wolf” and the “Hunter in Pack”, or the “Family Type” and the “Company Type”.

The Lone Wolf will be happy to work from home and deliver. He may sleep up to 9.00 am, not shave, and work in shorts, but works up to 2.00 am in the night to finish the task given to him. As long as the task is well defined, he is happy to work alone. This is best suited for individual software employees who need to code.

The Hunter in Pack, however, needs peer nudging to activate his creativity and will go into depression if he is not with the team.

These attitudes may also reflect whether a person has a happy family to support him or depends on workplace facilities like the canteen, the gym etc.

A recruiter therefore has to design methods of identifying the type of employee and fit him into the corporate environment. The “Return to Workspace” option also has to be designed to meet the type of employee and the nature of his activities. Projects may have to be redefined as “Team Only”, “WFH compatible” etc.

The team leads also need to be comfortable with the different types of engaging with the team members. They have to be adept both in physical brain storming meetings as well as the virtual meetings.

Probably we need to design specific training programs to develop new “Virtual Leadership” capabilities which will help the leader to “Virtually Motivate” his employees into action.

These are new areas of research and perhaps we need to add to the current motivational and leadership theories.

There is also a challenge when we recruit somebody under the Covid conditions, train them up and later have to move back into the old system. Some of the people who are well entrenched in the current work-life balance will consider giving up their jobs solely because of the change, and there could be a new attrition challenge to address.

The software development companies will be critically hit in such migration from corporate work space to home workspace.

The trend is like the “Stockholm Syndrome” exhibited by kidnap victims, as more and more COVID lockdown victims start falling in love with the new paradigm of work. This could be both a threat and an opportunity for innovative HR professionals.

Exciting opportunities appear to lie ahead for HR managers who can think differently and adapt their skills to the new environment. Management schools have to look at “HR Management in a Virtual Environment” as a new area of specialization.

Let us keep our thoughts on this emerging area of learning which is as important as “Security or Privacy Management in a Virtual Environment”

Naavi


Logistics Companies…Jiomart Reliance Digital and Bluedart, Don’t ask for OTP

In recent days, I came across two instances where logistics companies used an OTP to get an acknowledgement of delivery. The first was the case of Reliance Digital or the Jio Mart. The second was BlueDart.

In both cases after the delivery, an OTP was sent to the customer and he was asked to reveal the OTP to the courier boy so that he would input the OTP from his mobile as confirmation of the delivery.

This goes against the general principle of caution that we try to educate the consumers with, that they should not share OTP with anybody.

If we develop this habit of courier boys asking for OTP, then we will be opening a new channel of fraud where the OTP may actually be sent just in time to carry out some fraud and the consumer may fall a victim.

I therefore request these big companies to stop this practice. They can however have some other way of obtaining the confirmation including the customer himself confirming receipt directly to the company.

If this practice is not stopped these companies will be indirectly responsible for such OTP stealing frauds if any.
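One way the "customer himself confirming receipt directly to the company" alternative could be built, as an added sketch that is not from the original post or from any of the companies named: the company issues a token bound to a single order and the single purpose of delivery confirmation, which the customer submits in the company's own app or site, so nothing is read out to the delivery person and the token is useless for any other transaction. The key, order IDs and function names are hypothetical.

```python
import hashlib
import hmac
import time

# Hypothetical server-side secret; constructed for this example only.
SERVER_KEY = b"constructed-demo-key-not-for-production"
PURPOSE = "delivery-confirm"   # the token is valid for this purpose and nothing else
TOKEN_TTL = 15 * 60            # seconds the customer has to confirm

_confirmed = set()             # stand-in for a database of confirmed order IDs


def _mac(order_id, expires):
    """MAC over purpose, order and expiry, so none of them can be swapped."""
    msg = f"{PURPOSE}|{order_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(order_id, now=None):
    """Created when the parcel is handed over; sent to the customer's own account."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    return f"{expires}.{_mac(order_id, expires)}"


def confirm_delivery(order_id, token, now=None):
    """Called by the customer's app or browser, never by the delivery person."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return "rejected: malformed token"
    expected = _mac(order_id, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "rejected: token not valid for this order"
    if now > expires:
        return "rejected: token expired"
    if order_id in _confirmed:
        return "rejected: already confirmed"
    _confirmed.add(order_id)
    return "confirmed"


if __name__ == "__main__":
    t = issue_token("ORD-1001")                 # constructed order ID
    print(confirm_delivery("ORD-2002", t))      # token reused on another order
    print(confirm_delivery("ORD-1001", t))      # customer confirms own order
    print(confirm_delivery("ORD-1001", t))      # replay of the same token
```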

Naavi
