Crisis Management…An Essential Skill of a DPO

The Corona crisis is opening the eyes of administrators to the problems one faces in a situation of crisis. “Damned if you do and damned if you don't” is the kind of response administrators get from the people around them.

A similar crisis often confronts a DPO when the organization faces a “Data Breach”. Suddenly the media will pounce on you, the data subjects will bombard you with e-mails, the DPA will send you a notice, the CEO will shout, your peers will say “I told you so”, the cyber insurance company will send a notice, the customers will start reminding you of the indemnity clauses, the CFO goes nuts… and, like the German minister who committed suicide because he could not face the economic crisis created by COVID-19, the DPO will suddenly face a situation that could push any weak person into depression and resignation.

If the DPO speaks out without proper information, he could raise the panic levels. If he says anything wrong, he can face liability for misleading people… the problems appear endless.

The DPO in such a situation has to manage the internal and external communications and at the same time initiate the necessary corrective actions and maintain the morale of customers, data subjects and co-workers alike. This requires a special skill and maturity that most DPOs of the day have not been tested for. We know that our DPO carries various knowledge-based certifications and has put in years of service in reputed organizations, but we do not know how he may crumble when, despite his honest and tireless work, he is accused by everybody of not being able to prevent the data breach and, more importantly, of not being able to prevent information about the data breach from leaking to the media.

“Crisis Management Skill” is therefore an essential requisite of a good DPO.

“Crisis” by definition is an “unexpected” event of disruptive proportions, exceeding the “risk estimates” that are normally considered for mitigation. It carries an existential threat to the organization and requires an out-of-the-box solution to stem the adverse effect quickly.

No amount of policies and procedures would help unless the essence of such policies is ingrained in the thinking process of the DPO. Just as an aircraft pilot faced with an imminent crash cannot think of reading through a voluminous manual and has to take an immediate decision on what to do next, the DPO has to take a quick decision, often without any consultation with his superiors.

This calls for a “decision making” skill, which is part of being a good leader. To be able to make a reasonable decision within one's capabilities, one has to remain calm and not panic. If the DPO panics, he reduces whatever decision-making skill he may actually have. Many drivers who panic in an accident situation press the accelerator instead of the brake and cause more harm than they would have had they simply taken their foot off the pedal, even without pressing the brake.

“Crisis prevention” is definitely a strategy to remember, and all our information security measures and data protection regulations are aimed at preventing a crisis from developing. But some day, somewhere, we may face a situation where the risk mitigation efforts have failed and the crisis has emerged.

The question before us then is how we handle the post-crisis situation.

The first step in post-crisis handling is to identify and control those within and outside the organization who would only worsen the crisis by demoralizing everybody around them. Hence the DPO should learn to identify such elements and ignore them. The management should also recognize the possibility that all those who were inimical to the DPO will now take their daggers out and start accusing the DPO. Hence a “Disaster Committee” has to be formed, with the CEO and the DPO involved in every decision.

The second step is to ensure that no misinformation is spread. At the same time the organization should avoid both false denials and sweeping the problem under the carpet. Measured communication to the stakeholders is of utmost importance. Setting up a disaster information centre as the single point of contact for the public to learn the impact of the disaster is also essential to prevent rumours from spreading. Since the DPO's e-mail could be flooded in such a scenario, immediate technical measures are needed to distribute the load to a back-end support team that sifts the queries and develops standard, approved responses.

If necessary, the employees of the organization must be locked down, in the sense that they should be prevented by a strict order from communicating with the outside world about the crisis, whether or not somebody cries out “freedom of speech” or “privacy”. In a crisis situation, the employees' rights of freedom of speech or privacy have to take a back seat.

It is only after such fire-fighting is attended to that one can focus on analysing the root cause, preventing further damage, making an impact assessment, reporting to regulators, etc.

To summarize, the requirements are

a) Stay calm and avoid panic

b) Lock down the systems and people from creating further damage

c) Set up a disaster center with a small number of decision makers like the CEO and DPO with support staff

d) Maintain balanced communication to the stakeholders without deception or speculation

e) Ensure a single point information dissemination center to prevent rumors spreading

It is only after these preliminary efforts that we can take up “Data Breach Notification”, “Forensic Analysis” etc., which are all necessary but need to be prioritized, bearing in mind that statutory notification clocks, where they apply, start running from the moment the breach is discovered, so the preliminary phase has to be short.

Decisive leadership skills, including team building, taking tough decisions, absorbing personal risks, not being afraid of failure, etc., will be required, besides the ingrained knowledge and culture that enables the DPO to respond in the right direction even in his sleep.

At the end of it all, one can try to draw lessons from the crisis and share them as a knowledge base to address similar situations in future, including prevention and monitoring. While we do recommend “sanctions” for most data breach incidents, a crisis sometimes requires a fresh look, since it may often happen that the standard sanctions would require most employees to resign and leave, which may not be the solution for building a resilient organization for the future.

Recognizing this need, Naavi has designed the “Certified Expert Data Protection Professional” program to include a module on the behavioural skills required for a DPO. This will be part of FDPPI's plans for extending the current knowledge modules, namely Module-I (Indian Laws), Module-G (Global Laws) and Module-T (Technology). The other two modules, namely Module-A (Audit) and Module-B (Behavioural Skills), represent skills to be cultivated before somebody can be called an “Expert” data protection professional.

At present Naavi's Cyber Law College, in association with FDPPI, is still building the base module, Module-I, which focuses on the knowledge part of Indian regulations. Though behavioural skills and audit skills are also touched upon in the base module, they will be expanded in the coming days into independent modules.

Naavi

Posted in Cyber Law

To Be a Leader?… or To Be a Follower?

It is always a dilemma for every professional to decide what is more comfortable… to choose to be a leader, or to be happy being a follower?

Obviously, if everyone were a leader there would be chaos. So nature has decided that not all would aspire to be the leader. It is also good for the leader that, when he occupies the leadership position, there will be some ready to stand in the next line.

A true leader is like an explorer. He often meets challenging situations which others have not seen. He can make mistakes and even get hurt. But as long as he is pursuing the right path, exercising due diligence and is capable of standing up again if he falls, he is sure to reach the destination ahead of others.

These leadership qualities are necessary for professionals who want to carve out a new path of progress for themselves which nobody else has so far pursued.

The above reflections appear appropriate at this point of time, as the undersigned pursues the creation of a new set of leading professionals in India who can hold the mantle of “Data Protection Professional”.

The course which leads to the conferring of the title “Certified Data Protection Professional” by FDPPI, the leading data protection organization in India, is set to create another batch of qualified professionals who will be aware of the law which India is adopting for personal data protection.

Though some professionals are as lethargic as they have always been and would like to wait… and wait… until the law descends upon them and then scramble to acquire the knowledge, a set of forward-looking professionals have decided to start their learning today.

There is no doubt that we are looking at a dynamic law, and it will change in time, not only because the final Act will adopt some changes from the Bill which is currently being discussed, but also with the changing perceptions in the environment: What is privacy? How can privacy be protected by personal data protection? What should be the rights of the data owners? What should be the obligations of the data handlers? What exemptions should be given to industry and the Government?… and so on.

FDPPI ensures that all those who now opt to take up the certification course will be provided guidance to make them aware of any changes that may occur in the law when the Act is passed.

So the professionals who are currently pursuing the course, the second batch of which will commence (online) on April 4th, will be the early torch bearers of the knowledge of the Personal Data Protection Act as it unfolds in India.

We welcome all these early adopters who would be the foundation members of the Data Protection Professional community in India.

(P.S: Contact Naavi for more details)

Naavi

Posted in Cyber Law

Certified Data Protection Professional Course to be accelerated

The course on Certified Data Protection Professional (CDPP), being conducted with virtual classes from Naavi, was planned to be conducted over 6 weeks, with one session each on Saturdays and Sundays starting from April 4th.

In view of the lockdown conditions in the country, with most professionals working from home, it has been decided to complete the course of 12 sessions over 3 weeks instead of 6, by conducting two sessions per day on Saturdays and Sundays: April 4, 5, 11, 12, 18 and 19.

The sessions will be conducted between 11.00 AM and 12.30 PM and between 3.00 PM and 4.30 PM on these days.

This program will be called Module-I, which covers the Indian laws regarding data protection. This is the foundation module for all data protection professionals. In the coming days, FDPPI will be conducting additional modules such as Module-G (Global Laws, including GDPR), Module-T (Technology for Data Protection), Module-A (Data Audit) and Module-B (Behavioural Skills for DPOs).

FDPPI welcomes professionals interested in entering the data protection domain to make use of this opportunity to upgrade their skills and knowledge, and to be ready before companies start looking for professionals with the right attitude, knowledge and skills to take over responsibility as DPOs.

Naavi

Posted in Cyber Law

Work From Home Undertaking

In continuation of the discussions on Work From Home requirements, and in keeping with the spirit of CLCC (Cyber Law Compliance Center), we are adding a draft employee undertaking that is recommended to be taken for work-from-home implementations.

Suggestions are welcome. FDPPI is also working on refining the undertaking as may be required.

The Undertaking suggested is as follows:

Quote

Employee Undertaking for Work From Home provided to ………. (The Company)

I, …………………………………………., working as ………………………………………….. at ……………………………………… hereby undertake as follows.

Whereas

- a pandemic situation has arisen with the outbreak of the COVID-19 virus,

-the Government of India has placed certain restrictions on the movement of people in the general interest of public safety,

– the requirement to work from home has arisen out of a public safety requirement,

– the Company has proposed that I shall be allowed to continue to work from home without physically attending the office,

– I, as an employee of the Company, am responsible for the conduct of my activities in complete support of the information security requirements adopted by the Company, both as part of the legal compliance requirements and as industry best practice,

In consideration of the Company agreeing to permit me to work from home and to continue to pay my emoluments as if I were working from the premises of the Company, as I was hitherto doing,

I voluntarily agree and confirm that I am in receipt of a copy of the “Work From Home Rules 2020” (WFH Rules), enclosed as Schedule I, and have understood and hereby agree to faithfully follow the instructions contained therein.

In compliance with the WFH Rules, during the period this undertaking is in force, I agree that:

    1. I shall perform my Company work only using the designated computer systems recommended by the Company, particulars of which are available under Schedule II;
    2. I agree to consider the designated system(s) mentioned in Schedule II as belonging to the Company, whether the hardware was purchased by the Company or by myself, and they will be considered part of the extended computer network of the Company;
    3. the designated systems will be used in a physical environment which will be considered the “Extended Office Space” of the Company;
    4. the Company may monitor my activities on the system as part of its information security requirements;
    5. the Company may audit my physical and computer facilities as it finds necessary;
    6. I will personally undertake the responsibility of maintaining the physical, logical and data security measures in respect of the use of the designated systems that are required to meet the obligations of the Company to its customers and the regulatory authorities;
    7. I undertake that I shall not use any unlicensed software on the device for carrying on any activities of the Company;
    8. I shall at all times be available for communication through e-mail: …….. and mobile number …………… and authorize the Company to contact me;
    9. in the event that I need any clarification on any of the above, I shall get in touch with the designated coordinator of the Company at e-mail: ………………………………….;
    10. in the event that I contravene any part of this undertaking, I shall be liable for disciplinary action as per the policy of the Company.

This undertaking shall be operative immediately, and shall remain in force until it is cancelled by the Company and the cancellation is acknowledged through e-mail or otherwise.

Signed by:

On:

Witness:

Enclosures:

Schedule I: Work from home procedure 2020

Schedule II: Details of designated systems for use by the employee

Unquote

Posted in Cyber Law

Security in a Work From Home situation

The current crisis created by the Corona virus and the lockdown has forced most companies to permit their IT workers to work from home. This has simultaneously created issues in meeting the security requirements related to operations and in the policy corrections that need to be made. The two are interrelated.

Some of the large companies had already enabled BYOD on their networks. Some of them might also have moved to a Zero Trust architecture, linking access to device identity and user identity, possibly with multi-factor authentication. Such companies have allowed the registered devices (laptops or desktops) to be carried home so that they can log on to the corporate network as securely as before, except that they will be coming in over public internet access instead of the internal network. In a Zero Trust model this is exactly the situation the architecture is designed for, since the network the device sits on is not what grants it access.

However, there is a need to ensure that the working environment within the house is as secure as it can be, as per the physical security policies the organization would currently be adopting. There is no physical guard to prevent entry of unauthorised persons into the work room, no guarantee that the worker has not allowed his friends to look over his shoulder at what he is doing, and no guarantee that his home network has not been compromised in some manner.

Some of these issues have to be controlled by making the employee responsible for physical security, as if he were the guard himself. An undertaking to this effect has to be taken, along with the awareness training required to make the individual realize that the company is today an “aggregation of each of its employees”, and that each work unit is the employee and his working computer along with its surroundings.

Every employee should be asked to take a video of the surroundings in which he works and register it with the company.

The company may declare that the surroundings in which the person works are the “work place” and “belong to the company”. The work space therefore becomes the extended work space of the organization, and the employee continues to work within the “premises”. The only difference is that the “premises” have disintegrated and moved to different locations.

In a way, the “virtualization” concept gets redefined: the work space surrounding the virtual data space is itself virtualized.

If possible, the Company should incorporate this in the Work From Home (WFH) Policy.

The company should also declare in the WFH policy that, until further notice, the employee would be the IS manager for his work environment and would be personally responsible for any data breach arising out of his negligence.

In order to enable the individual to understand his IS role, immediate training on the broad requirements of the employee in his extended role should be provided.

If the working person and the work place are secured from intrusion, then device security can be handled through appropriate software that creates secure connectivity and also enables the centralized IS team to audit each device remotely, to ensure that the individual has not tampered with the configuration set by the company. In practice this is the job of an endpoint management or device-posture agent, and the access decision itself can be made to depend on the agent reporting an unmodified configuration.
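The following is an added example, not code from the original post, that ties together the two ideas above: the Zero Trust access decision that links user identity (proven with MFA) to device identity, and the remote configuration audit that checks the device has not been tampered with. The baseline settings, the device registry, the user names and the request records are all constructed for illustration; a real deployment would take them from the identity provider and the endpoint management system. Note that the source address is recorded but never consulted, which is the point of not trusting the network.

```python
"""Zero Trust access decision for a work-from-home client (added example).

Not code from the original post: it only illustrates the idea that access is
granted on user identity (proven with MFA), device identity (a device the
company registered) and device posture (a remotely audited configuration that
still matches the company baseline).  Network location is deliberately not a
factor, so a home broadband address is treated exactly like the office LAN.
All identifiers, fields and sample records below are constructed.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Baseline configuration the company pushed to every registered device.
BASELINE_CONFIG = {
    "disk_encryption": True,
    "firewall": True,
    "screen_lock_seconds": 300,
    "edr_agent": "running",
    "os_patch_level": "2020-03",
}


def config_hash(config: dict) -> str:
    """Hash of the canonical JSON form, so key order does not matter."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def drifted_keys(baseline: dict, reported: dict) -> list:
    """Settings whose reported value differs from (or is missing in) the baseline."""
    keys = set(baseline) | set(reported)
    return sorted(k for k in keys if baseline.get(k) != reported.get(k))


# Device registry: which user each device was issued to, whether enrolment is
# still active, and the configuration hash the device is expected to report.
DEVICE_REGISTRY = {
    "LT-0042": {"owner": "asha", "enrolled": True,
                "expected_hash": config_hash(BASELINE_CONFIG)},
    "LT-0077": {"owner": "ravi", "enrolled": False,      # enrolment revoked
                "expected_hash": config_hash(BASELINE_CONFIG)},
}


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    device_id: str
    reported_config: dict
    source_ip: str  # logged for forensics, never used in the decision


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Allow only when every identity and posture check passes."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user identity not proven with MFA")
    dev = DEVICE_REGISTRY.get(req.device_id)
    if dev is None:
        reasons.append(f"device {req.device_id} is not registered")
    else:
        if not dev["enrolled"]:
            reasons.append(f"device {req.device_id} enrolment revoked")
        if dev["owner"] != req.user:
            reasons.append(f"device {req.device_id} is issued to {dev['owner']}")
        if config_hash(req.reported_config) != dev["expected_hash"]:
            drift = drifted_keys(BASELINE_CONFIG, req.reported_config)
            reasons.append("configuration drift in: " + ", ".join(drift))
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Compliant registered laptop from a home connection: allowed.
    ok = AccessRequest("asha", True, "LT-0042", dict(BASELINE_CONFIG), "49.207.1.10")
    # Same laptop after the user disabled the screen lock: denied, drift named.
    drift = dict(BASELINE_CONFIG, screen_lock_seconds=0)
    bad = AccessRequest("asha", True, "LT-0042", drift, "49.207.1.10")
    # Unknown personal PC plugged into the office LAN: still denied.
    rogue = AccessRequest("asha", True, "PC-HOME", dict(BASELINE_CONFIG), "10.0.0.15")
    for r in (ok, bad, rogue):
        print(r.device_id, evaluate(r))
```

The drift list is what the central IS team would want in the audit log: not just "posture failed" but which setting the employee changed. Hashing the canonical configuration keeps the comparison cheap on the server side while the agent still ships the full settings so the drift can be explained.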

If the devices used have audio and video capabilities, the security agent could be enabled to audit the environment by randomly taking a snap of the employee and listening to sounds captured by the device, to ensure that no third party is shoulder surfing.

Yes… this is spying on the employee… not permitted under normal privacy considerations… but essential in the extraordinary circumstances in which we are now functioning.

Comments?….

Naavi

Posted in Cyber Law

Meeting the COVID Crisis

The crisis created by the Corona virus in corporate circles has put the BCP processes of these organizations to the test, and it appears that most companies have not come out of it with any degree of success.

So far, companies thought that BCP issues would arise only when there is a fire or flood; they were unprepared for the situation that has developed now.

Some organizations have resolved the issue by resorting to Work From Home (WFH), which is good enough for certain types of operations. But wherever there is a concern that the WFH facility may cause a security compromise, the companies are stuck in their own policy constraints.

In order to meet the current situation, policies had to be tweaked to allow the desktops of most employees to be packed and taken home, so that any security tagged to the device identity could continue to be used along with the operator identity.

Had homomorphic encryption been tested and installed earlier, perhaps some companies could have made use of that environment, so that the data would remain protected even while being processed remotely; the remote machine would work on ciphertexts and the results would be decrypted only by the data owner. The caveat is that fully homomorphic schemes remain slow, and what is practical today is mostly the partially homomorphic kind that supports a limited set of operations. Otherwise virtualized environments are the best approximation.
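To make concrete what "processing data that stays encrypted" means, here is an added example that is not code from the original post: a small Paillier cryptosystem, which is additively homomorphic. The data owner encrypts the values, the remote side (a home worker's machine, say) adds and scales the ciphertexts without ever holding the private key, and the owner decrypts the single aggregate. The primes are constructed toy values of about 2^30 each and the code is for illustration only; a real deployment would use 2048-bit or larger moduli from a vetted library, and even then the scheme supports only addition and multiplication by known constants.

```python
"""Additively homomorphic encryption (Paillier) as a remote-processing demo.

Added example, not code from the original post.  The owner holds the private
key; the "remote processor" only ever sees ciphertexts, yet can compute a
weighted total of the hidden values.  Toy primes, for illustration only.
"""
from math import gcd
import secrets

# Constructed toy primes (about 2^30 each); far too small for real use.
P = 1_000_000_007
Q = 1_000_000_009


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int = P, q: int = Q):
    """Public key n; private key (lambda, mu).  Uses the simplified g = n + 1."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)          # modular inverse of lambda mod n
    return n, (lam, mu)


def encrypt(n: int, m: int) -> int:
    """E(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def decrypt(n: int, priv, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


# Operations the remote processor can perform with only the public key.
def add_encrypted(n: int, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 is an encryption of a + b."""
    return (c1 * c2) % (n * n)


def scale_encrypted(n: int, c: int, k: int) -> int:
    """E(a)^k mod n^2 is an encryption of k * a for a plaintext constant k."""
    return pow(c, k, n * n)


def encrypted_weighted_total(n: int, ciphertexts, weights) -> int:
    """Sum of weight_i * value_i, computed entirely on ciphertexts."""
    acc = encrypt(n, 0)           # fresh E(0) so the result is re-randomised
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(n, acc, scale_encrypted(n, c, w))
    return acc


def owner_side_total(values, weights) -> int:
    """Owner encrypts, remote side aggregates, owner decrypts the one result."""
    n, priv = keygen()
    ciphertexts = [encrypt(n, v) for v in values]      # leaves the owner
    total_ct = encrypted_weighted_total(n, ciphertexts, weights)  # remote work
    return decrypt(n, priv, total_ct)                  # back with the owner


if __name__ == "__main__":
    n, priv = keygen()
    c1, c2 = encrypt(n, 42), encrypt(n, 42)
    print("same plaintext, different ciphertexts:", c1 != c2)
    print("weighted total:", owner_side_total([120, 300, 45], [2, 3, 1]))
```

Two properties matter for the remote-processing argument: the processor learns nothing from the ciphertexts (each encryption is randomised, so even equal inputs look different), and it can still do useful arithmetic on them. What it cannot do is arbitrary computation, which is why the text's hedge about virtualized environments being the practical fallback stands.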

Some organizations could have hardened their security to prevent exfiltration of confidential data. But as in all such cases, the possibility of shoulder surfing in the home environment always exists, and hence data security is not perfect. In such cases the distributed model of information security responsibility envisaged under PDPSI (Personal Data Protection Standard of India) could come in handy.

While technology people may be able to find some workable solutions, what may pose hurdles in implementation is the need for policy changes to be approved both internally and by their customers, releasing them from the indemnity obligations which are likely to be in the contracts.

Internally, there has to be a special “WFH Data Security Policy” which imposes responsibilities on the employee not only for the functional aspects of his/her work but also for data security. A remote audit mechanism* may also have to be designed.

As regards contracts with customers, the government notifications issued for WFH may be considered the basis on which the force majeure clause can be invoked. Under this provision, the contractual obligations can be modified to a reasonable extent. It may be better if a “Disaster Policy” document is drawn up as part of the “Legitimate Interest Policy” of the organization. But a notice may have to be issued to the clients to avoid complications. A notice applicable to data subjects should also be displayed on the websites, so that the dilution of compliance can be justified as a temporary measure.

Draft policies for some of the above purposes could be prepared by industry leaders for the benefit of all companies.

Naavi

*(One such remote audit program had been structured by the undersigned for HIPAA compliance by home-based medical transcription workers several years ago, when the privacy and security issues were not as grave as they are now.)

Posted in Cyber Law