Meeting the COVID Crisis

The crisis created by the Corona virus in corporate circles has put the BCP processes in these organizations to the test, and it appears that most companies have not been able to come out with any degree of success.

So far, companies thought that BCP issues will arise only when there is a fire or flood but they were unprepared for the situation that has developed now.

Some organizations have resolved the issue by resorting to Work From Home (WFH) which is good enough for certain types of operations. But wherever there is a security concern of the WFH facility causing a compromise, the companies are stuck in their own policy constraints.

In order to meet the current situation, the policies had to be tweaked so that the desktops of most of the employees could be packed and taken home, allowing any security which was tagged to the device identity to be used along with the operator identity.

Had the system of homomorphic encryption been tested and installed earlier, perhaps some companies could have made use of that environment so that data security could be protected when data is processed remotely. Otherwise, virtualized environments are the best approximation.

Some organizations could have hardened the security to prevent exfiltration of data which may be confidential. But as in all such cases, the possibility of shoulder surfing in the home environment always exists and hence the data security is not perfect. In such cases the distributed model of information security responsibility envisaged under the PDPSI (Personal Data Protection Standard of India) could come in handy.

While technology people may be able to find some workable solutions, what may pose hurdles in implementation could be the need for policy changes to be approved both internally and by their customers, releasing them from the indemnity obligations which are likely to be there in the contracts.

Internally there has to be a special “WFH Data Security Policy” which takes care of imposing responsibilities on the employee for not only the functional aspects of his/her work but also for the data security. A remote audit mechanism* may also have to be designed.

As regards contracts with customers, the government notifications issued for WFH may be considered as the basis on which the Force Majeure clause can be invoked. Under this provision, the contractual obligations can be modified to a reasonable extent. It may be better if a “Disaster Policy” document is drawn up as part of the “Legitimate Interest Policy” of the organization. But a notice may have to be issued to the clients to avoid complications. A notice applicable to data subjects should also be displayed on the websites so that dilution of compliance can be justified as a temporary measure.

Draft policies for some of the above purposes may be drafted by industry leaders for the benefit of all companies.

Naavi

*(One such remote audit program had been structured by the undersigned for HIPAA compliance by home-based medical transcription workers several years ago, when the Privacy and Security issues were not as grave as they are now)


Request the Parliamentary committee on Personal Data Protection Bill to use Virtual Meetings

With the entire world being disrupted by the outbreak of COVID 19, there is a diversion of Government attention to the immediate task of fighting the menace of the Virus. Since the Virus seems to have threatened even the Parliament members, it would not be surprising if the Government takes steps to curtail the Parliament session and defer some of the activities.

It was expected that the Joint Parliamentary Committee would hold its consultations during the next two months and prepare the bill for final passing into an Act. One can expect that this activity might be delayed unless the JPC adopts a “Virtual Meeting” mode as the entire industry is doing.

If the JPC takes this step, it would be a path breaking decision in the history of the Indian legislative system.

I would urge the JPC to take this bold step so that passing of the PDPA does not get delayed on account of the Corona Virus. The Indian Corporate world already has access to the virtual meetings and it is time for the legislature also to move in this direction.

The proceedings can be recorded and even certified under Section 65B of the Indian Evidence Act, as suggested under www.odrglobal.in where a working model for such remote meetings has been presented.

What we need is an effective virtual conferencing platform, supported by an identity verification system which can use the digital signature or e-Sign, and a recording of the proceedings. The MeitY and NIC are more than capable of making such arrangements immediately.

What may be required is to include such “Virtual Meeting with identification of participants and Section 65B certified recording of the proceedings” as acceptable procedure for such meetings under the Parliamentary procedures/guidelines.

I request the Chairperson of the JPC Mrs Meenakshi Lekhi to take up the matter with the Government and the Speaker to initiate this progressive method of meeting which can come to use not only now with the Corona issue in the background but also in future for speeding up similar proceedings.

Indian law permits such meetings…What is required is for the Parliamentarians to show the will to defeat Corona with the power of the Internet…

The Chairperson of JPC could go down in history as a reformer who initiated this change in the Indian Parliamentary system… if…this becomes a reality.

…Who knows…this could be the forerunner for the Virtual parliamentary attendance in future…

Naavi

Also read: Karnataka High Court introduces video conferencing.


Will COAI and IAMAI rise to mitigating the Covid 19 risk?

Organizations like COAI and IAMAI are associations of business organizations with the basic objective of working towards the benefit of the industry which their members represent.

In the current context, the Corona threat has quarantined the entire population at home, and the entire activity of connecting to the internet has shifted from the dedicated broadband cables and satellite connections to personal WiFi connections and mobile internet service.

It is obvious that the bandwidth in this segment will choke and also create security issues.

At this time, the IAMAI and COAI have to come up with their own contribution on how to increase the bandwidth and ensure security and convenience. They should increase the usage limits and also reduce the marginal cost.

Corporates who may have surplus bandwidth should think of sharing it with public WiFi hotspots, using security with which they are familiar.

I hope these organizations try to fulfill these responsibilities.

The DOT has to ensure that this widening of the personal internet bandwidth and data packages happens immediately.

Recently IAMAI pursued a Supreme Court case just to facilitate money laundering through Bitcoin exchanges and COAI has raised objections on some data collection exercise that the DOT is undertaking to verify the call drop problems. Instead of wasting their energies on such anti Government activities, these associations should focus more on positive contribution they can make to the society at this hour of crisis.

Naavi


Webinar on Personal Data Protection Bill 2019

ISACA, Bangalore Chapter has organized an online program on Personal Data Protection Bill 2019.

The session would be conducted by Naavi between 5.30 pm and 7.30 pm today the 21st March 2020 and the topic would be “Auditing Privacy Protection through Data Protection”.

The session would be conducted on Zoom and will carry CPE credits.

Naavi


Certified Data Protection Professionals from FDPPI receive their Certificates

 

The first Certificates of the CDPP course conducted in December 2019-February 2010 were given to Mr Durai Kannaiyan and Mr Nikhil Ranjan Nayak in a function in Chennai on 14th March 2020, by the honourable guests Justice K.N. Basha (Former Judge of Madras High Court) and M.P. Mr P. Wilson (Current Member of Rajyasabha).

They were two of the nine persons who successfully completed the certification program. Two others are from Mumbai and five others are from Bangalore.

The successful candidates were:

M/S Durai Kanniyan, Nikhil Ranjan Nayak from Chennai, Mr Anil Chiplunkar and Bondiah Adepu from Mumbai, Mr Suresh Balepur, Rajesh Kumar, Vasanthika Srinath, Suma Nagraja and V.K.Jyothi from Bangalore.

Cyber Law College, which was the training partner for the program, and FDPPI convey their hearty congratulations to all these professionals who got certified through the rigorous certification program conducted over a three-month period under the supervision of Sri Na.Vijayashankar (Naavi), Chairman of FDPPI and the Director of Cyber Law College.

Naavi


CEAC adopts a new system of Section 65B Certification

It may be recalled that on 17th January 2017, the High Court of Madhya Pradesh came up with a concept of “Contemporaneous Certificate” for production of Section 65B Certified electronic documents to the Court, in the case of Sharadendu Tiwari Vs Ajay Arjun Singh (17th January 2017). Accordingly, when an electronic document is converted from one form to another and stored, a Section 65B certificate will be required to authenticate each stage of such conversion. As long as the chain of these contemporaneous certificates is maintained properly, the last document is as good as the original for the purpose of admissibility.

Using this principle, CEAC (Cyber Evidence Archival Center), which is a pioneer in the production of Section 65B certified electronic documents, has decided to introduce the following system for distribution of the certificates.

Accordingly, when CEAC observes any electronic document and creates a computer output as per Section 65B of the Indian Evidence Act for admissibility, the same would be stored in the CEAC Dropbox under secure access for the person who requests the certificate. The certificate can then be viewed and downloaded by the authorized person. The uploaded document will carry the Section 65B certificate from CEAC. The authorized person would create his own Section 65B certificate and produce it in a Court when required.

This system has been introduced since, in some cases, the signatory of a Section 65B certificate may be summoned by a Court just to confirm if the certificate has indeed been issued by him. The certifier, having already added the details of how the observation was made in the certificate itself, has nothing more to add to the document as a witness. But this would involve additional cost to be incurred by the person who presents the document in the Court.

In the new system, the need to summon the CEAC official to the Court would not arise except under very special circumstances.

Naavi
