PDPA Risk Insurance

India is on the threshold of a new legislation called the Personal Data Protection Act (PDPA-2020). One of the most striking features of this legislation is that organizations processing “Personal Data” in any form, including Government departments, will hereafter have to worry about a new kind of financial liability: the risk of being fined by the Data Protection Authority for “Non Compliance of the provisions of the Act”.

While the organizations that process personal data need to be ready with the knowledge and preparations for staying compliant with the law, one solution that every personal data fiduciary/processor in India would be looking forward to is an insurance policy under which they could get themselves covered.

It could be argued that the administrative fines arising from non-compliance with PDPA 2020 are a consequential loss of running the business and hence are technically covered under the current business-related insurance policies.

However, since the PDPA administrative fines were not envisaged when those policies were underwritten, and the amount involved could be as high as 4% of the global turnover of the company, it is difficult for the insurance companies to treat the risk as covered unless a fresh endorsement is made and an additional premium collected.

The organization will therefore have to take a view on which risks are to be insured under PDPA: whether to restrict cover to the first party risk of administrative fines, or to include the third party risk of paying compensation to the data principals.

The Insurance companies also need to structure a policy that suits the requirements of the PDPA.

We are certain that the insurance companies in India are far from structuring a policy for PDPA risk coverage, and it is possible that they will look to the West for re-insurance terms before they start underwriting the risks.

PDPA risk coverage will be complex because the underlying asset is personal data, which is intangible, goes through a life cycle of varying value, has unclear ownership, and produces losses that are difficult to estimate. The fines arise if there is negligence in implementing PDPA compliance, and whether the insurance companies relish insuring negligence is a moot point.

Maybe there is a lot to debate in this field, and the discussions have just started.

Naavi

Posted in Cyber Law

Print Version of the book on Personal Data Protection Act by Naavi

Naavi.org is glad to announce that the print version of the book Personal Data Protection Act (PDPA 2020), written by Naavi based on the Bill presently before the Parliament, will be available shortly.

The book is released now, before the passage of the Act, with the objective of making some reading material available to the Parliamentarians who will be discussing the Bill for passage, and also to all those who have to present their views to the Parliamentary Committee.

The book is being released in the next couple of days by the publishers at a market price of Rs 600/-.

A limited number of copies will be made available to Naavi.org followers at a pre-order discounted price of Rs 450/-. This is a limited period offer and is available on request. The exact modalities of how the discount will be passed on will be provided to those who want to avail of the offer.

This offer would also be available to all the students of Cyber Law College who have taken the courses through Cyber Law College or Apnacourse.com.

Requests may be sent by e-mail to naavi@naavi.org with the subject line “PDPA2020”.

Naavi

Calling attention of the Chief Minister of Karnataka and The Commissioner of Police

It has been reported yesterday that several robberies took place on the Nice Road. One of the persons who met the victims has filed the following report:

Quote:

Guys, there was an attempted robbery at knife point on me at Nice road a couple of hours ago. Thankfully, I could escape in time or I’d have lost everything.
After me, the thieves have robbed 6 more people in the same stretch. One couple going on an Activa, one couple going on a Pulsar AS200 and one family going in a car. The thieves had longs, daggers and sharp knives and other lethal weapons.

Multiple phones, debit and credit cards, gold ornaments have been stolen from those 3 other cases. Their vehicles have been damaged and their keys were thrown off as soon as they stopped them to rob them.

One guy has assault marks on his face, one girl was slapped hard, one more guy was at knife point while the girl with him escaped to the opposite side to shout for help.

I ripped and escaped from them and came to Hosur toll and informed authorities. Highway Patrol was sent out and the thieves were searched but in vain.

By the time I was done reporting this incident at the toll, the other 2 couples came in and reported their incidents. While we were talking to the authorities, live news came in saying that a car glass was shattered using a long and the family was robbed.

All of us are at Electronic City police station right now to lodge FIRs on our respective incidents. Nobody is injured. All are safe. Only one guy was bleeding from his nose and head but it was minor.

This is to inform you all to be safe and DO NOT travel on NICE road at night. I have tweeted to Ashok Kheny on the safety measures and have informed my lawyer on the same. If at all any legal proceedings happen, I will keep you all updated.

I’m safe, the bike is safe, just in the nick of time and sheer luck and thinking.

Be careful…

Unquote:

This is a serious law and order situation that needs to be addressed by the Police and the Government immediately. The Karnataka High Court should take cognizance of the incident and order immediate remedial action.

The Nice Road is gated at both ends and there is CCTV surveillance at the entrance and exit. It is a “Private Road” owned and operated by a company, and the entire responsibility for the incident should be borne by the owners. It is necessary for the Police to immediately arrest Mr Ashok Kheny and hold him responsible.

The robbery could not have taken place without the connivance of the staff at either end of the tolls and all the staff members who manned the relevant gates should be questioned.

It is possible for the public to boycott Nice Road but this will create more traffic problems within the city.

Hence the Government should immediately take over the Nice Road from private management, cancelling the maintenance contract, and take the necessary security measures, including setting up police pickets at frequent intervals and CCTVs throughout the road with proper lighting.

The High Court normally favours the contractor in such cases, but it should take a citizen-centric decision in ensuring that the contractor is held responsible.

If somebody can file a PIL in this regard, it is welcome.

Will watch the developments to see how the Police handles this issue.

Naavi

Breach Candy data breach incident could be the “I Love You” moment

In India, we are 20 years into the period since civil liabilities arising out of Cyber Crimes became legally enforceable through a process of Adjudication. Since then, victims of Cyber Crimes have been searching for Cyber Crime insurance. In June 2001, the RBI mandated that Banks should hold insurance against losses arising out of hacking, denial of access etc. However, it was not until the last few years that individuals in India could take Cyber Insurance policies. Corporates had been offered cyber insurance policies a few years earlier, covering both first party and third party losses.

The industry is however still far below the state of maturity that is acceptable to the consumers in the country. To put it mildly the policies are constructed without an adequate risk assessment and consumers may be left feeling that the risk coverage is far less than what they would expect at the given premium.

The reasons could be many. For a long time the insurance industry could say that the law was inadequate, the judicial system was ill equipped, crime metrics were not available, the risks were too huge to be covered etc. But these excuses are not unique to Cyber Risks. Such risks have been there in every field and the industry has found ways and means to address them. What has been lacking is the willingness of the insurance industry to take the plunge.

In such a fluid state, the new Act, namely the Personal Data Protection Act (PDPA), will come into operation shortly and cause disruption of unprecedented magnitude in the industry in the coming days.

The data breach reported at the Breach Candy hospital in Mumbai, where 1 million patient records and 120 million medical images have been breached, has jolted the health care industry. Most prudent managements would like to know what their liabilities could be in such cases after PDPA comes into force. The impact of this breach will extend beyond the health care industry and affect other industries as well.

In India the possibility of individual patients making a claim for loss arising out of the data breach may still be low. Most individuals cannot quantify the loss, and their claims would therefore look arbitrary. However, the Data Protection Authority (DPA) in such cases can easily impose an administrative penalty which at a minimum could be Rs 15 crores, given the sensitivity of the information and the volume of the breach.

There is however a possibility that thousands of patients who have ever undergone any treatment in Breach Candy hospital may send out e-mails to exercise their “Right to information” and ask whether their personal information has been breached. They may also ask for porting of their information, including their medical profile, back to them for better safety, and for erasure of the data in the hands of the hospital. Insurance companies may be fishing for information that would help them reject claims of some of their customers or rework their premium upwards based on the leaked information.

Acknowledging and answering such e-mails and resolving the disputes without creating another “Bhopal Tragedy type litigation in the Courts” will require a new “Dispute Resolution Company” to be set up by the Breach Candy hospital.

In all this confusion, there would be a doubt as to whether the leaked data is in fact the correct data. Many phishing fraudsters would come up with their own versions of fraud to further cheat the victims of the data breach in their own innovative manner. All the patients of the Breach Candy hospital may receive e-mails from fraudsters offering them help in getting compensation, and this could itself lead to identity theft and further banking frauds.

Mumbai police have to warn the public about such a possibility.

It is obvious that society cannot let an incident of this type run riot and damage the business of private hospitals. What has happened today to Breach Candy hospital can happen to Apollo tomorrow and Fortis the day after. The community should therefore ensure that this type of incident is treated like a disaster: definitely unwanted, but something that needs to be faced with courage and pragmatism.

The Insurance industry has a big role in finding a way forward for how we face such data breaches, both in the current legal regime before PDPA and after PDPA comes into existence. Currently it is the duty of CERT-In to investigate and find out why and how this breach happened and how it can be prevented in future. The Ministry of Health has come up with guidelines on EHR management, and the protocols used for storing medical images are supposed to be a global standard. It is possible that Breach Candy hospital had implemented Privacy and Information Security standards equivalent to HIPAA requirements.

It is clear that these measures have not helped in preventing the breach. It is possible that the root cause of the breach was not a sophisticated hack but only simple password-related negligence or lack of encryption. The reasons should be analysed and lessons learnt.

If all hospitals now rush to get Cyber Insurance covers, the insurance companies need to be able to respond positively. But in writing any policy at this time, they need to take into account the emerging PDPA law that may be in place in the next few months. Hence, what these insurance companies need to offer is the first version of a “Post PDPA Cyber Insurance Policy”.

For an industry which is still struggling to structure policies for the 20 year old Cyber Crime risks, the challenge of writing a policy for PDPA risks would be almost impossible, at least for now. The Indian companies may only look to the re-insurers abroad and structure their policies based on what the re-insurers suggest. This may take time and may continue to be deficient in meeting the requirements.

The IRDAI should therefore step in and form an expert committee of the Insurance industry to study the impact of PDPA on the Insurance products and draw up a specific PDPA Risk coverage policy template, much the way RBI set up the S R Mittal working group in 2000 immediately after ITA 2000 was notified, which came up with the Internet Banking guidelines in June 2001.

Other sectoral regulators should also take cognizance of the emerging law and within their own sectors come up with PDPA related codes and practices that could be adopted by the DPA when it comes into existence.

The process of understanding the law and coming up with a set of suggestions is a time consuming affair. Hence these sectoral managers should start their action now rather than waiting until the Government passes the Bill, appoints a DPA, and the DPA in turn sets up its office and is ready to issue guidelines of its own.

It is to enable such introspection within each industry that the undersigned published his book on PDPA which is presently in e-book format and shortly would be available in print form too. Hopefully the industry would be equally concerned in starting their compliance exercise without any excuses.

When the Information Technology Bill 1999 was introduced in the Parliament in December 1999, Naavi had released his first book on Cyber Law, titled “Cyber Laws for Every Netizens”, with the hope that it would help the legislators while passing the law. It is with a similar objective that the book on PDPA has been released, though many may feel that it is premature to read the law before it actually gets passed. Even in 1999, the Bill was languishing in the standing committee and nobody was sure when it would be passed. But suddenly a virus called “I Love You” hit the global scene, the standing committee woke up, and the law got passed in a hurry.

It appears that the Breach Candy incident will be a similar jolt to the Ministry which may ensure that the Bill gets passed in the current budget session as planned.

If that happens, we can say “I Love You Breach Candy”, because something good can happen to the community as a result of this mishap.

There is a wise saying that “It is not the way we fall that matters, but the way we get up”. This applies to the Breach Candy hospital as well as the regulators and the legislators who are considering the passage of the Bill.

Naavi

Breach Candy data breach may expedite passage of Personal Data Protection Act

According to the news reports published today, over 120 million medical images and 1 million medical records of Indian patients got exposed due to a cyber incident. The records have been made available online freely by the attackers.

The records compromised included patient records, scans and images with details such as the name of the patient, their date of birth, the national ID, the name of the medical institution, their medical history, physician names and other details that are meant to be confidential.

The incident is believed to have occurred due to the compromise of industry protocol for medical image storage and could have resulted from compromise of passwords of authorized persons.

While this sort of incident could be termed a privacy infringement and the hospital could be liable for a claim of damages from the affected patients, had the PDPA (Personal Data Protection Act) been in place (it is expected to be in place shortly), a hefty penalty could have been imposed on the hospital by the Data Protection Authority.

For the time being the Breach Candy hospital may escape liability, but just as the “I Love You” virus expedited the passing of the Information Technology Act in 2000, the Breach Candy leak could expedite the passage of the PDPA Bill presently in the Parliament.

Naavi

Also refer: Economic times article

A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

As the Personal Data Protection Act of India (PDPA2020) gets ready to make an entry into the Indian legal landscape, the Insurance industry is looking up to the new opportunities that are being opened up by the law. Following the recent global trend, the penalties under PDPA 2020 are set at 2% or 4% of the global turnover of an organization depending on the type of offence. Even Government departments could face penalties up to Rs 5 crores. Hence the industry would be desperately looking to cover the PDPA risks.

The Cyber Insurance industry was extremely lethargic when it came to the introduction of insurance covers for Cyber Crimes. India came up with laws on Cyber Crimes, creating liabilities for organizations arising out of Cyber Crimes, way back in 2000 with the ITA 2000. The amendments in 2008 increased the responsibilities of intermediaries in IT services. The RBI, way back in 2001, suggested that banks cover the hacking and denial of service risks with cyber insurance. However the Insurance industry could not come up with proper insurance covers until recently. Personal cyber insurance policies in particular came on the scene only during the last few years and are yet to be popularized.

Cyber Insurance policies basically cover the first party risks where the insured suffers loss of data, loss of production, loss of intellectual property or reputation loss. With Ransomware on the prowl, payment of ransom is also covered by some of the policies. Additionally, third party risks involving claims of damages by personal data owners on account of a cyber attack are also covered in these policies. Some policies which cover employee misconduct or technical errors are also often called Cyber Insurance policies, though they differ from Cyber Crime Insurance policies in concept and risk coverage. The policies issued to corporates are largely based on the reputation of the organization. It is unclear to what extent the “Security Status” of an organization is factored in when the premium is fixed for such policies.

In 2015, when Naavi.org conducted a national survey to understand Cyber Insurance preparedness in India, the results showed very little involvement of Cyber Security professionals in the determination of Cyber Insurance coverage in companies. It appears that the situation has changed for the better recently, since some insurance companies are now claiming that they look at the security preparedness of an organisation, such as whether the organization has an “ISMS policy”, whether an IS audit has been conducted, etc.

Even before the Cyber Insurance products reach a level of acceptable maturity, the PDPA 2020 will usher in a new era in Information Security that will need a fresh look at Insuring PDPA Risks.

One of the first challenges that PDPA brings in is that it takes the financial liability risks to a far higher level when the insured asset is “Personal Data” of individuals as against “Business Data” or “IPR data”. Theoretically the risks can go up to 4% of the global turnover, and any insurance for a lesser amount would amount to “Under insurance”.

The second challenge is to identify the “Insurable Asset” for which an effective “Data Classification” policy and implementation mechanism should be present in the organization.

The third challenge is to track the “Personal Data” in an organization through its “Life Cycle”, during which its insurable value may fluctuate. As “Raw Data” becomes “Personal Data” and then migrates to the state of “Sensitive Personal Data”, its insurable value changes. Similarly, the personal data life cycle is “Reversible”, and the insurable value may change when sensitive personal data is de-sensitized, de-identified, pseudonymized or destroyed. When the life cycle of personal data is reversed, there would be costs to be incurred for each change of status, but the market value of the data may actually decline. When reverse life cycle operations are implemented, the end result could be of lesser or zero value, but the operation has a cost which the insured would like to identify as the “Cost of Maintenance of Personal Data”. Will this be a “relevant cost” for insuring? Will the change in value of the data as it moves between different life cycle stages get reflected in the valuation of personal data, either at the time of insuring or when a claim is to be assessed?

When the PDPA risks are to be computed for the purpose of underwriting, it must be remembered that liabilities for administrative fines may arise even when there is no data breach. Hence the Insurance industry may have to assess its risks based on what steps the insured has initiated for mitigation of risks. Such steps include the “Maintenance of Personal Data” and the policies of anonymization and de-identification/pseudonymization, besides the usual policies such as access control, encryption, a data breach incident identification and reporting system, a grievance redressal system, the conduct of DPIA, appointment of a DPO, etc.
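To make the “reversible life cycle” of the previous paragraphs and the de-identification/pseudonymization steps listed above concrete, here is a small illustration. It is added here and is not code from Naavi.org or from any insurer or data fiduciary. It tags a record with a life-cycle stage from the fields it still carries, pseudonymizes it reversibly through a separately held token vault, and de-identifies it one-way; the field names, stage names and the sample patient record are constructed assumptions for illustration only, not anything laid down by the Act.

```python
"""Added example (not Naavi.org code): modelling the reversible life cycle of
personal data. Field names, stage names and the sample record are constructed
assumptions for illustration."""
import hashlib
import secrets

# Constructed assumption: which fields identify a person and which are sensitive.
IDENTIFIERS = ("name", "date_of_birth", "national_id")
SENSITIVE = ("medical_history", "scan_image_ref")


def classify(record):
    """Return the life-cycle stage implied by the fields present in the record."""
    direct = any(f in record for f in IDENTIFIERS)
    sensitive = any(f in record for f in SENSITIVE)
    if direct:
        return "SENSITIVE_PERSONAL" if sensitive else "PERSONAL"
    if "pseudonym" in record:
        return "PSEUDONYMISED"      # reversible only with the vault
    return "DE_IDENTIFIED"          # no route back to the individual


class Vault:
    """Holds pseudonym -> identifiers mappings; must be stored apart from the data."""

    def __init__(self):
        self._store = {}

    def issue(self, identifiers):
        token = "pn_" + secrets.token_hex(8)
        self._store[token] = dict(identifiers)
        return token

    def resolve(self, token):
        return dict(self._store[token])   # KeyError if token unknown or wiped

    def wipe(self):
        """Destroying the vault turns pseudonymised records into de-identified ones."""
        self._store.clear()


def pseudonymise(record, vault):
    """Move direct identifiers into the vault and leave a token behind (reversible)."""
    ids = {f: record[f] for f in IDENTIFIERS if f in record}
    out = {k: v for k, v in record.items() if k not in ids}
    out["pseudonym"] = vault.issue(ids)
    return out


def reidentify(record, vault):
    """Reverse pseudonymisation; raises KeyError if the vault no longer has the token."""
    out = {k: v for k, v in record.items() if k != "pseudonym"}
    out.update(vault.resolve(record["pseudonym"]))
    return out


def deidentify(record):
    """One-way: identifiers are replaced by a salted hash whose salt is discarded."""
    salt = secrets.token_bytes(16)
    ids = "|".join(str(record.get(f, "")) for f in IDENTIFIERS)
    digest = hashlib.sha256(salt + ids.encode()).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in IDENTIFIERS and k != "pseudonym"}
    out["record_ref"] = digest            # cannot be linked back without the salt
    return out


def walk_life_cycle(record):
    """Carry one record through the cycle and report the stage at each step."""
    vault = Vault()
    stages = [classify(record)]
    p = pseudonymise(record, vault)
    stages.append(classify(p))
    assert reidentify(p, vault) == record  # reversible while the vault exists
    stages.append(classify(deidentify(record)))
    vault.wipe()
    try:
        reidentify(p, vault)
        stages.append("REVERSED_AFTER_WIPE")
    except KeyError:
        stages.append("IRREVERSIBLE")
    return stages


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Patient A",
    "date_of_birth": "1980-01-01",
    "national_id": "XXXX-0000",
    "hospital": "Example Hospital",
    "medical_history": "...",
    "scan_image_ref": "img-0001",
}

if __name__ == "__main__":
    print(walk_life_cycle(SAMPLE))
```

The point of the vault is the one the post raises: the same record is worth insuring differently depending on whether the identifiers can still be recovered, and that depends on a second asset (the vault) whose loss or destruction silently changes the stage of every pseudonymised record that points into it.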

In settling claims, it would be necessary to consider not only all the aspects normally considered in a Cyber Crime insurance policy, such as legal costs, investigation costs, etc., but also the valuation of personal data in the hands of the organization, the value additions that the organization might have created in the form of “Profiles”, and the value of personal data in the hands of the data principals (or data subjects, as they may be called elsewhere).

Hence, while PDPA 2020 will usher in a golden era for insurance companies in India, it will need a new policy structure and new management requirements. Exciting days seem to be ahead for the insurance industry as we await the passage of PDPA 2020 in the budget session of the Parliament this year.

Naavi