Aadhaar Amendment Act passed

The Aadhaar Amendment Bill was passed by the Rajya Sabha today and brought in many important changes that would offset the restrictions that the Supreme Court had placed on the use of Aadhaar.

The main objection of the Supreme Court was that Aadhaar should not be used by the private sector since it could compromise the privacy of the individual. Even during the time the Supreme Court considered the objections raised by the opposition that sought to attack the Aadhaar scheme as a proxy attack on Mr Modi, UIDAI had introduced the “Virtual Aadhaar ID” as well as offline authentication. If these had been considered by the Supreme Court at the time of its earlier decision, it would not have been necessary for the Court to send shock waves through the industry by banning the use of Aadhaar by the private sector.

Now in the amendment, the Virtual Aadhaar ID has also been recognized as the “Aadhaar Number”, making it usable instead of the original Aadhaar number. Since the Virtual Aadhaar ID can be changed from time to time, the user can use different Virtual IDs for different transactions and protect the real ID.

The system of “Offline verification” has been defined as a process of “Verifying” the identity of the Aadhaar holder without authentication. The system which UIDAI has implemented requires the Aadhaar holder to download the Offline e-KYC document and submit the same to an agency which needs to conduct a KYC. The document downloaded is an XML document carrying the digital signature of UIDAI, which the verifier should check before relying on its contents. Where demographic information is shared, the user agency will be obligated not to use it for any purpose other than the one for which it was provided.

Further the Aadhaar holder can voluntarily use Aadhaar number to provide his authentication to the user agency based on an “Informed Consent”. This enablement will meet most of the requirements of the user industries though the Privacy Activists may still raise issues of whether an “Informed” consent was obtained or not. Once the PDPA comes into effect, the agency using the Aadhaar number for authentication will have a larger responsibility as a “Significant Fiduciary”.

The Act will, by regulation, mandate that user agencies use only a Virtual Aadhaar ID and not the main Aadhaar number. It is expected that most of the private sector players may be placed under this mandatory use of the Virtual Aadhaar ID, which should satisfy the Supreme Court on privacy protection. This notification may come as rules that will follow.

The Aadhaar authenticating agency is also expected to offer alternative measures other than the use of Aadhaar for the purpose of authentication, and must not make Aadhaar a mandatory condition for delivery of any service.

The Act also makes some changes in the penalty clauses to deter any misuse. Disputes would be settled through Adjudication followed by the appeal with TDSAT.

Additionally, the amendment to the Telegraph Act indicates that the Telecom operators may use Aadhaar as a means of authentication for their services. This will be part of the telecom licensing provision, as if it is a special category of license. It is expected that the TRAI will specify further safeguards as may be necessary when licenses are issued with the use of Aadhaar as an identity parameter. It appears that the current license holders may have to seek a special endorsement for the use of Aadhaar, agreeing to whatever additional conditions TRAI may place.

In summary, it can be stated that one of the dark phases of Aadhaar usage has perhaps passed off. Hopefully the Fintech industry which had been severely hit by the Supreme Court judgement can feel more comfortable now.

(P.S: This is the immediate impression on the Bill as passed and may need a review when more details are available)

Naavi

Posted in Cyber Law

Don’t Delete the Alleged Phishing E-mail

Whenever a fraudulent withdrawal occurs on a Bank account, it is a common practice for the Bank to allege that there was a phishing mail which the customer answered, and that he has therefore compromised the access credentials to the account and is responsible for the unauthorized access and the consequential loss.

The limited liability circular of RBI also limits the protection under the automatic zero/limited liability on reporting of a disputed transaction within the specified time only to cases where there is no “Proof” of the customer sharing the payment credentials. In such cases the scope of the circular is limited to the debits that occur after the reporting. The “Burden of Proof” that the payment credentials were shared lies with the Bank.

In a practical situation it so happens that when an incident of fraudulent withdrawal is noticed, the customer is under a panic situation. He first calls the Bank to tell them that he is either not able to access the account or the balance in the account is less than what it should be.

In such cases, the complaint is registered and a number is allocated which needs to be kept safely as evidence of reporting (Naavi has suggested using the service of CEAC for sending such notices to bring a trusted third party evidence into the equation).

Normally in the subsequent discussions, the Bank will advise the customer to file a Police complaint and follow the incident with the Police as a crime against the customer.

The Bank, in the course of the conversation, may also ask “Have you received any mail recently from the Bank asking for your password?” or “Did you give your OTP to anybody?” etc.

If the customer has received a mail which we normally refer to as the “Phishing Mail” or a “Vishing Call”, he will say that he has received it. Some such customers may say that they had received such communication but did not respond.

This conversation is normally recorded by the Bank but not the customer. Hence the evidence of this conversation is available with the Bank but not the customer.

The customer often goes to the Police and files a complaint making the unknown fraudster as suggested by the Bank as the accused and does not include the Bank as the main accused or as a person who has abetted the crime.

We have recently come across an allegation by a customer that the Bank asked him to delete the phishing e-mail and he deleted it. Later, in the judicial proceedings, it has become an evidentiary requirement.

During the proceedings in the Court, the Bank may simply deny that it has asked the customer to delete the mail and the customer will be left high and dry to prove that he is speaking the truth.

As a general warning to Bank customers who may be victims of frauds, I would therefore like to request that they should not delete the phishing e-mail. It is potential evidence of an attempted crime even when no loss occurs, and is actual evidence of the crime if the fraud happens. Deletion is removal of evidence and is punishable under Section 65 of ITA 2000/8 and Section 204 of IPC.

If the bank suggests this, the bank is guilty of destruction of evidence or an attempt to fraudulently mislead the customer to commit such an offence.

Further, the Customer should request the Bank to produce the recording of the conversation to prove or disprove whether there was such a phishing e-mail etc. The Bank is bound to provide such evidence, or shall admit that it is itself liable for destruction of evidence, since the recording itself is evidence.

The Customer should insist that the Bank produces the recording as Section 65B (IEA) certified evidence, as otherwise there is a possibility of tampered evidence being produced.

Further, even when the Limited Liability Circular fails to protect the customer, it does not foreclose the legal option of recovery through Adjudication, where the customer may still hope for a remedy even in the case of so-called phishing.

This is for the general information of the public.

Naavi

Posted in Cyber Law

Startup TV Channel as a Budget Proposal

Out of the several “Vision” statements included in the budget proposal of 2019-20, one particular proposal which attracts attention is the proposal to start a television program exclusively for start-ups.

Naavi.org has been engaged in “Awareness Building” on Cyber Law Compliance since 1998, and with the enactment of the Personal Data Protection Act (PDPA) there will be more such awareness activities that need to be done. This objective of Naavi.org, which has been carried over to organizations like the FDPPI (Foundation of Data Protection Professionals in India), may now have an additional tool to reach out to people through this very unexpected budget proposal, namely “Start UP TV of India”.

This Channel is supposed to be started as part of the Doordarshan Bouquet and is expected to serve as a platform for promoting start-ups, discussing issues affecting their growth, matchmaking with venture capitalists, and for funding and tax planning.

In as much as “Start Up” is a business venture, the entire business domain will come under the scope of this TV. It could be the CNBC TV or ET News without the stock market noise.

I have in the past discussed with some channels about programs on Cyber Security but most of them have felt that the “TRP” for such programs may not be attractive. So, the proposal of “Start Up TV of India” will also face the challenge of commercial viability which needs to be efficiently handled.

It is not clear if this TV will run under the guidance of the Ministry of IT or Ministry of Information and Broadcasting.

Mrs Nirmala Sitharaman stated that the channel will be designed and executed by start-ups themselves.

We do not know if there have already been some discussions in this regard and somebody has been assigned the responsibility for the same.

It is however interesting to know how this idea develops in the coming days.

Naavi

Posted in Cyber Law

Cyber Insurance awareness is on the rise

Naavi has been an evangelist for Cyber Insurance for a long time. In fact, a separate blog, cyberinsurance.org.in, was created to have a focussed discussion on Cyber Insurance, only to find that the interest level of the market was still too low for the blog to be of interest as a separate entity. In 2015, Naavi conducted an all-India survey on the status of Cyber Insurance to understand the status of the industry. It was found that there was a huge gap in the understanding of the user industries on Cyber Insurance as a product. Many had not even considered it as a requirement as part of their IS policy.

However, recently it is found that at least about 350 Corporate Cyber Insurance policies have been issued. About a year back, individual Cyber policies were also introduced by Bajaj Allianz and later HDFC ERGO, and it is indicated that there are more than 15,000 individual policies in operation at this point of time. Hence it appears that Cyber Insurance as a concept has at least taken off.

Over the last two weeks, I have had extensive discussions with many Insurance professionals to understand the “Perception Gap” between the cyber insurance user industry and the insurance companies. I will try to share some of these thoughts and analysis of some of the insurance policies through these columns.

I have set two objectives for this latest activity focussing on Cyber Insurance:

  1. Bridging the perception gap between the Information Security industry and Cyber Insurance industry by being the conduit of knowledge exchange between these two industry professionals.
  2. Developing the possibility of a specific Cyber Insurance Policy extension or a Cyber Policy itself to cover the risks that arise due to the PDPA (Personal Data Protection Act) that is in the offing.

The above exercise involves conduct of many awareness sessions for the Cyber Insurance industry to make them understand the expectations of the IS industry and vice-versa.

The PDPSI (Personal Data Protection Standard of India) security framework which has been announced by the undersigned is ready to be used as a framework for compliance of PDPA. This can also be a guidance for “Cyber Insurability audit” and hence could assist the Insurance companies in assessing the premium.

Watch out for more discussions in this aspect and join me in this new push for Cyber Insurance.

Naavi


Posted in Cyber Law

Chai Pe Charcha at Pune

Naavi will be meeting a group of IS and Cyber Insurance professionals in Pune to discuss the impact of PDPA on the Cyber Insurance industry.

Naavi

Posted in Cyber Law

PDPA Compliance for Data Analytics and AI industries

PDPA, or the Personal Data Protection Act, which is being introduced in Parliament during the current session, will be a landmark legislation in India. Presently PDPA is at the draft Bill stage and it may become law during this year. After the notification of ITA 2000 on 17th October 2000, which provided legal recognition to Electronic Documents in India for the first time and heralded the birth of the “Digital Society” in India, PDPA will be the most significant legislation to affect the country’s industry.

PDPA is an extension of ITA 2000, which was substantially amended in 2008. Now Section 43A of ITA 2000/8 will be replaced by the entire set of provisions in the PDPA 2018 or PDPA 2019 as it may now be called.

While many may look at PDPA as an extension of the need to protect “Privacy” which the Supreme Court declared as a fundamental right in India, it must be recognized that Privacy Protection had already been extensively recognized when ITA 2008 amendments kicked in.

While there are a couple of sections like 72A as well as Section 43 which can be invoked in respect of Personal Information being breached and misused, Section 43A was the one section in ITA 2000/8 which directly defined the responsibility of organizations collecting “Sensitive Personal Information” (SPI). It defined what was SPI and declared that in the event of a company not following a “Reasonable Security Practice” (RSP), it would be liable for paying compensation to any victim who suffers a wrongful loss as a consequence.

While the definition of RSP itself was left a little vague, it was specified that RSP is what would be defined in a contract between the data subject and the company or as defined in a law or as defined in an industry specific gazette notified framework.

Unfortunately, Indian industry (except Banking) did not appreciate or understand the flexibility provided to them in the law, or was too lazy to work on a sector-specific framework. Instead they simply manipulated the naive MeitY to declare that a company with an “ISO 27001” certification could be deemed to have complied with the “RSP Standard”.

This statutory dependence on an audit process which was commercially driven and subject to many abuses was vehemently opposed by the undersigned and the Ministry was forced to admit in a reply to the RTI query that

“Rule..does not mandate implementation of ISO 27001 standard exclusively… Body corporates are free to adopt and implement other codes of best practices agreed by the industry association”

(Refer here)

This did not, however, prevent the ISO 27001 industry from claiming that ISO 27001 ensures that organizations comply with ITA 2000. (Refer here).

PDPA is More Onerous

Now PDPA makes a huge difference to the compliance requirements of the industry related to Privacy Protection and Personal Data Protection.

PDPA does not restrict itself to SPI. It extends to Personal Information (PI) and “Minor’s Personal Information” which is also considered sensitive. It classifies the Data Fiduciaries into more sensitive levels of Significant Data Fiduciary and Guardian Data Fiduciary with increased responsibilities.

Most importantly, by defining the relationship between what we normally refer to as the Data Subject and the Data Controller as a relationship of a “Fiduciary” nature, and calling the Data Subject the Data Principal and the Data Controller the “Data Fiduciary”, PDPA has changed the narrative completely. The Data Fiduciary is now expected to act like a “Trustee” of the Data Principal, and his duties are not restricted to following the instructions in the “Consent” form. Though the “Consent” remains in the statute, it is more an indication of the Data Principal’s objectives for sharing his personal data. The determination of how it has to be processed in the best interest of the Data Principal lies with the Data Fiduciary and is not limited to what is contained in the Consent.

PDPA defines the “Data Principal’s Rights” and “Obligations of the Data Fiduciary” which become guidelines for the Data Fiduciary to implement “Privacy By Design” and the security requirements.

Though many derogations are provided, including the cover of “Legitimate Interest”, the law imposes penalties both in terms of large financial fines as well as the possibility of criminal prosecution against the Company and its executives. Such fines are of the nature of “Administrative Fines” and, unlike the position under ITA 2000/8, do not necessarily require a data breach; they could be imposed even for non-compliance alone.

As a result of these changes, the responsibility of industry for compliance regarding Privacy Protection and related Data Protection has increased several fold with the introduction of PDPA.

The biggest impact of PDPA is likely to be on the Data Analytics industry. Data gets a higher value when it is associated with the identity of an individual and the parameters associated with that individual. Data is considered “Personal Data” if it is identifiable with a living human. If the identity is masked, the data becomes “Pseudonymous personal data” and escapes PDPA. If it is “Anonymized”, then also the processing escapes PDPA.

Pseudonymous data by definition is “Re-identifiable”. Anonymous data is not. Re-identification of de-identified data is an offence under PDPA and could result in imprisonment of up to 3 years and/or a fine of Rs 2 lakhs. The liability may extend to the Company and individually to the managers/Directors who are negligent. Such offences are cognizable and non-bailable, making the risk higher.

The Civil liability which could arise out of many non-compliance issues could result in penalties of up to 4% of the global turnover of the company, and therefore threatens to wipe out the business.

With such penalties hanging over their heads, every company needs to take such steps as are required to ensure that the possibility of non-compliance is near zero.

PDPA Risk for Data Analytics and AI industries

In this context, a data analytics company needs to ensure that the incoming data is largely pseudonymous or anonymous. If not, it has to ensure that the data is filtered at the first in-gate so that the risk is minimized at further levels of processing. While this is easier said than done, we realize that most of the time the identity is integral to the data processing and cannot be easily detached. Further, the granular details that a data set may contain could make apparently pseudonymous data easily re-identifiable in the hands of a determined data thief.
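The distinction drawn above between pseudonymous and anonymous data, and the point that granular details can make masked data re-identifiable, can be checked mechanically at the in-gate. The following is an added illustration, not code from the original post or from any PDPSI tooling: it replaces the direct identifier with a keyed hash (re-linkable by whoever holds the key, hence pseudonymous), then measures how many records remain unique on the quasi-identifiers that survive masking, and shows how coarsening those fields raises the group size. All records, the key, and the field names are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people), as a data set might arrive
# at an analytics firm's in-gate: a direct identifier plus granular details.
RAW_RECORDS = [
    {"name": "Asha Rao",    "age": 34, "pincode": "560001", "diagnosis": "asthma"},
    {"name": "Bala Menon",  "age": 34, "pincode": "560001", "diagnosis": "diabetes"},
    {"name": "Chitra Iyer", "age": 38, "pincode": "560034", "diagnosis": "asthma"},
    {"name": "Dev Shah",    "age": 25, "pincode": "411001", "diagnosis": "migraine"},
    {"name": "Esha Nair",   "age": 29, "pincode": "411001", "diagnosis": "asthma"},
]

# Attributes that are not identifiers on their own but, in combination,
# can single out a person when matched against outside knowledge.
QUASI_IDENTIFIERS = ("age", "pincode")


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed hash (HMAC-SHA256).
    The key holder can re-link pid to name, so the output is pseudonymous
    data in the sense used in the post, not anonymous data."""
    out = []
    for r in records:
        pid = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"pid": pid, **{k: v for k, v in r.items() if k != "name"}})
    return out


def _groups(records, quasi):
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi):
    """Smallest group size over the quasi-identifier combination.
    k == 1 means at least one record is unique on those attributes and is
    therefore re-identifiable by anyone who knows that combination."""
    return min(_groups(records, quasi).values())


def unique_records(records, quasi):
    """The records that are singled out by their quasi-identifiers alone."""
    groups = _groups(records, quasi)
    return [r for r in records if groups[tuple(r[q] for q in quasi)] == 1]


def generalise(records):
    """Coarsen the quasi-identifiers at the in-gate: a 10-year age band and
    the pincode truncated to its 3-digit sorting-district prefix."""
    out = []
    for r in records:
        g = dict(r)
        band = (r["age"] // 10) * 10
        g["age"] = f"{band}-{band + 9}"
        g["pincode"] = r["pincode"][:3] + "xxx"
        out.append(g)
    return out


if __name__ == "__main__":
    masked = pseudonymise(RAW_RECORDS, b"in-gate-key-constructed")
    print("k after masking names only:", k_anonymity(masked, QUASI_IDENTIFIERS))
    print("records still unique:", len(unique_records(masked, QUASI_IDENTIFIERS)))
    print("k after generalising:", k_anonymity(generalise(masked), QUASI_IDENTIFIERS))
```

Masking the name alone leaves three of the five records unique on age and pincode, which is the re-identification exposure the post warns about; the same check with a larger data set and more quasi-identifiers is what an in-gate filter would run before data reaches downstream processing.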

Since many of the data analytics companies need to depend on sub-contractors, the inability of the sub-contractors to protect the personal data up to the “PDPA Standard” could impose vicarious liabilities on the data fiduciary.

In view of these risks, data analytics companies need to be extremely careful in designing their processing systems to ensure that they are “PDPA Compliant”.

The Artificial Intelligence industry, on the other hand, supports data processing industry of every description, including Data Fiduciaries, Significant Data Fiduciaries and Guardian Data Fiduciaries. In many cases they will be the “Sub Contractors” of the data fiduciaries. In certain cases the AI companies dictate the business process of the data fiduciaries, as if they are the main contractors and the data fiduciary is a sub-contractor. Such “Reverse domination” is also present in many other data processing situations in the Digital Marketing industry. As a result, the AI industry players could be “Joint Controllers” as GDPR defines them, or “Data Fiduciaries of the Data Fiduciary” in the Indian context.

AI is one industry where processing is often hidden in the algorithm and it is not easy to discern compliance violations. Indian law is very clear that any violation of law by the AI agent would be the responsibility of the AI creator/manager. Hence AI companies will be liable for any non-compliance issues arising out of the AI algorithm incorporated in the process.

In view of the above, both the Data Analytics and the AI industry need to implement special efforts to be PDPA compliant.

Be Compliant and Be Protected

The PDPSI (Personal Data Protection Standard of India), designed by the undersigned, contains the necessary basic guidance for industries to be PDPA compliant. The PDPSI standard supports the PDPA requirement that every Data Fiduciary should conduct “Data Audits” from time to time and develop a “Data Trust Score” (DTS). This again drastically changes the paradigm of Data Security in the country, bringing in a sort of “Disclosure” which is “indicative” of the risks, rather than the mandatory data breach notification that follows an actual breach. An audit under the PDPSI framework should therefore normally end with an allocation of a DTS to an organization. Such a DTS will naturally affect the “Insurability” of the organization and impact the cost of data processing.

It is therefore time for the Data Analytics and AI industry to examine the impact of PDPA on their operations and to take such steps as may be essential for their survival before the law is set in stone.

Naavi

Posted in Cyber Law