FDPPI launches 2nd Batch of Certification Training on Global Laws
Posted in Cyber Law
ITA 2000/8 needs further changes
It is time to recall that on 17th October 2020 we completed 20 years of the existence of the Information Technology Act 2000. The one major amendment made to the Act was in 2008. With the passage of the Personal Data Protection Act some time in 2021, there will be another major amendment to ITA 2000. On that occasion, apart from the deletion of Section 43A, more amendments may be considered.
Naavi has suggested many times the changes required to be made to ITA 2008, and some of the articles carrying such suggestions are given below.
Drawing the attention of T K Vishwanathan Committee on ITA 2000 amendments
Proposed Amendments to ITA 2000 and Privacy Protection
Redefining the scope of ITA 2008.. in the amendments..
Suggestions on Modification of ITA 2008
Domain Name Regulation in ITA 2000..to be amended
ITA 2000/8 will remain the supreme Data Protection Law of India
Looking beyond the earlier suggestions, we need to think about the following six changes to ITA 2000.
- Introduce a mandatory verified-account tag for social media posts (as proposed in PDPB 2019, where it is optional) to eliminate fake accounts and reduce the incidence of fake news.
- Reintroduce an equivalent of Section 66A to recognize “Offences through Messages” as distinguished from “Offences through Publication”.
- Re-issue the Section 79 notification for “Tracking” of messages.
- Prevent phishing websites by making domain registrars accountable for checking the identity of domain registrants.
- Introduce a Controller of Mobile Apps and Games to regulate malicious apps and games.
- Ban cryptocurrencies to choke the economy of the dark web.
Naavi
Also see: 20 years anniversary of ITA 2000
Posted in Cyber Law
Dr Lal Pathlabs is ISO 27001 Certified… but stored sensitive data callously
Naavi.org was at the forefront of raising objections to the Section 43A rules of the MeitY in 2011, where the MeitY insisted that “ISO 27001 compliance” is deemed compliance with Section 43A.
When I first wrote “Is India selling itself out to ISO 27001?”, “Has MIT issued the guidelines without proper evaluation?”, “Is DIT misleading the Public?”, etc., the Kapil Sibal-led ministry was extremely unhappy because it was pointed out that if all Indian companies were made to undergo ISO 27001, there would be a huge and useless burden on the industry.
Now that Section 43A is coming to the end of its lifetime and would be replaced by the Personal Data Protection Act, it is time to recall Naavi’s concern that giving prominence to ISO 27001 as “Deemed Compliance of Section 43A” was a blunder of the MeitY.
Dr Lal Pathlabs has given a perfect example to justify the point which I made in 2011 and which the MeitY brushed aside.
Going by the press reports, Dr Lal Pathlabs compromised millions of records of sensitive personal information of the Indian public by storing them in Amazon cloud storage without a password.
Techcrunch.com reports as under:
Quote:
Unquote:
Techcrunch also reports that the security loophole has since been closed, meaning that a password has now been set.
However, what surprises me is that the website of Dr Lal Pathlabs does not show any information on the data breach. There is no information about CERT-In having asked for a report on the data breach as per the powers available to, and the duty cast on, them under Section 70B of ITA 2000/8.
The “Privacy Policy” on the website covers only the information collected on the website and does not give clarity about the policies and practices related to the collection of information in the course of their services.
The Privacy Policy inter alia states as follows:
Quote:
Information security
The Company has implemented appropriate security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Further, the Company takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data and restricts access to your personal data to the Company’s employees who need to have that information in order to fulfil your request or supply our services.
Unquote:
This indicates that the privacy policy has been drafted in accordance with the words contained in the Section 43A guidelines.
It is therefore not surprising to note that the company also sports ISO 27001 as one of its accreditations.
It would be interesting to find out who gave the ISO 27001 accreditation to this company, with what scope, and whether it would continue to be used even after the report of the current breach or would be withdrawn.
It is time for the industry to consider that ISO 27001 is only a guidance tool; it cannot be considered a stamp certifying that everything is in order regarding the information security implementation in an organization.
I recall the reply I had received on 11th July 2011 from Mr Prafulla Kumar of DIT, which stated as follows:

However the notification contained the words
“A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensively documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.”
“The international Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard referred to in sub-rule (1).”
In view of the above, and despite the clarification provided to me directly, MeitY continued to give the public the impression that ISO 27001 is “Deemed Section 43A compliance”.
This false impression created by the MeitY is the reason why companies like Dr Lal Pathlabs continue to ignore information security in its real sense, opt to buy the certification, and remain complacent that everything is fine with them.
I call upon the MeitY to clarify whether they are prepared to withdraw their endorsement of ISO 27001 at least now.
Making mistake once is understandable.
Standing on the ego and justifying it is undesirable.
But not making amends and not apologizing for the mistake even after it is seen how an “ISO 27001 certified company can have sensitive data in Amazon storage without a password” is unpardonable.
The data breach raises similar questions about other accreditation agencies like the CAP, NABL, etc., who have to withdraw their certifications or at least conduct an enquiry and re-establish the credentials.
I also call upon the NSE and BSE to clarify whether Dr Lal Pathlabs filed any report with them that there was a data breach, since there could be a PIL or Government penal action against the company and, as a result, a financial risk to the shareholders of the company.
We will continue to watch whether the Clause 49 declaration applicable to listed companies will report the breach to the shareholders in the annual report, and whether the statutory auditors report the same in their audit reports.
(P.S.: Deloitte Haskins & Sells LLP were the auditors of the Company some time back. After the IL&FS fiasco, Deloitte could have faced some sanctions barring them from continuing their audit work. It appears that the matter is with the NCLT.)
There were 5 independent directors of the Company who also have many questions to answer along with the Company secretary.
I have also pointed out earlier that Adjudicating Officers in multiple states can start an enquiry under Section 46 of ITA 2000 on the incident, and a PIL can be filed in any High Court or the Supreme Court, provided the matter is considered a serious privacy breach. Otherwise all the “I Love Puttaswamy Judgement” statements of privacy activists will only be considered a TRP-hogging drama.
Unless the regulatory authorities take such data breaches seriously and use it to define the future direction of compliance, such incidents will continue to happen in future.
Naavi
Posted in Cyber Law
20th Anniversary of the Digital Society Day of India
On October 17th, India will be celebrating the 20th anniversary of the birth of the digital society of India. On this day in 2000, Information Technology Act 2000 was notified. On that day, an electronic document became legally recognized as equivalent to a paper document. The digital signature was recognized as equivalent to a physical signature. Together, the legal recognition of electronic document and the method of authentication gave legal recognition to a digital contract. Digital contracts gave birth to the transactions in the digital society with judicial oversight. The electronic document also got recognition as “Evidence” under the Indian Evidence Act and Section 65B became effective as the means of making an electronic evidence admissible in the court of law.
This day is therefore significant in the history of the evolution of Digital India, and Naavi.org has been celebrating it as the “Digital Society Day of India” ever since. For the first few years we even held physical events to celebrate the day. We have always believed that MeitY has to take up this celebration on a large scale, but it has not happened.
Anyway it is our duty to remember the importance of the day.
Naavi.org is putting together some suggestions on what amendments may need to be considered in the ITA 2000 in the current scenario where the Personal Data Protection Act will automatically affect some of the provisions of this Act.
I invite comments from the public on the three most important pain points in the Act that they have been confronted with in these years, so that they can be consolidated and brought to the attention of the Government.
Naavi
Posted in Cyber Law
Dr Lal Path labs data breach
(Image Source: techcrunch.com)
In February 2020, a major data breach was reported from Breach Candy hospital, Mumbai. At that time, Naavi.org called it an “I Love You Moment” recalling the incident in 2000 when the “I Love You” virus hit the Internet and woke up the Indian regulators into taking steps in passing the Information Technology Act 2000 (ITA 2000) which was otherwise kept in cold storage in a Standing Committee.
In the Breach Candy incident, over 121 million medical records of Indian patients had been exposed due to the lack of secured storage. The data, which included X-rays, scans, patient history, National ID, date of birth, etc., had been stored in the cloud and was accessible through the internet without a password. The data was stored in DICOM format, intended to be accessible to the registered medical practitioners attending the patient, and to the patient, with appropriate user names and passwords, but was negligently left openly available.
This entire data set would now be in the Dark Web and could be exploited by criminals.
The incident was called an “I Love You” moment because it was felt that it would ensure the passage of the Personal Data Protection Act in India, which was pending with the JPC. Unfortunately Covid intervened and the JPC activity was delayed. The JPC has till now not completed its study, and the presentation of the Bill back in the Parliament has been postponed again and again. Now it has been pushed beyond 2020 and may be presented only in January 2021.
When the Breach Candy data breach occurred, it was a failure of “Reasonable Security Practice” under Section 43A of the ITA 2000, and it was possible for any affected party to file a complaint against the hospital for compensation. There could have been a PIL also. But no victim came forward.
However, it would have been possible for the regulatory mechanism to take some proactive steps to recognize the incident as a representative incident that required attention in the interest of preventing such incidents in future. The Adjudicator of Maharashtra could have taken suo motu action under Section 46 of ITA 2000. CERT-In could have conducted an enquiry and suggested some remedies. Even a High Court could have taken suo motu action and initiated an enquiry.
However, none of these regulatory bodies thought it fit to move in and take some action which would have brought better discipline into the system. All of them collectively exhibited the apathy and ignorance which is the bane of our country. Probably none of them wanted to do anything that could put the well-known hospital into disrepute.
Now another major data breach has hit us in the form of Dr Lal Pathlabs. The Personal Data Protection Bill is still a Bill, and again we need to fall back on the ITA 2000. At least now we need to see if CERT-In conducts an enquiry, some Adjudicator takes up a suo motu enquiry on behalf of the affected patients, or some PIL gets filed in a High Court.
According to the information available, Dr Lal PathLabs, headquartered in New Delhi, serves 70,000 patients a day and stores the medical diagnostic results on Amazon Web Services.
It is alleged that the data was stored without password protection.
It is impossible to understand how any IT operator handling the data was unaware of the need to encrypt the data in cloud storage. Having a password is like an LKG lesson we teach our students, and if any data is stored without a password, or with a password such as admin123, then it is not possible to recognize that person as “IT Literate”.
If the Company, which describes itself as “An international Service provider of diagnostic and related health tests”, had engaged such IT operators, then the management of the company, including the board of directors, should question themselves whether they had any moral right to be in a critical business like health care.
It is immaterial
- whether the IT team of the company, the CEO or the Directors were aware of Information Security or Data Security or not,
- whether they were aware of HIPAA standards or Section 43A of ITA 2000 or not,
- whether they were aware of the Personal Data Protection Bill 2019,
- whether there was a DPO in the company or not, or whether he was a certified data professional or not.
But if they did not have basic “password control” for the Amazon cloud storage, then they need to reassess their managerial credentials.
Amazon provides data storage services even under HIPAA standards, and it is difficult to see how they would have enabled access without a password, and that too without any combination stronger than something like admin123. Perhaps the information that the database was not protected with a password is not correct. The possibility is that some default password was used, or the lab had a system where the password was broadcast to all their units so that anybody could use the database.
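The two failure modes discussed above (objects readable without any credential, and data at rest with no encryption) are both configuration states that can be audited before a breach rather than discovered after one. The following is an added example written for this page, not code from Naavi.org or from the company discussed; it evaluates constructed configuration documents shaped like the AWS S3 GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock and GetBucketEncryption responses, entirely offline. The bucket name, role ARN and account number are placeholders, and the weak and hardened samples are constructed to show what each check flags.

```python
"""Offline audit of an S3-style bucket configuration for anonymous read
access and missing default encryption.  The inputs are constructed samples
shaped like the AWS API responses; nothing here talks to AWS."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal):
    """A principal of "*" or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(policy):
    """Return the Sids of statements that let an anonymous principal read objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        # A "Condition" block may narrow this (e.g. to a source IP); it is still
        # flagged so that a reviewer reads the condition rather than trusting it.
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def public_access_block_gaps(pab):
    """Return the Block Public Access switches that are not turned on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in keys if not pab.get(k, False)]


def default_encryption_algorithm(enc):
    """Return the default SSE algorithm, or None when data at rest is not encrypted."""
    for rule in enc.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def audit_bucket(policy, acl, pab, enc):
    """Combine the checks; 'public' is True when any path exposes objects anonymously."""
    stmts = public_policy_statements(policy)
    grants = public_acl_grants(acl)
    algo = default_encryption_algorithm(enc)
    return {
        "public_policy_statements": stmts,
        "public_acl_grants": grants,
        "public_access_block_gaps": public_access_block_gaps(pab),
        "default_encryption": algo,
        "public": bool(stmts or grants),
        "encrypted_at_rest": algo is not None,
    }


# Constructed sample of a misconfigured bucket (placeholder name, not a real resource).
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-lab-reports/*"}]}""")
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
WEAK_ENC = {"Rules": []}

# Hardened form: a named role instead of "*", all four blocks on, SSE-KMS by default.
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-lab-reports/*"}]}""")
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                  "BlockPublicPolicy", "RestrictPublicBuckets")}
HARDENED_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB, WEAK_ENC)),
                       ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB, HARDENED_ENC))):
        print(label, json.dumps(audit_bucket(*cfg), indent=2))
```

The point of the four separate checks is that a bucket can be exposed through a policy, through an ACL, or through both, and that Block Public Access is the control that makes the other two fail closed; a report that shows "public": False but four gaps in the public-access block is still one policy edit away from the situation described in the post.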
Whatever is the reason for the data breach, it is sad to note that a large company like Dr Lal Pathlabs could have such a callous approach to data security.
What is lost is lost. Whether we fine the company Rs 5 crores or 100 crores is immaterial. What is now required is for us and the regulators to reflect, how long we will keep on postponing the passage of Personal Data Protection Act and how long CERT-In and the Adjudicators under ITA 2000 remain mere show pieces in the system of data protection in India.
Though the JPC on the Personal Data Protection Bill has taken time up to the budget session to submit its report, it is time for the members of the JPC and the Chairperson to rethink and try to submit their report at least in the December session of the Parliament.
Naavi
P.S.: The privacy policy of Dr Lal Path labs inter alia states as follows:
Information security
The Company has implemented appropriate security practices and standards and has a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. Further, the Company takes appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data and restricts access to your personal data to the Company’s employees who need to have that information in order to fulfil your request or supply our services.
The problem is what “appropriate” means in this context, which needs to be debated.
Posted in Cyber Law