Bombay High Court Rules on E Mail usage

On May 3rd 2019, a State Gazette Notification was released in Maharashtra regarding the use of Electronic Mail Services by the Bombay High Court. The notification No P.0703/Rule/BHC is called “Bombay High Court Service of Processes by Electronic Mail Services (Civil Proceedings) Rules, 2017”.

A copy of the rules is available here.

It may be recalled here that the Bombay Court in an earlier judgement in 2018 had suggested that courts can opt for modern ways of service. In this judgement the honourable judge had discussed the different modes of effecting substitute service of summons under Order 5 Rule 20 of the Code of Civil Procedure, and observed,

“…in sub-rule (i) and (ii), the substituted service means fixing the copies of the summons on different place as mentioned in the Rule. However, the sub-rule(iii) gives further option that the summons can be served in such other manner as the Court thinks fit. Thus, the manner which the Court opts for should be akin to the earlier mode of service, which is mentioned in the Rule. For this, the Court can take into account the modern ways of service which are available due to internet connection. It can be served also by courier or by email or by WhatsApp etc.”

Similar views have been held by a few other Courts which are enamored by WhatsApp type of messaging applications and held that service of a notice through WhatsApp is acceptable and the “Blue Tick” is an acknowledgement etc. (Also see details here).

Now the Bombay High Court has gone one step further and amended the rules of the Court through a Gazette notification to adopt the service of notices through E mails. Accordingly the new rules dated 3rd May 2019 have been notified.

While we welcome the desire of the Court to adopt modern means of communication, we would look at the notification to understand and analyze from an academic viewpoint whether it is in compliance with the law of the land or creates a rule that is ultra vires the law. If so, we need to also debate whether it is desirable for the Courts themselves to ignore the compliance of law either by ignorance or specific design.

Definition of E Mail

The notification defines an “Electronic Mail” as a store and forward method of composing, sending, storing and receiving messages in electronic form via computer based communication mechanism.

The “Electronic Mail service” is defined as a notice or any process of Court sent by electronic mail by an officer authorized in this behalf by the high court or the district court as the case may be, such communication emanating from an address specified for the purposes of these Rules.

The definition is incomplete without reference to the definition of a “Computer” under ITA 2000 and a reference thereof should have been made in the rules.

The definition is redundant since ITA 2000 defines “Electronic Form” and “Equivalence of a document in electronic form to a document in paper form” through section 4. Hence communication of an order which was permitted to be sent through paper mail is automatically valid when sent through an E Mail or any other form of electronic communication. No revision of procedure was required.

No Mention of Authentication or Section 65B Certification

The rules do not make proper mention of “Authentication” of the mails with the use of Electronic/Digital Signature and a need for Section 65B certification when a “Sent” communication is to be admitted as “evidence”.

It was necessary to state that the Court officer besides the judge shall use a registered digital signature for the purpose of sending out the communication on behalf of the Court.

In case an electronic record is to be produced as evidence to prove that an e-mail has been sent or the e-mail has been received or that an e-mail has been returned un-delivered, whether through an e-mail system or a WhatsApp like system, it is necessary to produce such electronic document along with a Section 65B certificate for it to be admissible.

There is no mention of this requirement.

This is a clear non compliance of the law of the land.

Who determines the Validity of the E Mail address?

The rule also states that the petitioner who wants the notice to be sent to the counter party should file an affidavit stating the e-mail address of the counter party.

Sections 11 to 13 of ITA 2000 clearly lay down the rules regarding “Attribution” of an electronic message, the “Need for Acknowledgement if any”, “The time and place of sending or receiving of an electronic message” which interalia requires the contracting parties to “Designate” e-mail addresses for communication as part of their communication contract.

The procedure notified completely ignores the provisions of the ITA 2000 and defines its own rules. The use of an e-mail address in certain prior correspondence cannot be extended to legal communications after a dispute has reached the Court. This is fraught with risks and gives room for misuse.

The procedure suggested is akin to the sending of a mail by ordinary post and not like a mail sent by a “Registered Post” or “Registered Post Acknowledgement Due”… to the last known address… but without confirmation.

If the Court had adopted the use of Section 65B certificate for evidencing prima facie delivery, then the delivery would have some sanctity like in the case of registered/Registered acknowledgement due delivery of post or the use of a reliable courier service.

Use of the e-mail address on a website as the address to which notices can be sent is dicey since most websites may have an address such as “Info@…” or “Webadmin@…” etc. These may not be designated for the receipt of legal notices.

On the other hand, it would have been better if the Court had held that “Due Diligence” under Section 79 of ITA 2000/8 required a specific e-mail address to be designated for legal notices.

The Court could have reiterated that under ITA 2008, it is mandatory for websites to designate a “Grievance Officer” whose contact address is to be mandatorily provided on the website. This would have been not only respecting the law as it exists but also could have supported a provision which many are ignoring.

I am aware that a PIL was also filed with the Bombay High Court itself that websites are failing to comply with this provision of ITA 2000/8 regarding provision of contact addresses, though I am not sure of the outcome. Hence the requirement under ITA 2000/8 in this regard was within the knowledge of the Court and it would have been good if this had been re-iterated.

It is noted that under rule 7, parties have been permitted to opt for the use of E-mail by consent which is understandable. Provision of email address could have been made a mandatory provision for filing any petition or reply to the Court.

The suggested protocol attempts to do this.

However, in such cases an option may have to be provided to some litigants not to use electronic communication. This would be in conformity with the principle of natural justice.

No mention of Security

The suggested protocol is bereft of the security requirements. In fact it provides immunity for the court and its officers not to be held liable for any omission. Considering that the omissions are in derogation of a statutory law, the responsibility of the Court and its officials should not be ignored.

Overall, the notification does not inspire the confidence that the rules have been framed after properly evaluating the provisions of ITA 2000/8 to the context.

Naavi

 


Status of Cyber Insurance in India

Naavi has been one of the early proponents of Cyber Insurance in India. This site carries many articles in the past on the subject of Cyber Insurance (Refer here). Additionally, www.cyberinsurance.org.in  contains many of these articles in one place.

In 2015, Naavi.org initiated a National survey titled “India Cyber Insurance Survey 2015”, under “Mission Cyber Insurance” that we took up. This survey was conducted with respondents being professionals in the Information Security domain and other professionals in IT companies and academics. The objective of the survey was to establish a benchmark of perception about Cyber Insurance in India which could be tracked later with similar surveys in the following years.

The survey gave good insights into the status of Cyber Insurance industry in India at a time none of the Indian insurance companies had actually introduced products offering coverage for liability arising out of Cyber Crimes. There were “Cyber Asset Insurance”, “Employee Fidelity Insurance”, “Errors and Omission Insurance” which were often considered as Cyber Insurance. But real coverage of risks arising out of third party cyber crimes was not available. The few insurance contracts written at that time were basically on the reputation of the insured and did not take into account the “Risks” involved for which liabilities were to be covered.

The findings of the survey are available in a series of four articles here.

1. The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

2. The mystery land of Cyber Insurance-2: What is Cyber Insurance?

3. The Mystery Land of Cyber Insurance-3: Who should get Cyber Insurance Cover?

4. Cyber Insurance-4: The enigma called Cyber Insurance Premium

Naavi.org was not able to repeat the survey in the subsequent years to track the development. However, we are glad to know that DSCI has recently conducted a survey and released its report.

According to the DSCI survey,

    1. 350 cyber insurance policies have been sold till 2018, which is a 40% increase from overall base in 2017

    2. India’s yearly cyber premium market is around INR 80-100 crore (USD 11-14 million)

    3. IT/ITes and Banking & Financial services are the early adopters. The demand has increased because of Contractual requirements and GDPR. New demands from manufacturing, pharma, retail, hospitality, R&D and IP based organizations are observed.

    4. The premium amount ranges from USD 6500-8000 for a coverage of USD 1 million (0.65 to 0.8%)

The report makes a mention that the threat surface in India is expanding due to increasing digitization. It is reported that India is the 2nd most affected country due to targeted attacks (for attacks between 2016-2018) and average cost for a data breach in India has gone up to INR 11.9 crores, an increase of 7.9% from 2017 with the average cost per record being Rs 4552.

During 2017-18 it is stated that the number of policies increased from 250 to 350 and  the coverage included First Party expenses such as  “regulatory Investigation and Fines”, Expenses regarding “Forensic IT Audit”, Stakeholder notifications, legal costs, credit monitoring, PR etc, third party liabilities as well as business interruption loss and Cyber thefts such as Fund transfer frauds, Cyber extortion etc.

Four insurance providers namely TATA AIG, HDFC Ergo, ICICI Lombard and Bajaj Allianz were indicated.

The challenges that confront the industry continue to be lack of awareness and understanding by the buyers and lack of actuarial data for proper assessment on the part of the insurance providers.

Two of the companies namely HDFC Ergo and Bajaj Allianz were listed as companies offering personal Cyber Insurance, which was available from around Rs 50,000/- to Rs 10 crore. The Bajaj Allianz policy however offers a coverage with several sub limits for different types of losses. The HDFC Ergo policy offers a combined limit though the pricing is higher than Bajaj Allianz.

The survey also documents some strategic steps that may be taken to promote Cyber Insurance which we may discuss separately in subsequent articles.

A brief recount of issues listed for attention in the survey is as follows:

Government/Regulatory Bodies

-Creating awareness and ecosystem skills in cyber insurance policies

-Incentivizing SMBs through direct intervention or providing procurement benefits

-Providing Toolkits and Checklists

-Creating an ecosystem for cyber insurance to mitigate risks & improve resilience

-Mechanism for Data Breach Notification

-Creation of Cyber Incident Data Repository

-Promoting actuarial science for better modelling of cyber risks

Technology Firms

-Establish sector-specific cyber risk assessment framework

-Innovate to offer tailor-made products & services for cyber risk evaluation, forensics, incident response etc.

-Fortify capabilities

Brokers

-Spread awareness on essential coverage – create toolkits & checklists

-Support SMBs and startups, who wish to buy insurance policies

-Clearly articulate provisions under cyber insurance, and other insurance policies

Insured/Buyer

-Engage with a technology firm for cyber risk evaluation

-Before buying, important to create a ‘Cyber Insurance Committee’ that has representation from Insurance Purchase Group, Offices of CFO, CEO, CIO/CISO, CRO and CMO, for better decision making

Carriers (Insurance Providers)

-Fortify technological capabilities or engage with third party to conduct pre-breach cyber risk assessment and post-breach assessment

-Digitize for data-driven decision making

-Prepare for comprehensive inclusion of data privacy & protection to cover regulations such as GDPR, India’s Draft Bill on Data Protection etc.

-Provide value-added services – customization, free counselling, trainings etc.

-Clearly articulate provisions under cyber insurance, and other insurance policies

Overall, it is good that DSCI has recognized the importance of building awareness about Cyber Insurance in the industry. Hope the initiative will continue.

Naavi will continue his efforts in this direction both through the awareness building through www.naavi.org and www.cyberinsurance.org.in. CyberInsurance.org.in was actually meant to be a platform for all stake holders in the Cyber Insurance domain to come together though it is yet to achieve this objective. Hopefully there will be greater awareness of Cyber Insurance and keener interest in the days to come.

Naavi


CERT IN should recognize that McAfee Products could be a Security Risk to India

Bitcoin battle has now assumed bigger dimensions and escalated into a “Cyber War proposition” mooted by one of the prominent Anti Virus and Security product manufacturers, namely “John McAfee”. It is not clear if Mr McAfee has any controlling interest today in the company but it is reasonable to expect that he would wield a significant influence over the decisions of the company and perhaps on some of its loyal employees.

Additionally it appears that Mr McAfee has taken a leadership role in mobilizing hacktivists to believe that there is a cause for which they should declare a war on India. Again it is not clear if the hacktivists really consider Mr McAfee as a person whose words should be respected and they should launch an attack on India.

Nevertheless, as a Security Risk manager of India, CERT-IN cannot ignore the warning given by Mr McAfee that if India passes a legislation to ban Bitcoins in India, he is inviting a Cyber War against India.

McAfee is a company which was acquired by Intel in 2010 and later on spun off as a separate company. In 2017, an Asset Management Firm TPG (Texas Pacific Group) acquired controlling interest of 51% while Intel retained 49%.

It is possible that some of these private equity firms may be indirectly connected with John McAfee.

We recognize that McAfee is an independent professionally managed company today and is not influenced by the views of Mr John McAfee.

However, it is necessary for the company to clearly come out and disassociate itself with the statement of Mr McAfee and reaffirm its commitment to fight Cyber Crimes and particularly, that it has no intentions to influence the decision of the Indian Government on Bitcoins.

McAfee as a company should recognize that sharing its name with Mr McAfee is a “Reputation risk” for the company and in situations like this, it is necessary for them to come out with appropriate assurances to the public that it is not in agreement with the call for a Cyber War on India given out by Mr McAfee.

I look forward to such a statement from the company. In the meantime, I request CERT-IN to send a notice to McAfee as a company asking them to clarify their views on the statement of Mr McAfee.

Until we receive a satisfactory response from the company, McAfee products should be put on watch since it is possible that they may be used to plant Bitcoin mining trojans or other types of malware to harm Indian interests.

I request CERT IN also to come up with a suitable clarification in this regard. I also invite our MPs like Rajeev Chandrashekar and Tejasvi Surya to raise this issue in the Parliament to obtain clarification from CERT-In.

Naavi

 


Dear John McAfee, If you declare war on India, be ready for retaliation

John McAfee who some time back vowed that he would unmask the identity of Satoshi Nakamoto and said “Finding Satoshi is a piece of cake” has now declared “War on India” in support of Bitcoin.

Knowing the brilliance of this man, it is possible that he could have revealed the identity of Satoshi and perhaps has not only refrained from revealing the identity but turned a warrior for Bitcoin. Not sure if this indicates a good pay off from Satoshi sufficient to change his stance in favour of Bitcoin to the extent that he is declaring a “Cyber War” on India.

But it is unfortunate that the person who was well respected in India has chosen to be a “Deviant” and declare his hostility to India and declared a war against the country.

Following the information that India is considering a Bill to make Bitcoin transactions illegal and carry a 10 year imprisonment (Refer here), Bitcoin supporters have started behaving like Mamata Banerjee after Modi’s victory in the elections. CCN.com calls this an “Insane” proposal. Others have started a campaign to protect their interest to hold “Digital Black Money”. (Refer all news articles here).

Mr John McAfee has gone one step forward and has invited “Anonymous” to declare a war on India. (Refer here)

It is obnoxious for a professional to behave in such open support of a system which is a “Currency of Criminals and Terrorists” and deserves to be shut down across the world.

This deserves to be condemned in strongest terms and countered effectively just like an ISIS call to dismember India.

Mr Arun Jaitley has already clarified that we are intending to ban Bitcoins and I hope there will be no re-thinking despite the pressures that Mr McAfee kind of people may try to mount on us.

Let Mr McAfee realize that we in India are committed to the removal of black money and consider Bitcoin as the biggest manifestation of black money. Those who hold and support Bitcoin or other private Crypto currencies are trying to hide behind excuses to preserve their ill-gotten black wealth. They are global money launderers. Hence action through law to eliminate Bitcoin from the system is very much relevant to us.

I have already suggested that Bitcoin should be considered as an instrument of global terrorism and we should ourselves declare a war on Bitcoin. I have also urged Mr Modi to create a global consortium of like minded countries to take the Bitcoin ban as a global policy.

It appears that Mr McAfee has suddenly woken up to say that he wants the war to be fought against India and not against the terrorists who use Bitcoins as a currency for illegal drug trade, arms trade, financing of ISIS like terrorism etc. This is the typical “Urban Naxalite Mentality” that he is displaying and must be condemned in strongest terms.

Mr McAfee should respect Indian sovereignty and choice to remove the black money in all forms from the system and not try to undermine our rights to make our own law however unpalatable it is for him.

In the context of this threat held out by John McAfee, I request that the Government of India should take such steps as may be necessary to protect our interests including the following measures.

1. Expedite the passing of the Anti Crypto Currency Bill

2. Declare use and promotion of private crypto currencies as “Financial Cyber Terrorism” and all countries supporting the system as supporters of terrorist activities.

3. Vocal supporters like McAfee should be considered as equivalent of global terrorists like Masood Azhar and black listed from doing any commercial transactions in India. If he enters India, he should be arrested and tried for terrorism and war against India.

4. I urge the Government to immediately stop all use of McAfee products because they may be used to hack into our systems and wage a war as declared by him

5. I urge RBI to recognize the risk that this declaration poses to the Indian Banking system and advise all Banks in India to stop using McAfee products.

6. I urge public to stop using any McAfee products not only to prevent them being used for hacking but also to build economic pressure on a Company which has declared a war on India.

I urge the Government of India to issue a notice to McAfee to clarify his “War Call” and mobilization of Cyber war force.

Naavi


Leading Banks across the world Ban Bitcoin transactions

It was heartening to read an article in todaysgazette.com that “Leading Banks across the world are Blocking Crypto currencies” .

According to the report,

In the U.S., several banks have banned their users from using their credit cards to buy cryptocurrencies. The Bank of America, JP Morgan, Citigroup, Discover, and Capital One are freezing the accounts of users who try to use their credit cards to buy cryptocurrencies. Also it states that VISA severed its links with Wave Crest after Visa claimed that Wave Crest was not following its rules.

In the U.K., Lloyds banking group was the first to announce it was banning users from buying crypto with their credit cards, following which the Bank of Scotland, Halifax, and MBNA also banned their customers from buying cryptocurrencies. Most banks are pointing out money laundering and high volatility, as among the top reasons for banning trades related to crypto.

In Asia, the Hong Kong and Shanghai Banking Corporation (HSBC), is also blocking users from carrying out any transaction related to Bitcoin or altcoins. In India, Banks have warned their customers against using their cards to buy cryptocurrency and threatened that customers who did not reveal the nature of their transactions will have their accounts closed and that any account used to fund trades related to cryptocurrency will be terminated.

These developments need to be taken note of by the Ministry of Finance under Mrs Nirmala Sitharaman so that an appropriate notification is issued to end the uncertainty in the Indian regulatory scenario. The MeiTy can also make a move on its own to ensure that the list of “Exclusions” indicated in Schedule 2 of ITA 2000/8 includes “Any Electronic document purporting to be a currency or legal tender”.

Naavi


TDSAT confirms compensation for employee data theft

Complaints from an employer against an employee for data theft are a common occurrence in the corporate world particularly when the employee has exited the company and also started a competing business.

In the current business environment where the corporate work is carried on with the use of e-mails and from home computers, it is natural that in most cases, employees will have corporate data in their personal custody and in personal computers.

Most companies will also have employee contracts which typically have an NDA clause in which the employee is supposed to return corporate data in his hands in the event of his leaving the company etc. However, some of the provisions of the employee NDA contract are impractical and are ignored in practice.

Hence disputes do arise in every resignation of an employee and quite often when a critical employee leaves the organization, the organization may also be unreasonable in pursuing criminal cases against the employee using the business practice to which both were parties during the employment including sharing of the corporate data in the personal domain of the employee.

In resolving such cases, the Courts need to appreciate corporate practices, the “Data Protection/Information Security policies” of the Company, the intention of the parties etc besides the provisions under law such as ITA2000/8.

One such interesting case was recently decided at TDSAT in the case of Dr Rishi Dixit & Ors Vs PreventiNe Life Care Pvt Ltd. PreventiNe Life Care is a genetics laboratory based in Mumbai (India), offering genetic screening and predictive testing services in association with various Hospitals. It obviously handles “Sensitive Personal Data” which is the subject of data protection obligations under ITA 2000/8 and the upcoming PDPA and industry standards such as HIPAA etc. Dr Dixit is a medical professional employed in the organization and delivering his professional services as head of diagnostic services. He appears to have resigned in 2012 along with some of his research colleagues and later set up a rival company.

The Company had alleged that the accused had stolen software and also corporate data in the form of confidential algorithm, formulas, process, client/customer list, project, research paper, diagnostic procedure and other important information, which were the properties of the Company, through emails sent from the company network to the personal e-mails. Using the said information the accused are alleged to have started a rival company Navigene Genetic Science Pvt Ltd and adopted a similar business model.

The Adjudicator had therefore granted a compensation of Rs 30 lakhs to be paid by the accused to the Complainant (PreventiNe Life Care) which was challenged in an appeal to TDSAT and was disposed of recently on 31st May 2019.

This case has implications for study under ITA 2000/8, Data Protection regulations, and also Copyright laws. There are similar cases that may be under litigation in many courts including the civil and criminal courts outside the Adjudication/TDSAT system and the judgement could have its indirect influence in such cases.

 A Copy of the Judgement is available here . 

Some observations on the judgement are recorded here for academic discussion.

  1. The rival company was opened while the accused were still in the service of the earlier company and therefore violated one of the clauses of the employment contract. This was however a matter for the civil courts to adjudicate as regards the compensation and was rightly noted as not falling under Section 46 of ITA 2000/8.
  2.  The Adjudicator also noted that he is not considering the IPR issues involved in the dispute. However the possibility of some of the information being “Copied” from e-mails sent by the Company to the accused has been taken note of and hence Copyright violations have been recognized.
  3.  The defense that the information was sent by the company to the personal e-mails of the employees and thereby the company relinquished its right on the confidentiality of the information has been rejected.
  4.  The use of such information for purposes other than for which they were shared by the Company has been held as a contravention of Section 43 of ITA 2000. Accordingly contravention of Section 43(b), 43(i) and 43(j) along with Section 66 of ITA 2000/8  was taken into account by the Adjudicating Officer.
  5.  TDSAT has made a specific comment that the complainant is free to pursue the matters of employment contract and copyright which have not been taken into account in this adjudication in a separate action and proceeded to look at the appeal in the context of the application of ITA 2000/8 both for the misuse of data in the form of software on which the company had rights as well as the business data.
  6. TDSAT has after comparing the reports generated by the systems used by the two parties come to the conclusions that there are significant differences between the two which may not indicate that the software was stolen. (This is relevant for the copyright issue also).
  7. It was recognized that if the software was stolen and modified, the person responsible was a person who was not a party to the dispute and hence some of the charges regarding conspiracy to steal, modify and misuse the software cannot be validated.
  8. As a result of the observations recorded by TDSAT,  the charge that the appellants had stolen, copied or misused the proprietary software developed by the respondent for generating the diagnostic reports is held not sustainable against the appellants. This substantially eliminates the “Copy Right” aspect and any remedies under the copyright law might have been seriously dented by the observations.
  9. As regards the other allegation, some data has been provided as proof from the hard disk of the computer system used by the accused. It is not clear if the electronic evidence produced in this respect was appropriately certified under Section 65B. The defense appears to have failed to challenge the evidence and therefore the evidence might have been admitted by deemed mutual consent. Considering that the final outcome of the case was very much dependent on this evidence, the omission could be considered catastrophic. (Ed: This observation of Naavi is not to dispute whether the accused deserved to be punished but to flag a common mistake that many litigants make which enables the accused to escape liability on technical grounds)
  10. It has been held by TDSAT that one of the accused who was also the promoter of the rival company cannot be held liable under Section 43 since there is no evidence against him of the data being stolen from the victim company and has only used his domain knowledge to interpret whatever data was made available to him by the other co-accused.
  11. Since one of the two allegations (Software theft) failed and one of the accused was also held not liable, the damage of Rs 30 lakhs granted by the Adjudicator was reduced to Rs 15 lakhs.

It is also noted that the judgement appears to have been written by honourable Sri A.K. Bhargava, member of the TDSAT since it involved significant technical issues besides the legality of the applicability of Section 43(b), 43(i) and 43(j) of ITA 2000/8 to the dispute.

The advantage of a two member TDSAT with a technical member has been highlighted in this case. Cyber Appellate Tribunal when first formed was a single Judicial member body and though subsequently a technical member was appointed, no hearing could be held by the two member body until it was merged with TDSAT.

Naavi has also for a long time advocated that the Adjudication body under ITA2000 should be fortified by adding the Law Secretary of the State to the panel. Hopefully, this suggestion will be considered by the Government and I request the IT Minister to consider this amendment to ITA 2008 when the next opportunity arises.

It must be noted that this case was a complicated Techno Legal Issue involving ITA 2000/8 as well as Copyright issues and TDSAT has shown dexterity and finesse in arriving at the final judgement. The judgement makes a good case study for academicians.

Naavi
