First Set of Certified Data Protection Officers in India are set to emerge

February 23rd 2020 is set to be a historic day in the development of the data protection ecosystem in India. It is the day when the very first batch of professionals face their examination for certification by the Foundation of Data Protection Professionals in India (FDPPI).

The participants of this initial batch are those who undertook a 6 week long online training provided by Cyber Law College (www.cyberlawcollege.com).

The current batch is a small one, made up of foundation members of FDPPI, and will form the backbone of such certification programs in the future. This batch has been trained, and the certification program is being administered, solely by Naavi.

After the successful conduct of this program, the Certification mechanism will be taken over by FDPPI and more such programs both for training and for Certification will follow.

This Certification would be titled “Certified Data Protection Officer in India-Level 1” and covers awareness of the law as it stands today. It will be followed by higher levels in due course as additional skills are added at each level, including advanced awareness of the law as it emerges, technical skills, leadership skills and awareness of international laws. Taken as a whole, this Certification would be unique and is conceived at a level higher than the systems currently available in other countries.

While many of the Indian professionals do get certified through international agencies, FDPPI envisages creation of “Ethical Data Protection Professionals” who have their primary expertise in the Indian market.

This indigenous system of Certification is considered essential as the principle of “Data Sovereignty” is embedded in the Indian data protection laws and needs to be incorporated into the system of training and certification.

The motto of FDPPI is to create “Knowledgeable, Skilled and Ethical Data Protection Professionals” and the Certification program would be a significant step in this direction.

Naavi


Posted in Cyber Law

Media Mischief puts Cognizant in an embarrassing light

Cognizant is a respected MNC with a significant stake in the Indian data processing industry. It is not a company of the Facebook, WhatsApp or Google type, which are known to have woven their business around harnessing (exploiting?) “Personal Data” and profiling data principals/subjects.

But today’s ET carries an article with the headline “Cognizant sees data protection bill increasing costs, obligations”.

The article also uses a photograph of Cognizant’s building, captioned “Cognizant sees data protection bill increasing costs, obligations”.

This is a clear indication that the reporter wants to attribute the opinion conveyed in the article to Cognizant and no other company.

The body of the article says:

“IT services provider Cognizant has said the Personal Data Protection Bill, 2018 could impose stringent obligations on it for localisation of sensitive data, and along with regulatory changes in other countries may lead to additional compliance costs.”

“Complying with changing regulatory requirements requires us to incur substantial costs, exposes us to potential regulatory action or litigation, and may require changes to our business practices in certain jurisdictions, any of which could materially adversely affect our business operations and operating results”.

The second paragraph of the article mischievously adds another quote, attributed to a company called Teaneck, a New Jersey based firm, which is more directly critical of the Indian law and says

“If enacted in its current form, it would impose stringent obligations on the handling of personal data, including certain localization requirements for sensitive data. Other countries have enacted or are considering enacting data localization laws that require certain data to stay within their borders,” .

Gartner’s quote in the same article says: “Some short-term disruptions are possible, but the answer to this would be significant investment in data governance. It will impact smaller providers more because they have to create special provisions, change processes and systems of transferring data.”

The journalistic mischief is in presenting the facts as if Cognizant is critical of the introduction of PDPA in India. It is well known that there is a lobby in India which is critical of the Bill for various reasons. The article clubs Cognizant with such companies.

It is to be noted that there was opposition to the data localization provisions of the 2018 version. Unfortunately the Government yielded to pressure from the industry and diluted those provisions in the 2019 version, which is currently under discussion. This ET article suggests that Cognizant is still unaware that PDPA 2018 has now become PDPA 2019 and is set to become PDPA 2020. The reaction of Teaneck also indicates that they are not aware of PDPA 2019.

Assuming that the comments are drawn from the company’s annual report, it is fine for the management to acknowledge that the legal landscape is changing and that there will be additional costs associated with it. This is a normal expectation from any financial report to shareholders.

But a reputed publication like ET should remember that quoting a dated comment in the current context, when the public are watching the comments on the PDPB 2019 being submitted to the Parliamentary committee, is a misuse of journalistic freedom. Had the reporter added a sentence that a revised version of the bill, with a diluted data localization measure, is now under discussion, he would have been more truthful.

I request Cognizant India to issue a clarification that it is not the view of Cognizant that the introduction of the PDPA for the protection of the privacy of Indian data principals, as directed by the honourable Supreme Court, is undesirable or that it imposes any unreasonable costs on its operations in India.

Naavi

Posted in Cyber Law

Is Insurance Industry ready for PDPA?

On 7th February 2020, I attended a day long seminar at Hotel Trident, Mumbai, organized by the National Insurance Academy, Pune, jointly with Swiss Re.

The program, titled “Digital Disruption..Embracing Digital Innovation in [RE] Insurance business”, was a grand success and well attended by insurance professionals. It was inaugurated by the Chairman of IRDAI in the presence of the CMD of LIC and other dignitaries.

While there were interesting discussions on the innovative use of technology in insurance, there was also a discussion on Cyber Insurance.

Despite the enormous enthusiasm that the industry is showing towards the adoption of technology, it was observed that the industry appears to be lagging significantly behind developments in the field of Cyber Insurance and needs to redouble its efforts in developing Cyber Insurance products and services.

I had observed in my earlier article “Golden Era ushered in for Cyber Insurance industry through personal data protection act of India”  that there was a huge opportunity begging to be harnessed by the industry consequent to the Personal Data Protection Act that is on the anvil.

However, the industry appears even now to be looking only at how to adopt IT in its traditional insurance business, and the adoption of risk assessment and insurance coverage in cyber space is at a very nascent stage. It appears that the insurance industry in India will miss the gold rush arising out of the PDPA.

More importantly, if the insurance industry does not gear up to the needs of the industries that will be embracing the PDPA, those industries will be left high and dry, unable to get the coverage they would be looking for. In the process, many insurance contracts are likely to be written without a proper understanding of the risks they cover. In effect the industry will have to go through a period of blind PDPA risk coverage policies that exist only on paper and are useful to neither the insurer nor the insured.

During the discussions it was a surprise to note that there was no mention of the recent Breach Candy hospital data breach, which should have dominated the discussions had there been a proper appreciation of its impact on the industry had it occurred after the PDPA was in force.

There was also a lot of discussion on the use of AI in insurance, which needs to be moderated and adapted to the advent of the PDPA. There was a complete lack of recognition that many AI solutions will be in serious conflict with the PDPA.

It was interesting to note that the IRDAI has recently introduced a “Sand Box” system for the insurance industry to test new products. Since the PDPA is also coming out with a sandbox concept of its own, the users of new insurance products based on AI will need to contend with two sandboxes: one, under the PDPA, for the use of personal data in developing profiles of the insured, and the other for the structuring of the insurance policy.

Naavi pointed out that PDPA will usher in new challenges such as providing a cover for the “Administrative Fines” which will conceptually mean coverage of failure to do the obvious. The industry will have to decide on the coverage based on the reasons for which an administrative fine is imposed. If the reason is an external cyber attack, the coverage may stand. But if the main reason is failure of the internal systems then there could be a resistance from the insurance industry to honour a claim.

Naavi also pointed out the difficulty in valuing the personal data since its value in the hands of the data fiduciary/processor would be varying as it travels through a life cycle. Even the data ownership may change during the lifecycle of personal data requiring proper capturing of the ownership in the insurance contracts. (Some of these problems would be evident to readers who go through Naavi’s recent book on PDPA).

Naavi also pointed out the conflict with the general principle of “Co-Insurance” when the limit on the administrative fine under the PDPA is defined as 4% of global turnover. Since this becomes the benchmark of “Insurable Interest” for a company, if the actual policy for administrative fines is for less than 4% of global turnover, there could theoretically be an “Under-Insurance” of the liability.

Additionally the PDPA Risk is almost always a risk of “Consequential Loss” while the primary risk is one of a “Cyber Crime” arising out of information security failure. Hence the risks covered under the existing Cyber Insurance policies themselves expand to invoke the administrative fines under the PDPA unless they are specifically excluded.

In view of all the complexities that Cyber Insurance as well as PDPA risk insurance involve, the time has come for the industry to consider whether a major surgical change to the insurance law in India is needed, on the lines of what China has done, by giving up the principle of “Utmost Good Faith” in favour of a contract of “Honest Disclosure”.

Without this major change in Insurance law, it will be difficult for the industry to provide the required risk coverage to the industry arising out of Cyber Risks and PDPA risks.

Hope the IRDAI and the Government will take a look at this requirement.

In the immediate future, IRDAI has to try to establish some codes and practices that it can suggest to the DPA so that the insurance industry is able to adapt to the PDPA without much of a problem. If necessary, IRDAI should set up an expert committee for this purpose at the earliest.

One requirement that will arise if the insurance industry is unable to come up with a suitable product is for the other sectoral regulators to come up with a concept of “Peer to Peer Insurance” through the constitution of a “Data Insurance Fund”, on lines similar to the Deposit Insurance and Credit Guarantee Corporation in the banking industry. I will expand on this concept in subsequent articles.

Naavi

Also Refer:

Cyber Insurance Pricing.. Finextra


Posted in Cyber Law

PDPA Risk Insurance

India is on the threshold of a new legislation called the Personal Data Protection Act (PDPA-2020). One of the most striking features of this legislation is that organizations processing “Personal Data” in any form, including Government departments, will hereafter have to worry about a new kind of financial liability: the risk of being fined by the Data Protection Authority for “Non Compliance of the provisions of the Act”.

While the organizations that process the personal data need to be ready with the knowledge and preparations of how to stay compliant with the law, one of the solutions that every personal data fiduciary/processor in India would be looking forward to would be an Insurance policy with which they could get themselves covered.

It is possible to argue that the administrative fines that may arise from non-compliance with PDPA 2020 are a consequential loss of running the business and hence could technically be covered under current business insurance policies.

However, since the PDPA administrative fines were not envisaged when the policies were underwritten and the amount involved could be as high as 4% of the global turnover of the company, it is difficult for the Insurance companies to consider the risk covered unless a fresh endorsement is made and additional premium collected.

The organization will therefore have to take a view on which PDPA risks to insure: whether to restrict cover to the first party risk of administrative fines, or to include the third party risk of paying compensation to data principals.

The Insurance companies also need to structure a policy that suits the requirements of the PDPA.

We are certain that the Insurance Companies in India are far from thinking on structuring a policy for  PDPA risk coverage and it is possible that they will look to the west for re-insurance terms before they start underwriting the risks.

The PDPA risk coverage will be complex because the underlying asset is Personal Data which is intangible, goes through a life cycle of varying value, the asset ownership is unclear, losses are difficult to estimate, etc.  The fines arise if there is negligence in implementation of PDPA compliance and whether the insurance companies relish insuring negligence is a moot point.

May be there is a lot to debate in this field and the discussions have just started..

Naavi

Posted in Cyber Law

Print Version of the book on Personal Data Protection Act by Naavi

Naavi.org is glad to announce that the print version of the book Personal Data Protection Act (PDPA 2020) written by Naavi based on the Bill presently before the Parliament would be available shortly.

The book is released now before the passage of the Act with the objective of making some reading material available to the Parliamentarians who will be discussing the bill for passage and  also for all those persons who have to present their views to the Parliamentary Committee.

The book is being released in the next couple of days by the publishers at a market price of Rs 600/-.

A limited number of copies would be made available to the Naavi.org followers at a pre-order discounted price of Rs 450/- . This will be a limited period offer and would be available on request. Exact modalities of how the discount will be passed on would be provided to those who want to avail the offer.

This offer would also be available to all the students of Cyber Law College who have taken the courses through Cyber Law College or Apnacourse.com.

Requests may be sent by e-mail to naavi@naavi.org with the subject line “PDPA2020”

Naavi


Posted in Cyber Law

Calling attention of the Chief Minister of Karnataka and The Commissioner of Police

It has been reported yesterday that several robberies took place in the Nice Road. One of the persons who met the victims has filed the following report:

Quote:

Guys, there was an attempted robbery at knifepoint on me at Nice road a couple of hours ago. Thankfully, I could escape in time or I’d have lost everything.
After me, the thieves robbed 6 more people on the same stretch. One couple on an Activa, one couple on a Pulsar AS200 and one family in a car. The thieves had longs, daggers, sharp knives and other lethal weapons.

Multiple phones, debit and credit cards, gold ornaments have been stolen from those 3 other cases. Their vehicles have been damaged and their keys were thrown off as soon as they stopped them to rob them.

One guy has assault marks on his face, one girl was slapped hard, one more guy was at knife point while the girl with him escaped to the opposite side to shout for help.

I ripped and escaped from them and came to Hosur toll and informed authorities. Highway Patrol was sent out and the thieves were searched but in vain.

By the time I was done reporting this incident at the toll, the other 2 couples came in and reported their incidents. While we were talking to the authorities, a live news came in saying that a car glass was shattered using a long and the family was robbed.

All of us are at Electronic City police station right now to lodge FIRs on our respective incidents. Nobody is injured. All are safe. Only one guy was bleeding from his nose and head but it was minor.

This is to inform you all to be safe and DO NOT travel on NICE road at night. I have tweeted to Ashok Kheny on the safety measures and have informed my lawyer on the same. If at all any legal proceedings happen, I will keep you all updated.

I’m safe, the bike is safe, just in the nick of time and sheer luck and thinking.

Be careful….

Unquote:

This is a serious law and order situation that needs to be addressed by the Police and the Government immediately. The Karnataka High Court should take cognizance of the incident and order immediate remedial action.

The Nice Road is gated at both ends and there is CCTV surveillance at the entrance and exit. It is a “Private Road” owned and operated by a company, and the entire responsibility for the incident should be borne by the owners. It is necessary for the Police to immediately arrest Mr Ashok Kheny and hold him responsible.

The robbery could not have taken place without the connivance of the staff at either end of the tolls and all the staff members who manned the relevant gates should be questioned.

It is possible for the public to boycott Nice Road but this will create more traffic problems within the city.

Hence the Government should immediately take over the Nice Road from private management cancelling the maintenance contract and take necessary security measures including setting of police pickets at frequent intervals, CCTVs through out the road with proper lighting.

The High Court normally favours the contractor in such cases, but it should take a citizen-centric decision and ensure that the contractor is held responsible.

If somebody can file a PIL in this regard, it is welcome.

Will watch the developments to see how the Police handles this issue.

Naavi


Posted in Cyber Law