Increasing Focus emerges on ODR

Naavi has been in the forefront of promoting the concept of ODR. (Online Dispute Resolution). The full details of the service as recommended and ready for pilot implementation is available at www.odrglobal.in  . The concept of ODR that Naavi is promoting involves a virtual meeting place for conducting the interaction between the stakeholders and is backed by a back office support where required.

Naavi has been trying to convince the legal fraternity to adapt their dispute resolution approach to online mediation and arbitration using the ODRGLOBAL platform either partially or fully. Naavi also proposed a CDMAC (Cyber Disputes Mediation and Arbitration Center” exclusively for the Cyber Fraud related disputes.

The ODRGLOBAL platform was proposed as a pilot, ready to use and easily expandable project which other arbitration councils as well as the industry players could use.

However, this concept which is globally unique is yet to attract the attention of the users and remains one of the futuristic projects of Naavi to be implemented.

It appears however that the days of ODR are now slowly dawning on India with repeated calls being made for such a service in different context.

The Latest call has come from the Governor of Reserve Bank, Mr Shaktikanta Das who while delivering a lecture in NIBM, stated

“..we also need to address the existing inadequacies in customer service and benchmark it against international standards. Efforts in developing robust customer grievance redressal mechanisms to increase customers’ trust and confidence in payment systems will be continued.

The RBI in its recent document titled “Payment and Settlement Systems in India Vision 2019-20”, stated

There is need for harmonising the TAT (Turn around Time) of customer complaints and requisite chargebacks. Such time lines should be reasonable and also in alignment with the instructions issued in respect of customer liability for unauthorised electronic payment transactions. The Reserve Bank will be addressing the various facets in this regard, with the objective of optimal time lines expected to result in customer delight and certainty of conclusion.

Recourse to technology-driven dispute redressal mechanisms that are rule-based, transparent, customer-friendly and involve minimum (or no) manual intervention will be advocated / encouraged / appreciated.

The Highlevel committee on Deepening of Digital Payments headed by Mr Nandan Nilekani in its report released in May 2019 stated as follows.

As users go digital, they will expect a higher quality of service from digital payments. They will also expect better protection from fraud and risk. The committee recommends that payment systems use machine driven, online dispute resolution systems to handle complaints.

Additionally, the Data Protection Act as proposed (PDPA 2018) has under Article 39 stated as follows:

Every data fiduciary shall have in place proper procedures and effective mechanisms to address grievances of data principals efficiently and in a speedy manner…A grievance raised .. shall be resolved by the data fiduciary in an expeditious manner and no later than thirty days from the date of receipt of grievance by such data fiduciary.

Similar responsibility is cast on companies even under GDPR as well as the ITA 2000.

In all these cases of grievance redressal, easy access by the stakeholders and the quick resolution is feasible only through an ODR system and not otherwise.

Hence it is essential for the ODR mechanism to be made available in a professional manner.

An indication of the likely move by RBI was already available since ICICI Bank had recently started some activity in this regard and will come up with their system shortly. The other Banks like HDFC Bank need to follow suit without much delay thereafter to maintain their market position.

We can therefore see an enhanced activity in this regard.

The uniqueness of the ODRGLOBAL service that naavi has proposed is that the platform can be used for both mediation and arbitration and in the case of arbitration, a legally valid evidence of the proceedings can be kept with the CEAC certification of the proceedings under Section 65B of Indian Evidence Act 1872.

Organizations such as Arbitration Councils, legal firms, e-commerce companies etc who are desirous of partnering with Naavi in the ODR Global project are welcome.

Naavi

P.S: Proposals from technology startups interested in developing projects with Naavi are welcome to contact Naavi for collaborative development of these services.

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Bombay High Court Rules on E Mail usage

  • On May 3rd 2019, a State Gazette Notification was released in Maharashtra regarding the use of Electronic Mail Services by the Bombay High Court. The notification No P.0703/Rule/BHC is called “Bombay High Court Service of Processes by Electronic Mail Services (Civil Proceedings) Rules, 2017.

A copy of the rules is available here.

It may be recalled here that the Bombay Court in an earlier judgement in 2018 had suggested that courts can opt for modern ways of service. In this judgement the honourable judge had discussed the different modes of effecting substitute service of summons under Order 5 Rule 20 of the Code of Civil Procedure, and observed,

“…in sub-rule (i) and (ii), the substituted service means fixing the copies of the summons on different place as mentioned in the Rule. However, the sub-rule(iii) gives further option that the summons can be served in such other manner as the Court thinks fit. Thus, the manner which the Court opts for should be akin to the earlier mode of service, which is mentioned in the Rule. For this, the Court can take into account the modern ways of service which are available due to internet connection. It can be served also by courier or by email or by WhatsApp etc.

Similar views have been held by a few other Courts which are enamored by WhatsApp type of messaging applications and held that service of a notice through WhatsApp is acceptable and the “Blue Tick” is an acknowledgement etc. (Also see details here).

Now the Bombay High Court has gone one step further and amended the rules of the Court through a Gazette notification to adopt the service of notices through E mails. Accordingly the new rules dated 3rd may 2019 have been notified.

While we welcome the desire of the Court to adopt to modern means of communication, we would look at the notification to understand and analyze from academic view point whether it is in compliance with the law of the land or creates a rule that is ultra vires the law. If so, we need to also debate whether  it is desirable for the Courts themselves to ignore the compliance of law either by ignorance or specific  design.

Definition of E Mail

The notification defines an “Electronic Mail” as a store and forward method of composing, sending, storing and receiving messages in electronic form via computer based communication mechanism.

The “Electronic Mail service” is defined as a notice or any process of Court sent by electronic mail by an officer authorized in this behalf by the high court or the district court as the case may be, such communication emanating from an addres specified for the purposes of these Rules.

The definition is incomplete without reference to the definition of a “Computer” under ITA 2000 and a reference there of should have been made in the rules.

The definition is redundant since ITA 2000 defines “Electronic Form” and “Equivalence of a document in electronic form to a document in paper form” through section 4. Hence communication of an order which was permitted to be sent through paper mail is automatically valid when sent through an E Mail or any other form of electronic communication. No revision of procedure  was required.

No Mention of Authentication or Section 65B Certification

The rules donot make proper mention of “Authentication” of the mails  with the use of Electronic/Digital Signature and a need for Section 65B certification when a “Sent” communication is to be admitted as “evidence”.

It was necessary for stating that the Court officer besides the judge shall use a registered digital signature for the purpose of sending out the communication on behalf of the Court.

In case an electronic record is to be produced as evidence to prove that an e-mail has been sent or the e-mail has been received or that an e-mail has been returned un-delivered, whether through an e-mail system or a WhatsApp like system, it is necessary to produce such electronic document along with a Section 65B certificate for it to be admissible.

There is no mention of this requirement.

This is a clear non compliance of the law of the land.

Who determines the Validity of the E Mail address?

The rule also states that the petitioner who wants the notice to be sent to the counter party should file an affidavit stating the e-mail address of the counter party.

Sections 11 to 13 of ITA 2000 clearly lay down the rules regarding “Attribution” of an electronic message, the “Need for Acknowledgement if any”, “The time and place of sending or receiving of an electronic message” which interalia requires the contracting parties to “Designate” e-mail addresses for communication as part of their communication contract.

The procedures notified completely ignores the provisions of the ITA 2000 and defines its own rules.  A use of an e-mail for certain correspondences for prior communication cannot be used for legal communications after a dispute has reached the Court. This is fraught with risks and gives room for misuse.

The procedure suggested is akin to the sending of a mail by ordinary post and not like a mail sent by a “Registered Post” or “Registered Post Acknowledgement Due”…to the last known  address…but without  confirmation.

If the Court had adopted the use of Section 65B certificate for evidencing prima facie delivery, then the delivery would have some sanctity like in the case of registered/Registered acknowledgement due delivery of post or the use of a reliable courier service.

Use of the e-mail address on a website as the address to which notices can be sent is daisy since most websites may have an address such as “Info@…” or “Webadmin@…” etc. These may not be designated for the receipt of legal notices.

On the other hand, it would have been better if the Court had held that “Due Diligence” under Section 79 of ITA 2000/8 required a specific e-mail address to be designated as for legal notices.

The Court could have reiterated that under ITA 2008, it is mandatory for websites to designate a “Grievance Officer” whose contact address is to be mandatorily provided on the website. This would have been not only respecting the law as it exists but also could have supported a provision which many are ignoring.

I am aware that a PIL was also filed with the Bombay High Court itself that websites are failing to comply with this provision of ITA 2000/8 regarding provision of contact addresses, though I am not sure of the outcome. Hence the requirement under ITA 2000/8 in this regard was within the knowledge of the Court and it would have been good if this had been re-iterated.

It is noted that under rule 7, parties have been permitted to opt for the use of E-mail by consent which is understandable. Provision of email address could have been made a mandatory provision for filing any petition or reply to the Court.

The suggested protocol attempts to do this.

However in such cases option may have to be provided to some litigants not to use electronic  communication. This would be in conformity with the principle of natural justice.

No mention of Security

The suggested protocol is bereft of the security requirements. In fact it provides immunity for the court and its officers not to be held liable for any omission. Considering that the omissions are derogation of a statutory law, the responsibility of the Court and its officials should not be ignored.

Overall, the notification does not inspire the confidence that the rules have been framed after properly evaluating the provisions of ITA 2000/8 to the context.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Status of Cyber Insurance in India

Naavi has been one of the early proponents of Cyber Insurance in India. This site carries many articles in the past on the subject of Cyber Insurance (Refer here). Additionally, www.cyberinsurance.org.in  contains many of these articles in one place.

india_insurance_logo_2In 2015, Naavi.org initiated  a National survey titled India “India Cyber Insurance Survey 2015”, under “Mission Cyber Insurance” that we took up.   This survey was conducted with respondents being professionals in the Information Security domain and other professionals in IT companies and academics. The objective of the survey was to establish a bench mark of perception about Cyber Insurance in India which could be tracked later with similar surveys in the following years.

The survey gave good insights into the status of Cyber Insurance industry in India at a time none of the Indian insurance companies had actually introduced products offering coverage for liability arising out of Cyber Crimes. There were “Cyber Asset Insurance”, “Employee Fidelity Insurance”, “Errors and Ommission Insurance” which were often considered as Cyber Insurance. But real coverage of risks arising out of third party cyber crimes was not available. Few of the insurance contracts written at that time was basically on the reputation of the insured and did not take into account the “Risks” involved for which liabilities were to be covered.

The findings of the survey are available in a series of four articles here.

1.The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

2. The mystery land of Cyber Insurance-2: What is Cyber Insurance?

3. The Mystery Land of Cyber Insurance-3: Who should get Cyber Insurance Cover?

4. Cyber Insurance-4: The enigma called Cyber Insurance Premium

Naavi.org was not able to repeat the survey in the subsequent years to track the development. However, we are glad to know that DSCI has recently conducted a survey and released its report.

According to the DSCI survey,

    1. 350 cyber insurance policies have been sold till 2018, which is a 40% increse from overall base in 2017

    2. India’s yearly cyber premium market is around INR 80-100 crore (USD 11-14 million)

    3. IT/ITes and Banking & Financial services are the early adopters. The demand has increased because of Contractual requirements and GDPR. New demands from manufacturing, pharma,retail, hospitality,R&D and IP based organizations are observed.

    4. The premium amount ranges from USD 6500-8000 for a coverage of USD 1 million (0.65 yo 0.8%)

The report makes a mention that the threat surface in India is expanding due to increasing digitization . It is reported that India is the 2nd most affected country due to targetted attacks (for attacks between 2016-2018) and average cost for a data breach in India has gone up to INR 11.9 crores, an increase of 7.9% from 2017 with the average cost per record being Rs 4552.

During 2017-18 it is stated that the number of policies increased from 250 to 350 and  the coverage included First Party expenses such as  “regulatory Investigation and Fines”, Expenses regarding “Forensic IT Audit”, Stakeholder notifications, legal costs, credit monitoring, PR etc, third party liabilities as well as business interruption loss and Cyber thefts such as Fund transfer frauds, Cyber extortion etc.

Four insurance providers namely TATA AIG, HDFC Ergo, ICICI Lombard and Bajaj Allianz were indicated.

The challenges that confront the industry continue to be lack of awareness and understanding by the buyers and lack of acturial data for proper assessment on the part of the insurance providers.

Two of the companies namely HDFC Ergo and Bajaj Allianz were listed as companies offering personal Cyber Insurance. which was available from around Rs 50,000/- to Rs 10 crore. The Bajaj Allianz policy however offers a coverage with several sub limits for different types of losses. The HDFC Ergo policy offers a combined limit though the pricing is higher than Bajaj Allianz.

The survey also documents some strategic steps that may be taken to promote Cyber Insurance which we may discuss separately in subsequent articles.

A brief recount of issues listed for attention in the survey are as follows:

Government/Regulatory Bodies

-Creating awareness and ecosystem skills in cyber insurance policies

-Incentivizing SMBs through direct intervention or providing procurement benefits

-Providing Toolkits and Checklists

-Creating an ecosystem for cyber insurance to mitigate risks & improve resilience

-Mechanism for Data Breach Notification

-Creation of Cyber Incident Data Repository

-Promoting actuarial science for better modelling of cyber risks

Technology Firms

-Establish sector-specific cyber risk assessment framework

-Innovate to oer tailor-made products & services for cyber risk evaluation, forensics, incident response etc.

-Fortify capabilities

Brokers

-Spread awareness on essential coverage – create toolkits & checklists

-Support SMBs and startups, who wish to buy insurance policies

-Clearly articulate provisions under cyber insurance, and other insurance policies

Insured/Buyer

-Engage with a technology firm for cyber risk evaluation

-Before buying, important to create a ‘Cyber Insurance Committee’ that has representation from Insurance Purchase Group, Offices of CFO, CEO, CIO/CISO, CRO and CMO, for better decision making

Carriers (Insurance Providers)

-Fortify technological capabilities or engage with third party to conduct pre-breach cyber risk assessment and post-breach assessment

-Digitize for data-driven decision making

-Prepare for comprehensive inclusion of data privacy & protection to cover regulations such as GDPR, India’a Draft Bill on Data Protection etc.

Provide value-added services – customization, free counselling, trainings etc.

-Clearly articulate provisions under cyber insurance, and other insurance policies

Overall, it is good that DSCI has recognized the importance of building awareness about Cyber Insurance in the industry. Hope the initiative will continue.

Naavi will continue his efforts in this direction both through the awareness building through www.naavi.org and www.cyberinsurance.org.in. CyberInsurance.org.in was actually meant to be a platform for all stake holders in the Cyber Insurance domain to come together though it is yet to achieve this objective. Hopefully there will be greater awareness of Cyber Insurance and keener interest in the days to come.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

CERT IN should recognize that McAfee Products could be a Security Risk to India

Bitcoin battle has now assumed bigger dimensions and escalated into a “Cyber War proposition” mooted by one of the prominent Anti Virus and Security product manufacturer namely “John McAfee”.  It is not clear if Mr McAfee has any controlling interest today in the company but it is reasonable to expect that he would wield a significant influence over  the decisions of the company and perhaps on some of its loyal employees.

Additionally it appears that Mr McAfee has taken a leadership role in mobilizing hactivists to believe that there is a cause for which they should declare a war on India. Again it is not clear if the hactivists really consider Mr McAfee as a person whose words should be respected and they should launch an attack on India.

Nevertheless, as a Security Risk manager of India, CERT-IN cannot ignore the warning given by Mr McAfee that if India passes a legislation to ban Bitcoins in India, he is inviting a Cyber War against India.

McAfee is a company which was acquired by Intel in 2010 and later on spun off as a separate company.  In 2017,  an Asset Management Firm TPG (Texas Pacific Group) acquired controlling interest of 51% while Intel retained 49%.

It is possible that some of these private equity firms may be indirectly connected with John McAfee.

We recognize that McAfee is an independent professionally managed company today and is not influenced by the views of Mr john McAfee.

However, it is necessary for the company to clearly come out and disassociate itself with the statement of Mr McAfee and re affirm its commitment to fight Cyber Crimes and particulary, that it has no intentions to influence the decision of the Indian Government on Bitcoins.

McAfee as a company should recognize that sharing its name with Mr McAfee is a “Reputation risk” for the company and in situations like this, it is necessary for them to come out with appropriate assurances to the public that it is not in agreement with the call for a Cyber War on India given out by Mr McAfee.

I look forward to such a statement from the company. In the meantime, I request CERT-IN to send a notice to McAfee as a company asking them to clarify their views on the statement of Mr McAfee.

Until we receive a satisfactory response from the company, McAfee products should be put on watch since it is possible that  it may be used to plant Bitcoin mining trojans or other types of malware to harm Indian interests.

I request CERT IN also to come up with a suitable clarification in this regard. I also invite our MPs like Rajeev Chandrashekar and Tejasvi Surya to raise this issue in the Parliament to obtain clarification from CERT-In.

Naavi

 

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Dear John McAfee, If you declare war on India, be ready for retaliation

John McAfee who some times back  vowed that he would unmask the identity of Satoshi Nakamoto and said “Finding Satoshi is a piece of cake” has now declared “War on India” in support of Bitcoin.

Knowing the brilliance of this man, it is possible that he could have revealed the identity of Satoshi and perhaps not only been refrained from revealing the identity but turn a warrior for Bitcoin. Not sure if this indicates a good pay off from Satoshi sufficient to change his stance in favour of Bitcoin to the extent that he is declaring a “Cyber War” on India.

But it is unfortunate that the person who was well respected in India has chosen to be a “Deviant” and declare his hostility to India and declared a war against the country.

Following the information that India is considering a Bill to make Bitcoin transactions illegal and carry a 10 year imprisonment (Refer here), Bitcoin supporters have started behaving like Mamata Bannerjee after Modi’s victory in the elections.  CCN.com calls this an “Insane” proposal . Others have started a campaign to protect their interest to hold “Digital Black Money” . (Refer all news articles here).

Mr John Mcafee has gone one step forward and has invited “Anonymous” to declare a war on India. (Refer here)

It is obnoxious for a professional to behave in such open support of a system which is a “Currency of Criminals and Terrorists” and deserves to be shut down across the world.

This deserves to be condemned in strongest terms and countered effectively just like a ISIS call to dismember India.

Mr Arun Jaitely has already clarified that we are intending to ban Bitcoins and I hope there will be no re-thinking despite the pressures that Mr McAafee kind of people may try to mount on us.

Let Mr McAfee realize that we in India are committed to the removal of black money and consider Bitcoin as the biggest manifestation of black money. Those who hold and support Bitcoin or other private Crypto currencies are trying to hide behind excuses to preserve their ill-gotten black wealth.They are global money launderers. Hence action through law to eliminate Bitcoin from the system is very much relevant to us.

I have already suggested that Bitcoin should be considered as an instrument of global terrorism and we should ourselves declare a war on Bitcoin. I have also urged Mr Modi to crate a global consortium of like minded countries to take the Bitcoin ban as a global policy.

It appears that Mr McAfee has suddenly woken up to say that he wants the war to be fought against India and not against the terrorists who use Bitcoins as a currency for illegal drug trade, arms trade, financing of ISIS like terrorism etc. This is the typical “Urban Naxalite Mentality” that he is displaying and must be condemned in strongest terms.

Mr McAfee should respect Indian sovereignty and choice to remove the black money in all forms from the system and not try to undermine our rights to make our own law however unpalatable it is for him.

In the context of this threat held out by John McAfee, I request that the Government of India should take such steps as may be necessary to protect our interests including the following measures.

1.Expedite the passing of the Anti Crypto Currency Bill

2.Declare use and promotion of private crypto currencies as “Financial Cyber Terrorism” and all countries supporting the system as supporters of terrorist activities.

3.Vocal supporters like McAfee should be considered as equivalent of global terrorists like Masood Azar and black listed from doing any commercial transactions in India. If he enters India, he should be arrested and tried for terrorism and war against India.

4. I urge the Government to immediately stop all use of McAfee products because they may be used to hack into our systems and wage a war as declared by him

5. I urge RBI to recognize the risk that this declaration poses to the Indian Banking system and advise all Banks in India to stop using McAfee products.

5. I urge public to stop using any McAfee products not only to prevent them being used for hacking but also to build economic pressure on a Company which has declared a war on India.

I urge the Government of India to issue a notice to McAfee to clarify his “War Call” and mobilization of Cyber war force.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Leading Banks across the world Ban Bitcoin transactions

It was heartening to read an article in todaysgazette.com that “Leading Banks across the world are Blocking Crypto currencies” .

According to the report,

In the U.S., several banks have banned their users from using their credit cards to buy cryptocurrencies. The Bank of America, JP Morgan, Citigroup, Discover, and Capital One are freezing the accounts of users who try to use their credit cards to buy cryptocurrencies. Also it states that  VISA  severed its links with Wave Crest after Visa claimed that Wave Crest was not following its rules.

In the U.K., Lloyds banking group was the first to announce it was banning users from buying crypto with their credit cards, following which  the Bank of Scotland, Halifax, and MBNA also banned their customers from buying cryptocurrencies. Most banks are pointing out money laundering and high volatility, as among the top reasons for banning trades related to crypto.

In Asia, the Hong Kong and Shanghai Banking Corporation (HSBC), is also blocking users from carrying out any transaction related to Bitcoin or altcoins. In India, Banks have warned their customers against using their cards to buy cryptocurrency and threatened that customers who did not reveal the nature of their transactions will have their accounts closed and  terminate any account used to fund trades related to cryptocurrency.

These developments need to be taken note of by the Ministry of Finance under Mrs Nirmala Sitharaman so that an appropriate notification is issued to end the uncertainty in the Indian regulatory scenario. The MeiTy can also make a move on its own to ensure that the list of “Exclusions” indicated in Schedule 2 of ITA 2000/8 includes “Any Electronic document purporting to be a currency or legal tender”.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment