American Health Care Act 2017: Will it benefit Indian IT Companies?

India has a high stake in the American Health Care industry since there is huge IT spending by the Health Care and Health Insurance industry in the USA, which also gets reflected in the outsourcing market. It is for this reason that the HIPAA and HITECH Acts have been of interest to India as the prime Privacy and Information Security regulations which the Indian Business Associates of US Covered Entities were mandated to implement.

Even while the Indian industries are waiting for our own versions of HIPAA through the proposed Health Data Privacy and Security Act and the proposed Data Protection Act of India, HIPAA-HITECH Act provisions continue to be a “Best Practice Standard” for Indian companies exposed to Health Data which is classified as “Sensitive Personal Information” under Section 43A.

Hence any changes in the US Health Care market need to be closely monitored by Indian companies to assess the financial impact that these regulations may have on them. In this context the recent changes in US Health Care legislation need to be watched by the Indian IT industry.

One of the election promises made by Mr Donald Trump was to repeal the present Affordable Health Care Act (ACA) regulations referred to as “Obama Care” and replace it with better legislation. Now the US Congress has passed the “American Health Care Act 2017 (AHCA)”, repealing Obama Care and replacing it with “Trump Care”. It has to go through the formalities of being passed by the Senate before the President can proclaim it as a law.

Trump Care does not affect the HIPAA or HITECH Act provisions on Privacy and Information Security and hence it does not affect the HIPAA stakeholders, both in the USA and in India. Obama Care and Trump Care both address the Health Insurance industry and the extent to which the citizens of the USA should be provided with health insurance subsidized by the Government. Obama Care mandated “Health Insurance for All” and created an IT infrastructure for registration of individuals, for marketing insurance policies, etc. People were made to obtain insurance if their income was above a particular limit or pay a tax penalty. If they were below an income limit, the Government would subsidize their premium. The entire project created a large IT business in the USA, some of which must have benefitted Indian companies also.

Trump was of the opinion that Obama Care was not feasible and the insurance companies were increasing the premia to an extent that there would be an unreasonable burden on the Government. Hence he wanted substantial changes or a replacement of the old act with a new act.

Under the new AHCA, it is not mandatory for everyone to take Health Insurance. If somebody wants to take a new policy or renew a discontinued policy, where there could be pre-existing conditions, then the insurance agencies can charge a penal premium.

Also, the cut-off income for subsidization of premium has been brought down, reducing the incidence of subsidy in the country as a whole.

Further, there could be changes to existing policies, since the States could introduce options to leave out some protections.

All this means that there has to be a tweaking of the insurance-related data and a complete overhaul of many accounts.

This means that there would be another rush of IT work for making the changes in the accounts of individuals, removal of some from the subsidy scheme, changing the coverage, etc. Essentially it could be low-end data update work, part of which could be automated or managed by the customers themselves. However, the insurance companies need to revise their terms of insurance and hence IT work related to it would arise.

In summary, we can therefore say that the switchover from Obama Care to Trump Care would not affect the compliance requirements under HIPAA but may provide additional business for outsourced IT managers, subject of course to the new push for a larger domestic workforce which Mr Trump wants.

Naavi

Related Article in Foxnews



Wipro under Cyber Terror threat: “Breaking Bad” in action

It is a grim reminder of the hard times we live in that a threat has been made to WIPRO stating “If a ransom of Rs 500 crores is not made in “Bitcoins”, there would be a “Bio Attack” on Wipro employees through a poisoning of their food chain system or through a drone dispersion of poison through air”. The implication of the threat received by WIPRO seems to be that RICIN, a “Poison” extracted from castor seeds, would be used to cause extensive death within WIPRO.

I consider this not as an issue concerning only WIPRO. This is a Terror threat and the risks may extend far beyond WIPRO. Hence let us proceed to start an extensive debate on the subject, starting with this article.

What is the RICIN Threat?

“RICIN” is a natural extract from Castor beans and is said to be easily extracted from waste dumps of the castor oil processing industry. It can be transmitted through food, water, air or touch and causes death if ingested in a lethal dosage. There is no antidote or vaccine available to the public at this point of time for Ricin poisoning. But flushing out the poison from the system may help in the survival of the victim if undertaken quickly.

Ricin became a household name because of the popular TV serial “Breaking Bad” aired on US channels. In this serial, it was repeatedly referred to as a means of killing somebody without leaving a forensic trace in the body. It can be used as a powder, a mist, a pill or pellet, and can be dissolved in water and other liquids. This means that a person can contract Ricin poisoning via inhalation or ingestion or through touching a poisoned material such as a letter.

From the medical information available about RICIN poisoning, we understand that

The initial symptoms of Ricin poisoning depend upon both the degree and route of exposure. They may include fever, vomiting, nausea, severe cough, abdominal pain, diarrhea, dehydration and flu-like symptoms. Symptoms may occur 12-24 hours after exposure and death can be caused within 72 hours.

(Hence doctors do not have sufficient time to exhaust all “Tests” before deciding on the course of treatment and should not waste time in recommending tests of various kinds.)

Symptomatic poisoning requires to be treated by giving victims supportive medical care to minimize the effects of the poisoning. It is suggested that care could include such measures as helping victims breathe, giving them intravenous fluids, giving them medications to treat conditions such as seizure and low blood pressure, flushing their stomachs with activated charcoal (if the Ricin has been very recently ingested), or washing out their eyes with water if their eyes are irritated.

(This means that the patient should be immediately moved to a proper hospital and medical practitioners should avoid taking the risk of waiting for the symptoms to subside in the ordinary course.)

The medical fraternity may take suitable steps to spread awareness of RICIN poisoning and its symptoms to all medical practitioners.

Now let’s come back to the news report and what the Police can do following the reporting of the incident. The threat has come through an e-mail in the name of Ramesh2@protonmail.com, which obviously is a fake ID and requires effort to decipher.

Incidentally, the “Privacy” supporters who often cry foul whenever “Security” concerns are raised and swear by the ToR browser and the anonymization of internet communication should now realize the threat posed by such unhindered anonymity.

Similarly, the “Bitcoin” supporters also need to realize how “Bitcoin” has irrevocably become the currency of the terrorists.

Our security response to the incident should be comprehensive and address all direct and indirect issues that enable such terror threats to be held out even in future.

We may try to understand the full details of the information available in the public domain through this news report.

According to this report,

“The anonymous email has been sent to multiple recipients, including senior officials of the firm, on 5th May 2017 and claimed that if the Rs 500-crore payment was not made by May 25, the sender would attack Wipro offices in the city using Ricin. The email has reportedly stated that Ricin would be used through food served at the cafeteria, dispersed using a flying drone or even on the toilet seat or the toilet paper, etc.”

The sender has also reportedly claimed that he has isolated 1 kg of high-quality Ricin and would be sending 2 grams in envelopes to one of Wipro’s offices in the city in the coming days to prove that he was not bluffing. He has also cautioned the firm to be careful while dealing with his ‘sample dose’.

The email according to the report also contained the link to a news item about the mysterious death of 22 stray dogs at Baranagar in Kolkata, uploaded on the portal of a leading English news daily. The incident occurred on January 21 in Baranagar locality where the carcasses of 22 dogs were found on the road near a construction site. The sender claimed that he had isolated a high-quality, beta strain of the toxin and had tested it on those dogs.

Now it is reported that a case has been registered by Bangalore Police as “Cyber Terrorism” (Section 66F of ITA 2000/8). The threat to use a Drone to sprinkle RICIN is interesting, as it amounts to the use of a “Cyber Tool” to intrude into WIPRO territory without authorization. Additionally, the threat will also be considered a “Terrorist Act committed with the use of electronic documents” under other Acts. However, there is a need to ensure that the Police do not stop serious action after the registration of the complaint.

Considering the complexity of the investigations, there is a need to declare a “Serious Terror Threat Alert” across Bangalore, and a massive effort to be launched to identify the root of this e-mail threat.

In my opinion, the threat is serious enough to call the NIA and also invoke international cooperation forthwith.

It is recognized that the e-mail is a “Terror Threat” and those who have sent the e-mail and all their accomplices would face “Life Imprisonment”. If even one person dies from RICIN poison, then the sender of the e-mail and all his accomplices would face the “Death Penalty”.

In this context, there are several initiatives that the Bangalore Police need to take, some of which I try to list here.

  1. Police should first declare the implication of the case being registered as a terrorist act through a public notice in all TV channels and Press. It should be made clear in this notice that the e-mail threat is being considered as a “Terror Threat” and the perpetrators face the prospect of “Life Imprisonment” and “Death Penalty”.
  2. Police should also make it clear that any person who has information leading to the detection of the sender of the e-mail would be rewarded if he comes up with the information and shares it with the Police.
  3. Police should also make it clear that those who may have information about the sender of the e-mail and do not share it with the Police voluntarily will be considered “Co-Conspirators”, as “Preventing Law Enforcement from catching terrorists”, and would be considered guilty of the same offence, which has “Life Imprisonment” and “Death Penalty” as possible punishments.
  4. Police should also make it clear that “Persons who may have information about the sender of the e-mail” could be his friends, colleagues, family members and even the several service providers involved in sending of the e-mail which could include Protonmail.com since the e-mail is said to have been sent from an address “Ramesh2@protonmail.com”
  5. It is possible that the sender of the e-mail could be an “Insider”, and there is a reasonable probability that the threat might have come from a frustrated dismissed employee or a current employee who is disgruntled in some way.
  6. It is possible that it is only to create panic and the threat may not be executed.
  7. If the perpetrators are only disgruntled employees and not hard-core terrorists, the Police clarification that this is “Cyber Terrorism” may make them realize the enormity of the problem that they have unleashed on themselves (maybe out of ignorance).
  8. If the Police promise that any person who voluntarily gives himself up may be considered as “Not having the malicious intention to carry out the threat”, and that therefore charges under Cyber Terrorism would not be pressed, then perhaps the persons who have committed the offence, or any of their friends and family members who wish that the person would at least not be tried for “Life Imprisonment” or a “Death Sentence”, may be willing to surrender with information, even if they have to face the charge for a financial crime involving an “Extortion Threat”.

If the above strategy fails to make the sender of the e-mail come out within the next 24 hours, we should escalate the issue from the local police to the NIA and treat it as a national emergency.

CERT-In should also walk in today voluntarily to assist the WIPRO information security team, the local Police team as well as the NIA, and help form a multidisciplinary “Crisis Management Team”.

If the matter is left to the Police alone, there is a possibility that the investigation would drift. There will also be inter-agency rivalry and other issues that may interfere with quick resolution of the problem. The country cannot afford any such inefficiencies to affect this investigation.

Some of the actions that need to be taken in the context of this threat could be…

  1. We should recognize that though the threat has now been made to WIPRO as a financial ransom call, this could be used by a terror organization (such as ISIS) without a financial motive to cause indiscriminate loss of life.
  2. If so, this threat to WIPRO could be a diversion and the real attack may come elsewhere: it could be another IT company, another industry, a five-star hotel or any other large congregation of people.
  3. Action should be initiated to ensure that the organizers of any such large gatherings where there would be central food distribution are aware of the threat.
  4. Advisory should be selectively issued to all organizations managing centralized kitchens serving food to a large number of persons. The food managers of these establishments have to be called for an awareness briefing and security hardened across the State.
  5. The medical community in Bangalore and hopefully across the State should be alerted about the “Symptoms” and “Response to a suspected RICIN poisoning case”. It is generally understood that if a lethal dose of RICIN is ingested either through food or through air or skin, there is no antidote. However according to some medical advisory, an immediate attempt to remove the poison from the body could help. (Refer here for more details)
  6. We should be alert to other forms of RICIN attacks, through letters, etc., which have been reported earlier in the USA (Refer article in slate.com).
  7. India should immediately make a firm declaration that “Bitcoin” is a “commodity” that is banned in India and anyone who is in possession thereof must surrender it to the Government for exchange or face criminal action for possessing a “Banned Tool of Crime”.
  8. Police should alert all Castor oil processors to account for waste disposal and also identify whether any large stock of Castor Oil waste has been bought by any person and, if so, whether such purchase is linked to this threat (or could in future become another threat unconnected with this).
  9. There is a report that an antidote has been developed by the UK and US Military, though it might not have been properly tested on humans. The Indian Government should get in touch with these authorities and invite them to join the disaster management team with some stock of sample antidotes so that they can be used if necessary.
  10. There are many leads that the reported incident provides from which it should be possible to identify the sender of the e-mail even if he has used a proxy server. These cannot be discussed in a public forum. Also the Police investigators are much more intelligent than what observers like us can ever be and they should be already on their job. The only thing required is to give them a free hand in the investigation.
  11. I therefore reiterate that giving assistance to Cyber Police of Bangalore in all manner is the prime responsibility of any citizen of Bangalore who is alarmed by the threat.

There could be many other angles that need to be explored. But the key evidence lies with WIPRO, which is reportedly “Tightlipped” about the incident. While being “tightlipped” with the media is fine, WIPRO should voluntarily invite CERT-In and the NIA to join the probe immediately and share the evidence available with it. It should be ensured that no evidence is destroyed during the internal investigation, either by mistake or deliberately.

It would help the investigation if all available resources, national and international, are gathered for effective investigation. I call upon the PMO to advise the necessary agencies to set up a “Serious Cyber Incident Management Team” and proceed with the investigation.

As regards trying to persuade the offenders to surrender, even if the Police fail to issue their own public notification as I have suggested, this article published on the internet is a public notice. Hence any person having knowledge of the crime should consider themselves notified that they would be considered accomplices of the terrorist act if they do not immediately disclose information within their knowledge to the appropriate authority.

This is also friendly advice to the person who has sent the e-mail and his friends and relatives that if any of them come out voluntarily and disclose useful information, and/or surrender, the charges of “Cyber Terrorism” may either be dropped or may not easily be sustained in further trials, and they will face a lesser charge and lesser punishment than life imprisonment or the death penalty.

In particular, I request the family members and friends of the sender of the e-mail to either persuade him/her to surrender or voluntarily disclose his identity for his/her own good. If they have any difficulty contacting the Cyber Crime Police of Bangalore for this purpose, they are welcome to contact me for guidance.

I hope this incident will not materialize in all the ugly manifestations that it threatens. But there should be no complacency either, by WIPRO, CERT-In or other establishments including the State and Central Governments.

I am forwarding a copy of this article to the new CERT-In Director General and hope he would swing into action before the end of the day if he has not already done so.

Naavi

Also Refer:

Regarding the stray dogs killed

Beware of Cyber Stone Pelters


Update: 8th May 2017

The complaint has now been transferred from the Cyber Crime Police Station to Bellandur Police Station and the investigation is likely to continue as a terror threat in the physical space. It is likely to be treated as one of the many e-mail threats that float around.

The charges under Section 66F are likely to be replaced with Section 66C/66D along with sections from IPC and Unlawful Activities Prevention Act. There is no indication at present of the incident being treated seriously and hence no NIA angle is likely to be there.

Let’s hope that the threat remains a prank and does not escalate.


Update: 11th May 2017

Also see report in ISMG



Mr Jaitley should introduce tax reforms in “Pricing of Body Shopping Contracts” to counter US and Australian VISA restrictions

The US and Australia are talking of tightening their VISA rules to protect their domestic employment and in the process are hurting the profitability of Indian companies.

At this time it is necessary for the Indian Government to come to the assistance of Indian companies in such a manner that they are not unduly hurt by the unfair policies followed by the foreign Governments.

While the US and Australia will hurt India through their VISA policies, the EU will hurt India through its GDPR imposition, which will increase the cost of data processing in India. Cumulatively, the Indian IT industry is facing a challenge ahead which will be reflected in lower employment in the Engineering sector in the immediate future.

Initially, I was under the impression that the Indian IT companies may be able to convince their customers to “Work from India” which would have actually increased the employment potential here. It would also prevent the brain drain and hence I considered that the Trump measures would actually benefit India.

However, from my preliminary interaction with some software professionals, it appears that the existing clients in the US or elsewhere are unlikely to agree to the work being shifted to Indian centers as an outsourcing contract so that the cost structure in the existing contracts can be preserved. They would like the work to be done at the existing cost parameters, with the vendor absorbing the higher cost of VISAs or the higher cost of local employment.

This is unfair, but it is a factor which industry competition alone can resolve. But Indian companies do not seem to have the courage to take on their clients and would prefer to buckle under pressure. Considering the recent announcement that INFOSYS would create 10000 jobs in the US, it appears that these IT companies will not use this opportunity to increase employment opportunities in India. Instead they will become employment-creating agencies for the US and Australia.

It is therefore necessary for Mr Arun Jaitley to find some means by which incentives are created for Indian companies to create jobs in India, and disincentives for the IT companies preferring to work as job-creating agents for foreign Governments.

At the same time, we need to create incentives so that foreign companies interested in creating employment in India are encouraged.

If the objective is recognized and accepted, I am sure that Mr Jaitley can find the means of incentivisation and disincentivisation through his next budget to ensure that more IT jobs are created in India than are lost through the new immigration policies in the USA and Australia.

The EU has indicated a new principle whereby the “Global Turnover” is taken as the basis for imposing a penalty for a data breach or non-compliance with the GDPR regulations. If the EU can dip into the global activities of a company for a data breach affecting the privacy of EU citizens, we should take a cue and take cognizance of companies, both Indian and foreign, making profits by creating jobs in India or in their own country in a proportion that shows discrimination.

In general, if a company enters into a contract whereby work can be done by a workforce X, of which x1 is employed in India and x2 is employed in another country of the contractor’s choice, the global employment potential of the contract and how it is distributed between the two countries should be taken note of in imposing a “Balancing Tax”, so that the profitability of the contract is neutral to the distribution of employment expenditure between the two countries. If the global manpower expense under the contract is N, and n1 and n2 are the expenses in each country, then the “Employment Balancing Tax” should be levied on the company in the proportion in which the manpower productivity is distributed.

I am aware that the proposal may be considered bizarre, complicated and even be questioned under international treaties. But we need to make the US and Australia realize that we want to be fair in promoting free trade and only want the freedom to shift work to India if it is technically and functionally feasible.

Obviously, we cannot shift physical construction work from one country to another, but IT work can be shifted since today Virtual Workers can be as effective as physically present workers. The proposal is therefore directed more towards IT companies and IT contracts.

Hence I suggest that “Anywhere Employment” should be the basic theme of all international contracts and any contract which forces a skewed distribution of manpower should be considered as a violation of free trade principles.

All contracts will have a “Body Shopping” component where jobs can be created in either country without affecting the functionality of contract execution. We can therefore consider, as in the case of “Transfer Pricing”, subjecting all international “Body Shopping” contracts to some taxation-based control that brings a balance in employment creation between India and the contracting country.

Comments are welcome….

Naavi


Can Evidence be admitted even if obtained through illegal or improper means?

Recently, a question was posed to the undersigned about the acceptability of evidence when there is a challenge that the evidence was obtained through illegal means. Following is my reaction to the query.

There have been many occasions on which an Indian Court had to debate whether evidence can be admitted when it is brought to its notice that the evidence was obtained illegally. Most of these cases in the past have arisen on account of the Government tapping telephone conversations, and this has been challenged either as “Improper” or “Illegal”.

Illegality arises when the person has obtained evidence by deceit, stealing or, in the case of Cyber Evidence, by “hacking”. Impropriety may arise when there was a legal means and a procedure for collection of evidence which was not followed.

Obviously, it is easy to assume that “Procedural Irregularities” can be condoned, but human rights activists often raise objections when evidence has been obtained through illegal means.

The opposition to the Courts accepting illegally obtained evidence stems from the fact that it may violate the “Constitution of India”, the “Right to Privacy” and such other principles which are dear to some activists and even some Judges.

In many cases of matrimonial disputes, the spouses often plant spyware in the other spouse’s phone or computer and gather incriminating evidence. We had recently reported a West Bengal Adjudication verdict in which a husband was fined for violating the privacy of his wife when he extracted evidence supportive of his matrimonial dispute case by means which were held violative of the privacy of his wife.

There are also instances where some resort to hacking of Facebook or Gmail accounts to extract evidence.

In all such cases the counter party has a case against the party which has obtained evidence that it was obtained illegally and hence should not be admitted.

However, a series of Indian judicial decisions have held that evidence is admitted if it is “relevant”, even though it was obtained improperly or illegally.

Hopefully the matter is considered a settled view since according to this Business Standard Report, the Bench headed by Justice B.S. Chauhan has stated,

“It is a settled legal proposition that even if a document is procured by improper or illegal means, there is no bar to its admissibility if it is relevant and its genuineness is proved. If the evidence is admissible, it does not matter how it has been obtained,”

It must however be noted that once a person adduces some evidence, it is admitted evidence against him and can be used against him if required.

Hence when evidence is presented which has been obtained illegally, it is open to the Court to accept it and proceed with the trial in the subject case where it was presented as evidence. At the same time, a separate action may lie against the person who obtained the evidence in violation of some law.

Hence parties should weigh the pros and cons of presenting evidence obtained illegally before a Court. Police may however use the evidence during the preliminary investigation and for interrogation so that they may be able to unearth further evidence through legal means which can be used in the Court.

Considering the inconsistency that prevails in the Judicial system and the views of different judges, it cannot however be ruled out that Judges may selectively accept or reject evidence based on whether it was obtained improperly or illegally and the degree of illegality involved.

In some of the matrimonial cases referred to earlier (West Bengal Adjudication), the illegality was only restricted to the use of a shared password between husband and wife or “access to a system exceeding the authority provided by the owner” (Section 43). Such contraventions may be considered a “Technical Overreach” by one party and are unlikely to be a strong enough reason for rejecting the evidence (if it is relevant).

However, an operation like a “Sting Operation”, where inducements are thrown out to tempt a party to transgress the law (e.g. corruption cases), which is similar to operating “Honey Pots” or policemen trapping sex predators in chat rooms, could fall into the grey area of whether the evidence should be accepted or not, since this could be “evidence that is created by the person when it did not exist in the first place”.

Again, when evidence which is present somewhere (say a Computer or Mobile or a Private page of Facebook, an Encrypted Message, etc.) is extracted for presentation in a Court as defense in a case brought against the person who is presenting the evidence, it should be considered a legitimate reason for the evidence to be admitted, even if the manner in which it was obtained was not entirely above board.

In the case of offensive action based on such evidence, the Court may exercise its discretion as to whether the evidence was collected as it was already present and not created out of an inducement, and whether there was therefore a duty to bring out the truth before the Court about an offence already committed by the accused, for which the evidence was collected.

Comments welcome

Naavi

Also Read :

A Research report on the 2013 Law Commission report

1983 Law Commission report

Reference Article-1

Reference Article-2

Reference Article-3

Delhi High Court Judgement-2012 (Digambar Khattar Vs Union of India)


Data Processors in India should avoid entering into unenforceable contracts which may be termed “Fraudulent”

Globalization of Indian IT business has created many challenges for the Indian economy as a whole and in particular for certain domain-specific regulators. One such regulator who frequently finds himself in a bind is the RBI while regulating Foreign Exchange transactions. Over the years the strict regulations under FEMA have been diluted and great freedom has been given to the Indian public to purchase foreign exchange, to retain it abroad and to use it for specified purposes.

In the Free Trade environment, there are many instances where an Indian company enters into a business contract in which it commits itself to certain obligations which directly or indirectly are convertible to payment of compensation to a foreign company in foreign exchange. In the process the regulatory functions of the RBI get disturbed.

As long as the compensation is reasonable and is directly related to and is a part of the revenue proposed to be earned through the contract, it is a fair proposition.

However, in recent days, we know that “Indemnity” obligations under certain contracts far exceed in value the actual revenue gained from the contract. One example of this was the claim made on SIFY (before its merger with TechM) of US$ 1 billion for violations in its software development contract and failure to provide appropriate documentation for the beneficiary (UPAID) to obtain a valid Patent in the USA. This is reported to have been finally settled for US$ 70 million in the dispute resolution process.

TCS also faced a situation where a claim of US$ 940 million was made on it by a US company, Epic, for a data breach incident, which again must have been reduced to around $200 million in subsequent discussions.

Recently, Tata Group had to face litigation to meet its obligations under a contract with DOCOMO which involved payment of compensation in foreign exchange.

These are instances which indicate that companies end up confronting RBI when seeking foreign exchange remittance arising from a contractual obligation about which RBI had no inkling until the liability matured. Given the comfortable FE reserves at present, RBI may be able to meet the requirements without fuss, but it is bad in principle that RBI should be unaware of such liabilities until they fructify.

With the onset of GDPR, which speaks of a penalty level up to 4% of global turnover for a data controller/data processor coming directly under the jurisdiction of the EU, the rules of the game have changed. The EU companies will without doubt incorporate compliance obligations along with indemnity clauses in their contracts with Indian sub-contractors who are “Non EU Data Processors”.

Some Indian companies may come directly under the regulation if they are providing any services to EU citizens, including “Monitoring” the activities of EU data subjects. All other data processors in India who enter into a contract with any international data controller are also exposed to the indemnity liability by virtue of the contracts signed.

Some of these contracts may appear to emanate from, say, the US, but the US client himself may have a back-to-back processing contract with the EU countries, and hence the Indian companies have to cover themselves for the GDPR risk even in these contracts.

Hence the “Liability Risk arising out of data breaches, for Indian companies acting as Data Processors” is a universal risk that cumulatively adds up to several billion US dollars. It cannot be ignored.

Remember that the indemnity clause may simply say “..shall indemnify any loss caused to Party A by Party B not complying with the provisions of this contract..” (or equivalent) and not specify any limits.

We are therefore exposing ourselves to a risk of 4% of the global turnover of the international vendor, not limited to 4% of the turnover of the Indian company.

GDPR also allows the EU data subjects themselves to claim compensation from the subcontractors of a data controller, and hence some maverick may file a class suit against an Indian company for a mass data breach with a compensation claim running to billions of dollars.

In this context, we need to take a look at some of the clauses in the Model Standard Contract Clauses issued earlier by the EU, which were already part of some business process contracts or may now be incorporated in contracts renewed under GDPR under Article 46(2)(a).

Some of these clauses are as follows:

“…The data subject can enforce against the data importer this Clause, ….(Ed: when a remedy may not be easily available against the data controller)”

“…The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law”

“.. The data importer agrees and warrants:….that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract…” etc

Without going into further details, we can very well see that these contractual terms try to override the Indian laws.

We should not consider these to be normal clauses under a contract, where the jurisdiction for dispute resolution is normally switched from courts to arbitration or from one country to another. These clauses determine a liability which is “Indeterminable” at the time of signing the contract and on which the contracting parties may not have a “meeting of minds”.

Secondly, India has a financial regulation under which RBI regulates the flow of foreign exchange. While, in pursuance of the overall economic objectives of the country, RBI has provided for many free remittance options, some with mere reporting to or approval from an Authorized Dealer, remittances that may run to millions of dollars cannot be delegated to Authorized Dealers or brought under free contractual remittances.

Hence when a data processor company in India receives a notice from an EU regulator or a data controller to pay a few million US dollars as compensation, or to attend an arbitration which may eventually lead to a similar decision, even if the company has foreign exchange balances earned through its exports and held in approved foreign currency accounts (Exchange Earner’s Foreign Currency Account or EEFC), it cannot take a decision to make the payment without referring the matter to RBI.

The permissible debits to an EEFC account are as follows. (Refer here)

i) Payment outside India towards a permissible current account transaction [in accordance with the provisions of the Foreign Exchange Management (Current Account Transactions) Rules, 2000] and permissible capital account transaction [in accordance with the Foreign Exchange Management (Permissible Capital Account Transactions) Regulations, 2000].

ii) Payment in foreign exchange towards cost of goods purchased from a 100 percent Export Oriented Unit or a Unit in (a) Export Processing Zone or (b) Software Technology Park or (c) Electronic Hardware Technology Park

iii) Payment of customs duty in accordance with the provisions of the Foreign Trade Policy of the Central Government for the time being in force.

iv) Trade related loans/advances, extended by an exporter holding such account to his importer customer outside India, subject to compliance with the Foreign Exchange Management (Borrowing and Lending in Foreign Exchange) Regulations, 2000.

v) Payment in foreign exchange to a person resident in India for supply of goods/services including payments for airfare and hotel expenditure.

Permitted current and capital account transactions under FEMA are described below.

A Current Account Transaction is defined as a transaction other than a Capital Account Transaction, meaning all transactions which do not alter the assets or liabilities outside India of a resident, or the assets or liabilities in India of a non-resident.

Such transactions include:

-Payments due in connection with foreign trade, other current business, services, and short term banking and credit facilities in the ordinary course of business.

-Payments due as interest on loans and as net income from investments,

-Remittances for living expenses of parents, children, and spouse residing abroad,

-Expenses in connection with foreign travel, education and medical care of parents, spouse and children.

Capital Account Transactions are classified into two classes:

(i). Capital Account Transactions of person resident in India.

-Investment in foreign securities
-Foreign Currency loans raised in India and abroad
-Transfer of Immovable properties outside India
-Guarantees issued by a person resident in India in favour of a person resident outside India.
-Export, Import and holding of currency/currency notes.
-Loans and overdrafts (borrowings) by a person resident in India from a person resident outside India
-Maintenance of foreign currency account in India and outside India by a person Resident in India.
-Taking out an insurance policy from an insurance company outside India.
-Loan and overdraft to a person resident outside India
-Remittance outside India of capital assets of a person resident in India.
-Sale and purchase of foreign exchange derivatives in India and abroad and commodity derivatives abroad

(ii). Capital Account Transactions of person resident outside India.

(a) Investment in India by way of Issue of securities by a body corporate or an entity in India and investment therein by a person resident outside India; and
Investment by way of contributions by a person resident outside India to the capital of a firm or proprietorship concern or an association of person in India.

(b) Acquisition and transfer of immovable property in India in favour of, or on behalf of, a person resident in India.

(c) Guarantee by a person resident outside India in favour of, or on behalf of a person resident in India,

(d) Import/export of currency/currency notes into/from India by a person resident outside India

(e) Deposit between a person resident in India and person resident outside India.

(f) Foreign Currency Accounts in India of a person resident outside India

(g) Remittance outside India of capital assets in India of a person resident outside India.

All payments in foreign exchange other than what is mentioned above require “Prior Approval” of Government of India.

However, in the case of liabilities arising out of the Standard Contractual Clauses in a data processing contract, a company approaches the Government or RBI with a post-facto request that it has to remit foreign exchange, and RBI or the Government will be in a dilemma over how to deal with this fait accompli.

In my opinion, a company entering into a contract, knowing fully well that it does not have prior approval of the Government for the contingent event in which performance of one of the contractual clauses arises, amounts to entering into a “Fraudulent Contract”.

It is neither enforceable by the Data Controller nor is it executable by the Indian data processor.

Should we place our Indian companies in such a situation? There is a need for NASSCOM and the Government to ponder over the issue.

On my part, I suggest that companies ensure that the contracts are all made “Subject to laws prevailing in India”. In other words, contracts should include a “GDPR Exclusion Clause” where

a) the liabilities are limited to a particular amount for which the Company should have a prior permission from the Government or

b) Liabilities are subject to the laws in India including FEMA.

I am sure that the business managers will raise a hue and cry on rejecting the standard contractual clauses suggested by the clients and the corporate legal advisors may be brushed aside.

However, from the compliance angle, I would advise the legal advisors and compliance managers to raise an alert so that the top management takes a decision based on its risk appetite. The CFOs and the financial auditors should qualify the accounts, for both balance sheet and SEBI purposes, to the effect that “Certain liabilities committed by the Company are not quantified and not provided for”.

Alternatively, NASSCOM, RBI and the Finance Ministry need to sit together and find out a solution. Presently, it is a good time to find a solution through the proposed Indian Data Protection Act which is under drafting by the Ministry of IT in consultation with NASSCOM. This law will introduce a super regulator for data protection who may be called the “Data Commissioner of India” who will be responsible for all “Data” processed in India.

ITA 2000/8 tries to provide protection for data from the perspective of an Indian data subject whose personal and sensitive personal information is processed by an Indian company. It indirectly addresses the rights of international bodies by providing that “Reasonable Security Practice” under Section 43A is as defined in a contract between the data subject/data controller and the data processor. This will enable an international data controller to seek remedy for his losses under ITA 2000/8 when there is a breach of the contractual terms of security. This opens a door for the indemnity clause to be enforced with the support of the Indian judiciary (Adjudicator).

The proposed Data Protection Act of India may go a step further and make all data processors in India subject to a registration/licensing process with the Data Commissioner. This office can, if necessary, also be made responsible for vetting data processing contracts and ensuring that there are no inherent conflicts.

Alternatively, the Data Commissioner of India should be given a mandatory power by which no legal action can be initiated against a registered data processor in India without the permission of, or intervention of, the Data Commissioner. In such a case this office will act as a filter between the Indian data processors and the foreign data controllers/data subjects and ensure that no unreasonable liability suit is foisted on Indian companies.

I request the MeITy, NASSCOM and RBI/Finance Ministry to quickly start negotiating on this matter before the law is frozen (before October as the Government has indicated).

An opportunity missed now will be an opportunity lost for ever.

Naavi

Posted in Cyber Law | Leave a comment

Petrol Bunk Chip Scam is a Cyber Crime


Police in Lucknow have raided several petrol bunks which were using a chip inside the dispensing unit to dispense less petrol than metered and systematically siphon off about 50 ml for every litre of petrol sold.

This is similar to a fraud discovered some time back in Bangalore where auto meters were tampered with a chip which made the meters run faster than they should.

In fact the Chinese are known to have mastered the “Manchurian Chip” fraud, whereby they insert chips inside computers for the purpose of creating a backdoor. This was confirmed earlier by Scotland Yard in POS machines where credit card information was being stolen and forwarded from the UK to China.

Refer to this article of 2008

Both these cases are clearly “Tampering with a Computer device” and amount to a cyber crime under Section 66 of ITA 2000/8, besides other sections of the IPC.

So far it appears that the Police are hunting only for the person who fitted the chip in the bunk. They need to actually arrest the petrol bunk owners, who are the financial beneficiaries of the fraud.

It is possible that some of them might have removed the chip by this time. However, if the petrol purchase and sale quantities are audited and reconciled over a period, it is possible to observe whether the total quantity sold exceeds the petrol purchased by the bunk, and this should be sufficient to book the owners for a criminal offence both under ITA 2000/8 and also under the Income Tax Act for suppression of income.

I hope the Police will act in this direction.

Naavi

Posted in Cyber Law | Leave a comment