58 Million Records compromised in USA…. ICICI Bank may need to issue a disclaimer

An unprotected open-source database belonging to Modern Business Solutions (MBS) of Austin, TX is reported to have exposed between 58 million and 258 million customer records because of a faulty security configuration. The report does not describe a break-in: the database was simply reachable from the internet without any access control.

According to this report from riskbasedsecurity.com, the firm provides a cloud-based data management platform called Hardwell Data that allows its customers to collect, store and transfer data records regardless of format, including a cloud-based hosting system for databases. It is stated that the IP address of the insecure database was found through an internet search and shared within a small group of friends, which ultimately resulted in the mega data breach.

Leaked information included names, IP addresses, birth dates, email addresses, vehicle data and occupations.

It is understood that the database has now been secured and is no longer accessible. That a production database could be found by a casual internet search and read without a password confirms that the breach was the result of gross negligence by the firm's information security managers.

While the IS professionals look at the problem from their perspective, there is another angle to the whole episode.

“Modern Business Solutions” is a common name used by many businesses and websites, many of them in India. At least one of them is known to provide services to ICICI Bank. It is quite possible that the MBS of Austin has no connection with the company that has a business relationship with ICICI Bank.

However, as a part of the “Compliance Requirements”, it is necessary for ICICI Bank to come out with a public disclaimer that there is no business relationship between the MBS of Austin, TX and the Bank and no data of any Indian is involved in the data breach.

The same advisory holds good for all business entities in India that deal with any company called “Modern Business Solutions”: they should issue the necessary disclaimers. Companies that are “lookalikes” of the breached firm also need to issue their own disclaimers.

For the future, every company should consider using the services of “www.lookalikes.in” so that when such reputation loss occurs on account of a shared name, its own customers feel reassured.

Naavi

Posted in Cyber Law

Attention Mr Modi: Make this year’s “Digital Society Day” memorable

October 17 is a special day in the digital history of India, since it was on this day in the year 2000 that India first gave legal recognition to electronic documents by notifying the Information Technology Act 2000. Since then the lives of many IT professionals in India have changed for ever. Along with the recognition of electronic documents came digital/electronic signatures and a whole set of business opportunities around them. Cyber lawyers saw a new field of activity emerging, and professionals in law enforcement had to recognize the new domain of cyber law enforcement. E-Commerce, E-Governance and E-Banking in particular have also contributed millions of job opportunities that can be attributed directly to the notification of ITA 2000 on October 17, 2000.

Now under the leadership of Mr Modi, India is talking of a new era of digital progress beyond e-commerce and e-Governance. We are deep into mobile commerce and the use of Aadhar as a universal digital ID. Smart Cities and IoT devices are slowly becoming part of our lives. Electronic circuits are part of many of our day-to-day gadgets, including wearable watches, cars, washing machines etc.

Along with these developments in technology, cyber crimes are also increasing and the Police are under constant challenge to tackle these new-age crimes.

In such an environment, it is the duty of every one of us who has been directly or indirectly affected by the advent of Cyber Laws in India, laws which turned Citizens into Netizens, to commemorate October 17 with the respect it deserves.

I therefore urge all Cyber Professionals to conduct their own special activities on this October 17 to just remember that this is the day when the “Digital Society of India” was born.

If you are in an educational institution, call your students and hold an awareness meeting.

If you are in a Company, have an “ITA 2008 Compliance Meeting”.

If you are a Bar Council member, call a meeting to discuss “Cyber Laws in India”.

If you are in the Police, conduct a meeting of your subordinates and increase the awareness of Cyber Crimes….

If you are in Indian Defense, develop an awareness of the world of Cyber Wars…the next war will be dominated by Cyber attacks.

And if you are Mr Narender Damodar Das Modi, call a cabinet meeting and make the Cabinet colleagues aware of the importance of developing and managing a “Cyber Law Compliant E Governance system”.

…………Just as “International Yoga Day”, the “Digital Society Day” deserves to be commemorated.

Naavi

Posted in Cyber Law

“Don’t BYOD” will be the new norm..

Over the last few years, tech enthusiasts have been encouraging BYOD, or Bring Your Own Device, as a concept in the corporate environment, firstly to reduce costs and then to give employees the convenience of working seamlessly both in the office and outside it. Over time, some have even started suggesting “Bring Your Own Cloud”, encouraging employees to use their own cloud storage even for the corporate data assets they handle.

However, security professionals have always raised a red flag against such innovative measures, since a device the company does not own or fully control makes protecting the confidentiality of corporate information a security nightmare.

Companies have tried to manage the issue with a network access control that checks the integrity of the device every time it connects to the corporate network. But this is hardly sufficient against the risk of deliberate or inadvertent misuse of the device while it is connected to other networks at home or in public, or of stealthy malware sneaking in during that time. The only control most companies rely on for this is an up-to-date anti-virus, which may itself be updated only when the device is on the corporate network, and which in any case cannot stop a zero-day malware that gets in between two working days while the device is off the corporate network. A posture check at the point of connection can detect that the anti-virus signatures or patches are stale and quarantine the device, but it cannot undo whatever happened while the device was away.

Now the risks are expanding as mobile phones become smarter than they should be. There is malware known to activate the microphone or camera, record conversations in the vicinity and send them out over the network to a command and control centre for further exploitation. Companies have countered this by trying to ban the use of mobiles in some sensitive operational areas, though many employees ignore such precautions.

Now, in an interesting security measure, the UK Government has banned the wearing of the “Apple Watch” in cabinet meetings, since it is considered a spying threat.

Read the Article here

In the corporate world, “wearables” are the next craze, and one can see all the top executives looking smart with smart wearables that monitor their health and substitute for the mobile in some functions such as checking messages. There is no doubt that today most of us check the messages on our mobile more often than we check the time on our watch, and hence it makes sense to display the messages on the wearable watch.

But it is time to recognize that companies need to start discouraging employees from bringing too much gadgetry into the sensitive corporate environment, as it puts security at risk. At the same time, “wearables” should be added to the list of BYOD devices that are monitored on the corporate network, subject to the same enrolment and posture checks as laptops and phones.
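To make the two points above concrete, the following is an added example, not code from the original post or from any vendor product: a small device posture check of the kind a network gatekeeper would run every time a personally owned device (laptop, phone or wearable) connects. It treats a device with stale anti-virus signatures, stale patches or too many days away from the corporate network as a device that must be quarantined rather than admitted, and refuses phones and wearables altogether in a sensitive zone. All field names, thresholds and the sample device records are assumptions constructed for illustration.

```python
"""Device posture check for BYOD network admission.

Added example (not from the original post). The policy thresholds,
record fields and sample devices are assumptions for illustration,
not any vendor's product or any particular company's policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class DevicePosture:
    """What the endpoint agent (or MDM) reports at connection time."""
    device_id: str
    owner: str
    device_type: str                      # "laptop", "phone" or "wearable"
    av_signature_date: Optional[datetime]  # None: no anti-virus agent reporting
    os_patch_date: datetime               # date of the last OS patch applied
    last_corporate_checkin: datetime      # last time the device was seen on the corporate network
    mdm_enrolled: bool                    # enrolled in the company's device management


# Policy knobs (assumed values): how stale is too stale.
MAX_AV_SIGNATURE_AGE = timedelta(days=2)
MAX_OS_PATCH_AGE = timedelta(days=30)
MAX_OFF_NETWORK_GAP = timedelta(days=5)
SENSITIVE_ZONE_ALLOWED_TYPES = {"laptop"}   # no phones or wearables in sensitive areas


def evaluate(device: DevicePosture, now: datetime,
             sensitive_zone: bool = False) -> Tuple[str, List[str]]:
    """Decide 'allow', 'quarantine' or 'deny' for one device, with reasons.

    'deny' is for hard policy violations; 'quarantine' admits the device only
    to a remediation network (AV update, patching) until the findings clear.
    """
    # Hard stops first: an unmanaged device cannot be posture-checked at all.
    if not device.mdm_enrolled:
        return "deny", ["device not enrolled in MDM"]
    if sensitive_zone and device.device_type not in SENSITIVE_ZONE_ALLOWED_TYPES:
        return "deny", [f"{device.device_type} not permitted in sensitive zone"]

    reasons: List[str] = []
    if device.av_signature_date is None:
        reasons.append("no anti-virus agent reporting")
    elif now - device.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append("anti-virus signatures stale")
    if now - device.os_patch_date > MAX_OS_PATCH_AGE:
        reasons.append("OS patches older than 30 days")
    # The gap the post worries about: days spent on home/public networks
    # with no corporate control. We cannot know what happened; we can only
    # refuse to trust the device until it has been re-checked.
    if now - device.last_corporate_checkin > MAX_OFF_NETWORK_GAP:
        reasons.append("device off corporate network for more than 5 days")
    return ("quarantine" if reasons else "allow"), reasons


# Constructed sample records (assumed data, not real devices).
NOW = datetime(2016, 10, 12, 9, 0)
SAMPLE_DEVICES: Dict[str, DevicePosture] = {
    "lap-01": DevicePosture("lap-01", "asha", "laptop",
                            datetime(2016, 10, 11), datetime(2016, 10, 1),
                            datetime(2016, 10, 11), True),
    "lap-02": DevicePosture("lap-02", "ravi", "laptop",
                            datetime(2016, 10, 5), datetime(2016, 10, 1),
                            datetime(2016, 10, 5), True),      # a week away, AV stale
    "phone-03": DevicePosture("phone-03", "meera", "phone",
                              None, datetime(2016, 9, 30),
                              datetime(2016, 10, 11), True),   # no AV agent on the phone
    "watch-04": DevicePosture("watch-04", "karan", "wearable",
                              None, datetime(2016, 9, 1),
                              datetime(2016, 10, 11), False),  # never enrolled
}


def run_samples(sensitive_zone: bool = False) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every sample device and return the decisions keyed by device id."""
    return {dev_id: evaluate(dev, NOW, sensitive_zone)
            for dev_id, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for zone in (False, True):
        print("sensitive zone" if zone else "general office")
        for dev_id, (decision, reasons) in run_samples(zone).items():
            print(f"  {dev_id}: {decision} {reasons}")
```

The design choice worth noting is that the gatekeeper never tries to decide whether the device was actually compromised while it was away; it only measures how long the device has been outside the company's control and how old its defences are, and quarantines on that basis. That is as far as a point-of-connection check can go, which is exactly why the post argues for limiting what is brought into sensitive areas in the first place.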

When ITA 2008 undergoes the next revision, perhaps the Government needs to recognize the cyber crime threats arising out of such gadgets as part of the Cyber-eco system it should protect through legislation.

Naavi

Posted in Cyber Law

Consumer Protection Bill 2015- Some Thoughts 5-What’s in It for Business?

(This is a continuation of the series of articles on this subject)

Article1 : Article 2 : Article 3: Article 4 : Article 5

(Easy to Read copy of the Bill)


What’s in It for Business?

The first impression about a new and improved “Consumer Protection Act” set to come into India with the likely passage of the Consumer Protection Bill 2015 in the coming Parliament session is that it is meant for activists and lawyers and of course the small set of vigilant consumers.

However, it must be remembered that the proprietor or business owner who is at the receiving end of a strong consumer protection legislation is himself one of the consumers who want a strict Consumer Protection Law. There is no need to presume that he is always interested in cheating the customer to make money; after all, not all businessmen are dishonest and greedy. The new Consumer Protection Bill 2015 (CPA2015) will therefore be of great interest to businessmen, and particularly to those professionals working in large business houses that conduct business offline and online. It is relevant not only to Hindustan lever or Nestle or Colgate or Pathanjali, but also to Flipkart, Snapdeal, Amazon and others.

We shall therefore look at the CPA2015 from the “Compliance” angle and try to identify some focus areas for the business. (Refer to the copy of the Act here whenever needed).

Penalty

Let us first look at the “penalty” clause in the Act.

As per Clause 79 of the CPA 2015,

(1) Where a trader or a person against whom a complaint is made or the complainant fails or omits to comply with any order made by the District Commission, the State Commission or the National Commission, as the case may be,

such trader or person or complainant shall be punishable with imprisonment for a term which shall not be less than one month but which may extend to three years,

or with fine which shall not be less than ten thousand rupees but which may extend to fifty thousand rupees, or with both

(2) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, the District Commission or the State Commission or the National Commission, as the case may be,

shall have the power of a Judicial Magistrate of the first class for the trial of offences under this Act, and on Conferment of such powers, the District Commission or the State Commission or the National Commission, as the case may be, shall be deemed to be a Judicial Magistrate of the first class for the purpose of the Code of Criminal Procedure, 1973.

(3) All offences under this Act may be tried summarily by the District Commission or the State Commission or the National Commission, as the case may be.

It is to be noted that both civil and criminal liability attach to non-compliance, and that the authorities entrusted with adjudication have magisterial powers and decide matters on a summary basis. The scope for dragging out the case and harassing the complainant is therefore limited, and businesses cannot take the consequences lightly.

Product Liability

Chapter VI of the Bill states that the “manufacturer” or “producer” of product shall be liable for any product liability action if the claimant establishes all of the following by a preponderance of the evidence.

(a) the product contains a manufacturing defect or there is a deviation from manufacturing specifications;

(b) the product is defective in design;

(c) the product failed to contain adequate instructions of correct use to avoid danger or warnings of the improper/incorrect use;

(d) the product did not conform to an express warranty with respect to the product made by the manufacturer or product seller;

(e) the defendant was the manufacturer of the actual product that was the cause of harm for which the claimant seeks to recover compensatory damages; and

(f) the dangerous aspect of the product was the proximate cause of the harm suffered by the claimant.

The Product Seller will be liable for product liability action in the following circumstances.

(i) the product seller exercised substantial control over the aspect of the design, testing, manufacture, packaging, or labelling of the product that caused the alleged harm for which recovery of damages is sought

(ii) the product seller altered or modified the product, and the alteration or modification was a substantial factor in causing the harm for which recovery of damages is sought

(iii)the product seller made an express warranty as to such product independent of any express warranty made by a manufacturer as to such product, such product failed to conform to the product seller’s warranty, and the failure of such product to conform to the warranty caused the harm complained of by the claimant;

(iv) the claimant is unable, despite a good faith exercise of due diligence, to identify the manufacturer of the product

(v) the manufacturer is not subject to service of process under the laws of the State; or

(vi) the court determines that the claimant would be unable to enforce a judgment against the manufacturer:

From the above, it can be deduced that sellers of products imported from abroad such as the ubiquitous Chinese products could be liable for product liability since either the manufacturer cannot be identified or cannot be sued.

A Product seller other than the manufacturer may also be liable on the basis of negligence if the seller did not exercise reasonable care in assembling, inspecting or maintaining the product or in passing on warnings or instructions from the manufacturer about the dangers and proper use of the product (Provided that failure to exercise such reasonable care was a proximate cause of the harm).

It is to be noted that a “Complaint” under the CPA 2015 may be made for

a) Unfair Trade Practice

b) Defects in the product or Deficiency of Service

c) Excessive charging

d)Unfair contract entered into

and sale of hazardous and unsafe products as well as violation of safety standards if any.

Any act of withholding relevant information from the consumer could be considered as a “Deficiency” of service and any statements made on the internet or website could be considered as “advertisement”. Any aspects of warranty or promise contained in the communication with the consumer which is known to be untrue would constitute an “Unfair Trade Practice”.

The possibilities of deliberate and not-so-deliberate mis-statements normally arise because many products require the additional services of “Installation” and “Demo”, which are sometimes handled by third-party contractors who have no loyalty either to the brand or to the selling outlet, and product liability could arise out of the actions of these “agents”.

The manufacturers as well as the reputed retailers who have their own brand positioning need to ensure that the agents representing them are well trained and informed to avoid any type of mis-communications or over charging or damage or harm to the consumer at the time of installation.

The retailers conducting “Festival Sales” and the online companies running special campaigns such as “Big Billion Sales” often hire temporary employees during the peak sales time who are untrained and unprofessional. Actions of such persons could create liabilities to the suppliers if properly pursued by a vigilant consumer.

It is also essential for all manufacturers and suppliers to put in place a proper “Grievance Redressal Mechanism” which could act as a cushion to soften any adverse impact of deficient service/defective product.

The CPA2015 suggests its own mediation process but it is possible for the product manufacturers/sellers to squeeze in a dispute resolution mechanism before the mediation process or action from the dispute redressal agencies envisaged under the Bill can be invoked. This is mandatory for the online service providers under ITA 2000/8 and should be useful for others too. Such alternate dispute resolution mechanism can be an “Ombudsman” or “Mediation” or “Arbitration”.

If a consumer gets a reasonable redressal of grievance under these service provider’s dispute resolution mechanisms, the adverse impact of the mediation as envisaged under the Bill could be reduced.

Naavi

Posted in Cyber Law

Consumer Protection Bill 2015-Some thoughts-4

(This is a continuation of the series of articles on this subject)

Article1 : Article 2 : Article 3: Article 4 : Article 5

(Easy to Read copy of the Bill)


Scope of CPB2015

The reasons for which a Consumer can invoke the protective provisions of the Act are indicated in the definition of “Complaint”. They are:

  1. “Unfair Trade Practice”
  2. “Defect in the Product”
  3. “Deficiency in Service”
  4. “Over charging”
  5. Selling of “hazardous” goods
  6. Providing of “hazardous services”, and
  7. “Causing loss through unfair contract”

A “Consumer dispute” is recognized when the person against whom a “Complaint” has been made denies or disputes the allegations contained in the complaint.

For a valid complaint therefore it is necessary for the complainant to show a cause of action under any of the parameters indicated above and also that the dispute has been raised with the seller who has refused to redress the complaint.

The parameters indicated above have been defined in detail in the Act and can be discussed separately.

Similarly, the procedures for lodging a complaint may also be discussed later particularly when the rules are available.

Naavi

Article1 : Article 2 : Article 3: Article 4

Posted in Cyber Law

Consumer Protection Bill 2015-Some thoughts-3

(This is a continuation of the series of articles on this subject)

Article1 : Article 2 : Article 3: Article 4 : Article 5

(Easy to Read copy of the Bill)


The Dispute Resolution Mechanism

The main objective of CPB 2015 is to ensure that the Consumer has an effective means of redressal of his grievance. For this purpose, the Act tries to establish a comprehensive dispute resolution mechanism.

In the Consumer Protection Act 1986, the following Dispute Resolution system existed:

  1. Central Consumer Protection Council
  2. State Consumer Protection Councils
  3. District Forum (Consumer Disputes Redressal Forum at the District level)
  4. State Commission (Consumer Disputes Redressal Commission at the State level)
  5. National Consumer Disputes Redressal Commission

In the CPA2015, the Dispute Resolution System has been significantly expanded and includes the following:

  1. Central Consumer Protection Council
  2. State Consumer Protection Council
  3. District Consumer Protection Council
  4. Central Consumer Protection Authority
  5. District Commission
  6. State Commission
  7. National Commission
  8. Consumer Mediation Cell

The objectives and constitution of the Central Council and State Council are similar to the present set up.

Additionally, a District level Consumer Protection Council has now been proposed with the Collector as the Chairman. It will have objectives similar to the other councils at the district level, which will be to promote and protect the rights of Consumers.

The Central Consumer Protection Authority (CCPA)

Another new feature of the CPA2015 is the proposal to establish the office of a “Central Consumer Protection Authority” (CCPA), whose objective will be to promote, protect and enforce the rights of consumers. A Commissioner of the rank of Secretary to the Government would be appointed. He will be assisted by five Deputy Commissioners.

There is a provision in the proposed law for a person of eminence in public or social life with requisite credentials and professional experience of not less than 15 years in the areas related to consumer’s rights and welfare, consumer’s policy, law, economics, business,commerce or industry to be appointed as the commissioner or Deputy Commissioner.

It is expected that at least some of the posts of Deputy Commissioner could go to non-Government persons, but it is unlikely that the post of Commissioner would go to somebody other than an existing or former Secretary of the Government. However, the thought that this post is kept open for an eminent person, if one is available, is considered good.

The office of the CCPA will be located in Delhi.

The CCPA will have authority:

(i) to inquire suo motu or on a complaint or a direction from the Government into violations of consumer rights enumerated in this Act and shall launch prosecution in an appropriate court or District Commission or State Commission or National Commission, as the case may be;

(ii) to intervene in any proceeding in any allegation of violation of consumer rights before a court, with the permission of such a court or District Commission or State Commission or National Commission, as the case may be;

(iii) to review factors that inhibit the enjoyment of consumer rights and recommend appropriate remedial measures;

(iv) to review safeguards provided under any law for the time being in force for the protection of consumers and recommend measures for their effective implementation;

(v) to make recommendations for adoption of international covenants and best international practices on consumer rights for to ensure effective enforcement of consumer rights;

(vi) to undertake and promote research in the field of consumer rights;

(vii) to spread and promote awareness about the rights of consumers and consumers’ literacy;

(viii) to encourage of non-governmental organisations and other institutions working in the field of consumer rights and cooperate and work with consumer protection agencies;

(ix) to conduct investigations, either suo motu or on a complaint or on a reference made by any Consumer Disputes Redressal Agency under Chapter IV, into violations of consumers’ rights, conduct search and seizure of documents or records or articles and other forms of evidence, summon delinquent manufacturers, advertisers and service providers and to record oral evidence and direct production of documents and records as may be prescribed by the Central Government;

(x) to pass orders, on the basis of such investigations for recall of goods found to be unsafe or withdrawal of services found to be unsafe or hazardous and direct, on the basis of its investigations, for discontinuation of practices found to be unfair and prejudicial to consumer interest and order reimbursement of the price of the goods (or services) so recalled, to purchasers of such goods or services;

(xi) to mandate the use of unique and universal goods identifiers (GTIN’s) in such goods, as may be necessary to prevent unfair trade practices and protect consumer interests;

(xii) to issue safety notices and alert consumers against unsafe goods or services held to be unsafe;

(xiii) to order withdrawal of advertisements found to be false or misleading and direct issuance of corrective advertisements, wherever necessary;

(xiv) to declare as null and void, terms of contracts found to be unfair to the consumer;

(xv) to impose fine which may extend to fifty thousand rupees and while imposing fine, the following factors shall be taken into account by the Central Authority in determining the amount of fine:

(A) the impact of the violation with respect to population and area affected;

(B) the frequency and duration of the violation;

(C) the vulnerability of the class of persons likely to be adversely affected by the violation; and

(D) the gross revenue from sales effected by the conduct.

(xvi) to take cognizance of misleading advertisements;

(xvii) to enforce its orders against conduct of the industry, manufacturers or traders or service provider for exploiting consumers’ interests;

(xviii) to advise Ministries and Departments on Consumer Welfare measures;

(xix) to frame regulations and guidelines to prevent unfair trade practices and to protect consumer’s interest.

The Central Authority may, either suo motu or on a complaint made or a direction given by the Government, after investigation into such violations of consumer rights or any unfair trade practice, or any advertisement prejudicial to the public interest, or to the interest of any consumer or consumers in general or any advertisement in contravention of the rights of the consumers, enumerated in this Act, shall forward the matter to the concerned Regulator, if any, with its recommendations: Provided that the concerned Regulator may take cognizance of the matter referred to it and pass necessary directions as it deems fit.

As we can appreciate, the powers of the CCPA are vast. Considering that the scope of the CCPA will cover the entire consumer-facing industry, including Banking, E-Commerce, FinTech companies etc., the role is extremely critical, and the officials who will function as Commissioner and Deputy Commissioners will shoulder a great responsibility. Hopefully the right persons will be found to fill these crucial positions.

Consumer Disputes Redressal Agencies

There will be the National Consumer Disputes Redressal Commission, to be appointed by the Central Government, along with the State and District Consumer Disputes Redressal Commissions, which will be similar to the current set-up.

In the constitution of the District as well as the State Commissions an attempt has been made for representation of eminent educated persons from the public including women which should also be considered as a welcome step.

The jurisdiction of the District Commission will be up to Rs 50 lakhs (as against the present Rs 20 lakhs).

The State Commission will be the first appellate authority, followed by the National Commission and the Supreme Court. It will also have original jurisdiction where the dispute value exceeds the District Commission's limit of Rs 50 lakhs and is up to Rs 10 crores.

The National Commission will be the appeal authority for the State Commission and have the original jurisdiction for disputes above Rs 10 crores or as otherwise may be fixed.

Mediation

A significant step in providing a good dispute resolution mechanism is in the proposal that

– the State Government shall establish for the purposes of this Act, by notification, a District Consumer Mediation Cell attached to the District Commission in each district of the State, and

– a Consumer Mediation Cell attached to the State Commission;

– the Central Government shall establish for the purposes of this Act, by notification, a National Consumer Mediation Cell attached to the National Commission.

The mediation cell will keep a list of empanelled trained mediators who can settle disputes through mediation.

The establishment of “Mediation” as an alternate dispute resolution mechanism at all the three levels should  speed up the dispute resolutions and reduce the pendency.

More details on the procedures of complaints handling at all levels will be covered in a subsequent article.

We may in summary state that some significant changes have been made to the dispute resolution mechanism which will make the law more effective.

Naavi

Article1 : Article 2 : Article 3: Article 4

Posted in Cyber Law