Naavi.org

With increasing emphasis on digital progress in India, we often hear the term “Big Data” and the “Privacy” issues associated with it. Just as “Privacy” and “Security” issues have become objects of comparative controversy, Big Data and Privacy are also becoming another set of objects for comparative controversy.

In addressing the Privacy Vs Security issues, we have always held that Security is to be preferred over Privacy and in the context of growing terrorism in India and the world, it is impossible for “Privacy” to be at any time be preferred over Security. This controversy can however be settled with a win-win solution of “Regulated Anonymity” which has been debated earlier.

Now let us look at the Big Data Vs Privacy as a problem which we need to address. This requires a better clarification on what is Big Data before we can comment on the issues arising out of Collection, Mining,Processing, Publishing, Transmission, Disclosure and Harnessing of Big Data.

The Concept of Big Data as against the normal term of “Data” arose when the volume of data to be handled for processing in a single process grew too large to be handled by the normal data processing systems. Along with the size of the data, came the complexity of diverse nature of data and the need to process the huge and complex data.

Big data requires a set of techniques and technologies with new forms of integration to reveal insights from datasets that are diverse, complex, and of a massive scale.  The technical issues raised by the size and complexity gives raise to legal issues that are also difficult of being handled by the existing Cyber Laws.

Hence there is a need to have a re-look at Cyber Laws related to Big Data. In this context, Privacy is presently in the top of the discussion table. “Big Data Crimes” will also be relevant for discussion and will subsequently flow on to “Big Data Security” as we go along the path of understanding the issues raised by Big Data.

The raise of IOT, Smart Cities, Smart Grids etc feed onto generation of Big Data and along with it the need to discuss “Big Data Laws” as a necessary subject of discussion.

The growth of Cyber Terrorism and Cyber Warfare, prevention of which requires “Cyber Intelligence” also overlaps with the policies and laws that are needed for the Collection, Mining, Processing, Storage, Publishing, Transmission, Disclosure and harnessing etc of Big Data.

Nature of Big Data

In order to discuss the “Big Data Laws”, we need to first understand the nature of Big Data.

The Source of Big Data is the information transmission nodes and the public data storage points. Beyond these, data is stored in private custody, behind Firewalls and unless it is transferred from the place of creation across an open network, it may never become accessible to Big Data Sniffers.

When Big Data Sniffers “Mine” for data, they may not target any specific type of data or an individual. The data collected from an omnibus data collection drive may later get filtered and classified into different types of data and tagged accordingly for further harnessing.

Components of Big Data are

a) Personal Data collected from Individuals including individualized data such as emanating from devices embedded to the human body such as Wearable s and Medical implants.

b) Corporate Data which includes business information as well as personal data of individuals in the hands of a corporate either as custodians of employee data or as intermediaries processing data of customers and public.

c) Environmental data including those collected from Weather satellites, Mapping devices, CCTVs in public places etc where the primary aim is not to collect personal data but it becomes part of the overall data collected.

d) Meta Data which is “Data about Data” which involves transactions of Netizens, tracking of data movement over a public network and includes “Log Records” of all kinds. Though this data is impersonal at the time of collection, they are amenable to further analysis and conversion from a de-identified state to an identified state.

Privacy Issues are concerns that arise when an individual’s personal data becomes accessible to another without the knowledge and consent of the data subject.

When an individual is providing specific personal data, the principles of Privacy protection revolves around informing the subject of data being collected, the purpose for which it is collected, how it is being used, secured, disposed off etc., following which a consent of the data subject is obtained by the agency collecting the information.

This is a contractual obligation and any violation of privacy which is in breach of the contract is punishable under various laws.

Even in India where there is no specific Privacy Protection law, Information Technology Act 2000 as amended in 2008 (ITA2000/8) provides protection for the contractual arrangement between the data subject and the data collection agent through Sections 43, 43A, 72A etc. Additionally certain powers are vested with certain authorities which provides for exceptions to Privacy which is used for surveillance, intelligence gathering by security agencies, investigation and prosecution of crimes etc.

The problem in Privacy that arises in the Big data context is that at the time data comes into the hands of a Big Data Sniffer, neither he knows that he is collecting personal data nor the data subject knows that his personal data is being collected.

Take for example a street view CCTV which captures the movement of a Car in which the license plate is visible or the face of a person is visible as he is walking across the street. This is initially a data of an activity that a car is moving in a particular street or a man is walking along. But if this data is parsed along with the vehicle registration data it can be presumed that the car’s owner is moving in the street.

Similarly if a face recognition is made on the person walking along by checking with tagged photographs in the social media, the CCTV data becomes a highly personalized data.

If the camera is capturing the person entering and exiting an ATM or a Hospital, we are entering into sensitive personal information about the individual.

These examples indicate that “Data can Change its status from the time it is collected to when it goes into processing”. Herein lies the biggest challenge to Big Data law making.

We cannot prevent the CCTV footage being collected in the first place because there may be a myriad security reasons for the same. Beyond the security reasons there could also be purely functional requirements such as managing the traffic lights in an automated traffic light system.

Once the information which is collected in a public place has an element of “Privacy” there will always be disagreements on how the data can be handled.

We therefore need to perhaps re-think if our definition of privacy itself needs to be reviewed in the context of the development of a digitized environment.

If a person is using a public place, whether the fact that he used the public place can be an information which he can claim to be private? is a point of discussion. Similarly, we can question if  watching a person move along the road threough the CCTV cameras, amount to “Cyber Stalking”?.

Obviously, some would agree that such watching may amount to privacy violation and needs to be protected. But law makers need to think twice before recognizing the “Public Activity” of a person as  “Private Data” subject to privacy protection.

It is a common practice today to see notices such as “This area is under CCTV surveillance” just to ensure that there is no complaint on privacy violation. In the Big Data law making scenario, we need to debate if such a notice is required in a public place (including malls and public offices).

The key point we need to therefore settle is,

Do we try to make new laws that fit into the Big Data scenario by changing some of the existing concepts or try to fit existing laws to where it cannot be regulated and enforced?

When Cyber Laws were made by people who had no understanding of the Cyber Space, we observed many anomalies creeping into the system.  Most of these still remain in the statute and are often the cause of imperfect legal implementation. It will take generations before Jurisprudence develops and matures to address the doubts that arise because the laws made are imperfect to the needs of the society.

A similar situation now prevails where laws made for the normal Cyber Society for privacy protection may not be effective in a Big Data scenario.

We need to therefore re-define what is Privacy in the context of a Digital world and the Big data processing. What is “Personal Data” subject to “Privacy Rights” may have to be re-defined to exclude personal data which is in such state where it is in the form of “raw data not associated with the personal information” though it may be capable of being tagged by a further sequential process.

Once this re-definition of privacy is accepted, the Big Data collector can be free from the obligations of Privacy. It is however the responsibility of Big Data processors to ensure that the linking of “Big Data” with “Identifiable Individual” does not happen except through a regulated process. The new Privacy laws have to therefore address this technical stage of processing Big Data. In a way this is keeping data collected as anonymous data being retained in anonymous state even when it goes down the further processing stream.

For Big Data to be useful, at some stage down stream of the processing chain, it has to be identified with an individual and it is at this process that the Privacy Protection laws can be applied.

The several “Intermediaries” involved in the Big Data Analytics have to be therefore classified into different categories such as “Anonymous Data Processors”, “Identified Data Processors” and “Data Identification Gate keepers” . The “Big Data Privacy Law” can then apply different norms to these different entities.

I invite comments and suggestions …..

(…..Discussions will continue)

Naavi

Click Here to send email  in response to RBI

View Here Naavi’s views

1. https://www.naavi.org/wp/?p=4548
2. http://www.naavi.org/?p=4563

I draw the attention of all the individuals who hold the position of a Director in any of the Scheduled Commercial Banks in India including RRBs as well as Cooperative Banks about the new responsibility thrust on them by RBI through its Circular on Cyber Security Framework released on June 2, 2016 and further by announcing its intentions through the “Draft Circular” on August 11, 2016 to limit Customer liability on Internet/Mobile/Credit Card/Debit Card/ATM Card frauds. 

I also draw the attention of all Bank Staff Training establishments, Principals and Faculty Members who have the responsibility to educate the Banking Executives, as well as the well wishers of Banks such as the Auditors and Company Secretaries who have the responsibility to advise the Directors towards compliance of RBI regulations may in turn keep the Directors informed that the new dispensation of RBI hoists inescapable responsibilities on them and cannot be ignored.

Kindly analyze the following and take appropriate steps without any further delay.

Naavi

Recently, we witnessed an alarming situation where the Bank of Bangladesh lost Rs 90 crores through a hacking of their SWIFT money transfer system. A similar attack also occurred on Union Bank of India system and but for a stroke of luck, Bank could have lost about Rs 1200 crores through a similar fraud. Unlike the earlier major frauds where money of customers have been stolen from the Bank accounts, this time the attack was directly on the Bank’s system. It also demonstrated that there are vulnerabilities within the Banking system and the same vulnerabilities may also cause losses to the customers.

The Legal Implication

What we need to recognize here is that the  hacker was able to engineer a money transfer of hundreds of crores of rupees by forging the transfer request of two responsible officials of the Bank entrusted with the Maker-Checker responsibilities before funds can be transferred in the SWIFT system. It is therefore clear that such hackers will not find it difficult to forge the signature of a  Branch system administrator who may have powers to create new users, new passwords for their own staff members to create fraudulent access credentials and initiate transfer of  substantial amounts from many customer’s accounts.

Banks will therefore not be able to claim that they have good security systems in place and such systems have been audited for standards such as ISO 27001 by one of the Big Four firms etc. and try to convince judicial authorities that whenever a Bank fraud occurs it is the negligence of the customer which is responsible and not that of the Bank.

Cyber Security Framework (CSF-2016)

Taking note of the new risks that the SWIFT attack represented, RBI was quick to come up with a new “Cyber Security Framework” (CSF-2016) as a mandatory recommendation for Banks revising and upgrading the earlier directions contained in the Internet Banking Guidelines of June 2001, and the E Banking Security Guidelines (GGWG) of April 2011 as well as other guidelines on Card transactions released from time to time.

While issuing the new guidelines RBI has placed direct responsibility to the Board of Directors to take cognizance of the gaps that exist in compliance and the road map for mitigation of the gaps.

The suggestions made in the CSF 2016 are much beyond what were contained in the earlier guidelines and include setting up of a Security Operations Center (SOC) and a “Honey Pot” to defend against “Unknown Zero Day Vulnerabilities”.

The current information security systems will not be able to meet the compliance requirements even in the Big Banks and smaller banks will be woefully short of the requirements.

The Board of Directors need to therefore develop strategies of meeting the compliance requirements within the limitations of funds and expertise within their own Banks.

The CSF 2016 also requires that a report has to be sent to RBI as and when a security breach happens by submitting a detailed report within two to six hours of the incident coming to their knowledge. There will therefore be no opportunity to preview the report by holding a board meeting to approve what is being submitted to RBI that may create a liability on the Bank and its Directors.

The situation therefore calls for an urgent action by Directors to safeguard their own interests and that of the Bank. Such action includes training themselves and reviewing the action so far taken in this regard.

Many of the Banks might have already passed a resolution in their previous Board meeting since the deadline for submission of a Board acknowledged Gap report was July 31, 2016.

If the Directors had not fully appreciated the requirements and passed the resolution in good faith that their professional departments must have presented a fair proposition, now is the time for the Directors to look back at the papers which they approved and see if there is a need for review since the next deadline for actual compliance is September 30, 2016 which is hardly 45 days ahead.

Limited Customer Liability

As a further act of follow up towards “Safe E Banking” , RBI has now released a draft circular on August 11, 2016 and indicated its intentions of bringing in the concept of “Limited Liability” to customers in respect of frauds. “Limited Liability” for customers automatically means “More Liability” for the Banks.

According to the proposed system, in all cases of fraud in which the negligence of the Bank is involved, the liability has to be fully boarne by the Bank. In any case, once the Bank has been notified of an unauthorized debit, any further fraudulent withdrawals if any would also be the responsibility of the Bank irrespective of whose negligence caused the loss.

In cases where the fraud has occurred due to the direct negligence of the Customer, he may be held liable.

In cases of third party breaches where neither the customer nor the banker’s negligence is involved, if the customer notifies the  the unauthorized transaction within 3 days of it being reported to him by the Bank (Sending an alert is the responsibility of the Bank), the customer will not be liable. If in such cases the Customer reports after a delay, but within 4-7 days, the liability will be limited to Rs 5000/- .

If the customer notifies the unauthorized debit arising out of a third party breach in which there is negligence of neither the customer nor the Bank, beyond 7 days, or fails to report it at all, then the Bank has to state in its policy how much of liability can be hoisted on the customer beyond the R 5000/-. It is difficult to say if RBI would accept a 100% liability in such cases on the customers since the law also may not support it. It has to be a graded system and reasonable under the circumstances. Probably any liability to the customer beyond 50% would be unreasonable even if he has failed to report the unauthorized debit in his own account.

The non compliance of the CSF 2016 and providing a false confirmation to RBI that the bank is compliant would establish “Negligence” and “Complicity” of the Bank in facilitating a fraud and can make it liable for all frauds.

In view of the above, it is time that Directors of Banks immediately take necessary action to ensure that their responsibilities are  properly discharged and they are free from personal liabilities. I hope this would a personal resolution that they should take on this 70th Independence day of India.

P.S: I have placed more detailed discussions in the earlier articles and will continue to put more information and invite the Directors of the Bank to peruse the same and take appropriate action. 

Naavi

If the recent circular of RBI on limited liability for Customers in E Banking frauds becomes a reality, it would simultaneously open the doors for the Cyber Insurance Industry to offer products for Cyber Insurance to individual Bank customers.

The reason why Insurance Companies were reluctant to insure E Banking frauds on behalf of individuals was their fear of unknown risks and possibility of a sudden huge loss arising out of Phishing at individual customer’s level or at a system level in Banks or their critical service providers.

While Insurers manage their risks by having  a limited liability clause in their policies with sub limits for various causes, now the overall liability of the customer itself would have been brought down significantly in view of the RBI guidelines.

When a loss occurs on account of an E Banking Fraud, the fraud would be classified as

A: Zero Liability Incident

B: Limited Liability Incident

The “Zero Liability Incident” is one in which the Customer shall not be liable and the Banks should reverse the amount lost within 10 days.

This is applicable when the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in case of

a) Fraud or Negligence on the part of the Bank

-irrespective of whether the loss was reported by the customer or not

b) Third party breach

-where the fault lies neither with the Bank nor with the customer and

-the customer notifies the Bank within three working days of receiving communication from the bank regarding the unauthorized transaction

c) Involving Negligence of the customer

-such as sharing of payment credentials

– after the customer reports the unauthorized transaction to the Bank

The “Limited Liability Incident” is one where the customer has to bear the loss to a limited extent and would cover the following cases.

a) In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor the Customer and

-the customer notifies the Bank of the unauthorized nature of the transaction between 4 to 7 days

-the liability of the customer is limited to the transaction value or Rs 5000/- whichever is lower

-Where the customer notifies the Bank after 7 days, the liability will be determined as per the Bank’s approved policy.

It is reasonable to expect that the liability will be still limited and cannot be 100% of the transaction value

The residual category where the fraud is involving negligence of the customer (such as sharing of payment credentials) and the loss occurs before the customer reports the unauthorized transaction to the Bank, the loss may have to be boarne by the customer.

From the perspective of an Insurer therefore, it is critical that the customer notifies the Bank that a transaction reported to him by the SMS or EMail alert by the Bank is “Unauthorized”  and it is done within 3 days.

Then the Bank will check if the unauthorized transaction is due to the “Negligence” of the Customer which will be a matter of dispute to be resolved in the next 90 days.

The Customer will not have any liability unless it is able to provide evidence that the negligence of the customer was the cause of the loss or the customer himself committed the fraud with an accomplice or otherwise.

In the meantime Bank will have to provide a shadow credit within 10 days which should also provide for compensation of any interest loss that may be involved especially in the credit card transactions.

Since the customer is not suffering any loss in these transactions, the Insurer need not take any liability on the individual’s cyber insurance policy.

Even in other cases, the liabilities will be limited to Rs 5000/- except where the “Negligence” is proved. What constitutes negligence in these cases is a matter that will be debated and the Insurance industry will be required to put its weight behind the customer in ensuring that excessive responsibility is not expected of the Customer in identifying a fraud such as “Phishing” or “Vishing” particularly when malware is used to extract the credentials of the customer without his knowledge.

Insurers will also be required to recognize the concept of “Proximate Cause” for loss where a the Bank had an opportunity to prevent the loss even after the negligent act of the customer but failed to do so because of its own inadequacies in which case the loss is due to the failure of the Bank and not of the customer.

Though some of these intricate points will be disputed and resolved over a period of time, it is clear that the Cyber Crime Insurance Risk of the insurers for E Banking frauds  in policies issued or to be issued to individuals has come down from the clouds to the ground level

There is therefore no excuse after this circular to the Insurance companies to issue such policies for individuals.

I hope Tata AIG, HDFC Ergo, ICICI Lombard, Bajaj Alliance etc will now start structuring their individual Cyber liability policies.

We look forward to developments in this regard in the next few months and request IRDA to also suggest all its members through a circular to construct such policies.

In particular, I request attention of Mr Rajesh Aggarwal the dynamic ex-Adjudicator of Maharashtra who is now heading a public sector Insurance Company and urge him to make the first move. Let one of our public sector Insurance companies be the first to introduce a Cyber Insurance Policy for Individuals as a part of the 70th Independence day celebrations.

Naavi

At the cost of repetition, we must congratulate RBI on its recent circular of August 11, on Customer Service in which they have proposed that customer’s liability on cyber frauds should be limited.

Presently, a draft circular has been issued and RBI is awaiting public comments before confirming the circular. I urge all visitors to peruse the circular and provide a strong positive feedback to RBI. (Refer this earlier article for details).

The reason why I advocate strong positive support for this move of RBI from all consumers and consumer organizations (without remaining silent supporters) is that there is every possibility that vested interests in Banks would try their best to scuttle this move of RBI and let the circular remain in draft form and not see the light of the day. The Indian Banks Association which is an industry body is often swayed by the leading Banks such as SBI and ICICI Bank to adopt practices which are not always consumer interest protective. We therefore need a balancing pressure on RBI to maintain its poise and let the circular become a reality.

I recall that way back in 2002, in a circular dated April 8, 2002, RBI had stated

“…we continue to receive complaints of fraudulent encashment by unscrupulous persons opening deposit accounts in the name/s similar to already established concern/s resulting in erroneous and unwanted debit of drawers’ accounts…..Besides, in cases of the above kind, the banks have also not restored funds promptly to customers even in bona-fide cases but deferred action till completion of either departmental action or police interrogation…..

With a view to redressing the grievances of the customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers ( upto a limit) as part of a Board approved customer relations policy.”

However, we have not seen Banks following this instructions from RBI. I can personally vouch for the same having represented many Cyber Crime victims in Banks against Banks such as ICICI Bank, PNB and Union Bank of India”. Other Banks will not be better since the big brother SBI is leading this anti-customer attitude and making RBI look like a paper tiger good only for issuing circulars which can be safely ignored.

In August 2011, the D.Damodaran Committee on Customer Service in Banks had made some far reaching customer friendly recommendations. But the influential Banks forced RBI to forget  the report and not issue any operative circular as a follow up.

It is in this context that we the consumers need to stand up and support RBI in its latest efforts and not let our vigil drop.

Now it appears that RBI has once again issued a circular which will have far reaching protective influence on Bank customers. It puts a cap on the liability that a Bank customer may suffer on account of a Cyber fraud which may happen with a Phishing Attack or a Credit Card Cloning or an ATM hack, or hacking of the Bank systems. In most of these cases, involvement of Bank staff may be implied though not proved. But in almost all cases, negligence of the Bank can be identified as the “Proximate Cause” of the loss that a customer suffers.

The recent circular has classified the losses into the following categories:

1. When a customer brings to the notice of the Bank the fraudulent transaction within 3 working days of him coming to know, there would be “Zero Liability” for the customer
2. Where the report is delayed and made within 4-7 days the customer’s loss will be limited to Rs 5000/-
3. Where the delay is more, the Bank’s Board shall have a policy on how to deal with the customer’s liability.

Once notified, the bank shall credit the amount from their suspense debit within 10 working days.

There is however a possibility that Banks may try to find a loophole in the RBI guideline and try to avoid the liability on themselves.

I have even seen one argument from a Bank that they cannot pay back the fraudulent money because it is “Public Money” as if the customer’s own money does not belong to that category. We have also seen Banks trying to hide behind “Privacy” and refusing to reveal information of fraudster’s accounts through which an honest customer’s money has been withdrawn forgetting that opening such accounts with defective KYC was part of the offence under AML.

Such unscrupulous Banks can go to any extent to refuse relief to Cyber Crime victims under one pretext or the other unless strong penalties are imposed for non compliance of RBI’s orders.

In the circular, the frauds have been categorized into three categories as follows.

1. Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)
2. cases involving negligence by a customer, such as where he has shared the payment credentials,
3. . Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

In the first type involving fraud or negligence on the part of the Bank,  (including where  staff of Bank may be involved), there would obviously be no liability for the Customer.

At the same time legal proceedings can be initiated on the Bank and its executives including the Chairperson and Directors for civil and criminal action under ITA 2000/8.

I wish RBI also imposes “Sanctions” on such a Bank  and its key executives without waiting for the law to grind to a conclusion.

The third type is self explanatory once we understand the implications of the second type “cases involving negligence of the customer”.

What is Negligence of a Customer

Banks have been struggling for generations to decipher the meaning of “Negligence” under Section 131 or Section 10 of Negotiable Instruments Act. We often leave it to be judged by the circumstances of the case to define “negligence” as “What a Prudent man under similar circumstances would have done” or “What a prudent man under similar circumstances would not have done” without being clear about who is that “Prudent Man”.

It is the Courts who have in different occasions defined what is negligence. In the E-Banking environment we need to accept that the Judiciary has not matured enough to provide a good guidance of what is “Negligence” on the part of a Customer.

Looking back on some of the instances we can identify the following types of behaviour which could come for discussion as “Negligence”.

1. Keeping the ATM card along with its PIN written down in one place.
2. Acting on a Phishing E-Mail and logging into a “Pseudo Bank Site” failing to recognize impersonation in the e-mail and the website, thereby providing the credentials on the pseudo bank site.
3. Allowing Trojans and viruses to attack their access devices such as a computer or mobile which could be a Key logger virus or a Man in the browser virus, Coat tailing virus etc
4. Answering a Vishing Call and providing credentials like the OTP
5. Using very weak passwords such as “1234” etc.
6. Downloading malicious apps on the mobile or on the computer
7. Not updating or installing an effective malware protection software
8. Sharing their cards and passwords with family members or others whom they otherwise think are trustworthy
9. Not using secure mode of accessing Bank accounts with the use of Digital Signatures or the Secure Browsing Mode provided by their anti virus software.

At the same time, we need to recognize that some of the above acts of potential negligence could be prevented if Bankers are “Not Negligent” or are “Security Conscious”.

For example,

1. Banks can introduce a mandatory face recognition system for all ATMs so that there is also a record of who visited the ATM
2. Defined weak passwords can be deactivated (most banks do it at present)
3. Phishing sites need to be brought down at the earliest. How early depends on what Banks spend on such security. But customers using a web protection feature in their anti virus software or a netcraft anti phishing extension for their browsers may be able to identify phishing reasonably quickly. But when can we consider “Non Installation of Netcraft extention” as “Negligence” depends on an evaluation of the minimum level of awareness in the Bank customers. This also depends on what “Awareness Building” efforts have been taken by the Bank (and documented).
4. Using of Passwords and OTP instead of ITA 2008 approved digital signatures/eSign for the purpose of authentication and not even providing an option for interested customers.
5. Ignoring the June 2001 Internet Banking Guidelines of RBI  and absorbing the legal risk for not using digital signatures.
6. Ignoring the judicial award of the Adjudicator of Tamil Nadu in the S Umashankar Vs ICICI Bank case advising use of digital signatures for bank statements distributed to customers.

In the case of sophisticated spear phishing attacks, many of the technology aware  as well as security aware users have fallen prey in the past.

Hence the  level of expertise required to identify and eliminate phishing attacks should not be considered as a base line skill level that can be expected of an ordinary Bank customer. When Trojans and Viruses are installed while visiting otherwise respected websites or downloading of apps and software programs and the available malware protection has also failed, it is too much to expect every Bank Customer to have the necessary expertise to identify the signature of a malware and take steps to prevent its malicious action.

Hence the burden of “Negligence” should not be thrust on the customer in the case of phishing and installation of malware  where the customer himself is a “Victim” of an identity theft crime. Making an identity theft victim liable because he allowed himself to be a victim, is like telling a pick pocket victim why did you keep your money in the pocket and not in the locked brief case or underwear pocket?

Bankers will however advance an argument that if in the case of “Phishing” the customer is not made to bear the burden, they will collude and commit frauds on the Bank. I therefore suggest that in cases of “Phishing” (and Vishing) where the  customer has in fact parted with his credentials, if the “Customer” and the “Beneficiary” donot have any nexus (Such as one being a family member or a friend), his contention that he was cheated should be given credence and the fraud should be considered as arising not due to the negligence of the customer.  Even then, I suggest that the customer could be penalized  even 10% of the total loss. This can be part of the mediation between the customer and the bank where the mediator adjudicates if the customer was in deed negligent or not.

Presently RBI has a scheme of Ombudsman to resolve disputes arising out of “Non Adherence to RBI regulations”. However Ombudsman often refuse to take responsibility to mediate and function more like “Adjudicators” and often have a soft corner with the Banks. Customers have often been at the wrong end of the decisions of Ombudsman and hence this system requires a serious rethinking. One suggestion is to make the Ombudsman adopt a mediation strategy and include a member of public who has knowledge of Cyber Fraud issues in the mediation team.

In all cases of “Alleged Negligence” by the customer where the Bank wants to refuse payment under the proposed scheme, the Ombudsman may step in to resolve the dispute.

We need to continue our discussions and debate this issue of “What Constitutes Negligence” of the Customer in cases of E Banking frauds before making the customer pay for the technological advances of the financial market. I invite comments and suggestions in this regard.

Naavi