Naavi.org

It had been reported earlier that a Cyber Cafe owner in Pune was imprisoned for 15 days and fined for Rs 10000/-  under Section 67(C) of Information Technology Act 2000 as amended in 2008 (ITA2000/8). We now have a copy of the judgement in this regard provided by Advocate Prashant Mali.  In view of the judgement becoming a precedent at least in a limited jurisdiction, as well as for academic interest, it is necessary for us to dig a little deeper into the judgement and understand the logic behind the decision. This discussion is based only on the copy of the judgement and we donot have access to any other evidence, points of argument or document which was considered by the Court. Copy of the judgement is available here.

Accused Vishal Hiraman Bhogade, Sandesh Sopan Dere have been convicted under this judgement for offences punishable under Section 67(C)(2) of ITA2000/8 but were acquitted under Sec 43(g),66 of ITA 2000/8, and Section 188 of IPC. It is admitted that the main culprit has not been traced till date and the charge sheet against the unknown accused has been ordered to be kept open.

The judgement dated 31st July 2015 is from Honourable Justice S.R.Nimse, JMFC (Court No 3), Pune. The counsel for the accused was Shri K.R.Subedar and for the prosecution, A.P.P. Sou Narote.

The incident that triggered the case was an e-mail received by the Police Commissioner on 25/8/2012 containing a threat that a bomb blast will occur during the Ganesh festival and challenged the Commissioner to stop it. We can recall that in a similar incident in Chennai occurred in December 2004 when a person inspired by the movie “Ramana” sent an email to some secretaries that “Bombs will explode in Six TASMAC shops between Paris and Guindy”.  This was the time when the undersigned was assisting the Chennai police in investigating such crimes and the culprit was arrested the very next day.  At that time there was no ITA 2008 and hence there was no Sec 66A nor 66F to use. Perhaps the case was pursued under IPC. ( Further details of what happened to the case is not known).

It is interesting to note that in the instant case in Pune the initial charge sheet was filed under Sec 43/66 of ITA2008, and Sec 188 of IPC. Subsequently Section 67(C) was added and finally conviction occurred under this section. Police could have tried Sec 66A though how the Court would have dealt with it after the section being squashed by Supreme Court is not known since at the time the offence was committed, Section 66A was in operation and “Threat through E Mail” could have been tried under the section.

An important precedent that this Case has thrown up is that conviction of an intermediary is possible even before the ultimate cyber criminal is traced.  In many of the Bank fraud cases, the undersigned has been complaining that the Police are reluctant to proceed against the Bank as an intermediary and this judgement would be a good precedent at least in the State of Maharashtra for booking criminal cases against Banks in respect of Phishing complaints. There are already several cases in which the Adjudicator of Maharashtra has held that the Bank involved in Phishing is guilty of negligence and therefore liable under ITA 2008 to pay compensation to the victim. The Police need to follow up such cases immediately and take action against the Bank. This will at least prevent the Banks from further harassing the cyber crime victims by taking up appeals in higher courts to delay payment of compensation to the victims.

The second notable aspect of this judgement is that the Court has punished the accused with imprisonment of 15 days having found him guilty under a cognizable offence for which punishment could have been 3 years. Of course, in this case, perhaps even 15 days was avoidable since there was no “malicious intention” behind the negligence of the Cyber Cafe owner.

In the instant case it appears that the accused at some point of time has decided not to contest and perhaps plead guilty under the assumption that the offence is not serious enough to warrant any imprisonment. But even 15 days imprisonment is rather uncomfortable and deserves an appeal.

Let’s look at Section 67(C), reproduced below to analyze why an appeal is deserved.

Sec : 67 C: Preservation and Retention of information by intermediaries
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

The condition precedent to applying this section is that there should be an “Intentional” and “Knowing” failure to maintain “Such information as may be (Ed: might have been) prescribed by the Central Government.

There are many sections in ITA 2008 which use the word “Appropriate Government”. However, this section uses the word “Central Government” specifically and hence does not apply to the non compliance of any state laws including the Cyber Cafe regulations under the State Police Act.

Has the Central Government prescribed that a Cyber Cafe needs to preserve and retain information such as the “identity of the users of cyber cafe”? is therefore the main question which the Court ought to have examined.

If there were any regulations for Cyber Cafes in Maharashtra prior to 27th October 2009 when the ITA 2008 became effective and 11th April 2011 when the “Information Technology (Guidelines for Cyber Cafe) Rules, 2011. ” was notified, then they would have to be re notified by making reference to the ITA 2008 which defined Cyber Cafes and the above rules of April 2011. Any earlier notifications should be deemed to have lapsed after ITA 2008 was notified in 2009.

Though the Cyber Cafe rules of 2011 empowers the State Government to make further rules, and also includes requirements regarding the identity verification of the user,  the most important direction of this notification was for the State Governments to form a regulatory authority for Cyber Cafe regulations which shall introduce registration formalities and notify the agency to whom the log record information etc should be submitted.

The undersigned has submitted detailed suggestions for Cyber Cafe regulations under ITA 2008 to Karnataka Government and also developed Cyber Law Compliance requirements for Cyber Cafes to avoid the non compliance of the ITA 2008. However, like many other suggestions provided by the undersigned over the last several years, neither the Government nor the Cyber Cafes were interested in implementing the suggestions. Though there are several softwares available to cyber cafes to manage ITA 2008 compliance some of which have been even recommended by Police in several States, the State Governments have not created the back end systems to receive data created from these softwares and therefore the use of such software has not gained popularity.

I would have very much appreciated if the Pune Court had devoted some attention on what the Government needs to do to improve compliance rather than putting the Cyber Cafe owner in imprisonment for 15 days. It is unfortunate that representative bodies such as the Cyber Cafe Associations of India or Maharashtra failed to implead in the suit and protect the Cyber Cafe owner.

I wish at least now, public spirited lawyers intervene and appeal against the part of the judgement which sentences the  Cyber Cafe owner to imprisonment. Financial penalty is an adequate penalty in such cases where there is no malicious intention and there is negligence of the authorities as well in not regulating the system.

If not maintaining a visitor’s register is a punishable offence and a cause of action under ITA 2008, not prescribing the nature and format of record keeping by the Cyber Cafes is a negligence on the part of the State Government also. (P.S: Whether the Cyber Cafe rules of 2011 are practical or excessive is a separate debate which the undersigned has presented in the past and hence not repeated here.)

Naavi

Android App available on Google App Store

Android App available on Google App Store

Cyber Law Guru is a mobile App meant to be a channel through which the public an raise any question on Cyber Law to be answered by experts. It is part of the Cyber Law Education initiative of Naavi.

We are glad to inform that Advocate Prashant Mali who is an Internationally renowned Cyber Law & Cyber Security Expert,  Author & a well known practicing advocate in the country has joined the expert panel associated with the app and will be contributing his valuable views on any questions raised by a member of public.

Prashant is Masters in Computer Science, Masters in Law with certification in Computer Forensics Professional & prior working experience in the field of IT Security & Law for more than 20 Yrs.

He has authored 5 books on Cyber Crimes & Cyber Laws. He is a legal adviser to Govt Companies ,MNC’s, Corporates and represents them in various courts. His research interest are in Cyber warfare, Cyber war, Cyber weapon.

Mr Prashant Mali is the president of Cyber Law Consulting, a  premier Law firm involved in Litigation and Consulting matters related to Cyber Law, Privacy Law, Economic Offences, Telecom, Trade Mark & Copyrights, Media and Entertainment, EContracts’, Software Piracy and also provides Expert Legal Opinion and Legal Compliance to Organizations & Individuals.

He has been awarded as “Cyber Security & Cyber Law Lawyer of The Year:2014” by Indian National Bar Association .

We heartily welcome Prashant Mali to the expert panel of Cyber Law Guru.

Naavi

Ed: The panel has now been revamped and Naavi handles all the queries….Naavi

Key Findings of the Ponemon-2015 Data Breach Study…3
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier articles we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

We had also seen the industry wise distribution of losses and the factors that decrease or increase the loss.

In this article we shall explore the results of the study on components of cost and other issues.

According to the study, there are four important components of the cost of data breach as identified by the study. They are

a) Cost of Detection and Escalation
b) Cost of Notification
c) Cost of Ex-Post response
d) Cost of lost business.

The biggest component of cost of data breach is the value of “Lost Business”. This is estimated at an average of $1.57 million. The next biggest component is the Ex-Post response at $1.07 million followed by cost of detection and escalation of $0.99 million and $0.17 million in terms of notification costs. In terms of percentages the four components mentioned above seem to constitute 26%, 4%, 28% and 41% respectively.

In the Indian context where the average loss is Rs 9.49 crores, the components of the cost appear to suggest that the loss of business amounts to Rs 3.8 crores, Ex Post expense amounts to Rs 2.6 crores, cost of detection and escalation amounts to Rs 2.46 crores and cost of notification amounts to Rs 38 lakhs.

The study therefore clearly indicates that there is a significant loss of business that the business may expect if hit by a data breach incident.

In terms of the probability of a data breach, the study does try to throw some light in terms of how the probability may increase or decrease with the availability or otherwise of comprehensive information security measures. It comes to the conclusion that large scale data breach incidents can be significantly reduced with good BCM measures.

While some of the statistics may be debated whether they can be applied directly to the Indian context or not, we can say that the study is one of the best available indicators of the financial risks that an organization may face on account of data breach. This is extremely significant to the India Cyber Insurance Survey 2015 that is being undertaken.

The Ponemon study indicates that there is a good reverse correlation between Information Security and data breach loss. Better the information security, lower is the cost. This should reflect also in the cost of insurance in the same manner. Better the information security, less should be the insurance cost. Whether such a correlation actually exists or not in practice when the Indian companies underwrite cyber insurance, is what the Cyber Insurance study may reveal.

However, what is clear in the Ponemon study is that the Information Security Industry has a high stake in the Cyber Insurance industry.

Unfortunately this aspect does not seem to have been appreciated fully either by the company managements nor the information security professionals. Both seem to think that Cyber Insurance decisions are decisions taken by the Finance department and the Information Security professionals are not often part of the decision making process and hence donot influence the decisions regarding insurability or fixation of premium. Probably the India Cyber Insurance study will throw some light on who are normally involved in the decision making process when a company is contemplating a Cyber Insurance cover.

Naavi

Copy of the Report

Key Findings of the Ponemon-2015 Data Breach Study…2
(In continuation of the earlier article..)

The IBM sponsored Ponemon Institute’s study of Data Breach Cost across 11 countries, released recently has brought out several interesting aspects that are relevant to Information Security and Cyber Insurance industry. The key findings are being presented here from the Indian perspective.

In the earlier article we had observed that the average cost of data breach in India is Rs 3640 per record, the average number of data lost per incident was around 18983 and average gross loss per organization was Rs 9.49 crores.

In this article we shall explore the results of the study on the industry wise distribution of data breach loss.

Health Sector Suffers the highest loss:

The highest loss was suffered in the Health Sector industry where the average loss was $363 mllion. This was followed by Education at $300 million, Pharmaceuticals at $220 million, Financial at $25 million, Communications at $179 milion and Retail at $165 million. Technology industry suffered a loss of $127 million

It may be observed that the health care and pharmaceuticals which are well regulated under laws such as HIPAA have recorded the highest loss. This only indicates that the regulation has created greater awareness which has led to greater claims being made. But what is surprising is that the Financial industry has shown a relatively lower level of loss compared to health sector. This perhaps indicates the positive impact of better information security management.

Root causes for data breach:

An analysis of the root causes of data breach indicate that 47% of the data breach incidents occurred due to malicious or criminal attack while 29% was due to system glitches and 25% due to human error.

In terms of the losses, the malicious attacks resulted in an average loss of $170 per record, while system glitch cost $142 and Human error, $137 per record.

What Corporates need to understand in this observation is that there are attackers who are targeting them with malicious intentions and there is no room for complacency. Also, losses in 43% of cases due to system glitches and human error is also a matter of concern for the management since these are considered “Avoidable”. In other words, this loss can to some extent be attributed to the “negligence” of the companies themselves.

Speaking specially in terms of India, the cost on account of malicious attacks was Rs 4615 ($71) per record, while on System glitches, it was Rs 2925 ($45) and on human error, it was Rs 3185 ($49). This constituted 38%, 30% and 32% respectively.

Factors that impact the data breach cost

The study indicates that the following factors may have a positive impact and reduce the data breach cost per document.

i) Incident Response Team : $12.6
ii) Use of Encryption: $12.0
iii) Employee training :$8.0
iv) BCM involvement :$7.1
v)CISO appointment::$5.6
vi) Board level involvement: $5.5
vii) Insurance Protection: $4.4

The study also indicates that losses increase on account of the following factors.

i) Third-party involvement : $16
ii) Lost or stolen devices: $9.0
iii) Rush to notify:$8.9
iv) Consultants engaged:$4.5

Impact on Cyber Insurance

The observations recorded in the study may impact the Cyber Insurance Industry in India in the following manner.

a) Industries such as  may be charged a higher premium than other industries.
b) Losses on account of human errors and system glitches could be scrutinized in a forensic analysis and rejected if any negligence is found in the survey.
c) Companies which have taken special measures to reduce human error through apparently effective training may get a rebate measured against the expenses incurred for training.
d) Outsourcing of operations may increase the cost of insurance

P.S: An interesting offshoot of the study is an indication that appointment of a CISO reduces the organizational cost of data breach by an average of Rs 67 lakhs. May be this is an indication of the remuneration package an average CISO should enjoy? …

(..to be continued)

Naavi

Copy of the Report

Key Findings of the Ponemon-2015 Data Breach Study-1

The 2015 IBM sponsored Benchmark study by Ponemon Institute LLC on the cost of Data Breach has now been published and makes some interesting observations which we summarise below.

This findings of the previous (2013) study were discussed in this site earlier and the current study helps us track the changes.

The 2015 Ponemon study is a collection of data across 11 different countries over a period of 10 months. Around 350 companies have particiapted in the study. India was part of the study. To be more relevant, we have tried to presnt most of the data in INR terms using Rs 65 as conversion rate.

In the context the undersigned along with a few other IS professionals has undertaken a “India Cyber Insurance Study”, the findings of this data breach cost study is extremely useful.

What is the cost of Data Breach?

The first parameter to observe is the the cost of a data breach per record and for an organization on an average. The consolidated average cost of breach per data was $154 or Rs 10000. However, there was a significant difference from country to country in this respect. While the loss in US was $217, in Germany it was $211 and Canada it was $207.

On the other hand the loss in India was only $56 or Rs 3640.

It is obvious that in India where the data owners donot have proper legal options to pursue data breach related losses and also that culturally we donot value Privacy as much as in the west, the Indian Companies may have a lighter burden of the data breach losses. This is not an indication that India has better Information Security nor that cyber attacks here are lower.

It can be observed that the data breach losses in India have increased from Rs 2405 in FY 2013 ($37) to Rs 3315 ($51) in 2014 and to Rs 3640(56) in 2015. This represents a near 50% increase in the two year period between 2013 to 2015 and a 10% increase in the last year.

The total organizational cost of data breach on the other hand was an average of $3.79 million on a global scale. Even here, the US topped the list with a loss of $6.53 million while in India the loss was $1.46 million (Rs 9.49 crores).

In India the total organizational loss was Rs 6.5 crores ($1 million) in 2013, Rs 8.9 crores in 2014 and now it has grown to Rs 9.49 crores.

Average number of data records lost was around 28000 in US and around 18983 in India.

Implications on Cyber Insurance-Problem of Under Insurance

In the Cyber Insurance Context, the findings of the Ponemon study indicates that

a) Companies in India are exposed to the risk of loss on account of data breach to the extent of Rs 10 crores on an average.

b) The per record cost which a Cyber Insurance policy should cover is around Rs 3640.

c) The Cyber Insurance policy cover which an organization should aim for is therefore the number of data records multiplied by the expected average loss on account of a breach. This will be the “insurable value of the data”.

The availability of data such as what has been published by Ponemon would introduce some elements of uncertainty to companies which take Cyber Insurance unless they properly clarify the terms of the insurance with the Insurance company.

If an organization fails to value the data assets properly at the time of obtaining the insurance and get a confirmation from the insurance company, there may be a charge of under insurance.

For example, if any organization insures for less than the estimated value of the asset insured, then it would amount to “Under insurance” and in the event of a loss, it  would get covered only  for a proportionate value of the loss.

To be more specific, if an organization has 1 lakh data records, the insurable value would be Rs 36.40 crores . If it takes an insurance of say Rs 10 crore, (30%) then it would be considered as a co-insurer for the balance value of the insurable asset. Hence if this company suffers a loss of say Rs 1 crore, the insurance company may cover only 30 % of the loss and pay out Rs 30 lakhs/-

The premium charged therefore should be calculated with only such expectation and not with the expectation that the entire loss of Rs 1 crore would be covered.

It is necessary for the Insured and the Insurer therefore to define and record how the data assets would be insured and claim settled.

Perhaps a clarification is required from the Cyber Insurance Industry in India in this regard………(To Be Continued)

Copy of the Report

Naavi

Naavi has started a circle on www.localcircles.com, titled “Save Digital India From Cyber Fraud”. The objective of the circle is to get together people interested in collaborating a draft of “Cyber Fraud Prevention Policy” to be submitted to the Government.

I request those who are interested in this exercise to join the forum immediately so that we can start a fruitful discussion.

More Information is available here:

Why Do we need a Cyber Fraud Prevention Policy?

Naavi