Will HHS impose a hefty fine on American Dental Association?

Posted on May 3, 2016 by Vijayashankar Na

In what may be described as an unfortunate but grim reminder of the risks that we run in the Cyber Space, American Dental Association (ADA) appears to have exposed itself to a risk of a hefty fine from the Department of health and Human Resources (HHS) which regulates HIPAA and HITECH Act implementation in USA. (P.S: I thank Mr Avkash Kathariya  for bringing the incident to my notice)

The Association recently sent a soft copy of CDT 2016 manual through a flash drive.

ada_virus_2ada_virus_1

 

 

 

 

 

It was found that the flashdrive contained a link to a website which is known for distribution of malware. This article in krebsonsecurity.com indicates that the fact that a malware was contained in this official communication was detected by a security professional who checked the flash drive.

In an inevitable “disclosure and Remedial Action”, the Association released an e-mail alert on the incident.

A copy of an e-mail which the center for Informatics and Standards in American Dental Association has sent to their customers recently is reproduced below.

IMG-20160503-WA0000

HHS normally imposes hefty fines for potential or real disclosure of PHI by Covered entities and Business Associates. This incident exposes the possibility that a malware could have been injected into the systems of any of the users and has to be recorded as a “Suspected Security Breach Incident” at every one of the users who may be exposed to HIPAA compliance requirement. Whether or not there has been any actual data breach, it would be necessary for these entities to document the incident, conduct an appropriate internal investigation and record (hopefully) “There was no breach of unsecured PHI”.

The incident could have been a major disaster in the health care industry resulting in unprecedented levels of PHI data breach. We should be relieved that  it has been detected at the earliest and the security specialist responsible for the detection identified as “Mike” a member of a forum titled DSL Reports deserves to be given a major bounty by ADA and HHS.

In India, “Distribution of a Computer Contaminant” would invoke action under ITA 2008 both for civil and criminal action. The Computer Abuse act in USA may have similar provisions and action can be taken on ADA for payment of damages and for criminal negligence while HIPAA itself may not be able to impose penalty on ADA.

The incident  however is a big lesson to every organization that some times distributes useful data with good intentions loaded onto a CD or Flash drive. The work is often sub contracted to some supplier who may not have any idea of the security issues involved in distributing a malware along with the intended content.

The least that a content provider may do in such circumstances is to take care to digitally sign his file and include a disclaimer and alert that enables the user to scan the data before use for malware.

Naavi

 

Posted in Cyber Law | Leave a comment

Wiping Every Tear from Every Eye.. Forget Courts…Transform from Litigation to ODR

Posted on May 1, 2016 by Vijayashankar Na

cji_2During a recent meeting of Chief Justices of High Courts, the Chief Justice of India, Mr T.S.Thakur broke down emotionally with the burden of a perceived guilt of the Judiciary in not being able to reduce the pendency of cases.

While this brought out the frustration of an honest Chief Executive of the system, I could not miss a feeling that the solution is staring at us and we have not perhaps identified it.

The solution lies squarely in an aggressive promotion of the system of ADR (Alternate Dispute Resolution). Being from the IT enabled legal services industry, it was natural for me to immediately feel the increased need for the use of ODR to accelerate the ADR process itself.

Afterall, the Modi Government passed the Amendment Act to the Arbitration and Conciliation Act 1996 on 31st December 2015 enabling the use of electronic means for conducting ADR. The amendment also contained what may be considered as revolutionary proposal to fix specified time limit for completion of Arbitration and incentives and disincentives for variations.

Now all those Advocates and Professionals who have the necessary legal and domain experience and the “Urge to Resolve Disputes” should consider setting up their own “Dispute Resolution Centers” (also identified as Arbitration and Mediation Centers) so that in the next couple of years, we have a huge capacity build up in Dispute Resolution which will at least ensure that there is no further build up cases in the overworked Judiciary.

Naavi’s ODRGLOBAL.IN proposes to provide the technical infrastructure to enable and empower such professionals so that they can conduct online dispute resolutions and apply their arbitration and mediation skills to good use.

Ofcourse, skills in Arbitration or Mediation are to be nurtured. They are different from what advocates learn while acquiring LLB or practicing in a Court of Law. Perhaps we may consider that Mediation is more an “Art” than a tought and learnt skill. However, efforts are to be made by professionals to polish their dispute resolution skills before they plunge full scale into this new profession.

The first thing an “Arbitrator” or an Advocate participating in Arbitration proceedings or even the Litigant parties need to understand that in a “Litigation” it is more often a “Win-Lose” fight where as Arbitration and more so the Mediation is a “Win-Win” negotiation.

Further, the Judge in a litigation is strictly constrained by the inefficiency of the counsels and cannot go beyond the evidence and argument provided by the counsels even if it is inefficient and incorrect. Arbitrator has a greater freedom to find a solution and can intervene more pro-actively than in a litigation.

In a mediation, the emphasis is driving towards a mutually agreeable conclusion and not being correct to a point of law.

If this principle of “Win-Win” is understood and implemented, then the society will be lot better in the next decade when the pending 3 crore cases are resolved by Courts since they will not create 3 crore dissatisfied losers trying to take revenge on other 3 crore winners,  rather than having 6 crore happy resolved formerly disputing parties.

(P.S: I agree that all disputes are not amenable to a Win-Win solution. But the principle needs to be appreciated). 

If we agree, the question then arises….

a) If I am a professional advocate or a domain specialist

Should I become an Arbitrator?

Should I ask my clients to include an arbitration clause in the agreement providing for “Online Arbitration on the technology platform of www.odrglobal.in”?

…. perhaps it is time to consider.

b)  If I am a Consumer facing organization, say a Bank or a White Goods manufacturer or a Service provider, or an e-Commerce player,

Should I start incorporating the ODR clause into my contracts?…..(with odrglobal.in as the technology platform)

…. perhaps it is time to decide

This transformation from a “Litigation Mindset to ODR Mindset” could be an innovation in the dispute resolution industry that can wipe “Every tear from Every eye”….an evergreen mission for all nation builders.

Whenever we discuss an “Innovation” with established  industry practitioners, we come across a dilemma.

They often ask….

Should I be the first to try out? Are there some unknowns which I cannot identify?.

Most of the conservative practitioners come to the conclusion, let me not be the first..  Let me wait for others to implement the innovation and then come in.

No doubt this is a common human trait and we need to respect the cautious attitude of such “Safety First-Innovation Next” kind of professionals.

But behind this attitude lies the quality of management .. “Should I be a Leader or Am I content being a “Follower”.

The entire “Start Up ” industry is built on this premise that “Innovation is the Key to Success”. No doubt some or even many innovations may fail. But as long as the innovator hedges his risks to the extent that he will not go down with a failed innovation, there is no reason for not trying to be an innovator.

In fact it is the few innovators who succeed who turn out to be the industry leaders and icons.

Today, I would like to ask a question to all the Legal heads of companies including the Infosys, Wipro, Flipkart , as well as the Toyotas, Whirlpools, Citi Bank or State Bank etc, or for that matter any consumer facing Company why they should not take the lead in using ODR as a dispute resolution mechanism between themselves and the Customers.

It would be an “innovation” that may distinguish them as a leader rather than a follower. Will these companies who are known leaders in their respective fields bogged down by the thought “Let others try…then I will follow..”. I hope not.

I call upon all the legal heads and business heads of companies to step into this new world of ODR and contribute to the vision of “India as a Global Hub of ODR”.

I request all readers to forward this post to any of their known legal contacts in the industry and seek their response and feedback which may be sent to Naavi

Naavi

arbitration_logo4

Posted in arbitration, Cyber Law | Leave a comment

Have Russian Hackers entered India?.attacking State Bank of Mysore and Bank of Baroda?

Posted on April 29, 2016 by Vijayashankar Na

Recently two bank fraud incidents have been reported one from State Bank of Mysore in Karnataka and another from Bank of Baroda in Lucknow where security specialists have suspected hacking of the Bank’s servers without any compromise of information at the POS or the customer side.

Reference:

Hindu and Hindu Business Line on SBM fraud

TOI on BOB fraud : P.S: Though this was a case of hacking into dormant accounts by an insider, there is a failure of information security even in this fraud.

nyooz.com on BOB

In the background of these frauds, one can read the article in Kasparesky published a few months back titled: “Dozens of banks lose millions to cybercriminals attacks” and “APT-Style bank robberies on the increase..

This article states that Kasparesky which exposed a sophisticated bank fraud gang last year by name Carabanak has now identified threats from of two more gangs by name Metel (or Corkow) and GCMAN. It also said that Carabanak has reemerged with new targets. Some of these attacks indicate a spear phishing attacks on the Bank employees.

It appears that the recent attacks in India may indicate the activity similar to what has been reported here.

One of the strategies that is reportedly used is to first gain access to one of the user’s computer and plant a trojan. The trojan may crash some application such as Microsoft Word and it is expected that  the admin will be called to set things right. When the admin logs into the victim’s computer with his password, his credentials are captured by the attackers. Using this, the attackers slowly get into other systems until they are able to compromise the fund transfer systems leading to further frauds.

What we have seen in SBM now with small amounts being transferred may be only a testing of the fraud and we may soon see a major break in SBM which may shake the Bank and put its customers into great pain. May be similar threat is there in other banks also.

The recent failure of basic information security principles in an otherwise reputed company like TCS leading to a Rs 6000 crore damage on the Bank is an indication that most of the companies (including the Banks) have very weak security culture.

Additionally the opening of Unified Payment Interface opens up the mobile network to one part of the Banking servers which can be used by hackers to worm their way up the network into the core banking servers and launch a major attack to bring down a bank.

Knowing the attitude of Banks and RBI, nothing constructive is expected to be done to prevent such attacks and hence it would not be long when this prognosis may sadly come true.

I would therefore advise Bank customers to manage their risks by ensuring that they spread out their bank balances into multiple Banks and ensure that all the eggs are not in a single basket. Better still, spread it across smaller banks including cooperative banks without internet and mobile banking  so that their hard earned savings are protected.

Naavi

Posted in Cyber Crime | Leave a comment

SBI introduces a long awaited security measure to control Card frauds

Posted on April 27, 2016 by Vijayashankar Na

State Bank of India has been one of the Banks specially targetted by Card fraudsters for cloning and fraudulent withdrawal. A few years ago, Damodaran Committee of RBI recommended the most sensible control where by the customer should be given the ability to switch on and off the online banking facility.

Now We understand that SBI has introduced a “SBI Quick” service where a customer can switch on and off the use of debit cards through SMS and or Missed calls.

While the full details of how the system operates and whether it would be limited to the use of Debit cards or would be extended to credit cards, are awaited, the service in principle is welcome and has to be a mandatory feature.

This is similar to the olden day locking and unlocking of STD facility in a phone.

Hopefully the implementation of SBI quick will ensure that the security weaknesses in the current system donot also spill over to this locking and unlocking system where by a fraudster may just look at this as one additional step to cross before he continues to do what he is presently doing.

More info here: 

Naavi

Posted in Cyber Law | Leave a comment

Backup your Biggest data file.. to fight ransomware

Posted on April 27, 2016 by Vijayashankar Na

Ransom ware has been one of the biggest threats that is confronting IT users at present.  Many companies have found that their critical resources have been rendered useless with the ransomware encrypting the files and demanding a ransom for release of the decryption key.

It is however heartening to note that researchers at Kasparesky have recently found a way to decrypt files encrypted by CryptXXX.

The solution works if the user can produce one original unencrypted copy of a file that has been encrypted by the CryptXXX and the key can decrypt all other files of size equal to or less than the subject file used for finding the decryption key.

This means that if the file used for breaking the encryption is the largest file in the system, the entire set of encrypted files can be decrypted.

See Article in threatpost.com

Henceforth it is therefore a security strategy to find out which is the largest file in the system and take a backup in an offline environment.

Hopefuly, at least a few can find relief from this strategy…until a new updated version of CryptXXX with a work around hits the market.

Anyway, we need to thank Kasparesky for the solution…

Naavi

Posted in Cyber Law | 2 Comments

Has RBI Permitted Social Media Banking?.. What about audit of Mobile Apps?

Posted on April 25, 2016 by Vijayashankar Na

We have been following the discussions on how the Unified Payment Interface introduced by RBI has created one big security risk where the telecom links have been provided a direct access to Banking transactions server through execution of USSD codes.

Though the authorities claim to have adequate security, customers are yet to be convinced about whether RBI and the Banks are saying the truth.

Does it mean that Banks and RBI can lie?

I would like consumers to make their own conclusions from the following RTI exchange between one Mr Sisirkumar and RBI.

(P.S:Though this RTI pertains to ICICI Bank, the issues are expected to apply to other Banks also)

Mr Sisirkumar of Vijayawada made a simple RTI Query to RBI raising the following questions.

  1. Details on decision taken by RBI to let Banks use Social media and mobile applications.. and how RBI arrived at a decision that this does not violate the privacy of customers or their data.
  2. Details on specific documents related to approval given by RBI to ICICI Bank limited for creation of the following accounts.
    1. https://twitter.com/icicibank
    2. https://twitter.com/icicibank_care
    3. https://facebook.com/icicibank/
    4. https://youtube.com/user/icicibank

3. Details of  decision taken to permit ICICI Bank to do social media banking

4. Copy of RBI guidelines on how online presence can be conveyed to customers

5. A copy of the results of the security and privacy audits conducted by RBI

6.Details of the official RBI accounts on social media and the relevant act as per which they have been created and their purpose.

RBI has replied to the above RTI as follows:

Reply for query1:

” Department of Payment and Settlement Systems, Reserve Bank of India (DPSS, RBI) has not issued specific instructions to Banks on areas raised in the query. However, Banks have been advised vide our circular on mobile banking which is available on the website of RBI at link:

https://rbidocs.rbi.org.in/rdocs/notification/PDFs/65MNF052B434ED3C4CE391590891B8F3BE66.PDF

Para 2(ii) of Annexure I advise that social media can also be used by the Banks to build awareness and encourage customers to register on mobile Banking as one of the measures of customer awareness programs”

Reply for query 2:

“DPSS, RBI has not issued any such approvals to ICICI Bank Ltd”

Reply for query 3:

“No Specific instruction has been issued to ICICI Bank”

Reply to query 4

“DPSS has not issued any instructions in this matter”

Reply to query 5:

“DPSS has no information in this matter…. Your query has been forwarded to CPIO..to provide information if available..”

Reply to query 6:

“DPSS, RBI has no information in this matter….Your query has been forwarded to CPIO…”

Subsequently regarding query 6, M.Nandakumar, CPIO replied on January 12, 2016 stating :

“We have no information”

Another reply dated January 11, 2016 signed by Ms Alpana Killawala , CPIO stated for the same query,

“From April 13, 2015, the Reserve Bank of India has presence on two Social Media sites namely, You Tube and Twitter. It is an initiative taken by Reserve Bank for enhanced outreach and real time engagement with the public in addition to engaging with them through traditional media.

Purpose: For wider dissemination of information about RBI policies, rules and regulations”.

On query 5, a reply dated January 15, 2016, Subhash Chandra Mishra, another CPIO replied

“No Security or Privacy audits of mobile applications of banks are done by us. However, the level of adherence to extant guidelines issued by RBI are examined during the course of annual inspection of banks.”

From the above it is clear that the DPSS which issues guidelines on the use of technology is not even aware of the need for security and privacy audits and the CPIOs are completely confused about the state of affairs.

The replies confirm that RBI has not even considered security and privacy audits of mobile apps and have not recognized the security risks associated with the use of Twitter and Facebook for conducting banking transactions such as balance enquiry and transfer of funds. Perhaps they are not even aware that some banks are using Twitter handles to interact with the Banking servers and execute fund transfer requests.

As an ex Banker and lot of respect for RBI (by tradition), it is a big surprise for me to note the level of incompetence at the RBI.

This in fact corroborates some of my earlier concerns that I expressed in respect of use of USSD codes for Banking transactions by NPCI.

I am awaiting Banking security experts to react to what we have indicated here particularly to the fact that the mobile apps have not been audited by RBI.

In the earlier guidelines IDRBT was supposed to clear any banking related applications. Obviously, this guideline is being flouted by Banks and RBI has not taken any corrective action.

Naavi

Posted in ITA 2008 | 1 Comment