Uber failed in ITA 2008 Compliance


Before we proceed, let me make one point clear. The banning of Uber and other “App Based Taxi Services” is completely unacceptable. It is an immature reaction to the incident and should be reversed immediately.

We need to learn from the incident and make a root cause analysis to identify what improvements can be brought into the system. If we have any hope of building “Smart Cities”, we need to be capable of managing “Smart Taxi Services”. If a similar approach had been adopted to Banking, where there have been hundreds of frauds, we would have closed internet and mobile banking long ago.

The app based taxi services such as Uber, Ola or Taxi For Sure are extremely convenient to the public. They are also a great way of providing employment, where individuals can pool their resources and earn a living. In Bengaluru, Ola is extending the service to Autos and it can be a great boon to the public if properly handled. The benefits of the service are too overwhelming to be denied to the public just because of the misdeed of one driver.

We need to find out how the service can be improved and made more secure without banning the service. In this context we can explore whether ITA 2008 compliance would have assisted the app based companies to improve the security of their service.

Under ITA 2008, the services of the app based taxi operators would be recognized as an “Intermediary”. They receive messages from members and transmit them to the service providers. In the process they add value to the service by various means. Such service could also be provided by a telephone call center. The app is a digital tool that does the work better.

The “App Center”, which could be a “Web Site” that operates in the background, needs to be compliant with Section 79 of ITA 2008. According to ITA 2008 the App Center (or its owner, which is the company such as Uber) needs to exercise “Due Diligence” and “Reasonable Security Practice”, failing which it would be liable for any contravention of ITA 2008.

The offence in question however falls under IPC, committed with the use of electronic documents to lure the customer. However, when the driver switched off the app to facilitate the crime, he caused “Disruption” of service, which is a contravention under Section 43 of ITA 2008 as well as an offence under Section 66 of ITA 2008. It will also attract Section 85 of ITA 2008 (offences by companies), according to which the individuals who are in charge of the business of the company may be held liable personally for the civil and criminal liabilities arising out of the incident.

If the app company needs to defend against the liabilities arising out of the contravention, it needs to show observance of “Due Diligence” and “Reasonable Security Practice”.

A proper interpretation of the provisions of ITA 2008 indicates that there should be a “Privacy Policy” and an appropriate disclosure policy while the intermediary collects and uses sensitive personal information from the public for providing the service. The enrolled drivers would be “Business Associates” of the company, and the company (Intermediary) needs to have appropriate policies, procedures and controls in place to ensure that information passed on to them is used only for the purpose for which it was provided, namely to provide the taxi service and nothing else.

Such security measures would include anticipating the failure of the network, when the service provider loses connectivity with the driver either because he can switch it off or because the network may not be available, and the counter measures that are considered reasonable to address the consequences. This is a “Threat” and a “Vulnerability” that together lead to a “Risk” that needs to be mitigated.

Such reasonable counter measures could be “Alerting the Passenger” and his/her emergency contacts that “The taxi in which the passenger is travelling is temporarily out of contact and its last known location was ….” and also alerting the nearest police control room. In the instant case, it would have woken up the passenger and enabled her to protect herself better.

The Police may say that they do not have the resources to respond to such alerts since there would be too many false alarms. But if the first alert from the app is corroborated by a subsequent alert from, say, the passenger using some security app of their own, then the police can swing into action through the patrol vehicles to check. Also, the passenger can confirm when the booking is made whether he/she has accompanying passengers or is travelling alone, which can tag the alert as “Non Critical” or “Critical”.
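The loss-of-contact counter measure described above, written out as a small trip watchdog. This is an added example and not code from Uber or any of the operators named here; the timeout value, the event kinds, the recipient names and the sample event stream are all assumptions made for illustration.

```python
"""Trip watchdog: turns silence from the driver app into the alerts the post proposes.

Assumed policy (not the operator's own):
  * no driver heartbeat for CONTACT_TIMEOUT_S -> alert passenger, emergency contacts
    and the police control room, quoting the last known location;
  * the alert is tagged Critical if the passenger booked as travelling alone;
  * a later, independent passenger SOS corroborates the first alert and escalates
    it to a patrol dispatch, so a lone app glitch does not trigger the police.
"""
from dataclasses import dataclass
from typing import List, Tuple

CONTACT_TIMEOUT_S = 120.0  # assumed threshold: silence this long counts as "out of contact"


@dataclass
class Trip:
    trip_id: str
    passenger_alone: bool               # asked at booking time, as the post suggests
    emergency_contacts: List[str]
    last_heartbeat_t: float = 0.0
    last_location: Tuple[float, float] = (0.0, 0.0)
    out_of_contact: bool = False


@dataclass
class Alert:
    t: float
    trip_id: str
    kind: str        # OUT_OF_CONTACT, CORROBORATED, PASSENGER_SOS or CONTACT_RESTORED
    tag: str         # "Critical" or "Non Critical"
    recipients: List[str]
    message: str


def criticality(trip: Trip) -> str:
    """A lone passenger makes a lost-contact event Critical; a group, Non Critical."""
    return "Critical" if trip.passenger_alone else "Non Critical"


def contact_lost_alert(trip: Trip, t: float) -> Alert:
    lat, lon = trip.last_location
    msg = ("The taxi in which the passenger is travelling is temporarily out of "
           f"contact and its last known location was {lat:.4f},{lon:.4f}")
    # Passenger and emergency contacts always; the control room is informed too but is
    # only asked to dispatch a patrol once a second, independent alert corroborates this.
    return Alert(t, trip.trip_id, "OUT_OF_CONTACT", criticality(trip),
                 ["passenger", *trip.emergency_contacts, "police_control_room"], msg)


def run_watchdog(trip: Trip, events: List[Tuple[float, str, object]]) -> List[Alert]:
    """Replay a time-ordered event stream for one trip and return the alerts raised.

    Event kinds (assumed for this example):
      ("heartbeat", (lat, lon))  driver app reported its position
      ("tick", None)             periodic server check with no driver data
      ("passenger_sos", None)    passenger pressed a panic button in her own app
    """
    alerts: List[Alert] = []
    for t, kind, payload in events:
        if kind == "heartbeat":
            trip.last_heartbeat_t, trip.last_location = t, payload
            if trip.out_of_contact:
                trip.out_of_contact = False
                alerts.append(Alert(t, trip.trip_id, "CONTACT_RESTORED", criticality(trip),
                                    ["passenger", *trip.emergency_contacts],
                                    "Contact with the taxi has been restored"))
            continue
        # Any non-heartbeat event first checks how stale the driver's last report is.
        if not trip.out_of_contact and t - trip.last_heartbeat_t >= CONTACT_TIMEOUT_S:
            trip.out_of_contact = True
            alerts.append(contact_lost_alert(trip, t))
        if kind == "passenger_sos":
            lat, lon = trip.last_location
            if trip.out_of_contact:
                # Two independent signals: escalate so patrol vehicles are sent to check.
                alerts.append(Alert(t, trip.trip_id, "CORROBORATED", "Critical",
                                    ["police_patrol", "passenger", *trip.emergency_contacts],
                                    f"Passenger SOS while taxi out of contact; last known "
                                    f"location {lat:.4f},{lon:.4f}"))
            else:
                alerts.append(Alert(t, trip.trip_id, "PASSENGER_SOS", "Critical",
                                    ["police_control_room"],
                                    "Passenger SOS from a taxi still in contact"))
    return alerts


def demo_trip_events() -> List[Tuple[float, str, object]]:
    """Constructed sample stream: heartbeats stop after t=60, passenger raises SOS at t=230."""
    return [
        (0.0, "heartbeat", (12.9716, 77.5946)),
        (30.0, "heartbeat", (12.9750, 77.6000)),
        (60.0, "heartbeat", (12.9790, 77.6050)),
        (120.0, "tick", None),                       # 60 s silent: within tolerance
        (200.0, "tick", None),                       # 140 s silent: OUT_OF_CONTACT
        (230.0, "passenger_sos", None),              # corroborates: CORROBORATED
        (300.0, "heartbeat", (12.9900, 77.6200)),    # app back: CONTACT_RESTORED
    ]


if __name__ == "__main__":
    for a in run_watchdog(Trip("T1", True, ["mother", "friend"]), demo_trip_events()):
        print(f"t={a.t:5.0f} {a.kind:16} {a.tag:12} -> {a.recipients}: {a.message}")
```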

The background verification of the drivers would however be an essential part of the security and can be used to tag the drivers as “Verified” or otherwise.

The beauty of technology is that if we are innovative, we can up the security several notches and make the life of the citizens that much more secure.

We hope that our administrators understand the power of technology and use it properly rather than banning the use of technology for managing the taxi services. In the coming days the app based transport services will be an integral part of “smart city life” and it would be unwise to interrupt this technology development.

I also urge the app taxi operators to immediately form a forum of their own and develop a “Standard Security Procedure” to be an “industry practice”. They can then seek approval of such information security practice under Section 43A of ITA 2008 as a “Reasonable Security Practice”.

This would protect their business from knee jerk and arbitrary regulations from different Governments and harassment from corrupt politicians and police.

Naavi

Posted in ITA 2008

Cost of Data Breach in India


Business Managers always have difficulty in appreciating the need for investment in Information Security. Money is always a scarce resource in any organization and there are always competing demands. Managers often prefer a marketing investment over an IS investment since the benefits of a marketing activity are more visible and often immediate.

An investment in IS is however meant to prevent an adverse incident, and if it is successful we may often not recognize the benefit. Nobody may recognize that there was indeed a threat and that it was prevented because of the IS investment. Even at the initial decision making stage, it is difficult for the business manager to appreciate why he should invest in IS when there has been no adverse impact on the organization in the past.

In the light of this dilemma, it is interesting that the Ponemon Institute has released an eye opening 2014 survey report quantifying the cost of data breach in India. Though the impact of a security threat may differ from one organization to another, there are certain observations in the report which every manager needs to take note of.

For example:

1. The survey points out that the cost of data breach in India increased by 31% in the last year from Rs 2271/- to Rs 3098/-. This is the cost for one lost or stolen data record. In actual practice, whenever there is a data breach incident in an organization, data is lost in large numbers. The average total organizational cost according to the study is therefore reported to have increased by 32% from Rs 6 crores to Rs 8.3 crores.

If therefore there is a probability of one breach in an organization, then the cost would be around Rs 7 crores. It should also be remembered that the cost of loss in the Financial Sector, such as Banks, is nearly twice the above average.

Hence one breach is all that it takes to close down a business. That single killer breach can occur any time because there are a number of threats lurking in the environment and a number of unattended vulnerabilities in the organization. It can also occur because a company has a lakh employees and any one of them can cause the breach for various reasons, including negligence, lack of awareness and malicious intention.

Every company has therefore to check if it has the ability to survive even one breach incident, if it occurs in its organization. If not, then it should not argue over the investment required in mitigating the risk, even if the risk mitigation may not guarantee 100% elimination of the risk.

2. The survey observes that customers abandon organizations at a higher rate following a data breach. It is natural that customers do abandon organizations if a security breach in that organization puts the customer’s own business at risk of loss. On an average, customer turnover after a data breach increased by 11%. Marketing personnel who compete for investment with the IS department should consider that they need to get that much more new business to protect their revenue if they try to snatch investment from the IS department. In financial terms, the average cost of lost business increased from Rs 1.53 crores to Rs 2.01 crores during the year.

3. The study also goes on to state that the cost of data breach can come down by around 9% merely by the appointment of a CISO. It can come down further by around 12% with a good incident response plan, and by another 20% with a strong security posture and Business Continuity program. In other words the study predicts that around 40% of the cost of data breach can be brought down by simple IS measures, and therein lies an indication of the ROI on IS investments.

These figures must be sufficient for any business manager to understand that cutting investment in information security does not reflect prudence.

Refer here for more details

Related Article.

Naavi

Posted in Cyber Law

Section 66A and Section 79 of ITA 2008 at Supreme Court

Hindustan Times has reported (Refer: Article “SC warns govt over gagging social media” in Hindustan Times) that the Supreme Court has demanded that the Government submit its views to the Court within one week and threatened that it may otherwise keep the section under suspension.

The main issue under consideration by the Supreme Court is whether Section 66A is “Un-Constitutional” and interferes with the “Freedom of Speech”. If SC is satisfied that the section does interfere with the freedom of speech since it criminalizes posting of comments on Facebook and Twitter, as in the Palghar Case, it may come to the conclusion that Section 66A needs to be scrapped. Simultaneously, the indication is that SC may also take a view on the responsibility of intermediaries under Section 79 in similar cases.

Naavi.org has expressed its views on this issue several times and would like to reiterate its views for immediate reference.

1. The current complaint before the SC is based on the action of Police in some of the cases such as the Palghar case. The most recent is a case filed against Mr N. Chandra Babu Naidu by TRS Chief Chandrashekar. In our opinion, all these cases have been filed by an error of judgement on the part of the Police and hence are not relevant to the issue of whether Section 66A is unconstitutional or not. Postings in Facebook and Twitter should be considered as “Publishing” and are not within the provisions of Section 66A, which should be restricted to “Messages” and “E Mails”. Restrictions on “Publishing” under ITA 2008 are restricted to what is “Obscene” and are covered under Section 67. All other defamation issues must be considered as outside the purview of ITA 2008 and should be considered as falling under IPC. A relevant “Explanation” under Section 66A would be a sufficient relief in the present case.

2. The reason why scrapping of Section 66A is not recommended is that this section addresses issues such as Cyber Bullying, Cyber Stalking, Phishing and Spamming. Hence there is a need to retain the section.

3. There is also a question on whether “Annoying” can be a sufficient ground to be equated with “Defamatory”. Feeling “annoyed” is a personal reaction and is not the same as “being Defamed” in the presence of others. A person can get annoyed for nothing, and this cannot be a ground for removal of any content under Section 79. An intermediary also cannot sit in judgement of whether there is a defamatory element in any content, as this is the responsibility of the judiciary, unless the defamation is prima facie evident. An intermediary can only put up a counter view and start a process of grievance redressal.

Let’s wait for further developments.

Naavi

Related Article by Pranesh Prakash

Posted in ITA 2008

Syndicate Bank loses Rs 1.13 crores of customer’s money


In a repeat of a common cyber crime which has earlier been reported in the case of Exporters and Importers, an NRI customer of Syndicate Bank in Manipal has reportedly lost Rs 1.13 crores.

It appears funny that the Bank transferred money based on an e-mail, received in the name of the customer, that was not digitally signed.

See Report here

It is almost like celebrating an anniversary of the article titled “Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud”, published on this site on 27th November 2013, highlighting the responsibilities of Export Promotion Councils, ECGC and Banks in ensuring that such e-mail frauds are not committed.

It is unfortunate that the Bank remained illiterate about such information available in the market. RBI should also share with the public what action it has taken to educate Bankers on such Cyber Crime Risks.

It is sad that Banks and other regulatory institutions seem to be oblivious of their responsibility to protect the citizens from such frauds.

Unfortunately this fraud has happened in Karnataka, which is a haven for Cyber Criminals since there is no cyber judicial system operating here at present. With the Adjudicator of Karnataka shooing away Cyber Crime victims from seeking justice through his office, and the CM and Chief Justice looking elsewhere, Cyber Crime victims of Karnataka have nowhere to go for justice. At least if the Bank had been headquartered outside Karnataka, the situation would have been better.

Until such time as there is a change in the approach of the Karnataka Government on re-activating the Adjudication system in the State, and until the Chief Justice of Karnataka opens his eyes to the problem, it is better for Bank Customers in Karnataka to keep their money in Mumbai headquartered Banks, since the adjudication system in Mumbai is more active and some justice can be expected.

Naavi

P.S: The details of why the Adjudication system is not active in Karnataka and why the Karnataka Government and Karnataka High Court are responsible for the miserable state of Cyber Judiciary in the State have been discussed several times on this site and require no repetition. I wish CM Mr Siddaramaiah, who is himself a law graduate, or the Chief Justice of Karnataka would invite me to explain why I feel so bitter.

Naavi

Posted in Cyber Law

Cyber Appellate Tribunal to be active again


Naavi.org has been pursuing with the Government of India the appointment of the Chairperson for the Cyber Appellate Tribunal for over 3 years now. After exhausting all channels during the UPA regime, we restarted the efforts after the new Government came to power.

At last there is a reply from the Ministry of Information Technology, perhaps because of the nudging by the National Human Rights Commission, and the response has been posted on the website pgportal.gov.in.

The reply is dated November 20th and states:

“You are hereby inform that the requisite pre-appointment formalities for appointment to the post of Chairperson, CAT, have been completed and proposal for appointment is under consideration by the competent authority.”

This response is to a comment posted on 5th September 2014.

Hopefully we may see re-activation of the Cyber Appellate Tribunal shortly.

Naavi

Posted in ITA 2008

Section 66A coming for review at Supreme Court..the issues


The Supreme Court has set December 2nd as the final date of hearing, when it will hear all cases related to Section 66A.

Report in Hindu

According to the news report, a Bench of Justices J. Chelameswar and S. A. Bobde will hear the petitioners Shreya Singhal, Common Cause and People’s Union for Civil Liberties. The counsels representing these bodies are Mr Soli Sorabjee, Mr Prashant Bhushan and Mr Sanjay Parikh respectively.

The three petitions have three different prayers. The first is that the case on the Palghar girls, who were arrested for posting a Facebook comment and Liking a Facebook comment, be dismissed. The second is that no arrests be made under the section, and the third is that the section is unconstitutional.

Let’s analyze each of the three pleas and the likely arguments that may be taken by the different counsels.

1. Palghar Issue:

In this case, one of the girls commented on her Facebook page as follows:

Quote:

‘People like Thackeray are born and they die daily, and one should not observe a ‘bandh‘ for that‘

UnQuote:

One of her friends clicked “Like”. The Police arrested both under Section 66A and the magistrate committed the girls to judicial custody for 15 days.

A similar issue came up in Pondicherry when a Twitter post by a person called Ravi Srinivasan, a businessman, stated “got reports that Karti chidambaram has amassed more wealth than vadra.” In this case also the police went about arresting the person who posted the tweet under Section 66A.

Additionally there are cases on Aseem Trivedi, the Cartoonist, and many notices floating to intermediaries under Section 79 demanding removal of content allegedly contravening Section 66A.

Subsequently the Central Government through its “advisory” dated 9th January 2013, advised as follows:

“State Governments are advised that as regard to arrest of any person in complaint registered under section 66A of the Information Technology Act 2000, the concerned police officer of a police station under the State’s jurisdiction may not arrest any person until he/she has obtained prior approval of such arrest, from an officer, not below the rank of the Inspector General of Police in the metropolitan cities or of an officer not below the rank of Deputy Commissioner of Police or Superintendent of Police at the district level as the case may be.”

2. Parikh’s Plea:

According to the report, the plea is only that “no Arrests are to be made without following the guidelines”. While the above advisory is a “Guideline”, it is unlikely to be considered effective since law and order is a state subject and a mere advisory of the above nature will be ignored by the State police.

If any other guideline is required, it can come up as a “Notification” under ITA 2000/8 which should be notified in the Gazette.

3. Soli Sorabjee’s Plea

This plea is likely to focus on whether the provisions of Sec 66A are within the definition of “Reasonable Exclusions” to the Civil Liberty guaranteed under Article 19(1) of our Constitution, which states:

(1) All citizens shall have the right

(a) to freedom of speech and expression;…

(2) Nothing in sub clause (a) of clause (1) shall affect the operation of any existing law, or prevent the State from making any law, in so far as such law imposes reasonable restrictions on the exercise of the right conferred by the said sub clause in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence

Issues on which Supreme Court needs to ponder:

1. As regards the Palghar issue, the Supreme Court needs to consider if Sec 66A, which is applicable to messages and E Mails, should also be considered as applicable to Facebook and Twitter. In the process it has to take a view on the difference between “Publishing and Transmitting” Vs “Sending a Message through E Mail or a Communication Device”.

2. As regards the guidelines for arrest, the Supreme Court needs to consider what guidelines are required to be issued in this regard and what is the acceptability of the advisory issued in this regard.

3. As regards the constitutionality, the Supreme Court needs to look at several angles, including whether Sec 66A is actually meant to abridge the constitutional right of “Freedom of Expression” under Article 19(1) or has some other objective. If the objective of the section is not to restrict the “Freedom of Expression”, whether it is necessary to impute such a non-existent legislative intent and declare the section invalid, and whether in such a process it will defeat any other objective that the section has set out to achieve.

Analyzing Section 66A as it exists today:

The Section is titled “Punishment for sending offensive messages through communication service, etc” and states as under:

Any person who sends, by means of a computer resource or a communication device
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently by making use of such computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages
shall be punishable with imprisonment for a term which may extend to three years and with fine.

The section consists of three sub sections. The title as well as the content indicates that it is meant for “Sending” any information or Electronic Mail or Electronic Mail Message. Sub section (a) qualifies the nature of the content, sub section (b) emphasizes “Persistent” sending and sub section (c) emphasizes the “Purpose of Sending”.

E Mail is specifically mentioned in Sub Section (c) but the other two sub sections use the term “information”.

Sub section (c) mentions “Electronic Mail” as well as “Electronic Mail Message”. We can presume that the term Electronic Mail Message was meant to address SMS or MMS. However, the use of the term “Mail” in “Electronic Mail Message” has the effect of excluding SMS or MMS, which use a different protocol from the mail protocol. Today we have several messaging services, including WhatsApp, Instagram etc., besides SMS and MMS, and the section does not appear to cover these different forms of messaging. If the term “information” itself had been used in sub section (c) it would have been better. In that case sub section (c) would have read as follows:

any information for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such information

Since the first para of the section refers to “Sending” by means of a computer resource or a communication device, all three sub sections should be considered as referring to “Sending”, which includes e-mails, SMS, Instagram messages or any other form in which information is sent from one person to another. “Sending” implies “pushing”, as against “Receiving”, which implies “pulling” of the information.

Whether “Facebook posting”, “Facebook liking” and “Tweeting” constitute “Sending” or “Publishing” is an important issue that needs to be evaluated by the Supreme Court. If the “Information” stays on a web server and the recipient visits the web space to view the content, such content is more aptly described as “Publishing” rather than “Sending”. Both Facebook and Twitter are Social networking sites where the user’s content gets displayed for any visitor to see. It therefore appears that applying Section 66A to the Palghar Case or Karti Chidambaram’s case was incorrect.

It may be noted that Sections 67, 67A and 67B could cover both publishing as well as transmission if the message content satisfies the requirements of “Obscenity” that these sections try to address. The Palghar and Karti Chidambaram cases are not within the provisions of these sections.

Now let’s see what “Grossly Offensive” and “Menacing” mean. “Menacing” is easier to interpret since it should contain some kind of threat, a suggestion that some harm will be caused to the person or property by the person who is sending the message. Neither the Palghar case nor Karti Chidambaram’s case contains such a threat from the sender.

Sub section (b) adds a requirement that the sender should know that the message he is sending is false and that he sends such a message “persistently” with the objective of causing annoyance etc. The critical word here is “persistent”, which means that the message should be sent again and again. This does not apply to Facebook and Twitter and can only apply to cases such as sending repeated SMS/MMS messages or e-mails. This is more apt for what we normally consider as “Cyber Stalking” or “Cyber Bullying”. The Palghar or Karti’s case does not fall under this category.

Sub section (c) is distinguished by the requirement “to mislead the addressee about the origin”. This refers to typical “Phishing” and most of the “Spam” mails.

Thus sub sections (b) and (c) address cyber crimes such as Cyber Stalking, Cyber Bullying, Phishing and Spam, and if the section is quashed for whatever reason, these crimes will escape punishment, at least under this section. This would be a retrograde step.

Sub section (a) covers extortion messages and messages which can be classified as “More Offensive than what is generally offensive”. Some things which we may call “disgusting” can be classified as falling under this sub section. Such messages, if they are “Obscene”, are already covered under Section 67/67A/67B. Hence Sec 66A must be considered as addressing messages which are not obscene but are otherwise more offensive than offensive. Sub section (a) also has the purpose of addressing certain cyber crimes which escape other sections and hence deserves to be retained. Hence quashing of the section would be undesirable even in this context.

From the above, we can see that Mr Soli Sorabjee would be making a mistake if he argues for quashing of the section.

It must be remembered that Section 66A was never meant to be used for addressing the issue of “Defamation”. IPC handles this adequately. If “Defamation” occurs with “Electronic Documents”, whether it is a posting on a website or an email or a message, then the offence can be covered under IPC read along with Section 4 of ITA 2000/8. Hence the objective of Sec 66A was not to duplicate the provisions of Sec 499 of IPC in the electronic document space. It was only to address the new types of cyber crimes such as phishing, spamming, cyber stalking, cyber bullying etc. which neither IPC nor the earlier version of ITA 2000 could address.

The word “annoyance” does not amount to “Defamation”. Annoyance is what the recipient of a message experiences. “Defamation” is caused when a person is insulted before other persons. In a one to one communication no “Defamation” can take place, since insults and insinuations are made directly from the sender to the receiver. Unless it is a bulk message which goes to other persons, as in a forum, defamation cannot occur. Defamation when a message is sent to persons other than the recipient can be covered under IPC along with recognition of electronic documents under Sec 4 of ITA 2008, in the same way that making adverse comments in public can attract defamation in physical space.

If however the Police applied Sec 66A in some cases, then it was their mistake and is not a reason to change the law.

Further, if the issue of “Arrest” under section 66A has to be addressed separately, then it would interfere with the other provisions on “Cognizability” that ITA 2008 contains. It is not possible to prevent arrest only under one section unless the number of years of punishment under the section is reduced to less than 3 years. If this is done, then the benefit would flow to the other cyber crimes which the section tries to address.

Hence there is no case for either quashing the section or for tinkering with the arrest aspects as presented by the two learned counsels in their respective cases. The case on the Palghar ladies also lacks substance and deserves to be dismissed as a mistake by the Police in interpreting the law.

Whatever restrictions on the freedom of expression the section may imply are justified, because such exceptions represent cyber crimes that need to be prevented.

It would be interesting to see if the eminent advocates who argue the case, and the misconceptions about the section built by the media, are good enough to persuade the Supreme Court to ignore the fact that Sec 66A was meant to address Cyber crimes other than “Defamation” and hence cannot infringe the “Freedom of Expression”.

In view of the above it is necessary for the Union Law Ministry and the Union Ministry of Communication and Information Technology to implead themselves in the case and defend the need to retain the section rather than declare it unconstitutional. If necessary, an “Explanation” can be added to the section to the effect that “This section is not meant to address ‘Defamation’ as envisaged under Section 499 of IPC”.

Naavi


Posted in Cyber Law