Indian Companies exposed to data breach loss of Rs 9.49 crores on an average

Key Findings of the Ponemon-2015 Data Breach Study-1

The 2015 IBM-sponsored benchmark study by Ponemon Institute LLC on the cost of Data Breach has now been published and makes some interesting observations, which we summarise below.

The findings of the previous (2013) study were discussed on this site earlier, and the current study helps us track the changes.

The 2015 Ponemon study is a collection of data across 11 different countries over a period of 10 months. Around 350 companies participated in the study, and India was part of it. To make the figures more relevant, we have tried to present most of the data in INR terms using Rs 65 per dollar as the conversion rate.

Since the undersigned, along with a few other IS professionals, has undertaken an “India Cyber Insurance Study”, the findings of this data breach cost study are extremely useful in that context.

What is the cost of Data Breach?

The first parameter to observe is the cost of a data breach per record and for an organization on an average. The consolidated average cost of breach per record was $154 or Rs 10000. However, there was a significant difference from country to country in this respect. While the loss in the US was $217, in Germany it was $211 and in Canada it was $207.

On the other hand, the loss in India was only $56 or Rs 3640.

It is obvious that in India, where data owners do not have proper legal options to pursue data breach related losses and where, culturally, we do not value Privacy as much as in the west, Indian companies may carry a lighter burden of data breach losses. This is not an indication that India has better Information Security, nor that cyber attacks here are fewer.

It can be observed that the per record data breach losses in India have increased from Rs 2405 ($37) in FY 2013 to Rs 3315 ($51) in 2014 and to Rs 3640 ($56) in 2015. This represents a near 50% increase in the two year period between 2013 and 2015 and a 10% increase in the last year.

The total organizational cost of data breach on the other hand was an average of $3.79 million on a global scale. Even here, the US topped the list with a loss of $6.53 million while in India the loss was $1.46 million (Rs 9.49 crores).

In India the total organizational loss was Rs 6.5 crores ($1 million) in 2013, Rs 8.9 crores in 2014 and now it has grown to Rs 9.49 crores.

The average number of data records lost was around 28000 in the US and around 18983 in India.

Implications on Cyber Insurance: the Problem of Under Insurance

In the Cyber Insurance context, the findings of the Ponemon study indicate that

a) Companies in India are exposed to the risk of loss on account of data breach to the extent of Rs 10 crores on an average.

b) The per record cost which a Cyber Insurance policy should cover is around Rs 3640.

c) The Cyber Insurance policy cover which an organization should aim for is therefore the number of data records multiplied by the expected average loss on account of a breach. This will be the “insurable value of the data”.

The availability of data such as that published by Ponemon introduces an element of uncertainty for companies which take Cyber Insurance, unless they properly clarify the terms of the insurance with the Insurance company.

If an organization fails to value its data assets properly at the time of obtaining the insurance and to get a confirmation from the insurance company, there may be a charge of under insurance.

For example, if an organization insures for less than the estimated value of the asset insured, it would amount to “Under insurance” and, in the event of a loss, it would get covered only for a proportionate value of the loss.

To be more specific, if an organization has 1 lakh data records, the insurable value would be Rs 36.40 crores. If it takes an insurance of, say, Rs 10 crore (30%), then it would be considered a co-insurer for the balance value of the insurable asset. Hence, if this company suffers a loss of, say, Rs 1 crore, the insurance company may cover only 30% of the loss and pay out Rs 30 lakhs/-

The premium charged should therefore be calculated with only such an expectation, and not with the expectation that the entire loss of Rs 1 crore would be covered.

It is necessary for the Insured and the Insurer therefore to define and record how the data assets would be insured and claim settled.

Perhaps a clarification is required from the Cyber Insurance Industry in India in this regard… (To Be Continued)

Copy of the Report

Naavi


Cyber Fraud Prevention Policy

Naavi has started a circle on www.localcircles.com, titled “Save Digital India From Cyber Fraud”. The objective of the circle is to bring together people interested in collaborating on a draft “Cyber Fraud Prevention Policy” to be submitted to the Government.

I request those who are interested in this exercise to join the forum immediately so that we can start a fruitful discussion.

More Information is available here:

Why Do we need a Cyber Fraud Prevention Policy?

Naavi


War on Pornography Revived?

On January 5, 2002, the undersigned wrote on this blog “Declare a War on Pornography”. This was written in the aftermath of the arrest of Dr L. Prakash, a well known Orthopedist and an innovative industrialist who drifted into the world of criminality because of the lure of money around Cyber Pornography.

This site has consistently expressed the opinion that Cyber Pornography is bad and needs to be curtailed. The following articles are worth recalling in this respect.

Times of India group guilty under Sections 67,67A and 67B? Will …

Times of India.. Is it Set to Mislead the Public on Savita Bhabhi Issue?

What Do We Do with Obscenity in Times of India?

Govt Can Ban Porn websites for obscenity

The War on savitabhabhi.com needs to be continued

Cyber Pornography- We need to fight for a Clean Internet

Should we legalize por.n?

In all these articles we strongly put forward the view that the Government needs to act strongly to put down Cyber Pornography. In fact, when savitabhabhi.com was shut down, many blamed the undersigned as being responsible for it, and he had to face the wrath of many friends in the IT industry for supporting what is often considered an archaic view.

Now today’s internet news talks of “#PornBan: Indian government reportedly starts blocking porn sites”.

There are similar reports on other websites and the expected criticism from many quarters. I am sure many of my friends in the industry will consider this an assault on personal freedom, particularly after a recent Supreme Court verdict saying that viewing Pornography by an adult is a “Fundamental Right”.

Obviously, this will bring out many adverse reactions and Mr Arnab Goswami will cry “Here is an RSS Agenda”. Mr Digvijay Singh will second him along with Manishankar Iyer.

Let them keep shouting. I feel satisfied that the NDA Government has done a good thing by this move, though I am not sure how long this will last.

I remember having presented, at the National IT Convention meeting of the BJP in Chennai on 28th September 2008, several issues that the BJP needed to address if it came to power in the 2009 elections, including the issue of Cyber Pornography, a National Cyber Army Command etc., which are being discussed now.

I am however happy to observe that 13 years after Naavi gave a war cry, and 7 years after the direct interaction, the people who matter seem to have heard it.


I wish the Government will have the courage to withstand the pressures from the opposition and the media lobby and ensure that the Indian Cyber Space is cleaned of pornographic stuff.

Blocking pornographic sites is not only a moral issue but also a Cyber Security issue. The move to block pornographic sites will eliminate one important virus dropping channel that criminals tend to use often.

I wholeheartedly congratulate the Government on this move. I urge the Supreme Court not to interfere with this decision since it is a National Security issue.

Naavi


Cyber Cafe Owner punished under Section 67C.. Now CISOs/CEOs beware!


In a first-of-its-kind verdict in the JMFC Court at Khed, in Pune district, a Cyber Cafe owner was punished with imprisonment of 15 days and a fine of Rs 10000/- for not keeping the visitors' register.

The conviction was under Section 67C of ITA 2008 and Section 188 of IPC.

Section 67C is for preservation of records and states as under:

Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Section 188 of IPC states as under:

Disobedience to order duly promulgated by public servant.

Whoever, knowing that, by an order promulgated by a public servant lawfully empowered to promulgate such order,

he is directed to abstain from a certain act, or to take certain order with certain property in his possession or under his management,

disobeys such direction,

shall, if such disobedience causes or tends to cause obstruction, annoyance or injury, or risk of obstruction, annoyance or injury, to any person lawfully employed,

be punished with simple imprisonment for a term which may extend to one month or with fine which may extend to two hundred rupees, or with both; and

if such disobedience causes or tends to cause danger to human life, health or safety, or causes or tends to cause a riot or affray, shall be punished with imprisonment of either description for a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.

Explanation.—It is not necessary that the offender should intend to produce harm, or contemplate his disobedience as likely to produce harm. It is sufficient that he knows of the order which he disobeys, and that his disobedience produces, or is likely to produce, harm.

Illustration: An order is promulgated by a public servant lawfully empowered to promulgate such order, directing that a religious procession shall not pass down a certain street. A knowingly disobeys the order, and thereby causes danger of riot. A has committed the offence defined in this section.

It is interesting to observe that under Section 67C the Government of India has not notified any rules. There is, however, a rule for Cyber Cafe owners under Section 79. This requires formalities of “Registration”, for which a Registration Agency should exist. No such agency has been notified by the Central Government.

However, certain States might have issued notifications under either ITA 2000/8 or other State Laws where the record keeping requirements might have been specified. If no such orders exist, it is difficult to see how Section 67C can be invoked.

As regards Sec 188 of IPC, some annoyance or injury must have been caused to a person (probably a public servant) by an act of disobedience of an order. It is not clear whether not maintaining the records per se falls into this category.

However, other information available indicates that the Cyber Cafe owner had earlier sent a “threatening” email to the Police Commissioner. Probably this case was originally filed under Section 66A and later that section might have been dropped.

Anyway, it is interesting to note that Section 67C might have been invoked for the first time for a conviction. This needs to be taken note of by all Companies, since there could be many non-compliance issues of record keeping under ITA 2000/8 of which all of them are guilty. The CISOs and CEOs need to watch their backs.

Naavi



95% of mobile users are under threat of Stagefright

In a grim reminder of mobile technology risks, at a time when more and more e-banking and e-commerce activities are moving onto the app platform, the “Stagefright” vulnerability is expected to expose all Android users, including those on Lollipop 5.1.1, to the risk of being hacked.

See details here

Also here

Stagefright is a multimedia library for the Android OS and is present in all versions of Android from Froyo 2.2 onwards. The security risk is mainly related to insecure code in Stagefright.

The vulnerability therefore encompasses 95 percent of Android smartphones and tablets (nearly 1 billion devices) in use at present. It has been dubbed the worst vulnerability in the history of the Android mobile operating system, which was developed by Google.

Through the Stagefright exploit, attackers can remotely take control of an Android device and access photos, cameras, private data and more. On devices running Android versions older than JellyBean, hackers can gain control of the device even if the MMS is not opened by the user. Moreover, on such devices, hackers will even be able to delete the problematic MMS without the knowledge of the user.

The Stagefright exploit is carried out by sending a malicious MMS to an Android device. The Android OS does not detect it as a security issue; it only recognizes it as a video file.

Users of Google Hangouts are also vulnerable, since the app may pre-process the videos for quicker viewing, and hence merely receiving the message on Google Hangouts may be enough to make a user vulnerable.

It appears that the solution is not very complicated. In order to prevent such an attack, users are only required to disable the automatic retrieval feature for MMS. One can go to “Messaging”, open “Settings” and remove the check on “Auto Retrieve”.

Naavi


Section 66A (modified) to come back?

According to this report in Deccan Herald, the MCIT has constituted a panel under the chairmanship of Mr T K Vishwanathan to rework Section 66A, which was struck down by the Supreme Court in what is popularly referred to as the Shreya Singhal verdict.

We invite readers to go through all articles written on this site on the subject of Sec 66A here:

Site Search Google (New Posts) :66A:

Site Search Google (Old Posts) :66A:

Google Search Section 66A+vijayashankar

Duckduckgo search Section66A+naavi

In these articles written by the undersigned, it has been clearly argued that the decision of the Supreme Court in this matter was erroneous. Our contention has always been that Section 66A was not meant to cover “Defamation” and was wrongly applied by the Police in various states. Most of the time this was done at the instance of politicians to harass their opponents. However, repeated misapplication actually made everyone believe that the section was meant to address defamation in social media.

We reiterate that “Publishing” content on social media visible to many is different from “Sending” a message, either in the form of e-mail or SMS. Messaging is a one to one communication. It does not result in “defamation”, since no third party is privy to it unless one of the parties to the communication makes it public. However, a personal message can cause distress, harassment, threat etc. Section 66A tried to address this, and not defamation.

Unfortunately, neither the petitioner nor the battery of lawyers who participated in the discussions on Section 66A understood the legal intent behind the section. They all assumed that Police must be right in arresting persons under Section 66A for social media activities and therefore the section itself was to blame.

Regrettably, the bench which heard this petition was swayed by populist sentiments on upholding “Freedom of Speech” and went on to emphatically assert that “Section 66A” was applicable to “all” communication and not only to “any communication sent through a communication device or e-mail”, and declared its commitment to uphold the democratic principle by murdering the section.

Politicians of the UPA Government, who had repeatedly misused the section to meet their political ends, suddenly became the champions of free speech and welcomed the judgement. Politicians of the BJP were too confused and inadequately informed to have the courage to say anything different. The media persons, particularly the top TV anchors, were too naive and also swayed by their own populist instincts, and called this a “landmark” judgement upholding the highest principle of democracy.

Naavi was in a minority in stating that the judgement was the result of a misperception of the purpose of the section, and that though upholding free speech is fine, what the Supreme Court was actually doing by scrapping Section 66A was promoting the mischievous use of social media.

Naavi tried to persuade the Government to apply for a review of the decision but could not succeed.

After a few months, it appears that the Government has finally come to realize that removal of Section 66A has the potential of doing more damage than the perceived benefits that it was supposed to bring and is reportedly considering its re-introduction.

It is good that Mr T K Vishwanathan is back to work on the required drafting. Mr Vishwanathan was involved in the drafting of the original ITA 2000, though perhaps he was not involved in the drafting of the amendments of 2008 in which Section 66A came in. But he is aware of the early discussions on the philosophy behind ITA 2000 and hence should be able to sort it out.

The irony, however, is that what may ultimately come out is actually an “E-defamation law”, which was not available in ITA 2008. ITA 2008 criminalized “Obscene publishing” and not “Defamatory publishing”. Defamation was still a subject of the IPC even when committed with electronic documents as defined under ITA 2000/8. This position will now change. There will now be a specific provision on defamation with the use of Twitter, Facebook and other social media vehicles. The so called “Free Speech Protectors” will have to ready themselves for another legal battle once this new law comes into being.

In the meantime, considering the need for National Security and the role of social media in this respect, the undersigned welcomes the move to regulate certain aspects of the misuse of social media.

We however hope that more than “E-Defamation”, what is required to be regulated is use of social media to spread false rumors, creating disharmony in the society etc.

The decriminalization of defamation is already under challenge in the Supreme Court, and hence, instead of attempting to define “Criminal defamation through electronic documents” as a replacement for Section 66A, we can simply link “E-defamation” to what is available in the IPC by a clarification that any offence under Section 499 of IPC committed with the use of electronic documents shall be construed as an offence under the IPC. The civil aspects of E-defamation can be covered separately with the introduction of a new section, say 43B.

Additionally, we should not forget to retain the other aspects of Section 66A which the Supreme Court, in its misplaced activist approach, failed to protect. These include harassment through e-mail and messaging through communication devices, the sending of phishing mails, spamming etc.

We trust that the expert panel under the chairmanship of Mr T K Vishwanathan takes these suggestions into account before finalizing its recommendations.

Naavi
