Naavi.org

I refer to my earlier writings about the need for insuring of risks arising out of non compliance of data protection regulations.

Ref: A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

Now with the adoption of DPDPA 2023 and the imminent release of the DPDPA Rules, it has become necessary for Companies to start reviewing their DPDPA Risk Containment policy.

The estimation of the risk starts with the “Gap Analysis” which gives an early indication of how the Rs 250 crore Plus risk could affect the company theoretically. Companies put in place Risk mitigation efforts but the residual risk after mitigation has to be either absorbed or covered through appropriate insurance.

We do expect that the DPB will be considerate and adopt a soft approach towards imposing any penalties. Hence the real risk of administrative penalties for a company which in good faith has implemented DPDPA compliance can be considered much less. However, when a breach does occur, the cost of making improvements to the system following an inquiry by DPB is a reality and has to be covered along with whatever penalties are imposed. The cost of conducting a Data Breach Analysis will also be substantial.

Most Companies do use the services of the Big Four and spend huge money for both gap analysis and data breach analysis.

Presently Cyber Insurance policies do cover the losses to the first party in terms of expenses, liability arising out of claims by victims which we may call as the third party losses arising out of the breach. The “Administrative Penalties” are a new development in India and hence existing policies may not provide adequate coverage for the same.

While the Insurance Companies and the IRDAI needs to think of appropriate upgradations of their current policies even as they think of updating their own Cyber Security Policies to include DPDPA Compliance, FDPPI is launching on its Sixth anniversary on September 17 2024, an “DPDPA Readiness Assessment” (DPRA) at a minimal cost. The assessment based on a set of parameters evaluates the DPDPA readiness in terms of a DTS (Data Trust Score).

This DRA should also be considered as “DPDPA Insurability Assessment” which the Insurance Companies may use to accept any request for underwriting and fixing the premium.

The evaluation itself may be a “DPDPA Insurability Index” (DII) which should be either qualitative such as “Fair”, “Good” and “Excellent”. The “Good” index could be fitted to the normal premium level where as “Fair” may involve a surcharge and “Excellent” a discount in the premium. The assessment would be based on an interview by an auditor with a key executive of the organization, ideally the CEO.

In the event of a data breach there may be an assessment of the Claim which is an assessment which apart from identify the expenses incurred will also evaluate the root cause of breach to identify the negligence factor of the organization to assist the Insurance Companies to determine the claim. This Data Breach Claim Assessment (DBCA) may determine whether the Insurer approves the claim and if so to what extent.

The DRA is presently available for service through Ujvala Consultants Pvt Ltd while the DBCA is under development and identification of technology partners for technical evaluation of a data breach.

On or after 17th September 2024, the DRA would be available for companies.

Naavi

USA has passed a federal Act called “Quantum Computing Cybersecurity Preparedness Act”. The Act was signed on December 21 2022 with different timelines for implementation. The concept of a legislation urging the Federal Agencies in US to be prepared for Quantum attacks even before the use of Quantum computing has become commercially relevant is a principle that needs a special commendation.

It is natural for organizations like FDPPI or Naavi to say “Be Ready” and start compliance from today since DPDPA 2023 is “Due Diligence” under ITA 2000. But what USA has done with its Quantum Computing Cybersecurity Preparedness Act is that there is a legislative compulsion to make Federal agencies start their security preparedness in advance.

This “Preparedness Act” has mandated certain agencies like OMB (Office of Management and Budget), CISA (Cyber Security and Infrastructure Agency) and NIST (National Institute of Standards and Technology) to start acting and given them time lines.

It has mandated that within 180 days, the OMB shall issue guidance on the migration of IT to post-quantum cryptography and to set budgets. Such efforts are expected to include creating an inventory of assets where there is an exposure of Quantum Cryptographic risks. Again, within 1 year the heads of CISA and National Cyber Director shall provide information on the inventory of such assets to OMB. The NIST shall also issue guidelines for post quantum cryptography standards. It is under this mandate that NIST came out with three standards on August 13, 2024. The Private sector though not part of this mandate is likely to follow suit to enhance their reputation and be eligible for Government Contracts.

This law requires federal agencies to migrate their systems to “Post-Quantum” Cryptography, which is resilient against attacks from Quantum Computers and classical computers.

The RSA (Rivest-Shamir-Adleman) algorithm which is the most commonly used cryptographic algorithm which even India uses in the Digital Signatures is considered vulnerable under Quantum attacks.

If any organization is using cryptographic algorithms like RSA at present then they are considered as not compliant with the “Quantum Computing Cybersecurity Preparedness Act”.

On August 13, 2024, NIST announced approval of three algorithms which are considered “Quantum Safe” Cryptographical algorithms.

These are :

1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
2. FIPS204, Module-Lattice-Based Digital Signature Standard
3. FIPS205, Stateless Hash-Based Digital Signature Standard

FIPS 203 is a general encryption standard, and FIPS 204 and 205 are digital signature standards for authenticating users. Unlike RSA, FIPS 203 and 204 rely on lattice cryptography, which relies on the difficulty of finding the lowest common multiple in a set of numbers. FIPS 205 uses hash functions as its core mathematical problem. Neither cryptographic approach is thought to be susceptible to quantum computing.

NIST’s release of the final post-quantum cryptography standards sets a one-year clock ticking for Office of Management and Budget OMB to issue further guidance preparing agencies for the migration of their data to the new, quantum-resilient standards. 

Agencies are expected to start migrating to post-quantum cryptography quickly once OMB issues further guidance.

The Private Sector needs to follow the new Cryptographic standards at the earliest if they have to remain compliant with the new Act and is able to meet the Quantum risks.

The auditors are now required to provide some guidance to organizations on “Quantum Readiness”.

FDPPI presently has its framework namely DGPSI which is a process based Compliance system. Under DGPSI framework, “Cryptographic Systems” is one process which can be assessed for compliance separately to whatever compliance is required.

In the case of “Quantum Readiness Assessment”, we try to check if the organization is prepared to move to the post quantum cryptographic algorithms. Along with this the awareness of Quantum risks and the inventory of Cryptographic algorithms need to be kept ready before scouting for vendors who can provide replacement of the crypto algorithms.

This type of assessment is new and the SOPs need to be developed. FDPPI is trying to put together an SIG to create such SOPs. Interested members can get in touch with the undersigned.

Naavi

In India it would have been preferable if there had been a similar “DPDPA Preparedness Act”. Instead the DPDPA Rules itself may substitute this requirement and set timelines for the setting up of DPB and for them to roll out certain provisions.

Certain agencies such as SEBI and IRDAI have already issued their own sectoral guidelines for their sectoral organizations to incorporate DPDPA Compliance. Further when the rules are released, the organizations that will be aspiring to apply for registration as “Consent Manager” will require to prepare their platform to comply with the rules.

We are aware that Quantum Computing has been a technology development that has disturbed the Cyber Security community. The reason why the Cyber Security community is worried is that the enormous power of computing that is generated in quantum computing could be used to break cryptographic algorithms used for data security purpose in classical computing.

I donot think the security problems associated with Quantum entanglement or Quantum Interference have been explored enough but some work seems to be in progress for impact of Quantum computing on Cryptographic security arising due to the quantum property of “Super positioning”. It is recognized that encryption tools currently used to protect Banking and retail transactions and digital signatures may be rendered ineffective due to Quantum Attacks.

We are in 2024 end and a survey recently suggested that 78% of large US corporations expect Quantum computing to be in the mainstream by 203o. 73% of the respondents believe that Cyber Criminals will start using the power of quantum computing to decrypt and disrupt today’s cyber security protocols.

Long term security preparedness therefore has to factor in the possibility of Quantum risks in Cyber Security space. Some of the exfiltration attacks occurring now where encrypted files might have been stolen from sensitive organizations may be held by criminals for decryption on a later date when quantum tools are available. “Harvest Now-Decrypt Later” could be a strategy the criminals could be after. The risk is more in the case of data with a long life time value such as financial records, Government records and will be of interest to bad actors.

The risks could be evident in the use of Digital Signatures as well as for Crypto Currency holders.

Even in India where we are still struggling with finding the rules for DPDPA 2023 and the means to identify “Significant Data Fiduciaries”, corporations connected internationally are hearing the questions of “Are you Quantum Ready?”.

One may respond… I am not even Privacy Ready or Digital Signature ready but how can I be expected to be ready for the future risks?..but some organizations are being forced to ask for “Quantum Readiness Audit” and we the Audit community are posing a question to ourselves if we are “Quantum Audit Ready?”

As it always happens, Naavi.org thinks today what others start thinking tomorrow. Hence we start asking this question “Are we Quantum Ready” in terms of providing consultancy and audit directions to clients who may be thinking ahead of others.

We have in the past discussed the Quantum Computing and its impact in legal implementation of an evidence. Some of the earlier articles are given below. We have discussed Super positioning and Entanglement properties in detail but not the “Quantum Interference”. We shall fill up this gap soon. At the same time time has come to go beyond discussing the superficial aspects of Quantum Properties into the aspects of “Quantum Readiness Audit”.

Let us start our journey into expanding the horizon of our DGPSI audit to beyond AI into Quantum Computing Readiness Audit.

Previous Articles:

10th March 2018: Quantum Computing and Emerging Cyber Law Challenges…Are we ready?

16th March 2028: Section 65B in Quantum Computing Scenario

20th June 2018: The Vast and Far Reaching Applications of Quantum Computing

Also Read: Quantum Computing takes a step further

On December 9, 1999, Naavi released his first book, “Cyber Laws for Every Netizen in India”. The book was released in Chennai at the PIB on the same day Information Technology Bill 1999 was presented in the Parliament to replace the Draft E Commerce Act 1998 which was under discussion till then. The book represented my entry into the world of Cyber Laws and even established the trademark character of “Naavi” for the first time.

Then in May 2000, following the outbreak of the “I Love You Virus”, the Bill was quickly passed into a Law and later notified on 17th October 2000 as Information Technology Act 2000. (ITA 2000).

It is this law that was modified in 2008, with ITA amendment act of 2008 and notified on 27th October 2009 in which Section 43A and 72A were present as specific clauses for Data Protection.

Now in 2023, on August 11, the Digital Personal Data Protection Act was passed and anytime in 2024 it is likely to be notified. When this is notified, Section 43A of ITA 2000/8 will be deleted and DPDPA 2023 with its 44 sections will become effective.

All the provisions of the rules of “Reasonable Security Practices” often referred to as SDPI rules which was notified on 11th April 2011, are now contained in the DPDPA 2023. This makes DPDPA 2023 a law that has evolved from ITA 2000. The Section 43A was applicable only for “Sensitive Personal Data” as defined in the ITAA 2008 while Section 72A and several other sections applied to “Personal Data” both sensitive or otherwise.

DPDPA 2023 is therefore a bigger and better version of Section 43A and comes within the current definition of “Due Diligence” or “Reasonable Security Practice” under ITA 2000 making the date of notification of DPDPA 2023 less relevant than many think.

Hence Compliance of DPDPA 2023 is already a mandate of Compliance of ITA 2000/8.

This transition was also reminded to me in another way when I met a journalist (Mr Srikant Govindarajan of CIOL) , yesterday at Bengaluru in a conference related to DPDPA 2023 and he reminded me that he had attended the book launch of the book “Cyber Laws for Every Netizen in India” in Chennai on December 9, 1999.

It was this interaction that reminded me that my career as an ” Author” has actually completed 25 years and has transitioned from the first book on ITA 2000/Cyber Laws to the first book on Data Protection/DPDPA 2023.

It was a reminder of how the 25 years had passed evangelizing the concept of Cyber Law Compliance which is now turned into Privacy and Data Protection Compliance. I suppose in the next one or two years the Data protection phase will merge into DGPSI phase and another book on DGPSI is due as soon as the DPDPA Rules are released.

I hope the almighty provides the opportunity to complete the DGPSI mission successfully in 2025.

When I wrote thee book on Cyber Laws in India, there was no body to even check the proof and point out any corrections. Even when the book “Guardians of Privacy… was published”, there were not many to assist me in proof reading and suggesting improvements. But now we have an army of Data Protection Professionals and hopefully my next book venture will have more experts to assist me.

Naavi

One of our visitors asked me why FDPPI is terming its flagship certification program as C.DPO.DA. (Certified Data Protection Officer and Data Auditor) while all others are only conducting C.DPO. (Certified Data Protection Officer) program. The person also commented if this is another indication of ” What Naavi thinks today, others will think a few years later” and a bit ahead of times? I understand the honest intention of the gentleman but I think I owe an explanation to this comment.

It is true that in the Cyber Law domain, many of my thoughts took years for others to accept and adopt. The concept of CEAC and Section 65B (IEA) Certification was one such which was initiated by me in 2000, presented in a Court in 2004 but it was only in 2012 that Supreme Court recognized the principles of Section 65B certification.

In the Data Protection domain, others are catching up fast and it is expected that others will catch up much faster. Today if Naavi and FDPPI are thinking of C.DPO.DA. as the skill to be developed and certified and DGPSI as the frame of reference for DPDPA compliance to be adopted, DTS as the assessment framework for compliance status of DPDPA, it is expected that others will soon accept and adopt.

We feel that DPO has the responsibility to implement DPDPA compliance within his organization while Data Auditor is the external auditor who has to verify compliance and certify if required.

It is true that the DPDPA 2023 as an act has been passed but it is yet to be notified with rules. Everyone including the Minister responsible believes that draft rules will be released in the next 15 days. On October 14 Delhi High Court is preparing to hear the petition of WhatsApp and Meta challenging the Intermediary Guidelines of ITA 2000. The same companies may be now preparing for challenging the DPDPA Rules and the Act itself in some manner stating that it is unconstitutional.

But Naavi or FDPPI ignores such hurdles placed by “Andolan Jeevies” and proceed with an assumption that MeitY will be mighty enough to roll out the implementation of DPDPA 2023 not withstanding the lobbying by the MNCs.

We therefore expect that DPDPA Compliance requirement will become a reality in 2024 and DPOs will be in action. Data Audit may come in the year 2025 but no skill gets developed overnight. Naavi/FDPPI therefore expects that the need to train one self with the Data Audit requirements will be concurrent with the need to develop DPO skills.

Let those who relish procrastination think that DPDPA 2023 will not be notified in near future, the date of implementation will not be in our lifetime and the Data Auditor concept is unlikely to be implemented by the MeitY, continue to wait .

Let those who think that their GDPR related certifications by international organizations are good enough for DPDPA, continue to think so.

But Naavi and FDPPI will look at the future with the optimism that DPDPA notification is round the corner and there will be a mad rush for compliance there after. It would be a good time for sub optimal automated tools to flood the market but the real fun begins when a good DPB Chairman takes charge. Andolan Jeevies need some body who is happy occupying the position and bide his time for some body some where to lodge a complaint before DPB starts an Inquiry.

It could be a nightmare for the industry if we have an active DPB with a T.N Sheshan kind of Chairman in place. Those who follow the futuristic principles of FDPPI will laugh at that time.

The biggest challenge we see is that in the journey towards being a Data Auditor, the current set of auditors trained and developed on other frameworks will find it difficult to adapt to the requirements of Data Audit under DPDPA. They will still think ISO 27001 is the framework to be used because the 2022 version claims to include “Privacy” and ISO 27701 is more than adequate to meet DPDPA requirement. Only time will tell if it is correct. We donot think so.

But to unlearn the past and re-learn for the future is a tough task which only the wise auditors will be able to understand.

Some of them will be there in the FDPPI Certification program on September 27, 28 and 29 exclusively designed for CERT In Auditors but good enough for others who want to be expert DPO s.

Look for details and register before it is too late.

Naavi