Cyber Insurance for DPDPA: Be warned of the “Uberrimae fidei” contracts

Naavi has been in discussion with some insurance companies about the need for DPDPA Risk Insurance. I am not sure whether any of the leading insurance companies have introduced specific policies to cover DPDPA risks, though some are extending their existing liability policies to respond to such enquiries.

I would like to draw the attention of readers to the many discussions on Cyber Insurance on this website in which we have highlighted that in India, insurance contracts are treated as contracts of utmost good faith, or “Uberrimae Fidei” contracts. What this means is that at the time a Cyber Insurance contract is underwritten, it is for the insured to disclose the risks in good faith, and if any of these disclosures are later found to be incorrect, a claim under the policy may be disallowed.

Data Fiduciaries should therefore think twice, and check the proposal form and the disclosures made in it carefully, before relying on the coverage such policies appear to offer.

Ideally, the following risks need to be covered for a Data Fiduciary as “DPDPA Non-Compliance Risk”:

  1. Penalties imposed by the Data Protection Board when an inquiry is conducted and the organization is found non-compliant.
  2. Expenses incurred for data breach investigation, forensics and legal consultancy in the case of suspected or actual data breaches.
  3. Third-party liability to data principals arising out of a data breach.

Data Fiduciaries need to check whether all three of these risks are covered, or only the expenses related to data breach investigation and the defence of liability claims.

Third-party liabilities are difficult to estimate since they depend on the claims that data principals may make. Penalties could be large and may extend up to Rs 250 crore.

The actual penalty may also depend on the security measures the organization had implemented.

Hence both estimating the sum insured that an organization requires and setting a fair premium are a challenge.

At the same time, a pre-underwriting audit and a post-claim audit become important steps that both the insured and the insurer should consider, before fixing the premium and before settling a claim respectively.

We look forward to a response from the insurance companies in India on whether they are ready to provide DPDPA Risk Insurance.

Considering the utmost-good-faith nature of insurance contracts and the disputes that may arise over the “proximate cause of loss”, the insured are advised to be careful and to seek expert advice before finalizing the contract. They should not expect insurance brokers to provide the necessary guidance, since brokers have their own vested interests. It is therefore preferable for Data Fiduciaries to engage independent consultants to assist them in choosing a DPDPA insurance policy.

Reference Articles

DPDPA Insurance and Insurability Assessment

A Golden era for Insurance Industry ushered in through Personal Data Protection Act of India

Should there be Insurance for DPDPA Fine?

Cyber Insurance and Data Breach Liability: https://www.naavi.org/wp/cyber-insurance-and-data-breach-liability/


Posted in Cyber Law

Difference between Information and Knowledge

In what can be considered a historic event, in which a global leader shared his philosophy of life with the world, Indian Prime Minister Mr Narendra Modi lived up to his acronym “Namo” and explained some of his thoughts, which are relevant to business as well.

One of the gems of wisdom Mr Modi offered is the difference between information and knowledge. He emphasized that knowledge evolves through processing, reflection and understanding, and is not just a collection of facts.

https://www.threads.net/@kumardeepam/post/DHSlEPmMJ2a/media

I would like to relate this statement to the approach of FDPPI in its training programs such as C.DPO.DA. When Naavi prepares professionals for the C.DPO.DA. certification, he focuses on converting the words of the DPDPA into their practical implications. This is the biggest differentiator of FDPPI’s certification compared with other certifications.

The next program that FDPPI is conducting for C.DPO.DA. aspirants is coming up in April 2025. Over three hours each weekend, Naavi will explain his understanding of the DPDPA in the context of its implementation in the corporate environment.

This program should be a trendsetter in the domain of DPDPA training in India, and I invite all aspiring Lead Implementers of DPDPA compliance, aspiring auditors and aspiring trainers to be part of this event. Register today and do not miss the opportunity to take part in this “Exploration of Knowledge”.

Check here for registration.


Naavi Academy: DGPSI Series, Video 3


Naavi’s Series on DGPSI: Video 2

Here is a continuation of Naavi’s series of videos on DGPSI.


Naavi’s Series on DGPSI

Naavi Academy has started a series of videos explaining DGPSI as a framework for compliance with the DPDPA.

Here is an introductory video:


The Modified CIA and Value Preservation

Yesterday we started a new round of discussion advocating that the well-known CIA triad approach to information security be modified to add “Preservation of the Value of Data”. While all data has value, the proposed V & V concept is central to the security of personal data, where the data must be protected in a manner that reduces the risk of penalty under the data protection regulations.

Let us try to explore this further.

When I published the book “Guardians of Privacy…a comprehensive handbook on DPDPA 2023 and DGPSI”, which I suppose some of you have read, I presented a security approach (page 210) in the form of a “Septagon”, as follows.

This was an upgrade of the “Security Pentagon” which I had proposed much earlier as part of the Theory of Information Security Motivation. It added the requirements of privacy through the “Governance”, “Compliance” and “Legal Basis” aspects, in place of “Non-Repudiability”, which was folded into “Authentication” itself.

These seven boundaries of personal data protection represent the requirements for protecting personal data under the current generation of data protection laws much better than the CIA concept the community used earlier.

While “Legal Basis” and “Compliance” cover the privacy concepts, “Governance” covers concepts such as the recognition and preservation of the value of data, as well as other aspects such as Distributed Responsibility and the principle that “Data is created by technology but interpreted by humans”. These are not today part of Compliance, but are considered essential for implementing the DGPSI framework.

The modified CIA V&V concept is therefore another expression of this personal data security septagon: “Governance” represents the first V in CIA V&V, and “Compliance” represents the second V.

If we had used an acronym of the parameters in the security septagon, we would have arrived at CIA-ALCG as an extension of the familiar CIA. The CIA in CIA-ALCG is, of course, the “Modified CIA” explained in yesterday’s article.

It is time we shifted our information security focus from CIA to CIA-ALCG as we migrate from “Information Security” to “Personal Data Security”. This would also apply where the context is the security of both personal and non-personal data.

Yes, I am once again challenging the age-old ISO concept, much to the discomfort of some professionals who have a role-set problem as ISO auditors. But this is inevitable as society moves from information security of all data as a single objective to information security under ITA 2000 and personal data security under DPDPA 2023 (and other laws) as the objective of protecting personal and non-personal data together in an organization. It is for the same reason that I repeatedly hold that ISO 27001 is necessary but not sufficient for personal data protection, and that we need to implement DGPSI instead as the framework of choice.

Request for comments from professionals.
