Cyber Security Issues For Law Firms, Lawyers And Legal Professionals

Cyber security is an alien concept for most lawyers and law firms. They believe that they have nothing to do with cyber security. But this is a misconception because, just like other organisations, law firms must also ensure robust security and cyber security for their digital infrastructures and physical locations. Law firms are also required to formulate and strictly implement specific and exclusive cyber security best practices for lawyers and law firms.

Even among those who are aware of cyber security issues, most lawyers and law firms consider cyber security an area to be managed by IT professionals. They believe that their job is done when the matter is discussed and assigned to the IT guy. However, the problem with this approach is that it ignores the ground reality that cyber security is an organisational goal and not a division/department or individual goal. After all, cyber security is only as strong and effective as its weakest link, and human beings are undoubtedly the weakest link in the cyber security chain.

Now the problem with cyber security is that no one can ensure 100% cyber security, and if an organisation or individual claims to, it/he is not familiar with the concept of cyber security. Whether you are working on the Internet or an Intranet, cyber security always remains a big security issue. This is more so when social engineering is used to trap employees who have access to sensitive and crucial information about an organisation’s database or systems.

Some organisations also allow their employees to work on the bring your own device (BYOD) principle. So even if there is no Internet connection, such a device can both introduce malware and help in the theft of confidential information. Use of personal e-mail for work purposes is another issue that law firms and other organisations must take care of. Sensitive documents can be e-mailed to the personal e-mail ids of the employees of a law firm and can compromise the privacy and data protection safeguards put in place at the organisational level.

At Perry4Law Organisation (P4LO) we take the civil liberties and commercial interests of our clients very seriously. This is the reason why we have launched the exclusive techno legal Centre of Excellence for Cyber Security Research and Development in India (CECSRDI), so that techno legal cyber security issues can be managed in the most effective manner. However, this level of cyber security and civil liberties protection comes at a cost. For instance, to ensure the best privacy and cyber security, we do not disclose the list or names of our clients publicly, or even on request from a potential client. Many clients do not understand the significance of this practice and they misjudge it as a lack of expertise/clients. They also fail to understand that we would extend the same level of privacy, data security and cyber security to their own information and documents.

Nevertheless, we at Perry4Law Organisation (P4LO) firmly believe that it is a sane and cyber secure choice to lose new clients rather than to compromise the privacy and cyber security of existing clients, and we would continue this practice of non-disclosure.

Perry4Law Organisation (P4LO) and Perry4Law’s Techno Legal Base (PTLB) have also released two cyber security trends in India for the year 2017 for various stakeholders. They can be found at P4LO and PTLB respectively. These trends are also applicable to law firms, lawyers and legal professionals. For instance, use of cloud computing for legal services has both advantages and disadvantages. On the brighter side, we have reduced costs, and on the negative side we have issues of data breach, cyber attacks and privacy violations. Thus, a law firm or lawyer must decide what model best serves its purpose. But whatever model the law firm or lawyer chooses, cyber security, privacy protection and data protection must be the top priority of such law firm or lawyer. We at Perry4Law Organisation (P4LO) believe that cyber security is more a matter of good procedure and discipline than a combination of hardware and software. Without cyber hygiene, no hardware or software can protect the crucial documents.

Further, we also believe that open source hardware and software are very effective in ensuring cyber security, data protection and privacy protection by law firms and lawyers. Simply because something is free does not mean it is ineffective or weak. Similarly, simply because some company is charging a big amount from a law firm or lawyers for cyber security does not guarantee that cyber security would be there. In short, it is not what tool or software you have got but how you use a tool or software for the best possible results. In essence, this means the presence of cyber security skills with good cyber hygiene and best practices.

Those who cannot ensure a cyber security best practice culture at their respective law firms can at least ensure the bare minimum safeguards. Perry4Law Organisation (P4LO) and CECSRDI suggest that these safeguards must include up-to-date antivirus and firewalls, a good malware removal tool, end-to-end encryption of communications and documents, multiple secure channels of document sharing and management, etc. There are many good and open source alternatives available for all these areas, and law firms and lawyers can take benefit of the same. Perry4Law Organisation (P4LO) and CECSRDI hope that law firms and lawyers would find these tips useful and productive.


Techno Legal Startups And Entrepreneurship Trends Of India 2017 By Perry4Law Organisation (P4LO)

The socio economic conditions of India are apt for startups and entrepreneurs of India. Till now they have been given complete freedom to conduct their business in a free and regulation free manner. However, this scenario is going to change in the year 2017, which would witness consolidation of e-commerce and various startup businesses. Further, regulatory compliances and transparency would also be crucial in 2017.

In this article, Perry4Law Organisation (P4LO) has underlined the possible trends and techno legal compliance and regulatory requirements for various startups and entrepreneurs that are trying their level best to dominate Indian markets. These are as follows:

(1) Ease Of Business Doing: Indian government would be very much interested in ensuring a good and effective ease of business doing in India for startups and entrepreneurs. Till now business doing in India is not an easy task though many positive steps have been taken by Indian government in this regard. The year 2017 may see some more efforts in this regard from Indian government. However, we at Perry4Law Organisation (P4LO) strongly recommend that ease of business doing at the cost of ignoring regulatory compliances is no more a viable option for Indian government. We have already delayed regulatory compliance for areas like e-commerce, online pharmacies, online gaming and gambling, bitcoin, cyber security, cyber law due diligence (pdf) etc and continuing this approach in 2017 would be counter productive.

(2) Effective Dispute Resolution: Disputes resolution in India is a very complicated, time consuming and expensive process. Businesses engaged in disputes cannot wait for decades to get their disputes resolved. Although India has adopted ambitious projects like national e-governance plan (NeGP) and digital India yet none of them have been able to resolve this problem. Even alternative dispute resolution (ADR) methods like arbitration are suffering from many problems. However, what is most troublesome part is that India has not been able to establish e-courts and use online dispute resolution (ODR) for effective dispute resolution and ease of business doing in India. As a result, arbitration for commercial disputes and international commercial arbitration in India are not getting the response they must get.

Perry4Law Organisation (P4LO) has suggested the first ever techno legal ODR model for national and international stakeholders for various fields and businesses. Interested stakeholders may see the Online Dispute Resolution and Cyber Arbitration project for more details. This is the first ever ODR platform for India that is covering most comprehensive techno legal dispute resolution services for national and international stakeholders in India. We hope this initiative would help in ensuring an effective and alternative dispute resolution mechanism that is much needed for ensuring ease of business doing in India. Startups and entrepreneurs would be using more and more ODR and e-courts facilities in 2017 and P4LO would be happy to extend its techno legal expertise to Indian government and various stakeholders in this regard.

(3) Digital India: Digital India project of Indian government would be tested very rigorously in the year 2017 by startups and entrepreneurs. It would be a big challenge for the Indian government to ensure cyber security and civil liberties aspects of digital India in the year 2017. In 2016 digital India project lacked regulatory framework and procedural safeguards that customers, startups and entrepreneurs would demand in the year 2017. Without these essential attributes, digital India would fail to meet its aims and objectives.

(4) Digital Payments: Online payments and digital payments have a special role to play for online businesses, e-commerce and electronic delivery of services to the citizens. Startups and entrepreneurs would introduce disruptive Fintech and digital payment models in the year 2017. However, they would also be required to comply with privacy, data security and cyber security aspects of digital payments that are presently missing.

(5) Cyber Security: Cyber security is a major cause of concern for India. All digital projects and dealing must be supported with a robust and resilient cyber security system. However, cyber security infrastructure in India is still not robust and resilient. Even the cyber security trends of India 2017 have raised many crucial and alarming issues that must be urgently managed by Indian government. The year 2017 would see increased role of higher management in ensuring cyber security policies and compliances.

(6) Cyber Law: Cyber law compliances would take a front seat in the year 2017 for startups and entrepreneurs. Right now not many e-commerce ventures and businesses are complying with cyber law requirements of Information Technology Act, 2000. This would change in 2017 as Indian government would be pushing more cyber law compliance on the part of these startups and entrepreneurs.

(7) Cyber Law Due Diligence: One of the most technical and complicated compliance requirement of Information Technology Act, 2000 is ensuring cyber law due diligence (pdf). Cyber law due diligence is a techno legal aspect of compliance that needs a continuous effort on the part of top management and ground level force alike. As of now, startups, entrepreneurs, e-commerce businesses, etc are not managing cyber law due diligence on many counts. Indian government must make it sure that these stakeholders comply with the same on priority basis.

(8) Director’s Obligations: Directors of startups, entrepreneurs, Indian companies and banks are also required to comply with cyber law and cyber security requirements under the Information Technology Act, 2000, Indian Companies Act, 2013, etc. Compliance requirements on the part of Indian directors would increase in the year 2017 and this would also help in strengthening of cyber security in India.

(9) Intellectual Property Protection: Startups and entrepreneurs would be protecting their intellectual property rights (IPRs) like trademark, patents, designs, etc in the year 2017. Indian government has announced many initiatives to promote, encourage and strengthen IPRs of these stakeholders. But they are slow in taking advantage of these schemes and concessions. Perry4Law Organisation (P4LO) strongly recommends that startups and entrepreneurs must take advantage of these schemes and protect their IPRs to maximum possible extent.

(10) Consolidation Of Industry: In the year 2017, investors would exit potential risk ventures and would prefer to invest in top performing companies. This would trigger a consolidation of existing e-commerce and business ventures. As far as startups and entrepreneurship arena of India is concerned, only the most promising and disruptive venture would attract capital and investments from national and international investors. Indian government’s fight against black money would also curb illegal funding and investments from companies and investors that have been circumventing Indian laws so far. Clarity about the foreign direct investment (FDI) regime is also expected in the year 2017 from the Indian government. At the same time, Indian government must prosecute business ventures and e-commerce companies that have circumvented Indian laws and policies regarding FDI and e-commerce. Startups and entrepreneurs must keep their records and businesses clean and trouble free by ensuring techno legal compliances.

(11) Financial Technology: The year 2017 would be a golden year for startups and entrepreneurs exploring financial technology (fintech). Perry4Law Organisation (P4LO) believes that startups and entrepreneurs disrupting Indian markets need to be novel, scalable and flexible in nature. They must also ensure techno legal compliance that most of them are not doing as on date. One of the common misconceptions among startups and entrepreneurs is that techno legal compliances are just cost elements and not necessary. In the long run, legal costs are much lower than the prosecution costs. So it is always better to include legal costs as part of the overheads that must be taken care of at the stage of launch of the venture itself. Perry4Law Organisation (P4LO) has witnessed many ventures that simply collapsed as they failed to adhere to techno legal requirements due to ignorance of them at the very first stage.

(12) Blockchain And Bitcoin:  Fintech companies, startups, entrepreneurs, etc may explore use of Blockchain and bitcoin in the year 2016. Indian government and Reserve Bank of India (RBI) have been analysing blockchain and bitcoin and its possible usages. However, nothing concrete has happened in the year 2016 in this regard. Further, techno legal regulatory compliances and legality of bitcoin in India are still unresolved. The year 2017 may see some positive developments built around blockchain and bitcoin.

(13) Technology Neutral Approach: Perry4Law Organisation (P4LO) has recommended to many of its clients about use of technology neutral approach. Instead of following the masses, startups and entrepreneurs must use neutral technologies that do not depend upon a particular technology, product or services. For instance, reliance upon and use of Aadhaar for fintech or other startups and entrepreneurship ventures is a really bad move that must be avoided at all costs. Instead give multiple choices to customers to use a technology, product or service of their own choice that is not intrusive, not civil liberties violating and much more cyber secure than Aadhaar.

(14) Data Centric Approach: India is fast adopting a data centric approach where data is the king. Many big and foreign technology companies have been running on a data centric approach where that data needs to be protected as per laws of different jurisdictions. Handling of data of consumers would be a big challenge before startups, entrepreneurs, e-commerce players, online businesses, etc in the year 2017. Any data breach would be required to be managed in most effective techno legal methods and practices that are still to be put in place by various stakeholders in India. Even Indian government needs to work on the fronts of data security, data protection, privacy and cyber security as it failed to do so in 2016.

(15) Online Advertisement Industry: Online advertisement industry may witness a growth in India in 2017 due to changing tax structure of India. Local contents would be preferred over foreign contents due to taxation and commercial reasons. Startups and entrepreneurs can encash upon the local contents produced by blogs and websites of repute. However, online advertisement can be successful in India only when there are flexible and lucrative offers as business models of foreign countries are not conducive for Indian scenario.

(16) Online Entertainment And Gaming Industry: Online entertainment and gaming industry would witness a significant increase in the year 2017. This is due to wider availability of smart phones, increasing penetration of Internet and broadband, positive regulatory changes, etc. For instance, video-on-demand, video streaming, etc would increase in 2017. However, intellectual property, privacy and cyber law issues must be taken care of to avoid possible litigations by startups and entrepreneurs. There is a very fine demarcation between online gaming and online gambling and that must not be crossed by startups and entrepreneurs. Further, online gaming in one jurisdiction may be online gambling in another. So gaming startups and entrepreneurs must keep these issues in mind while launching their products and services.

(17) Online Education And Trainings: Online education, trainings and skills development related projects and business ventures would increase in the year 2017. Already some very novel models are operating in India. Perry4Law Organisation (P4LO) has been providing online techno legal education, trainings and skills development programs for long through its techno legal platforms known as Perry4Law’s Techno Legal Base (PTLB)™ and Perry4Law’s Techno Legal ICT Training Centre (PTLITC). We cover fields like cyber law, cyber security, cyber forensics, e-commerce, e-discovery, online dispute resolution (ODR), e-courts, etc. Perry4Law and PTLB are the first in the world to introduce the concept of online internship that is now fast catching up. We would announce more innovative, novel and unique online education and learning methods in the year 2017.

(18) Healthcare Ventures: Healthcare startups and entrepreneurs would flourish like anything in the year 2017 in India. For instance, business fields like telemedicine, online pharmacies, etc would see more interests in 2017. At the same time, Indian government would bring more stringent regulations and laws to manage telemedicine and online pharmacies in India in 2017. It would be a good idea to start complying with techno legal requirements from the very beginning by these business ventures in 2017.

There are many more techno legal aspects that cannot be covered in a single trends analysis. We hope startups, entrepreneurs, e-commerce companies and other business ventures would like this trend and take advantage of the strategies suggested herein.


Cyber Security Trends In India 2017 By Perry4Law Organisation (P4LO)

Praveen Dalal-Managing Partner Of Perry4Law And CEO Of PTLB

Cyber Security has finally got the attention of Indian Government in the year 2016 and the year 2017 may see some more developments in this crucial field. However, the challenges posed by Cyber Security mandates are still not addressed by India satisfactorily. These challenges were discussed by Perry4Law Organisation (P4LO) in the form of Cyber Security Trends of India 2016. In this article, P4LO discusses the Cyber Security Challenges that India may face in the year 2017. These are as follows:

(1) Digital Payments: Demonetisation of high denomination notes in India was the biggest event of India in the year 2016. It was intended to curb black money in India as well as to encourage Digital Payments usage by Indian masses. As Indian Government would focus more on Digital Payments in the year 2017, Cyber Crimes and Cyber Security incidences would increase. We at P4LO strongly recommend establishing suitable Cyber Crime Investigation Infrastructure and Cyber Security Infrastructure in India by Indian Government on priority basis.

(2) Cyber Security Law: The year 2017 would see some positive steps in the direction of enactment of Cyber Security Norms and Laws in India. The Information Technology Act, 2000 (IT Act 2000) may be amended in this regard. However, we at P4LO strongly recommend a “Separate and Dedicated Law” for Cyber Security instead of making suitable amendments in the IT Act 2000.

(3) Cyber Breaches Disclosure Norms: Indian Companies, Banks and Organisations are not at all interested in Cyber Breach Disclosure. In the absence of “Mandatory and Implementable” Cyber Breach Disclosure Norms in India, Cyber Security in India remained in poor condition. This is natural as Indian Government and CERT-In cannot make effective Cyber Security Policies till they are aware of actual Cyber Security threats. The year 2017 may see an increased focus upon mandatory Cyber Breach Disclosure Norms in India, especially for banks.

(4) Banking Cyber Security: Cyber Security of banks in India is a major cause of concern for Indian Government.  Although the Reserve Bank of India (RBI) has prescribed a Cyber Security Framework for banks of India yet almost all of them have failed to comply with the same. RBI had given a deadline of 30-09-2016 to comply with its Cyber Security Directions, but till 31st December 2016 banks have done nothing in this regard. It is also no secret that online banking, debit and credit cards and other modes of digital payments are vulnerable to sophisticated Cyber Attacks. It is only now that Indian Government has reiterated that banks of India have to report any Cyber Attack to the Government and its Authorities within 2 hours of such “Cyber Occurrence”. The year 2017 may witness an increased demand by Indian Government to ensure Cyber Security of banks by the Indian banks.

(5) Digital India: Digital India is an E-Governance project of Central Government that is supplementing the National E-Governance Plan (NEGP) of previous Government. Both Digital India and NEGP lack Cyber Security Capabilities making them vulnerable to sophisticated Cyber Attacks and Malware. In fact, Digital India project is suffering from various Shortcomings and it is heading for Troubled Waters. We at P4LO believe that Digital India project also needs urgent Regulatory Framework and Procedural Safeguards. Without removing these “Obstacles”, Digital India cannot survive in the long run. The year 2017 may see some action in this regard from the Indian Government.

(6) Crisis Management Plan: An effective and robust Cyber Crisis Management Plan is the most essential element of Digital India project of Narendra Modi Government. We may have a Crisis Management Plan on paper, but its actual implementation is still missing. That is natural as well, as the essential components of an effective Cyber Crisis Management Plan are still missing. These include a strong Cyber Security Law, effective Cyber Breach Disclosure Norms, robust Cyber Security Infrastructure and a “Timely and Effective Response” to various “Cyber Threats”. Clearly, India does not possess even a single one of these components. Indian Government may work upon these Components in the year 2017.

(7) Malware: Malware are proving the “Biggest Nuisance” for Indian Government while implementing the Digital Services. In fact, Malware are defeating Cyber Security Safeguards with ease. Even Cyber Security Products and Services are proving “Ineffective” against Malware, especially the Zero Day Vulnerabilities. Indian Government has been working upon a Botnet Cleaning Centre and Malware Removal Centre and that would prove very handy in the year 2017.

(8) Internet Of Things (IoT): Internet of Things (IoT) has seen an exponential growth in recent times. Although India has witnessed a moderate growth in the year 2016 yet in 2017 IoT may pick up a pace in India. This growth would also give rise to novel Techno Legal issues that were unknown to India so far. For instance, Privacy, Data Protection and Cyber Security Issues of Internet of Things (IoT) in India would be required to be managed. Further, Civil Liberties Issues of IoT in India must also be addressed. Although no positive hints have been given by Indian Government in this regard in 2016 yet the year 2017 may see some positive developments in the field of IoT in India.

(9) Smart Cities: Smart Cities is an area where Indian Government has invested very well. We have good “Commercial Policies” regarding Smart Cities in India. But Privacy, Cyber Security and Data Protection Issues for Smart Cities in India are still unresolved in 2016. P4LO hopes that these issues would be resolved by Indian Government in the year 2017.

(10) Cloud Computing Norms: Cloud Computing created interest among many stakeholders in India in the year 2016. The year 2017 would definitely witness a growth in the field of Cloud Computing and Virtualisation as many national and international stakeholders have already taken steps in this direction. Of course, these stakeholders are required to comply with Cloud Computing Legal and Regulatory Requirements as prescribed by Indian Laws. Presently, stakeholders are not aware of the Cloud Computing Legal Issues in India and they consider any Legal Compliance in this regard “Redundant and Unnecessary”. This attitude of stakeholders needs to be changed for their own interests as Compliance is a much better option than Litigation.

(11) Cyber Law Due Diligence: The most ignored aspect of Indian Cyberspace is avoidance of Cyber Law Due Diligence (PDF) by various stakeholders. This is more so regarding the Directors of Indian Companies and Banks that are required to comply with Cyber Law and Cyber Security requirements under the Information Technology Act, 2000, Indian Companies Act, 2013, etc. Compliance requirements on the part of Indian Directors would increase in the year 2017 and this would also help in strengthening of Cyber Security in India.

Perry4Law Organisation (P4LO) hopes that various stakeholders would find Cyber Security Trends in India 2017 by Perry4Law Organisation (P4LO) useful. If you are interested in availing any Techno Legal Cyber Law, Cyber Security and other Regulatory Compliance services from P4LO, please establish a Client Attorney Relationship in this regard so that we may help you.


Digital Payments And Cashless Economy Trends In India 2017 By Perry4Law Organisation (P4LO)

Praveen Dalal-Managing Partner Of Perry4Law And CEO Of PTLB

Successive Governments in India launched technology driven initiatives like National E-Governance Plan (NEGP), Digital India (DI), etc from time to time. Both NEGP and Digital India are very ambitious and crucial projects for making India a technology giant and world leader in technology goods and services. Just like all projects, NEGP and Digital India are also facing certain challenges and limitations. Nevertheless, they deserve to be continued with adequate Cyber Security, Civil Liberties Protection, Data Security and Data Protection, Privacy Safeguards, etc.

In this trend Perry4Law Organisation (P4LO) is confining itself to the projected trends of Digital Payments and Cashless Economy that may emerge in India in 2017. We would cover Cyber Security and related issues in detail in other trends and development documents.

(1) Demonetisation: The Digital Payments and Cashless Economy Trends 2017 are greatly influenced by the “Demonetisation” exercise that was undertaken by Narendra Modi Government in November 2016. The expression Demonetisation has been used here not in its “Legal Sense” but “Popular Sense”, as is commonly used by public at large. Further, without going into the “Constitutionality” or “Legality” of Demonetisation, it is clear that Government intends to use this opportunity to encourage Digital Payments. We at Perry4Law Organisation (P4LO) believe that Cashless Economy is an “Over Ambitious” and “Unachievable” goal and we must focus upon “Less Cash Economy” instead.

At the same time, “Public Inconvenience” and “Hardships” must be eliminated as much as possible and as soon as possible by Central Government as more than one month has already elapsed.

The idea should be “Long Term Benefits” and not “Long Term Hardships” arising out of Demonetisation. Clearly, the Inconvenience and Hardships are moving away from “Temporary” to “Long Term” and this is too dangerous a scenario to be ignored and continued by Central Government. Even from the perspective of GDP, this is not healthy for our Economy in the long run.

(2) Cyber Law: Information Technology Act, 2000 needs a complete rejuvenation as much has changed since it was formulated in 2000. The idea of stuffing everything into a single law is really bad and we need “Dedicated Laws” for different aspects of Cyber Law, Cyber Security, Cyber Crimes Investigation, Cyber Forensics, E-Discovery, etc. Digital Payments would also require dedicated norms and regulations for proper usage and implementation. The present regulatory regime in this regard is grossly deficient and it cannot accommodate Digital Payments, Online Banking, Payments Banks, Fintech Entrepreneurship, etc.

(3) Cyber Security: Cyber Security is a big “Pain Point” in implementation of NEGP, Digital India, Digital Payments, Cashless Economy, etc. As predicted in Cyber Security Trends of India 2016, the Cyber Security Infrastructure of India remained poor in India in 2016. In the absence of any “Constructive Action” regarding Cyber Security by Central Government in 2016, Cyber Security may remain “Weak” in 2017 as well. More detailed Cyber Security Trends of India 2017 would be provided by Perry4Law Organisation (P4LO) very soon.

(4) Cyber Security Norms: India has no dedicated Cyber Security Law and this is a serious limitation. This also means that as a Nation, we have failed to understand not only Cyber Security but also its possible damages. We cannot draft a suitable and robust Cyber Security Law of India till we first understand the “basics” of Cyber Security. Then we must understand the “technicalities” of Cyber Security keeping in mind the International nature of Cyberspace. It would be futile to pretend that India has a strong Cyber Security Infrastructure when the opposite is the reality. We urgently need a dedicated Cyber Security Law and norms for India for successful NEGP, Digital India and Digital Payments.

(5) Cyber Breaches Disclosure Norms: A major reason for poor Cyber Security adoption in India is that there is no “Implementable Legal Obligation” upon Companies and Organisations to report serious “Cyber Security Breaches” to Central Government. In India, nobody bothers to report Cyber Security Incidences and Breaches to Government, and Government is unable to ascertain the damage. This is a dangerous situation for the Digital Payments and Cashless Economy that India is dreaming of becoming. Imagine a situation where you have been using an “Insecure” Credit Card, Debit Card, E-Wallet or Online Banking Application and neither the Central Government nor the end customer is aware of the same. When the Cyber Breach occurs, you are at the receiving end as there is no “Effective Mechanism” to make Banks, Payment Banks, E-Wallets Service Providers, etc liable for your financial losses.

Central Government cannot formulate effective Cyber Security Policies if it is not aware what is happening on the front of Cyber Attacks and Cyberspace. Perry4Law Organisation (P4LO) requests all stakeholders to “Voluntarily” ensure Cyber Security Breach Disclosure to Central Government, CERT-IN or any other Authority specified by Central Government. This would also help in strengthening of Cyber Security of Digital Payments and making them more “Trustworthy”.

Wherever possible, Perry4Law Organisation (P4LO) would also extend its services “free of cost” to such Companies and Organisations that intend to improve the Cyber Security Infrastructure of India. We would also help them to report the Cyber Security Breaches to “Appropriate Authority” with full “Confidentiality”, as specified by Indian Laws.

(6) Enhanced Role Of RBI: Reserve Bank of India (RBI) has to play a “Pro Active” role to ensure Cyber Security of Banks, Payments Banks, Digital Payments, E-Wallets, Mobile Banking, Online Banking, etc. Mere formulation of “Guidelines” is not enough but RBI must actually implement them as well. Till now this is not happening and Indian Citizens are apprehensive about using Digital Payments. Indians are also not sure whom to approach and how to get their money back if there is a Cyber Crime or Cyber Fraud that has misappropriated their hard earned money. RBI is sitting over these issues and it needs to act fast in this regard in 2017.

(7) Aadhaar: Central Government is pushing usage of Aadhaar too much even though the Supreme Court of India has said that Aadhaar is “Not Mandatory”. Not only is forcing Aadhaar “Unconstitutional” but it also amounts to “Contempt of Court” that Central Government and State Governments are presently committing. Aadhaar is a “Very Risky Technology” to use, especially for “Online Transactions” and “Biometric Authentications”. In fact, Aadhaar should have been used for “Very Limited” areas only. But the “Omnipresent” nature and use of Aadhaar has put Biometrics and Digital Identities of Indian population at great risk.

Naturally, Aadhaar Enabled Payment System (AEPS) is also suffering from the shortcomings of lack of Cyber Security, Data Security, Privacy Protection and Biometric Security. Once the Biometrics of an individual is gone, there is no looking back. You can change the password of your e-mail account or debit card, but you cannot change your Biometrics and your Digital Identity is gone forever.

(8) Privacy Law: We have no dedicated Privacy Law in India and there is little hope that we would get one in 2017. This is because the Central Government has challenged the “Constitutional Status” of Privacy as a “Fundamental Right” in the Supreme Court of India. The Supreme Court has been sitting over the Privacy issue for long and, considering the speed of Supreme Court, it may take another decade before Privacy Right would be adjudicated upon by Supreme Court. Lack of Privacy and Cyber Security is a big concern before people would shift to Digital Payments. If you have no Privacy, Data Security and Cyber Security while using Digital Payments, you would not use it for long and on a permanent basis. The good old cash would come to your rescue in such cases that also has a “low transaction cost” as compared to Digital Payments.

(9) Digital Payments Authority: The year 2017 may see establishment of a Digital Payments Authority by the Central Government. Perry4Law Organisation (P4LO) welcomes such a move on the part of Central Government with a “rider” that Civil Liberties, Cyber Security and Data Security issues must be respected and worked upon by any such future Digital Payments Authority of India.

(10) Skills And Capacity Development: The year 2017 may also witness an increased focus upon skills and capacity developments in terms of Software, Hardware, Cyber Crimes Investigation, Cyber Security Courses and Trainings, etc. Perry4Law Organisation (P4LO) recommends that special focus must be made by Central Government for developing “Indigenous Capabilities” in the fields of Software, Hardware, etc. All Digital Payments Applications and Software must be thoroughly tested by Central Government before using them on mass scale. Fintech Entrepreneurs must also be encouraged to innovate and use “Disruptive Technologies” that can help in achieving the Digital India and Digital payments goals. These Entrepreneurs may be supported with financial aids and grants by Central Government.

Perry4Law Organisation (P4LO) recommends that while supporting Entrepreneurs, there must not be any “Discrimination” between Aadhaar based and non Aadhaar based innovations and technologies. Central Government must adopt a “Technology Neutral” approach with open mind instead of trying to impose and infiltrate Aadhaar into everything.

We hope these Digital Payments and Cashless Economy Trends 2017 of Perry4Law Organisation (P4LO) would be helpful to all stakeholders and Central Government and State Governments would find them useful.

IoT Privacy, Data Protection, Cyber Security And Civil Liberties Issues In India

Praveen Dalal, Managing Partner Of Perry4Law And CEO Of PTLB

Internet of things (IoT) has received a very positive response from Indian government and Indian entrepreneurs. Although everybody is very enthusiastic about IoT and its usage in India, nobody is aware of its usage policies and regulatory framework. This situation has arisen as we have neither a dedicated e-commerce law nor a law governing IoT and its uses in India. As a result everybody is just deploying IoT based systems and devices in India without knowing the seriousness of their actions and omissions.

IoT usage and deployment can give rise to IoT privacy, data protection, cyber security and civil liberty issues in India. However, world over these techno legal issues of IoT are still in their infancy. India has also been trying to bring a policy and regulatory framework for use of IoT in India by various stakeholders. Issuance of draft IoT Policy of India (pdf) and Revised Draft IoT Policy of India (pdf) are instances of such efforts but they are not sufficient to cover the areas and operations of innovative technology like IoT.

It is obvious that we need a techno legal framework for successful and wide scale use of IoT in India. However, this is a difficult task to manage as we have very few techno legal professionals in India and other jurisdictions who can assist in this regard. This is the reason why India is still struggling to enact privacy, data protection and cyber security laws in India. As a result, India has a very poor track record of civil liberties protection in cyberspace and surveillance and censorship issues of Digital India and Aadhaar projects are in active violation of provisions of Indian Constitution.

Perry4Law Organisation (P4LO) believes that as we would start mass deployment of IoT making it omnipresent, all stakeholders would be apprehensive as the cross linking nature of IoT would offer new possibilities and methods to influence and to exchange data and information. This leads to a variety of existing and new potential risks concerning data security, privacy and data protection, which must be considered in advance. The severity and likeliness of each risk will depend on the circumstances in which each IoT application / system is deployed.

Naturally, privacy, data protection and cyber security are complementary requirements for IoT services in India. In particular, data security and data protection are regarded as preserving the confidentiality, integrity and availability of information provided by Indian citizens. Perry4Law Organisation (P4LO) also believes that cyber security is an essential and basic requirement while providing IoT related services by the industry or government. This is required not only to ensure information security for the organisation itself but also for the benefit of Indian citizens at large.

For instance, IoT presents a variety of potential security risks that could be exploited to harm consumers by: (a) enabling unauthorised access to and misuse of personal information; (b) facilitating attacks on other systems; and (c) creating risks to personal safety. Similarly, privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. These days behavioural targeting is very common among companies who rely upon historical and real time data to analyse and influence consumers’ interests and choices. Companies might use this data to make credit, insurance, and employment decisions. Even if companies are prevented by law from taking such a course of action, these risks to privacy and security could still undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.

Perry4Law Organisation (P4LO) strongly recommends that companies developing IoT products and services in India should implement reasonable security practices and procedures. These must include cyber security best practices, e-discovery best practices, cyber law due diligence (pdf), Internet intermediary liability law compliances, etc. Similarly, there must be a dedicated crisis management plan for cyber attacks against IoT in India so that IoT and critical infrastructures can recover from sophisticated cyber attacks as soon as possible. For instance, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have recently published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). As per this Cyber Guidance, the Financial Market Infrastructures (FMIs) must develop cyber capabilities to resume their operations within two hours following a cyber disruption. India must also develop robust and resilient cyber security infrastructure so that systems dependent upon Information and Communication Technology (ICT) can come online as soon as possible.

There are some long-standing Fair Information Practice Principles (“FIPPs”) like notice, choice, access, accuracy, data minimisation, security, and accountability that should apply to the IoT segment. Indian IoT stakeholders must also follow these principles and privacy and data protection best practices so that IoT services can be provided in a legal and law abiding manner not only in India but also in other jurisdictions. Conflict of laws in cyberspace raises complicated techno legal issues that IoT stakeholders must be prepared to deal with. For instance, recently Microsoft has won a case where the US Government was forcing it to disclose e-mail data and details stored in Ireland’s data center. Microsoft argued that as the data was stored in Ireland, it was subject to Irish rather than US law, regardless of the company providing the infrastructure. Thus, IoT stakeholders from India must be aware of and comply with laws of different jurisdictions if their products and services are also offered in those jurisdictions.

Perry4Law Organisation (P4LO) hopes that IoT stakeholders would find this article useful and we also wish them all the best in their projects and business activities.

Techno Legal Responsive Regulatory Framework For Online Payment Industry Of India By Perry4Law Organisation (P4LO)

Online payment industry of India is not only unorganised but is also largely unregulated. Even the traditional banks of India are not scrutinised for their business and banking activities. For instance, a majority of banks that have extended their online payment portal services to online gambling, online pharmacy and similar such high risk ventures have not done any sort of cyber law due diligence (pdf) at all. They have simply extended their services to many apparently illegal business activities. Indian government in general and Reserve Bank of India (RBI) in particular are responsible for this lapse of regulatory compliance on the part of Indian banks and e-commerce entrepreneurs.

Recently InMobi paid a fine of $950,000 to a US regulatory body for tracking consumers’ locations without their consent. This is not a case with InMobi alone as almost all the e-commerce ventures in India are not complying with techno legal requirements of Indian and foreign laws. They consider legal compliance as a redundant exercise till some regulatory authority shows them the truth. Mobile application developers are also following this practice of non compliance and they may be prosecuted very soon. In fact, the Supreme Court of India will hear next Wednesday a petition seeking a ban on WhatsApp on the ground that the messaging platform’s end-to-end encryption gives terrorists a means of communication that is impossible to intercept. Maharashtra’s FDA has already ordered filing of FIRs against Snapdeal, its CEO Kunal Bahl, directors and distributors for online sale of prescription drugs. Bitcoin ventures of India are also required to comply with techno legal requirements, which they are presently not doing. This makes their Bitcoin business in India illegal and unauthorised. These are just a few of the examples of e-commerce and business ventures not complying with techno legal requirements of Indian laws.

Online payment market of India is passing through a turbulent phase. As on date the e-commerce and online business legal compliances are not followed by the online payment industry of India. Even the foreign investors were not very serious about cyber law due diligence in India and they invested blindly in Indian ventures. Now they have realised their mistake and they have already squeezed their funding for Indian ventures. Indian entrepreneurs and e-commerce business houses must understand that techno legal compliance is a long term insurance that they cannot ignore just like cyber insurance and cyber security of their businesses.

As far as mobile payment market is concerned, it is booming but legal compliances are still missing from their agenda. Mobile banking cyber security is another area of concern especially with mass usage of smart phones in India. RBI has been streamlining the financial and banking Sector of India. It constituted the RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (Working Group). The Working Group issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (pdf) to be followed by banks of India. The guidelines have also directed that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the board level at the earliest. However, due to lack of enforcement of these guidelines, banks have done little towards cyber security of their business activities.

Reacting to this reality, RBI decided to set up an IT subsidiary that would look into the cyber security matters of banks of India and RBI. As per media reports, a CEO has also been appointed for managing the affairs of the IT subsidiary of RBI. Further, RBI has also issued a cyber security framework for Indian banks and many of the techno legal suggestions of Perry4Law Organisation (P4LO) have been incorporated into the same. Now RBI has released a policy document titled Payment and Settlement Systems in India: Vision-2018 for streamlining the online payment infrastructure of India. The vision document has suggested formulation of a responsive regulatory framework for online payment industry of India. Some of the salient features of the vision document pertaining to techno legal regulatory framework are as follows:

(1) RBI, in consultation with all the stakeholders, will continue its efforts to create a regulatory framework to promote twin objectives of enhanced coverage with interoperability of the payments system and convenience with security for the end-users in sync with emerging developments and innovations.

(2) The legal framework for payment and settlement systems in the country is provided under the Payment and Settlement Systems Act (the PSS Act), 2007. The PSS Act empowers the Bank to regulate and supervise the payment and settlement systems in the country. In discharging its roles and responsibilities under the Act, the Bank has been putting in place policy framework, issuing guidelines and instructions to banks and authorised payment system operators relating to safety, security and efficiency of payment systems. Besides formulation of new policies and guidelines, existing policies and instructions are all continually reviewed, taking into account the feedback received from the stakeholders.

(3) Taking into account the rapid developments and innovations in the area of payment systems, the Vision-2018 envisages a more responsive regulatory framework based on consultations with stakeholders. The policy framework will support payment system initiatives that enhance access to payment services. The principle of “similar business, similar risk, similar rules” will invariably be applied.

(4) The key focus areas for responsive regulation would be:

(a) New Issues / Areas For Policy Framework

(i) Policy Framework For Central Counter Parties (CCPs): The CCPs are the critical financial market infrastructure (FMI) and the efficiency of the same is important. RBI has already declared the policy framework for regulation and supervision of FMIs under the regulatory jurisdiction of the RBI. The PFMIs against which FMIs are assessed lay emphasis on having effective governance framework and management of various risks, including legal, credit and liquidity risks against which FMIs are assessed. To begin with, the RBI would come out with regulations on Governance, Capital/ net worth requirement, registration/authorisation of foreign CCPs. At a later date, RBI may come out with regulations on risk management, if required. This will also serve as effective criterion to measure the equivalence standards of third country regulatory framework for the purpose of recognizing foreign CCPs operating outside and desirous of applying for recognition in India under these regulations.

(ii) Regulation Of Payment Gateway Service Providers And Payment Aggregators: The increasing growth of electronic payments, especially online payments, riding the growth of e-commerce and m-commerce transactions, has brought to the fore the increasing role and importance of entities that facilitate such online payments such as payment gateway providers and payment aggregators. The current guidelines on maintenance of nodal accounts for such intermediaries (monitored through banks) are indirect and address only a few specific aspects of their functioning. Given their increasing role, the guidelines will be revised for the payments related activities of these entities.

(iii) Exit Policy: Co-existence of an exit policy along with the policy on authorisation of entities which participate in the payment and settlement system is essential for the overall hygiene of the ecosystem. The exit policy would lay down the parameters and processes for voluntary exit of a payment system operator (PSO) authorised to operate a retail payment system. Such a policy would ensure that the interests of the consumers and other stakeholders are protected.

(iv) Framework For Imposition Of Penalty: Guidelines and standards for various payment and settlement systems are issued under the provisions of the PSS Act. Non-adherence to these guidelines and standards by participants and operators attract the penal provisions under the PSS Act. A framework for imposition of such penalties under the PSS Act would be put in place.

(v) Monitoring Framework For New Technologies / Innovations: In order to ensure that regulations keep pace with the developments in technology impacting the payment space, the global level developments in technology such as distributed ledgers, blockchain etc. will be monitored, and regulatory framework, as required, will be put in place. Further, the payments eco-system is dynamically evolving with the advancements and innovations taking place, particularly in the area of FinTechs. In order to provide a platform for innovators to showcase their models to the industry, particularly in the areas of interest to payment systems and services, the Reserve Bank has organised an innovation contest through the Institute for Development and Research in Banking Technology (IDRBT). Learnings from such interfaces will also be used as inputs for policy adaptations.

(b) Review Of Existing Policies:

(i) Prepaid Payment Instruments (PPIs): With increase in number of entities authorised to issue PPIs in the country, their usage for purchase of goods and services as well as funds transfer has also been growing. Over the years, the guidelines have been expanded to include several types of PPIs, some of which are not really being issued / used actively. Similarly, with growing use of PPIs, the initial forbearance given on KYC requirements, customer-facing aspects such as safety and security, risk mitigation measures, complaint redressal mechanism, forfeiture of unutilised balances, fraud monitoring and reporting requirements, etc. merit a review. A comprehensive review of the PPI guidelines will be undertaken keeping in view the changing scenario.

(ii) Mobile Banking Guidelines: To promote mobile phones as access channel to payment and banking services, the guidelines will be reviewed to address issues related to customer registration for mobile banking, safety and security of transactions, risk mitigation and customer grievance redressal measures.

(iii) White Label ATM (WLA) Guidelines: These Guidelines, formed with the objective of ensuring expansion of ATM infrastructure in rural and semi-urban areas, have not resulted in the much needed growth in ATM infrastructure in the desired geographical segments of the country due to multiple factors. The WLA Guidelines will accordingly be examined holistically and targets realigned to meet present conditions.

(5) Payment System Advisory Council (PSAC): The Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), set up under the PSS Act, is the apex body for regulating and supervising the payment system related developments and policies in the country. Vision-2018 envisages setting up of a Payments System Advisory Council (PSAC) to assist the BPSS in formulation of new policies, assessing the impact of new technological developments by providing necessary insights about futuristic developments and innovations in the area. The PSAC could have representations from diverse fields such as technology, telecommunication, FinTech, security solution providers, academia, Government, etc. and strive to provide to the BPSS the necessary consultative feedback from stakeholders for making strategic decisions in the area of payment systems.

(6) Amendments To PSS Act: Sound legal basis, including good governance, is the cornerstone for building a safe and efficient payments eco-system. Keeping this in view, amendments relating to settlement finality in the event of Central Counter Party (CCP) being declared insolvent or dissolved or wound down, and statutory charge on escrow account, have been made to the PSS Act which have come into effect from June 01, 2015. The Reserve Bank, as a member of the international Standard Setting Bodies (SSBs), is committed to adopting the international standards including those relating to recovery and resolution of FMIs. Efforts would, therefore, be made to bring in further amendments to the legal framework for addressing issues, such as:

(a) Resolution / insolvency of Central Counter Party (CCP) / Financial Market Infrastructure (FMI).

(b) Non-registration of charge on collateral with CCP: The Companies Act, 2013 has enlarged the meaning of “charge” under that Act, covering the right of system provider to appropriate collateral. In a dynamic market scenario, where the market participants constantly move in and move out the collaterals from the control of the CCP, it is practically impossible to continuously register or modify the charge. Non registration of charge under the Companies Act should not in any manner affect the right of the CCP to appropriate the collaterals and the settlement finality. As legal certainty is extremely crucial in this market, for avoiding litigation, necessary amendment to clarify this position would be taken up.

(c) Better governance in critical payment systems operators both in retail and large value payment systems by appointing observers on the board of the service providers or by appointing additional directors, as required.

(7) Strengthening Reporting Framework Including Fraud Monitoring: This includes:

(a) Reporting Framework: As part of off-site surveillance process, payment system operators (PSOs) are directed to adhere to periodic reporting requirements. The periodic returns would be moved to XBRL system. This would offer major benefits at all stages of business reporting and analysis, aiding in better quality of information and decision-making. In addition, a structured reporting framework for PSOs to communicate the findings of the audit of their IT systems along with their compliance would also be put in place.

(b) Fraud Monitoring: To further strengthen the confidence in the payment systems and minimise instances of frauds, there is a need to monitor the types of frauds that may be taking place in various payment systems. Accordingly, to begin with, a framework for collection of data on frauds in payment systems would be drawn up in consultation with the industry.

Perry4Law Organisation (P4LO) hopes that our readers would find this summary useful.

Malware Are Defeating Cyber Security Safeguards With Ease

Praveen Dalal, Managing Partner Of Perry4Law And CEO Of PTLB

Cyber Security and Malware are two sides of the same coin. While the former tries to protect critical infrastructures, computer systems, networks, etc, the latter abhors this same protection. Malware writers are increasingly targeting digital assets to gain control over them and to manipulate them for cyber attacks, cyber crimes and other nefarious activities. We have often heard about machines being turned into botnets and compromised systems to further launch cyber attacks, send spam communications or to deliver malicious codes, software and payloads. A simple search at a customised search engine or with a customised search setting would reveal that Internet is full of unprotected and insecure devices, SCADA systems and computers. Naturally, the critical infrastructures relying upon them are very vulnerable to various forms of cyber attacks.

Malware have years of history and experience behind them to unsettle cyber security initiatives. As these malware evolved, their sophistication and impact have also grown. Cyber security service providers and companies are finding it really difficult to match the might of these malware. Some of these malware are so advanced that they remain undetected even many years after compromising their victims. Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc are some examples of such malware.

Financial sector has witnessed its own share of malware. For instance, the notorious malware Carbanak was instrumental in stealing about a Billion US Dollars from financial institutions worldwide. Vskimmer Trojan, capable of stealing credit card information from Windows systems, was already in circulation. Similarly, the Malware Dump Memory Grabber was also targeting POS systems and ATMs of major U.S. banks. These malware have created havoc at Indian and international levels.

Hardware based malware are also common these days. Kaspersky has revealed in the past that intelligence agencies have been using hardware based stealth spyware. The hard drives carrying this spyware are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, thereby making their use a potential cyber hazard. Similarly, Lenovo was accused of pre installing adware in its laptops. We cannot ignore the killer USBs that can damage the system in which they are used. Telecom equipment companies like Huawei and ZTE are already facing heat over cyber security aspects of their telecom equipment in countries like India, Australia, etc. Huawei was also accused of breaching national security of India by hacking a base station controller in AP.

As the law enforcement and intelligence agencies wish to engage in illegal and unconstitutional e-surveillance and spying, cyber security of computer systems and mobile phones and their communications are not allowed to be managed in a secured and encrypted manner. For instance, Vodafone has confirmed that India has been using “secret wires” in the telecom infrastructure to indulge in e-surveillance. Indian Department of Telecommunications suppressed the whole incident with a mere assurance of “investigation” whose outcome has never been made public so far. This is the reason why Indian mobile security is poorer than that of Pakistan, which is using much better and secured communication systems.

There is no dearth of ideas and methodologies that malware owners can use. U.S. law enforcement agencies have been using fake cell phone towers to illegally intercept mobile communications and data. Surveillance hardware and software like Stingray, Triggerfish, etc are commonly used in U.S. and other jurisdictions. It has also been reported that NSA has been using radio waves and malware for engaging in world wide e-surveillance. Even anti-virus updates can be exploited to install malware upon the targeted systems. Thus, whether a computer system is online, offline or an isolated one, the “combined technique” of malware embedded hardware, spyware, malware and radio waves can allow NSA to get the “relevant information” with some effort in this regard. No doubt, U.S. government is also the biggest buyer of malware in the world.

It is obvious that besides having robust and resilient cyber security infrastructures we also need self defence mechanisms to prevent malware from infecting our systems. There are some methods that can be used to minimise cyber attacks and cyber threats from these malware but 100% cyber security is not possible. However, there are limits to legitimate exercise of self defence and it ceases to be available after a point. In the absence of international cyber law treaty and international cyber security treaty (PDF), this limit has to be judged and guided by the principle of private international law.

Nevertheless, complicated techno legal issues in the field of cyber law and cyber security would keep on arising in the absence of international harmonisation. For instance, authorship attribution is a complicated subject that has to be ascertained before a cyber crime or cyber attack liability can be imputed to an individual, nation or organisation. Similarly, whether a victim can launch his/its own cyber attack against the offender is still to be judged by the courts around the world. Nature, scope and prevention of cyber warfare is another complicated area that cannot be resolved by taking recourse to the Tallinn Manual. For the time being, malware are clearly winning the fight against the cyber security vendors and if there is no change in the “strategy and mindset” of security stakeholders, this would be the norm for the next decade.

At Perry4Law Organisation (P4LO) we have dedicated a blog titled International Legal Issues of Cyber Attacks and Cyber Security in this regard. The aim is to provide a techno legal database of articles and opinions about international legal issues of cyber attacks, cyber security, cyber crimes and cyber law. It is supported by Centre of Excellence for Cyber Security Research and Development in India (CECSRDI). We would cover more techno legal issues of cyber security, malware and international law at that blog.

Cyber Law Developments In India 2015

Cyber Law of India faced many crucial challenges in the year 2015. The Information Technology Act 2000 (IT Act 2000) was enacted in the year 2000 and it was presumed that the IT Act 2000 would mature with the passage of time. However, the opposite happened in the year 2015 when the Supreme Court of India committed one of the biggest mistakes in the history of Indian Cyber Law. Further, on the Legislative front as well, the year 2015 did not see any development for the Indian Cyber Law. Overall, Cyber Law Developments in India in 2015 were both “Retrograde” and “Ill Conceived”.

Perry4Law Organisation (P4LO) has been providing Cyber Law Trends and Developments in India for long. Our readers and viewers may find the Cyber Law Developments for the year 2013 and 2014 here (PDF) and here respectively. In this work, Perry4Law Organisation (P4LO) is sharing the Cyber Law Developments that took place in the year 2015 in India. These are as follows:

(1) Cyber Law Due Diligence: Cyber Law Due Diligence (PDF) is well established in India. As per the IT Act 2000, all Digital Stakeholders are required to observe Cyber Law Due Diligence to avoid legal sanctions and Internet Intermediary Liability. Instead of strengthening Cyber Law Due Diligence, the Judgment of the Supreme Court in Shreya Singhal v. Union of India (24th March 2015), Writ Petition (Criminal) No.167 Of 2012 (PDF) has done exactly the opposite and made Indian Cyber Law Due Diligence weaker and ineffective. In fact, the Supreme Court of India has “Killed Cyber Law Due Diligence” in India to a great extent. Nevertheless, Cyber Law Due Diligence is still required for diverse purposes in India.

(2) Civil Liberties: The year 2015 proved “Really Bad” for Civil Liberties Protection in Indian Cyberspace. Narendra Modi Government and various State Government showed no regard to Privacy Rights of Indian Citizens and they continued to “Impose” Illegal and Unconstitutional Aadhaar for various Government Services like Digital Locker. Further, issues like Cyber Security of Aadhaar, Smart Cities Civil Liberties issues, etc were also ignored by Narendra Modi Government. However, the worst act of Narendra Modi Government and other State Governments is “Deliberate Contempt of Court” by not following the directions of Supreme Court of India that mandates that Aadhaar is “Not Compulsory” for Government Services. This attitude needs to be changed by Narendra Modi and other State Governments in the year 2016.

(3) Inadequate Cyber Law: Cyber Law of India remained ineffective and inadequate in the year 2015 as well. Neither Indian Government nor Indian Parliament showed any interest in strengthening of Indian Cyber Law. Perry4Law Organisation (P4LO) has made certain “Legal Representations” to the Prime Minister’s Office (PMO), Ministry of Home Affairs (MHA), Department of Electronics and Information Technology (DeitY) and Ministry of Information and Broadcasting in this regard. Fortunately, these Ministries have assured Perry4Law Organisation (P4LO) that our “Legal Representations” would be duly considered by them while making the “Amendments” in the IT Act 2000.

(4) Telegraph Law: Indian Telegraph Act is another legislation that required “Suitable Amendments”. As on date we have no Lawful and Constitutional Interception Law in India and E-Surveillance and Telephone Tapping is still done in an “Unconstitutional Manner”. The year 2015 did not bring any positive developments in this regard. We hope in the year 2016 Narendra Modi Government would work in the direction of formulating a Constitutional Interception Law for India.

(5) Digital India: Narendra Modi Government launched the Digital India Project in the year 2015. However, Digital India is not free from Critical Issues and Shortcomings. The chief among them are lack of Cyber Security Infrastructure and disregard to Civil Liberties aspects like Data Protection (PDF) and Privacy Protection. Naturally, Digital India Project is heading towards Rough Waters and Narendra Modi Government must think in this direction in the year 2016.

(6) Online Gambling: Online Gaming and Gambling Law of India was expected to be “Clarified” through a “Conclusive Ruling” from the Supreme Court of India in the year 2015. However, this did not happen as the Supreme Court of India “Refused to Clarify” in this regard. The Supreme Court refused to clarify regarding Legality of Online Rummy and Online Poker in India and this makes the websites managing Online Rummy and Online Poker vulnerable to punishment in the year 2016. Even the Central Government refused to give any opinion in this regard. Further, tax laws and liabilities for online Poker and Online Rummy websites is also not clear. The year 2016 may see some “Clarifications” in this regard from the Narendra Modi Government.

(7) Legality Of Bitcoins In India: The year 2015 did not see any clarity regarding Legality of Bitcoin in India and Legality of Bitcoin is still doubtful in India. In fact, the Reserve Bank of India (RBI) has “Cautioned” the Bitcoin Stakeholders against “Potential Risks” (PDF) of using Bitcoin in India. Thus, as on date use of Bitcoin in India is “Legally Risky”. In short, dealing in Bitcoins in India is still a “Grey Area” and it is not safe to consider it “Strictly Legal” though Indian Corporate is Lobbying for Regulated Digital Currency in India. The bottom line is that Bitcoin Websites and Owners must comply with Indian Laws to stay legal when it comes to use of Bitcoin in India.

(8) Cyber Breaches Insurance: The year 2015 was good as far as Cyber Insurance in India is concerned. Many Companies opted for Cyber Insurance Policies in India in 2015. These policies covered losses arising out of Cyber Threats and Cyber Crimes. However, Cyber Insurance Stakeholders in India are still not aware of the Techno Legal aspects of Cyber Insurance in India. This may give rise to potential disputes and litigations in the near future. We strongly recommend that Cyber Insurance Policies must comply with Techno Legal Requirements as prescribed by IT Act, 2000 and other Laws so that disputes can be minimised to maximum possible extent. It is the prime responsibility of Insurance Companies to draft the Cyber Insurance Agreements in proper and Techno Legal manner.

(9) Online Pharmacies: The year 2015 witnessed an increased interest in Online Pharmacies among the E-Commerce players and Healthcare Stakeholders. However, a dedicated Legal Framework for Online Pharmacies is still missing. Further, most of the Online Pharmacies operating in India are not at all complying with the Techno Legal requirements of Indian Laws.

(10) Cyber Law Obligations Of Directors/Companies: Cyber Law Obligations of Directors of Indian Companies is now well established in India. However, there is insignificant development in this regard at the Board of Directors level. There are very few Directors who are aware of fields like Cyber Law and Cyber Security and even fewer are those who comply with the same. The year 2016 would see an increased focus upon Cyber Law and Cyber Security Obligations of Directors of Indian Companies and their respective Companies.

Overall the year 2015 was not good for Cyber Law Developments in India and we expect better results from the year 2016. In order to do so successfully, the Narendra Modi Government must take “Pro Active Approach” towards concepts like Cyber Law and Cyber Security. At a time when Cyber Security Developments in India 2015 and potential Cyber Security Trends In India 2016 are showing “Negative Results”, it would be a “Big Challenge” for the Modi Government to manage these issues. Perry4Law Organisation (P4LO) wishes all the best to Modi Government in this regard with a commitment to help it in every possible manner.


Cyber Security Trends In India 2016

The year 2015 witnessed lots of buzzing about Cyber Security in India. From political circles to corporate houses, Cyber Security was a hot topic to discuss. Nevertheless, Cyber Security is still at discussion stage and actual implementation of Cyber Security initiatives and measures in India was still missing in 2015. Perry4Law Organisation (P4LO) provided Cyber Security Developments of India 2015 for its viewers and readers. Our viewers and readers may also be interested in Indian Cyber Security Developments in 2015 provided by P4LO.

In this post we are trying to anticipate the Cyber Security Trends of India 2016. This is in continuation of the Cyber Security Trends of India 2015 as provided by us in 2015. The year 2016 may witness the following Cyber Security Trends in India:

(1) Cyber Security Infrastructure: Cyber Security Infrastructure in India could remain at nascent stage in the year 2016 as well. This is so because till now India is still trying to understand the basic concepts of Cyber Security. We believe that Indian Cyber Security Infrastructure must be urgently “Strengthened” so that sophisticated Cyber Attacks can be suitably managed in India.

(2) International Cyber Security Framework: Cyber Attacks and Cyber Security are International Issues (PDF) and they deserve to be managed at Global Level. Despite this fact we have no “Globally Acceptable” Cyber Law and Cyber Security Treaties. P4LO has been advocating for the formulation of International Cyber Law and Cyber Security Treaty (PDF) for long. Now Indian Government has also decided to stress upon formulation of International Cyber Law and Cyber Security Treaties. This emphasis upon International Legal Cyber Security Framework would further increase in the year 2016. P4LO has dedicated two web resources titled “International Legal Issues Of Cyber Attacks” and “International Legal Issues of Cyber Security” for our readers and viewers. The aim of these web resources is to help both National and International Stakeholders to frame Techno Legal Cyber Security Regulatory Framework at National and International levels respectively.

(3) Digital India And Aadhaar Cyber Security: Digital India project of Narendra Modi Government is a very ambitious technology driven initiative. It can significantly improve the delivery of Public Services in India by using Information and Communication Technology (ICT). However, Digital India is suffering from various “Shortcomings” that need to be eliminated by Modi Government on priority basis. The chief among them are disregard to Civil Liberties like Privacy Protection and Data Protection and lack of Cyber Security Infrastructure to support the Digital India project.

The worst “Illegality and Unconstitutionality” of Digital India project is its “Forceful and Deliberate Reliance” upon Aadhaar that is “Not Mandatory”. For instance, Aadhaar has been made compulsory for Digital Locker despite Supreme Court’s contrary directions. This makes even the Digital India project vulnerable to Constitutionality Attacks. Besides, Aadhaar has its own Data Security, Civil Liberties and Cyber Security issues that are still unresolved as on date. There is an urgent need to disassociate Digital India project from Aadhaar project.

(4) Banking Cyber Security: Cyber Security of banks in India is not satisfactory despite the fact that Reserve Bank of India (RBI) has been trying very hard in this regard since 2010. RBI has in the year 2011 mandated that a Chief Information Officer (CIO) is mandatory for all banks in India. However, till December 2015, this requirement has not been complied with by most banks of India. Further, banks of India have also failed to ensure Cyber Security Due Diligence that is mandatory for banks in India. Banks in India are not complying with Cyber Security requirements because RBI has not taken any “Deterrent Action” against the defaulting banks. However, the position would change in the year 2016 as RBI has decided to establish an exclusive IT Subsidiary that would manage the Cyber Security related issues of banks of India. P4LO recommends that RBI must make “Surprise Visits” at the banks in order to check their Cyber Security preparedness. Further, Techno Legal Cyber Security Audits must also be undertaken by RBI to check the Cyber Security Infrastructures of banks of India.

(5) Directors’ Cyber Security Obligations: Cyber Security obligations and Cyber Law Due Diligence (PDF) were not taken seriously by Indian Companies and their Directors in the year 2015. However, things are going to change in the year 2016 as Indian Government has been contemplating introduction of Cyber Security Breach Disclosure Norms in India. Cyber Breaches reporting would become mandatory in such circumstances. In fact, the Indian Companies Act, 2013 imposes Cyber Security Obligations upon Directors of Indian Companies. Similarly, the Information Technology Act, 2000 also imposes Cyber Law Obligations upon Directors of Indian Companies. In short, Cyber Law and Cyber Security Obligations of Directors of Indian Companies would tremendously increase in the year 2016.

(6) Botnet Protection: Indian Government announced the establishment of a Botnet cleaning centre in the year 2015 to tackle the menace of Botnet in India. The same may be established in the year 2016 and that would be a good step to strengthen the Cyber Security Infrastructure of India. This initiative would be in addition to the initiatives like National Critical Information Infrastructure Protection Centre (NCIPC) of India and National Cyber Security And Coordination Centre (NCSC) Of India. According to a report, Botnet are causing losses up to the extent of $6 Million a month for Online Advertisement Industry alone. The exact estimates of financial and other losses caused by Botnet is not possible as many of them use Deep Web and Dynamic DNS, Fast Flux and Bullet Proof Servers that makes it very difficult to trace and remove such Botnet. Use of Anti Forensics methods coupled with absence of a conclusive Authorship Attribution results in lack of imposing of legal responsibility and criminal prosecution of stakeholders responsible for such Botnet, Malware and Cyber Attacks in majority of cases.

(7) Cloud Computing Cyber Security: Cloud Computing industry and services are still taking a shape in India. Business and Entrepreneurs are still trying to acquaint themselves with the Legal and Regulatory requirements of Cloud Computing in India. Although we have no dedicated Cloud Computing Laws in India yet there are many Techno Legal Cloud Computing Due Diligence requirements in India. Due to the Legal Risks associated with Cloud Computing in India, many believe that use of Cloud Computing is not a viable option in India. The year 2016 would bring enhanced Cyber Law, Cyber Security, Data Protection (PDF) and Privacy Protection obligations upon the Cloud Computing Companies and their Directors.

(8) E-Health Cyber Security: Digital India project of Narendra Modi Government is covering E-Health and M-Health aspects as well. Suitable Legal Framework for E-Health/M-Health is urgently required in India and the same may be done in the year 2016 by Indian Government. A National E-Health Authority (NeHA) of India has already been proposed by Indian Government. Further, Electronic Health Record (EHR) Standards in India have also been formulated by Indian Government. Cyber Security of E-Health and M-Health Applications, Devices and Infrastructure could be stressed in the year 2016 in India.

(9) Critical Infrastructure Protection: Critical Infrastructure Protection (CIP) is a big challenge for both national and international stakeholders. Internet is full of unprotected SCADA systems on which various Critical Infrastructures are blindly relying without any Cyber Security protections. Critical Infrastructure Protection in India (PDF) is not in a good condition and Indian Government needs to work real hard in this regard. Indian Government must take Cyber Security very seriously and it is high time to frame a Critical Infrastructure Policy of India.

(10) CISO Culture: The year 2016 would see an increased appointment and participation of Chief Information Security Officer (CISO) in India. Narendra Modi Government has already appointed Dr. Gulshan Rai as the first CISO of India. Further, Companies in India are increasingly becoming aware that a Chief Information Officer (CIO) is need of the hour to protect the interest of the Company in Digital World and Cyberspace. Keeping this in mind both Enterprises and Indian Government are contemplating to increase spending upon Cyber Security Infrastructures of their respective domains.

We hope this illustrative list of Cyber Security Trends in India 2016 would be informative and our readers and viewers would find it useful.


Cyber Security Developments In India 2015 By Perry4Law Organisation (P4LO)

Cyber Security Trends and Development provide valuable insight into the shortcomings of Cyber Security initiatives of any Nation. Similarly, Cyber Security Trends and Developments of various Nations also help in consolidation of International Legal Issues of Cyber Security. Though we have no globally acceptable International Cyber Security Treaty (PDF), yet global Cyber Security Trends can help in consolidation of International Legal Issues of Cyber Security.

Perry4Law Organisation (P4LO) has been providing Cyber Security Trends and Developments in India for long. We have already provided the Cyber Security Trends and Developments of India 2013 (PDF) and Cyber Security Trends and Developments in India 2014. We have also provided Cyber Security Trends of India 2015 and most of our predictions and analysis were proved true by the unfolded events that took place in Indian Cyberspace and foreign Jurisdictions. Cyber Security Problems and Challenges of India were also highlighted by us.

We also dedicated an exclusive Blog on International Legal Issues of Cyber Security titled International Legal Issues Of Cyber Attacks And Cyber Security, Cyber Terrorism And Cyber Warfare. The aim of this Blog is to provide Techno Legal Cyber Security inputs and suggestions so that International Legal Issues of Cyber Security can be discussed at a single platform.

Some of the Cyber Security Developments that took place in India in the year 2015 are as follows:

(1) Constitutional Cyber Security: Indian Constitution was framed many decades ago. It was not possible to include provisions pertaining to Cyber Law and Cyber Security in the year 1950. Perry4Law Organisation (P4LO) has suggested that Cyber Security and allied fields must be suitably incorporated into the Indian Constitution keeping in mind the future requirements. We are already working in this direction and would come up with Constitutional Cyber Security Issues very soon.

(2) Protection Of School Children: The year 2015 witnessed that School Children are vulnerable to many forms of Cyber Threats. These include Social Engineering attacks, Cyber Stalking, Cyber Harassment, etc. A need was felt in India that School Children must be suitably educated about Cyber Issues.

(3) Cyber Law Due Diligence: Cyber Law Due Diligence (PDF) is not in good condition in India. Companies, Individuals and other Stakeholders did not comply with Cyber Law Due Diligence requirements in the year 2015 as prescribed by Information Technology Act, 2000 (IT Act 2000). However, the worst blow came from none other than the Supreme Court of India. Indian Supreme Court has killed Cyber Law Due Diligence to a great extent. As a matter of fact, we need a strong Cyber Law Due Diligence in India unlike the one suggested by the Supreme Court.

(4) Equation Group And NSA: It has been reported that United States National Security Agency (NSA) may have been planting surveillance software into hard drives and other essential computer equipment sold around the world for more than a decade through Equation Group. NSA has also used radio waves for E-Surveillance purposes in the past. Kaspersky Lab has also revealed that hardware based stealth spyware were also used by Intelligence Agencies in the year 2015.

(5) Cyber Security Infrastructure: Cyber Security Infrastructure in India is still not up to the mark till 2015. Indian Cyberspace is vulnerable to diverse forms of Cyber Attacks. In these circumstances, it is imperative that Indian Cyber Security Infrastructure must be strengthened to maximum possible extent. Further, Narendra Modi Government must protect Indian Cyberspace on a Priority basis. As on date and till 2015, India is a Sitting Duck in Cyberspace and Civil Liberties Protection regime.

(6) Banking Cyber Security: Cyber Security of Banks in India is still not given priority by Indian Banks in the year 2015. In fact, Reserve Bank of India (RBI) has been trying to strengthen Cyber Security of Indian Banks but with little success. Now RBI has decided to establish an IT Subsidiary for looking into Cyber Security related issues of Banks of India. This can be a significant move on the part of RBI and may force the Banks in India to finally strengthen their Cyber Security in the year 2016.

(7) Smart Cities: Indian Government has announced in 2015 to establish many Smart Cities in India. Such Smart Cities would be dependent upon Information and Communication Technology (ICT) in diverse manner. Since ICT would be used, Smart Cities Cyber Security in India cannot be ignored by Indian Government. Smart Cities in India, like in foreign countries, are facing many Cyber Security problems and challenges that need to be resolved before launching of full fledged project.

(8) Digital India Cyber Security Issues: Digital India is one of the most ambitious Technology Driven projects of the World. However, its strong dependence upon Aadhaar has made it vulnerable to Legal and Constitutional Attacks. Perry4Law Organisation (P4LO) has outlined some Shortcomings of Digital India Project and we hope they would be considered by Indian Government for a better Digital India initiative of India. The most alarming shortcoming in this regard is that Digital India is suffering from lack of Cyber Security Infrastructure. Nothing is more dangerous and more worrisome than implementing the E-Governance and Digital India Projects of India without adequate Cyber Security.

(9) Cyber Security Legal Framework: All Governments need full and complete “Disclosures” of Cyber Security Breaches affecting the lives of their Citizens. Unfortunately, Cyber Security Breach Disclosure Norms in India are still missing in the year 2015. This is because we have an outdated Cyber Law and missing Cyber Security Law in India. Outdated and Unconstitutional Laws like Cyber Law and Telegraph Act must be urgently repealed and new laws must be formulated in this regard. Further, a Techno Legal Framework must be urgently formulated by Indian Government. At the same time we also need the Cyber Security Policy of India 2015 that is a must to strengthen Indian Cyber Security Capabilities. Civil Liberties Issues in Cyberspace like Privacy Protection must also be ensured by the proposed Cyber Security Policy of India 2015.

(10) E-Surveillance in India: Unconstitutional E-Surveillance issues remained intact in India in the year 2015 as well. Projects like Aadhaar, Digital India, Smart Cities, etc are still violating the Civil Liberties of Indian Citizens without any Procedural and Constitutional Safeguards. Telecom giant Vodafone has confirmed existence of Secret Wires for Indian Government E-Surveillance purposes. Although Indian Department of Telecommunication (DOT) promised investigation into this matter, the same remained an “Empty Promise” only. So far DOT has failed to make the “Investigation Report” public. In similar activities, UK’s Government admitted that it indulged in Illegal E-Surveillance over Lawyers Communications. With the combination of Aadhaar and Digital India, India has become the Biggest Digital Panopticon of the World. To make matters worse, we have no Parliamentary Oversight over this Digital Panopticon of India. Even the Intelligence Agencies of India need Parliamentary Oversight and Reforms.

(11) Cyber Security Legal Practice: The year 2015 is the starting point for Cyber Security Legal Practice World wide. Law Firms around the World have started exploring Cyber Security Legal Issues as possible areas of practice. However, as on date there are very few Cyber Security Law Firms in the World that are capable of managing Cyber Security Legal Practice. Perry4Law Law Firm is one of such few Law Firms that are providing Cyber Security and Cyber Forensics Legal Services in India and Foreign Jurisdictions. Some Consultancy Firms have also hired Lawyers in India so that they can provide Cyber Security Legal Services in India. However, the “Legality” of this method is yet to be ascertained as in India Lawyers cannot form Partnership with Non Legal Individuals/Firms. Along with the benefits of Cyber Security Legal Practice, Law Firm’s Cyber Security Obligations in India are also increasing.

(12) Cyber Warfare Policy: Cyber Warfare has become a reality in the present Digital Environment. However, India is not prepared to deal with Cyber Warfare that is taking place at the Global scale. Cyber Warfare against India is also happening but we are not capable of detecting the same in a timely and real time manner. Further, even in the year 2015, we have no Cyber Warfare Policy in India (PDF) that can manage the Techno Legal issues of Cyber Warfare. Even the Tallinn Manual on Cyber Warfare is not applicable to International Cyber Warfare Attacks and Defence and every Nation is free to adopt its own methods and procedures in this regard. Related fields like Cyber Terrorism and Cyber Espionage were also not taken care of by Indian Government in the year 2015.

(13) Encryption Law And Policy: In the year 2015 also Indian Government did not pay any attention to Encryption Policy of India (PDF). The net result is that we have neither a dedicated Encryption Law in India nor any Policy regarding Encryption usage in India till 2015. Although Indian Government tried to formulate an Encryption Policy in the year 2015 yet it was poorly drafted and was immediately withdrawn by Indian Government.

(14) Mobile Security: Just like the year 2014, the year 2015 also witnessed a stress upon Mobile Governance usage in India. Similarly, just like 2014, in the year 2015 also no steps were taken by Indian Government towards ensuring Mobile Security in India. This has given rise to additional Mobile Banking Cyber Security Risks before the Banking Industry of India. Fortunately, RBI has decided to set up an IT Subsidiary to look into matters pertaining to Banking Security and Mobile Banking Cyber Security can also be looked into by that IT Subsidiary.

(15) M-Health: India has also stressed upon use of Mobile Health (M-Health) concept for widespread availability of healthcare services to Indian population. Besides inadequate Cyber Security, M-Health is also suffering from lack of Legal Framework to govern the same. The position is that M-Health projects and businesses in India lack Regulatory Compliances. Due to this Legal Loophole, M-Health service providers are violating other Indian Laws applicable to them.

(16) Cloud Computing: Cloud Computing in India has miserably failed to comply with either the Indian Laws or the absolutely essential Cyber Security requirements. In the absence of dedicated Laws regarding Privacy Protection and Data Protection (PDF), Virtualisation and Cloud Computing are “Legally Risky” and are “Landmines” for Privacy Violation in India. Further, we have no dedicated Law for Cloud Computing in India as well. The position remained the same in the year 2015.

(17) Internet of Things (IOT): Goods and services based upon Internet of Things (IOT) were introduced in India in 2015. This trend is going to increase in the year 2016 as well as Projects like Smart Cities, Digital India, etc would rely upon IOT for proper functioning. Even the draft IOT Policy of India (PDF) and Revised Draft IOT Policy of India (PDF) were released by Indian Government. However, both the IOT Policies of Indian Government failed to address the Civil Liberties issues. Privacy Rights in the Information age (PDF) have to be addressed by Indian Government for new technologies and concepts.

(18) Cyber Insurance: The year 2015 witnessed a booming Cyber Liability Insurance in India. The major reason for the growth of Cyber Insurance Policies in India is the increased numbers of Cyber Crimes and Cyber Attacks in India. However, Cyber Insurance Stakeholders in India have still to understand the technicalities of Techno Legal aspects of Cyber Insurance.

Perry4Law Organisation (P4LO) hopes that our readers would find this research report on Indian Cyber Security Development in India 2015 useful.
