A judgment for the ages

ALL WP(C) No.494 of 2012 Right to Privacy

“Nine judges of this Court assembled to determine whether privacy is a constitutionally protected value. The issue reaches out to the foundation of a constitutional culture based on the protection of human rights and enables this Court to revisit the basic principles on which our Constitution has been founded and their consequences for a way of life it seeks to protect. This case presents challenges for constitutional interpretation. If privacy is to be construed as a protected constitutional value, it would redefine in significant ways our concepts of liberty and the entitlements that flow out of its protection.”


Call for Applications – Research Positions at CCG

The Centre for Communication Governance at the National Law University Delhi (CCG) invites applications for various research positions across its teams on a full time basis.

About the Centre

The Centre for Communication Governance is the only academic research centre dedicated to working on information law and policy in India and in a short span of five years has become a leading centre on information policy in Asia. It seeks to embed human rights and good governance within communication policy and protect digital rights in India through rigorous academic research and capacity building.

The Centre routinely works with a range of international academic institutions and policy organizations. These include the Berkman Klein Center at Harvard University, the Programme in Comparative Media Law and Policy at the University of Oxford, the Center for Internet and Society at Stanford Law School, Hans Bredow Institute at the University of Hamburg and the Global Network of Interdisciplinary Internet & Society Research Centers. We engage regularly with government institutions and ministries such as the Law Commission of India, Ministry of Electronics & IT, Ministry of External Affairs, the Ministry of Law & Justice and the International Telecommunications Union. We work actively to provide the executive and judiciary with useful research in the course of their decision making on issues relating to civil liberties and technology.

CCG has also constituted two advisory boards, a faculty board within the University and one consisting of academic members of our international networks. These boards will oversee the functioning of the Centre and provide high level inputs on the work undertaken by CCG from time to time.

About Our Work

The work at CCG is designed to build competence and raise the quality of discourse in research and policy around issues concerning civil liberties and the Internet, cybersecurity and global Internet governance. The research and policy output is intended to catalyze effective, research-led policy making and informed public debate around issues in technology and Internet governance.

More details about the different teams at CCG can be found here.

Role

CCG is a young and continuously evolving organization and the members of the centre are expected to be active participants in building a collaborative, merit led institution and a lasting community of highly motivated young researchers.

Selected applicants will ordinarily be expected to design and produce units of publishable research with Director(s)/ Senior Staff members. They will also be recommending and assisting with designing and executing policy positions and external actions on a broad range of information policy issues.

Equally, they will also be expected to participate in other work, including writing opinion pieces, blog posts, press releases, memoranda, and help with outreach. The selected applicants will also represent CCG in the media and at other events, roundtables, and conferences and before relevant governmental, and other bodies. In addition, they will have organizational responsibilities such as providing inputs for grant applications, networking and designing and executing Centre events.

Qualifications

  • The Centre welcomes applications from candidates with advanced degrees in law, public policy and international relations.
  • All candidates should preferably be able to provide evidence of an interest in human rights / technology law and / or policy / Internet governance / national security law as well. In addition, they must have a demonstrable capacity for high-quality, independent work.
  • From programme officer upwards, a Master’s degree from a highly regarded programme may count towards work experience.
  • In addition to written work, a project/ programme manager within CCG will be expected to play a significant leadership role. This ranges from proactive agenda-setting to administrative and team-building responsibilities.
  • Successful candidates for the Project / Programme Manager position should show great initiative in managing both their own and their team’s workloads. They will also be expected to lead and motivate their team through high stress periods and in responding to pressing policy questions.

However, the length of your resume is less important than the other qualities we are looking for. As a young, rapidly-expanding organization, CCG anticipates that all members of the Centre will have to manage large burdens of substantive as well as administrative work in addition to research. We are looking for highly motivated candidates with a deep commitment to building information policy that supports and enables human rights and democracy.

At CCG, we aim very high and we demand a lot of each other in the workplace. We take great pride in high-quality outputs and value individuality and perfectionism. We like to maintain the highest ethical standards in our work and workplace, and love people who manage all of this while being as kind and generous as possible to colleagues, collaborators and everyone else within our networks. A sense of humour will be most welcome. Even if you do not necessarily fit the requirements mentioned in the bulleted points above but bring to us the other qualities we look for, we would love to hear from you.

[The Centre reserves the right to not fill the position(s) if it does not find suitable candidates among the applicants.]

Positions

Based on experience and qualifications, successful applicants will be placed in the following positions. Please note that our interview panel has the discretion to determine which profile would be most suitable for each applicant.

  • Programme Officer (2-4 years’ work experience)
  • Project Manager (4-6 years’ work experience)
  • Programme Manager (6-8 years’ work experience)
  • Associate Director (8+ years’ work experience)

A Master’s degree from a highly regarded programme might count towards work experience.

CCG staff work at the Centre’s offices on National Law University Delhi’s campus. The positions on offer are for a duration of one year, and we expect a commitment of two years.

Remuneration

The salaries will be competitive, and will usually range from ₹50,000 to ₹1,20,000 per month, depending on multiple factors including relevant experience, the position and the larger research project under which the candidate can be accommodated.

Where candidates demonstrate exceptional competence in the opinion of the interview panel, there is a possibility for greater remuneration.

Procedure for Application

Interested applicants are required to send the following information and materials by July 30, 2017 to ccgcareers@nludelhi.ac.in.

  1. Curriculum Vitae (maximum 2 double spaced pages)
  2. Expression of Interest in joining CCG (maximum 500 words).
  3. Contact details for two referees (at least one academic). Referees must be informed that they might be contacted for an oral reference or a brief written reference.
  4. One academic writing sample of between 1000 and 1200 words (essay or extract, published or unpublished).

Shortlisted applicants may be called for an interview.

Law Enforcement Initiatives Towards Tackling Cyber Crime in India

Cyber crime has been rising across India. This post reviews advancements in policing technologically advanced crimes and considers potential next steps. 

With rising instances of cybercrime being noted across the country, the need for vigilance in the cyber sphere has been highlighted by a number of commentators. These crimes have gained attention subsequent to the notification of demonetization, with rising online banking transactions and a governmental push towards a digital economy.

Several new issues stemming from the distrust in digital payment systems have been reported. For example, the cybercrime cell of the Mumbai Police has received several reports of a scam characterized by persons receiving fraudulent calls allegedly from banks, discussing a new RBI policy. These calls informed consumers that credit and debit cards were soon to be deactivated, but if they released their card details, they would be permitted to continue usage. Once released, these details were misused. While issues such as these do not require extensive cyber expertise to resolve, their incidence is on the rise. Countering them requires banks as well as law enforcement agencies to increase their efforts towards educating new adopters.

More concern may be caused by technology-intensive hacking attacks, both from within the country and outside. Recent instances include the hostilities faced by several Telangana-area software companies from alleged Pakistani attackers, as well as attacks by the group known as Legion. Their actions allegedly include the hacking of the Twitter and email accounts of Rahul Gandhi, Vijay Mallya and Barkha Dutt, among others. There has also been an upswing in ransomware attacks recently, with over 11,000 attacks being reported in just three months. Reports of India’s first online Ponzi scheme are also now coming to light. This is despite the fact that 80% of cybercrimes remain unreported, according to recent news reports. This post will review some initiatives taken towards the more efficient investigation of cybercrime by law enforcement across the country.

Cyber Policing in India

Crime and Criminal Tracking Network and Systems (CCTNS)

Approved by the Cabinet Committee on Economic Affairs in 2009, with an allocation of INR 2 billion, the CCTNS is a project under the National e-Governance Plan. It aims at creating a nationwide networking infrastructure for an IT-enabled criminal tracking and crime detection system. The integration of about 15,000 police stations, district and state police headquarters and automated services was originally scheduled to be completed by 2012. However, this still remains incomplete.

Apart from the slow pace of implementation and budgetary problems, on-the-ground hurdles to fully operationalizing CCTNS include unreliable Internet connectivity and under-trained personnel at police stations. Other issues include unavailability of facilities for cyber forensic analysis in most locations, and lack of awareness regarding online citizens’ services such as verification of tenants and employees and clearance for processions and events.

Online Complaints

The Central Government, in response to queries by the Supreme Court regarding measures taken to tackle cybercrime, recently announced that they would be setting up a ‘Centre Citizen Portal’. This portal will allow citizens to file complaints online with respect to cybercrimes, including cyber stalking, online financial fraud and others, suffered or observed by them.

The governmental response also details the proposed process, stating that any such complaint on the portal will trigger an alert at the relevant police station and allow the police department to track and update its status, while the complainant too would be able to view updates and escalate the complaint to higher officials.

Cyber Police Stations

Cyber police stations generally include trained personnel as well as the appropriate equipment to analyse and track digital crimes. Maharashtra, where cybercrime has risen over 140% in recent times, and which had the dismal distinction of only recording a single conviction related to cybercrime last year, is converting its existing cybercrime labs into cyber police stations. This will mean there is a cyber police station in each district of the state. The initiative in Maharashtra is useful especially because of the rise in online transactions in Tier II and Tier III cities and the rising cybercrime related thereto. However, despite the rise in cybercrime, complaints remain of low reportage and low success rates in solving crime. Police officers point to problems processing evidence, with complex procedures being required to retrieve data on servers stored abroad.

Further, there have been complaints in Bengaluru of the limited jurisdiction of cyber police stations. Pursuant to a standing order of the DG & IGP of Bengaluru City Police issued in June 2016, only cases with damages of over INR 5 lakh can be registered at cyber police stations in case of bank card fraud. In cases of online cheating, only those instances where damages exceed INR 50 lakh fall within the jurisdiction of cyber police stations. All other cases are to be registered with the local police station which, unlike cyber police stations, does not generally have trained personnel or the appropriate equipment to analyse and track digital crimes.

While the order is undoubtedly creating problems for cybercrime victims, it was made taking into account the woefully under-resourced cybercrime police station in Bengaluru which, at the time, consisted of a 15-member staff with two vehicles at its disposal.

Predictive Policing

Predictive policing involves the use of data mining, statistical modeling and machine learning on datasets relating to crimes to make predictions about likely locations for police intervention. Examples of predictive policing include hot-spot mapping, which identifies temporal and spatial concentrations of criminal activity, and regression models based on correlations between earlier, relatively minor, crimes and later, violent offences.
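To make the hot-spot mapping described above concrete, here is a small added example (not code from the original post or from any police department mentioned in it). It bins constructed, made-up incident coordinates and timestamps into a spatial grid and a time-of-day bucket, counts incidents per cell, and ranks the cells. The grid size, bucket width and the minimum-count threshold are assumptions chosen for the example; real deployments tune them to the area being analysed.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample incidents: (latitude, longitude, ISO-8601 timestamp).
# These values are made up for the example and are not real crime records.
INCIDENTS = [
    (28.6315, 77.2167, "2017-03-01T22:15:00"),
    (28.6320, 77.2171, "2017-03-02T23:05:00"),
    (28.6309, 77.2160, "2017-03-03T21:40:00"),
    (28.6318, 77.2175, "2017-03-04T22:50:00"),
    (28.6312, 77.2169, "2017-03-05T10:10:00"),  # same area, but daytime
    (28.5505, 77.2703, "2017-03-02T09:00:00"),
    (28.5510, 77.2712, "2017-03-06T09:30:00"),
    (28.7041, 77.1025, "2017-03-07T14:00:00"),  # isolated incident
]

CELL_DEG = 0.005   # grid cell edge in degrees (assumed; roughly 550 m of latitude)
HOUR_WIDTH = 4     # width of each time-of-day bucket in hours (assumed)


def cell_of(lat, lon, cell_deg=CELL_DEG):
    """Map a coordinate to an integer grid cell (row, column)."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def cell_bounds(cell, cell_deg=CELL_DEG):
    """Return (lat_min, lon_min, lat_max, lon_max) for a grid cell, for reporting."""
    row, col = cell
    return (row * cell_deg, col * cell_deg, (row + 1) * cell_deg, (col + 1) * cell_deg)


def hour_bucket(ts, width=HOUR_WIDTH):
    """Map an ISO timestamp to the start hour of its time-of-day bucket."""
    hour = datetime.fromisoformat(ts).hour
    return (hour // width) * width


def hotspots(incidents, min_count=2, cell_deg=CELL_DEG, width=HOUR_WIDTH):
    """Count incidents per (grid cell, hour bucket) and return the cells
    meeting the threshold, most frequent first.

    Only aggregate counts are kept: nothing about individual incidents or
    persons survives past the counting step, and single-incident cells are
    dropped by the threshold rather than being flagged as hot spots.
    """
    counts = Counter()
    for lat, lon, ts in incidents:
        counts[(cell_of(lat, lon, cell_deg), hour_bucket(ts, width))] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cell, bucket, n) for (cell, bucket), n in ranked if n >= min_count]


if __name__ == "__main__":
    for cell, bucket, n in hotspots(INCIDENTS):
        lat_min, lon_min, lat_max, lon_max = cell_bounds(cell)
        print(f"{n} incidents between {bucket:02d}:00 and {bucket + HOUR_WIDTH:02d}:00 "
              f"in cell lat {lat_min:.3f}-{lat_max:.3f}, lon {lon_min:.3f}-{lon_max:.3f}")
```

On the constructed data the five clustered night-time incidents surface as one hot spot and the two morning incidents in the second area as another, while the lone incident is never reported. Keeping only per-cell counts, rather than indexing individuals with unique identifiers, is the design choice that separates this kind of aggregate mapping from the person-centric databases discussed later in the post.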

In 2013, the Jharkhand Police, in collaboration with the National Informatics Centre, began developing data mining software for scanning online records to study crime trends. The Jharkhand Police has also been exploring business analytics skills and resources at IIM-Ranchi in order to tackle crime in Jharkhand.

The Delhi Police has tapped into the expertise at the Indian Space Research Organisation in order to develop a predictive policing tool called CMAPS – Crime Mapping, Analytics and Predictive System. The system identifies crime hotspots by combining Delhi Police’s Dial 100 helpline calls data with ISRO’s satellite imagery and visualizing it as cluster maps. Using CMAPS, Delhi Police has slashed its analysis time from the 15 days it took with its erstwhile mechanical crime mapping to the three minutes it takes for the system to refresh its database.

The Hyderabad City Police is in the process of building a database, called the ‘Integrated People Information Hub’ which, according to the City Police Commissioner, would offer the police a “360-degree view” of citizens, including names, aliases, family details, addresses and information on various documents including passports, Aadhaar cards and driving licenses.

The data is combed from a wide-ranging variety of sources, including information on arrested persons, offenders’ list, FIRs, phone and electricity connections, tax returns, RTA registrations and e-challans. It is further indexed with unique identifiers, and is used to establish the true identity of a person, and present results to relevant authorities within minutes. While the system is aimed at curbing criminal activity and detecting fraud, a lack of clearly identified cyber security and privacy protocols is a worrying sign.

Conclusion

We recently reviewed the National Crime Records Bureau’s statistics relating to cybercrime, as set out in its Crime in India Report 2015. Some concerns that stemmed from the figures set out in the report were the low conviction rates and high pendency of cases. Experts have linked these issues, amongst other things, with the limited mechanisms available for cyber policing and the effectively defunct status of the cyber tribunals. A recent report by the Bureau of Police Research and Development also highlighted resource constraints affecting police stations, with several stations lacking basic necessities such as a vehicle or a phone connection. Over five lakh sanctioned posts also remain vacant.

Given resource limitations, both in fiscal terms and relating to trained personnel, it is heartening to see the steps that have been taken towards efficient cyber-policing. While this post highlights some steps that have been taken in major jurisdictions, there are several initiatives even in non-metro cities towards tackling cybercrime. A National Cybersecurity Co-ordination Centre is also due to be launched around June this year. In a recent response to the Supreme Court, additional solicitor general Maninder Singh also informed the Court of substantial investments being made by the Central Government towards police and judicial training and towards the creation of cybercrime prevention cells. It is hoped that these measures will help to stem the growing tide of cybercrime in India.


Cybersecurity in the Financial Sector: An Overview

Sowmya Karun 

In the Union Budget for 2017-18, Finance Minister Mr. Arun Jaitley announced the setting up of a dedicated Computer Emergency Response Team for the Financial Sector (Cert-Fin). The proposed emergency response team is slated to work in co-ordination with financial sector regulators and other stakeholders.

This announcement comes on the heels of the Government’s demonetisation initiative. Demonetisation led to a substantial rise in the volume of digital payments and the use of instruments such as mobile wallets. The cumulative growth of electronic transactions has been reported to range between 95 per cent and 4,025 per cent from November 8 till December 27, 2016. This transition towards digital payments in the financial sector is slated to continue, with one report predicting that by 2020, the digital payments industry will grow to over $500 billion and contribute 15% to the national GDP.

In a previous post, we had examined the legal and policy regime relating to digital payments in the country. In this post, we examine technological vulnerabilities in the financial sector, as well as measures taken towards strengthening cybersecurity.

Cyber Security Vulnerabilities in the Financial Sector

The exponential growth in digital payments in India and the push towards a cashless economy has renewed focus on the need to strengthen financial cybersecurity. Banks and financial institutions are extremely vulnerable to various forms of cyberattacks and online frauds. India has steadily moved up the ranking for countries with the highest number of financial Trojan infections over the past three years. At least forty percent of Banking, Financial Services and Insurance (‘BSFI’) businesses have been attacked at least once. A six-fold increase in credit and debit card fraud cases has been reported over the past three years. In addition to core banking, additional services like e-banking, ATM and retail banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected to grow to 60-65% in 2017, which is especially alarming because 40-45 % of financial transactions are being conducted on mobile devices today.

The Indian banking landscape has seen several large-scale cyberattacks over the past year. Since June 2016, the SWIFT systems of four Indian banks have been targeted. In October 2016, in what was the largest data breach in the country ever, 32 lakh debit cards of various banks were subject to a cyber malware attack. Earlier this year, it was reported that hackers had infiltrated the systems of three government-owned banks to generate false trade documents. The increased focus on cybersecurity in banks follows not only domestic incidents but global developments as well. In its bulletin on security measures, for instance, the Reserve Bank of India makes reference to the Carbanak Gang, which targeted banks’ internal systems across Russia and Ukraine to conduct a robbery of around $1 billion. Closer home, in February 2016, there was an attempted heist of around $951 million from the Bangladesh Bank.

Cyber Security Framework for Banks

In October 2016, the Reserve Bank of India directed banks to implement a security policy detailing their strategy for dealing with cyber threats and including tangible “cyber-hygiene” measures. This followed a renewed emphasis on the early implementation of the RBI’s Cyber Security Framework in banks. The RBI had first notified the Cyber Security Framework in Banks (‘Framework’) in June 2016. The Framework was a successor to broad guidelines on information security and cyber frauds which had been issued in line with the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011.

The Framework is geared towards minimising data breaches and implementing immediate containment measures in the event of such breaches. It emphasises the urgent need to put in place a robust cyber security and resilience framework and to ensure continuous cybersecurity preparedness among banks. The Framework also mandates the adoption by banks of a distinct cybersecurity policy to combat threats in accordance with “complexity of business and acceptable levels of risk” within a set deadline. Further, the Framework requires the earliest setting up of Security Operations Centres within banks for continuous surveillance; disallowing unauthorised access to networks and databases; protection of customer information; and the evolution of a cyber crisis management plan.

Other Measures by the RBI and the Government

The RBI has also identified the need to evolve a framework for co-ordination and information sharing between financial institutions and public authorities in the event of cyber attacks. To this end, the RBI recently appointed its first information security officer and has formalised a sectoral sharing interface called the Indian Banks-Centre for Analysis of Risks and Threats (IB-CART). Further, the RBI also issued an ultimatum to banks, requiring them to report any breach of security immediately. Banks have been given until March 31, 2017 to put in place appropriate mechanisms.

Previously, there was limited reporting by banks, as they were reluctant to report cyberattacks for fear of devaluing their brand equity. Even in the event of large-scale cyberattacks, such as the above-mentioned malware infection which affected 32 lakh cards, it took six weeks to detect the fraudulent transactions. To counter this, and to enhance cyber resilience, the Institute for Development and Research in Banking Technology (‘IDRBT’) has been attacking vulnerabilities in banks’ security networks. This will enable it to share feedback with banks to improve their resilience. Further, the Chief Information Security Officers of banks have also set up a forum to discuss cyberattacks and to share information, manage and plan for issues related to information security. The Ministry for Electronics and Information Technology has also formally urged banks to co-operate with CERT-In in carrying out audits and other measures to strengthen their cybersecurity systems.

Conclusion

While these proactive steps being taken by the RBI and the Government are timely and much-needed, the resilience of our banking infrastructure against cyber attacks will depend on co-ordinated action from all stakeholders. The Cyber Security Framework must be strictly implemented in a timely manner, with regular audits to ensure comprehensive compliance. Cybersecurity at banks and financial institutions needs to be prioritised as part of the design architecture and must not remain restricted to reactive fire fighting during crises. Cyber security solutions must be deliberately designed to enable stemming of cyber attacks in real time. Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.



Gaps in the Protection of Critical Information Infrastructures in India


Sowmya Karun

In a previous post, we critically examined the legislative and institutional framework for the protection of critical information infrastructures (“CIIs”) in India. The National Critical Information Infrastructure Protection Centre (“NCIIPC”) has since revamped its website. This is a heartening move towards transparency and increased public engagement. According to “data shared by a broad range of NCIIPC constituencies”, a total of around 7.5 million incidents, threat feeds and vulnerabilities were reported from CIIs in 2016. This was reported in the first NCIIPC newsletter. The newsletter further indicated the number of incidents on a monthly basis, the most impacted cities in terms of the volume of cyber attack incidents, the major forms of attacks and the country-wise share of the origins of cyber attacks on CIIs.

Sector-specific guidelines for CII

As recommended in our post, the NCIIPC has been increasing its efforts towards the protection of sectoral critical information infrastructures. There has been particular emphasis on designing sector-specific cyber security practices. For instance, the Ministry of Power has taken steps to sensitize critical organisations in the power sector, following instructions received from the NCIIPC. This includes the auditing of underlying information infrastructures by CERT-In accredited agencies and the setting up of a dedicated computer emergency response team for the transmission sector. This is especially significant as the deployment of smart grid technologies on a large scale poses unique cybersecurity risks. Similarly, it has been reported that the NCIIPC has conducted workshops on cyber security and critical information infrastructure protection for the oil and gas industry. Further, the NCIIPC has engaged with the Chief Information Security Officers in strategic and public enterprises (which includes heavy industry and public sector units) for the identification, protection and notification of their CII.

However, the NCIIPC’s attempts to address the claim that there is “an urgent need to evolve sector specific guidelines for handling cyber crises” remain piecemeal and reactive. The transportation sector, for instance, is particularly vulnerable to cyber threats on account of growing dependencies on network based systems for navigation, tracking and positioning, amongst others. There have been reports of Pakistani hackers who have been tapping into air traffic control systems in Jammu as well as gaining access to the GPS data of police vehicles in Madhya Pradesh. These instances represent only the tip of the iceberg when it comes to the capacity of malicious actors to disrupt CIIs in the transportation sector. However, despite these incidents, there have been no reports about the development of sector specific cybersecurity guidelines for the transportation sector. The Long Range Identification and Tracking (LRIT) system under the Ministry of Shipping remains the only transportation system to be declared a “protected system” under the Information Technology Act, 2000.

Information Sharing and Analysis

While the development of sector specific guidelines for cyber-security should continue, it is also necessary to focus on mechanisms for information sharing and analysis across sectors. Information sharing about vulnerabilities, threats and attacks is essential, as security solutions cannot be built without shared threat intelligence or co-ordinated responses. In recognition of this, the National Cybersecurity Policy of 2013 (“the Policy”) noted the necessity of establishing a mechanism for sharing information on cyber-security incidents (Paragraph IV(A)(7)). The creation of such a mechanism, according to the Policy, will generate the necessary understanding of existing and potential threats to enable timely information sharing (Paragraph IV(E)(1)). Prior to the Policy, the creation of Information Sharing & Analysis Centres (ISACs) had also been recommended by the Joint Working Group on Engagement with Private Sector on Cyber Security (“JWG”). The JWG conceived of ISACs within various industry verticals, with the private sector co-ordinating with sectoral CERTs as well as CERT-In.

However, currently, institutional mechanisms for streamlined and prompt sharing of information are not in place for most sectors. An ISAC has been set up at the Institute for Development and Research in Banking Technology (IDRBT), but it remains restricted to financial services. While the Central Government stated that action was initiated in 2014 for the setting up of similar ISACs in the power and petroleum sectors, there is no confirmation of the same in the public domain. There is also no clarity on whether ISACs will be instituted for other sectors. There have also been no reports dealing with steps that are being taken for cross-sectoral information sharing and analysis. In a move forward, the NCIIPC has now made available forms for reporting vulnerabilities as well as cyber attacks on critical information infrastructures on its website. However, this is a poor substitute for a mandatory and systematic mechanism for collating information on threats, vulnerabilities and attacks. To this end, it is essential to urgently initiate the setting up of sectoral ISACs, under the guidance of the NCIIPC. A cross-sectoral ISAC, modelled along the lines of the National Council of ISACs in the US, could grow to function as an effective platform. It may also prove useful to pursue collaborations with existing global information sharing networks (such as the Financial Services Information Sharing and Analysis Centre (FS-ISAC)). Similarly, the merging of sectoral platforms to create a collaborative intelligence sharing platform under the National Cybersecurity Co-ordination Centre is recommended.

Conclusion

To conclude, it is heartening to observe the progressive changes the NCIIPC has made as well as the creation of sector specific guidelines in certain sectors. However, this must progress across various critical sectors in addition to being placed within broader information sharing mechanisms. It is hoped that the NCIIPC will continue on the path of transparency and information sharing in this regard.

Digital Wallet Security: Is there a framework?

Sidharth Deb*

Since the announcement of India’s demonetisation policy, there has been a rapid surge in the number of online wallet transactions. The reasons for this are twofold:

  • Cash scarcity; and
  • The convenience afforded to consumers through e-wallet/online wallet services

In furtherance of the policy of demonetisation, the Indian government has also incentivised online transactions by offering discounts for digital payments.

Interestingly, India was recently ranked as one of the five most vulnerable nations to cyber security threats. This was highlighted by the recent debit and credit card hack which compromised over 3 million accounts. The presence of a trust deficit seems justified when one looks at concerns expressed by both the National Crime Records Bureau (‘NCRB’) in its 2015 Report and the Reserve Bank of India (‘RBI’). Both institutions have stressed numerous instances where people have been vulnerable to data theft. Further, it has been suggested that mobile wallets are not developed with hardware level security. Such industry practices leave sensitive information more susceptible to cyber threats. There is also a limited legal framework for the use of online payments.

The need for a stronger legal framework which adequately protects people’s financial/sensitive data is clear. The use of private platforms such as PayTM, MobiKwik and FreeCharge and the launch of the Bharat Interface for Money (‘BHIM’) means digital transactions will only become more ubiquitous. This means that users are exposed to concomitant risks. This post seeks to understand the current legal matrix regulating digital payment security and highlight its inadequacies.

Policy Framework

There is presently no central data protection/security legislation. Given this background, what India has instituted is a National Cybersecurity Policy, which was released in 2013 by the Ministry for Electronics and Information Technology (‘MEITY’). The document seeks to establish an umbrella framework which “…create(s) a secure cyber ecosystem in the country, generate adequate trust & confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy.” It emphasises the need to introduce sector specific policies to ensure data security. However, there has been no statutory follow-up to this policy.

Keeping this in mind, we examine two legislations which are presently applicable to the digital wallet security landscape. The first is the Information Technology Act, 2000 (which was last amended in 2008) and the other is the Payments and Settlements Act, 2007 under which RBI circulars and guidelines relevant to online security are released.

IT Act, 2000

The two relevant portions of this statute are Section 43A and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Section 43A states that “body corporates” handling sensitive personal data or information must provide reasonable security measures. These measures must be “….designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law…” Failure to do so would result in liability to pay damages to the affected party. The text informs us that digital wallet companies can contract out, via their terms of service agreements, the data security obligations imposed by this section. It should be noted that services which are provided by entities which are not corporate bodies (such as BHIM, offered by the National Payments Corporation of India) can be exempted from the obligations under this section.

Under this provision, the aforementioned 2011 rules were notified. Rule 3 characterises “sensitive personal data or information” as:

  • “…Password;
  • Financial information such as Bank account or credit card or debit card or other payment instrument details;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information;
  • Any detail relating to the above clauses as provided to body corporate for providing service; and
  • Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise…”

The most glaring issue with this rule is its exhaustive nature. It restricts “sensitive personal data or information” to entries which fit into one of the eight aforementioned categories. Such restrictiveness has the capacity to exclude information or data which is stored, handled and processed by modern day online platforms. This indicates the rule’s incomplete applicability in today’s internet landscape.

Rule 8(1) describes reasonable security practices and procedures as companies having “…implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business…”.

However, experts have stated that most FinTech companies flout the above-discussed requirements.

Payment and Settlements Act, 2007

Section 18 of this statute gives RBI the power to determine appropriate policy for the regulation of electronic payment systems which affect domestic transactions. Section 10(2) gives the RBI the power to determine standards for the management of specific payment systems. Deriving authority from this, the RBI has been releasing annual circulars detailing the issuance and operation procedures for prepaid instruments. The latest one was released in July 2016.

This circular categorised digital wallets such as PayTM, as semi-closed payment instruments. While addressing “Fraud protection and security standards”, it orders such companies to “…put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.” No specific guidance is provided to determine what “adequate information and data security infrastructure” entails. Moreover, it has no reference to any penal measures should a company fail to adhere to these requirements.

The RBI released, in June 2016, a comprehensive cybersecurity framework to regulate banks. It has the authority to contemplate a similar course of action for prepaid instruments. In that vein, the RBI in December 2016 released a new notification (under Section 10(2) read with Section 18 of the Act) addressing “Security and Risk Mitigation Measure(s)…” for prepaid instrument issuers.

In this notification, the RBI acknowledges that without adequate cyber security its push for widespread adoption of digital payments will suffer huge setbacks. To enable a robust and secure digital ecosystem, this notification orders prepaid instrument issuers to obtain annual system audit reports from qualified auditors. The scope of these system audits includes “hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation, etc.”

Moreover, it advises all prepaid instrument issuers to carry out a special audit by empanelled auditors of India’s Computer Emergency Response Team (‘CERT-IN’) and to take subsequent appropriate steps as per the findings of the audit. They have also been advised by the RBI’s notification to take “appropriate measures” to mitigate phishing attacks and to disseminate best security practices to their customers periodically. Prepaid instrument issuers have also been asked to take dynamic security measures as per emerging threats and general threat perception.

Conclusion

The Union Minister for Electronics and Information Technology has acknowledged the need for stronger cybersecurity laws. This has been echoed by a subsequent declaration that MEITY plans to review and accordingly update the architecture of the Information Technology Act, 2000. It was further stated that a digital payments division has been set up, which is tasked with reporting unusual activities to CERT-IN. Similarly, in January 2017, the Chief Ministers’ (CMs) Committee on digital payments, led by Andhra Pradesh Chief Minister Chandra Babu Naidu, submitted an interim report to the Prime Minister. This report recommended the adoption of measures which strengthen cybersecurity.

It has also been revealed that the central government is working on a legal framework aiming to shield privacy and financial details of users when they transact online. It hopes to be a comprehensive security regulatory framework which establishes obligations and liabilities to be imposed upon payment companies. It shall cover “e-wallets, payment gateways, prepaid cards and other payment platforms”.

Different legislative routes have been suggested to assure digital security for online transactions. Members of Parliament, such as Mr Rajeev Chandrasekhar, have recommended a central online digital security legislation. One drawback of such a general measure is that it would lack specificity. This causes a problem, as generic laws have the scope to overlook problems which are exclusive to specific industries.

To that end, other cyber law experts have recommended sector specific laws which pertain to digital payments and their security. For an effective security regime for the e-Wallet industry, stakeholders must be consulted whilst developing minimum standards of protection afforded to vulnerable information.

The Watal Committee for Digital Payments submitted a report in December, 2016, recommending a new statutory board for regulation and supervision of payments and settlements which is independent of RBI supervision. It further went on to state that the Payment and Settlements Act, 2007 requires updating with explicit mandates for data protection and security keeping in mind consumer interests. Lessons can also be learnt from Indonesia whose central bank, in November 2016 released a comprehensive regulatory system for e-wallet services. It includes compliance requirements with informational security standards.

*Sidharth is currently an intern at CCG. He graduated from WB NUJS in 2016.

Digitisation of Health / Medical Records: Is the law keeping up?

By Smitha Krishna Prasad

Medical and health records are increasingly digitised, and ease of access is considered one of the key benefits of this trend. However, patient privacy and security of such records are important concerns that need to be addressed both under the existing legal framework, and in terms of development of new laws.

Earlier this month, news reports suggested that private medical records of over 35000 patients had been made publicly available through the website of a diagnostic laboratory based in Mumbai. Reports indicate that the website of the lab was hacked. However, other reports specify that the lab has disclaimed liability, stating that any requirement for confidentiality is limited in applicability to doctors only. Further, the lab suggested that since they were shortly to be moving to a different system, there was no urgency in remedying the security flaws.

While the above seems to be an internal security issue on the part of the lab, we have seen that health records are a favourite target for hackers across the world. These records are then either held for ransom or sold by such hackers.

The healthcare industry as a whole is seen as one of the least secure industries globally. At the same time, medical and health records of individuals are increasingly being digitised. Individuals and institutions in the healthcare industry are digitising records within their organisations to improve ease of access. The Ministry of Health and Family Welfare, Government of India, is in the process of setting up an Integrated Health Information Platform, and has issued Electronic Health Record Standards (EHR Standards). The EHR Standards are meant to provide for creation and maintenance of health records in a standardised manner that would allow for interoperability across platforms and institutions across the country. There are many pros and cons to undertaking such a digitisation effort – however, this post is limited to examining the legal framework surrounding such digitisation and the protection of privacy of patients.

Current Legal Framework in India

Today, India does not have a comprehensive privacy law, or an industry specific privacy regulation that focuses on the healthcare / medical industry. We do have the Information Technology Act, 2000 (“IT Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”), as well as the Indian Medical Council (Professional conduct, Etiquette and Ethics) Regulations, 2002 (“MCI Code of Ethics”).

The MCI’s Code of Ethics provides that physicians must maintain medical records pertaining to patients for a period of 3 years from commencement of treatment. Further, physicians must also make such records available to patients, authorised attendants and legal authorities upon request. Physicians are also required to make efforts to computerise such records. While there is no specific provision on maintenance of privacy and security of these medical records, the MCI Code of Ethics does provide that confidences entrusted by patients to physicians must not be revealed, unless required by law or in the public interest. However, the MCI Code of Ethics is applicable to physicians, i.e. doctors with MBBS or equivalent qualifications, only.

On the other hand, the IT Act and the IT Rules are wider in application. They deal specifically with electronic records and require any person dealing with certain defined types of sensitive information, including medical records, to undertake data protection and security measures.

Any violation of the MCI Code of Ethics calls for disciplinary action against the concerned physician which could include removal of the physician’s name from the register of qualified physicians. The IT Act however, does not provide for any direct action or penalty in the case of non-compliance with the IT Rules, and relies on the person affected by the non-compliance to take action.

In addition to the MCI Code of Ethics and the IT Act, there are a few other laws such as the Medical Termination of Pregnancy Act, 1971 which provide for maintenance of confidentiality of patient information. However, these are largely specific to certain circumstances and are not comprehensive.

Potential Developments

In the absence of a comprehensive privacy and data protection law in India, some regulators have taken to establishing basic rules to protect consumers and individuals in their respective industries. For instance, the RBI places certain restrictions on the circumstances in which customer information can be shared by banks. Insurance and telecom companies are restricted from transferring certain customer information outside India.

Given the highly sensitive nature of medical / health related information, and recent trends of commoditisation of such information in the black market, such laws are much needed in the healthcare industry.

The EHR Standards do deal with certain aspects of privacy of patients and security of healthcare records. They prescribe several international standards to be adhered to by members of the healthcare industry while dealing with electronic health records. However, they appear to default back to the IT Act as the legislation that would govern the implementation of any data protection measures in relation to such records.

The Human Immunodeficiency Virus and Acquired Immune Deficiency Syndrome (Prevention and Control) Bill, 2014 also provides certain safeguards to ensure the privacy of patients, specifically in relation to their HIV status. Some concerns regarding the provisions of this bill have previously been discussed here. However, this proposed bill is again limited in scope, and does not apply across the medical industry.

Reports suggest that recognising the need for a more comprehensive law, the Central Government has taken up the initiative of drafting a healthcare industry specific privacy and data protection law.

Given that this law would be drafted from scratch, we suggest that it should be (a) holistic i.e. be applicable across the entire healthcare / medical industry, and not specifically to doctors / hospitals, and (b) technology agnostic, addressing medical / health information in any format, digitised or not.

The law should also take into account the internationally recognised privacy / fair information principles. These principles provide, among other things, for (a) collection of data by lawful means, and only when required, (b) use of data only for the purpose for which it is collected, (c) adequate security measures to be undertaken to protect data, and (d) accountability and openness about policies in place for use and protection of data.

Further, to the extent that it provides for the digitisation of records and implementation of EHR Standards, it should be ensured that the principles of ‘privacy by design’ are applied. The concept of privacy by design stipulates that privacy and data protection measures must be built into any system as a default, taking a preventative approach to data protection rather than a remedial approach.

Another important concern is enforcement – our current laws such as the IT Act, do not provide for proactive enforcement in case of failure to protect privacy / data of individuals, and leave it up to the affected individuals to act. Ideally, a dedicated regulator with the ability to investigate and direct action against defaulters is required. Perhaps the role of the National e-Health Authority proposed by the Government could be expanded to deal with privacy and security of all health records and information.

While the idea of implementing a health privacy and data protection law is a welcome move, it remains to be seen how far this proposed legislation will go towards fully protecting patients’ rights.