Monday, May 20, 2013

Reasonable Security Practices and Procedures and Sensitive Personal Data in India-provisions required


ITA Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information Rules 2011
The Personal Information Security Rules were notified in April 2011 and serve as
the most comprehensive form of data protection in India. The Rules prescribe the procedures
and protocol to which body corporates must adhere. The Rules can be brought in line
with the National Privacy Principles through the following changes:
1. Notice
Existing Provisions
o Privacy Policy: Any body corporate that collects, receives, possesses, stores,
deals with, or handles information must provide a privacy policy that gives clear
and easily accessible statements of its practices and policies, the type of personal or
sensitive personal data or information collected, the purpose of collection and usage
of such information, disclosure of information, and reasonable security practices
and procedures. Rule 4
o During Collection: While collecting information directly from the person
concerned the body corporate shall take steps to ensure that the individual knows
that the information is being collected, the purpose for which the information is
being collected, the intended recipients of the information, the name and address
of the agency collecting the information and the agency that will retain the
information. Rule 5(3)
Missing Provisions
o Data Breach: If a data breach occurs, affected individuals must be notified
immediately.
o Legal Access: If information is legally accessed, the access must be notified at the
close of the investigation.
o Change in privacy policy: Any changes in a body corporate privacy policy
should be notified to the public and the individual.
o Process to access and correct: At the time of collection body corporates must
provide notice of the processes available to data subjects to access and correct
their own personal information.
2. Choice & Consent
Existing Provisions
o Individual Consent: Body corporates must obtain consent in writing through
letter or Fax, or email from the provider of the sensitive personal data or
information regarding purpose of usage before collection. Rule 5(1)
o Right to withdraw and opt in/opt out: Prior to collecting information, the body
corporate must give the individual the option not to provide the data sought. The provider
of information has the right to withdraw consent at any time while availing of the
services. Rule 5(7)
Missing Provisions
o Mandatory provision: When provision of information is mandated by law, it should
be in compliance with all other National Privacy Principles. Information collected
on a mandatory basis should be anonymized within one year if published in public
databases.
3. Collection Limitation
Existing Provisions
o Necessary & Relevant: A body corporate shall not collect sensitive personal data
unless the information is collected for a lawful purpose connected with a function
or activity of the body corporate, and the collection of the sensitive personal data is
considered necessary for that purpose. Rule 5(2)
4. Purpose Limitation
Existing Provisions
o Definition of Sensitive Personal Data: password, financial information such as
Bank account or credit card or debit card or other payment instrument details,
physical, physiological and mental health conditions, sexual orientation, medical
records and history, biometric information, any detail relating to the above as
provided to body corporate for providing service, any of this information received
by body corporate for processing, stored or processed under lawful contract. Any
information that is available or accessible in public domain or furnished under the
Right to Information Act, 2005 will not be regarded as sensitive personal data. Rule 3
o Retention: The body corporate holding sensitive personal data will not retain
that information for longer than is required for the purposes for which the
information may be lawfully used or is required under any other law in force. Rule 5(4)
o Use: The information collected will be used for the purpose for which it has been
collected. Rule 5(5)
Missing Provisions
o Adequate and Relevant: Personal data collected and processed by an
organization must be adequate and relevant to the purposes for which they are
processed.
o Change in purpose: If there is a change in purpose, this must be notified to the
data subject.
o Destruction: After personal information has been used in accordance with the
identified purpose, it must be destroyed as per the identified procedures.
o Data Retention: Data retention mandates by the government should be in
compliance with the National Privacy Principles.
5. Access & Correction
Existing Provisions
o Access: Body corporate must permit the providers of information, when
requested, to review the information they had provided and ensure that any
personal information or sensitive personal data or information found to be
inaccurate or deficient shall be corrected or amended as feasible. Rule 5(6)
Missing Provisions:
o Confirmation of personal information: Data subjects should be able to confirm
that an organization holds or is processing information about them.
o Copy of personal information: Data subjects should be able to obtain a copy of
the personal data undergoing processing.
o Limitation to Access: The information may not be given or access permitted if it
is not possible to do so without disclosing information about another person, unless
that person has consented to the disclosure.
6. Disclosure of Information
Existing Provisions
o Consent for Disclosure: Disclosure of sensitive personal data or information by
a body corporate to any third party shall require prior permission from the provider
of such information, unless disclosure has been agreed to by contract or is
necessary by legal obligation. Rule 6
o Prohibition on publishing: The body corporate will not publish the sensitive
personal data or information. Rule 6(3)
o Non-disclosure: The third party receiving the sensitive personal data will not
disclose it further. Rule 6(4)
o Transfer of Information: A body corporate may transfer sensitive personal data
to any body, organization, or country that ensures the same level of data
protection. The transfer can only take place for the performance of a lawful
contract or where the transfer has been consented to. Rule 7
Missing Provisions
o Notice of disclosure: Body corporate must provide notice of disclosure to third
parties.
o Bound to Principles: All third parties must be bound to the National Privacy
Principles.
Conflicting Provisions
o Authorized Agencies: Information will be shared with Government Agencies
mandated under law without obtaining prior consent for the purposes of
verification of identity, or for prevention, detection, investigation (including cyber
incidents), prosecution, and punishment of offences. Rule 6
7. Security
Existing Provisions
o Security standards: A body corporate or person must have a comprehensive
documented information security program and information security policies that
contain managerial, technical, operational, and physical security control measures.
In the event of a breach, the body corporate must be able to demonstrate that they
have implemented security control measures. This includes being IS/ISO/IEC
27001 compliant. Rule 8(1)
o Audit: On an annual basis the body corporate must undergo an audit of its
reasonable security practices. Rule 8(4)
8. Openness
Missing Provisions
o Transparency: Body corporate must make available to the public information
regarding the steps taken to ensure compliance with the National Privacy Principles.
9. Accountability
Existing Provisions
o System of Complaints: Body corporates must address any discrepancies and
grievances of their providers of information with respect to the processing of
information in a time-bound manner. To achieve this, a Grievance Officer must be
appointed to address these grievances. Rule 5(9)
Missing Provisions
o External verification: All processes related to the handling of sensitive personal
information [in addition to security systems] should undergo external verification
on a regular basis.
o Support to Privacy Commissioner: Body corporate should be held responsible
for giving support to the Privacy Commissioner and complying with general/specific
orders of the privacy commissioner.
10. Verification
Existing Provisions:
o Liability of accuracy: A body corporate is not responsible for the authenticity of
the personal information or sensitive personal data or information supplied by the
provider of information. Rule 5(6)
Source: Report of the Group of Experts on Privacy

Thursday, May 16, 2013


Adv Prashant Mali took a session for police officers from four states on "IT Act, 2000, Digital Evidence, Investigation etc." at the Rajasthan Police Academy, Jaipur, for a course named "Investigation of Cyber Crime" sponsored by the Bureau of Police Research & Development (BPR&D) in India.
The officers were attentive, given the high number of information technology related cases in almost all police stations, including those in rural areas.

Wednesday, May 8, 2013

Computer Forensics Tools – Attacks-Legal Stand


Attacks on Computer Forensics Tools – Legal Stand

Direct attacks on the computer forensics process are the newest type of Anti-Forensics and potentially the most threatening.
There are six phases in the process of digital forensics; all are open to attack:

1. Identification refers to the method by which an investigator learns that there is some incident to investigate. This phase can be undermined by obscuring the incident, or hiding the nexus between the digital device and the event under investigation.
2. Preservation describes the steps by which the integrity of the evidence is maintained. This phase can be undermined by interrupting the evidence chain or calling into doubt the integrity of the evidence itself.
3. Collection is the process by which data from the evidence medium is acquired. This step can be undermined by limiting the completeness of the data being collected or calling into question the hardware, software, policies, and procedures by which evidence is gathered.
4. Examination addresses how the evidence data is viewed. This part of the process can be undermined by showing that the tools themselves are inadequate, incomplete, or otherwise not scientifically valid.
5. Analysis is the means by which an investigator draws conclusions from the evidence. This phase relies on the tools, the investigative prowess of the examiner, and the rest of the evidence that was found. If a case hinges solely on digital evidence, the interpretation of the evidence is the part most open to attack.
6. Presentation refers to the methods by which the results of the digital investigation are presented to the court, jury, or other fact-finders. If the evidence is otherwise solid, anti-forensics tools and methods will be used to attack the reliability and thoroughness of the reports -- or the examiner.
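The preservation and collection phases above are attacked by casting doubt on whether the acquired data is still what was originally seized. The usual defence is to hash the evidence image at acquisition, keep that hash in a chain-of-custody record, and re-verify it at every hand-over so that any alteration is detected and refused. The script below is an added illustration of that practice, not code from the post or from any forensic tool it mentions; the record format, the examiner names and the "disk image" are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition(image_path, examiner, note):
    """Create the custody record at acquisition; the hash taken here is the reference value."""
    return {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "custody": [{
            "action": "acquired",
            "by": examiner,
            "at": datetime.now(timezone.utc).isoformat(),
            "note": note,
        }],
    }


def verify_integrity(image_path, record):
    """Recompute the hash and compare it with the acquisition value. Returns (ok, current_hash)."""
    current = sha256_file(image_path)
    return current == record["sha256"], current


def transfer_custody(image_path, record, from_examiner, to_examiner):
    """Log a hand-over; if the image no longer matches, the mismatch is recorded and the transfer refused."""
    ok, current = verify_integrity(image_path, record)
    record["custody"].append({
        "action": "transfer",
        "from": from_examiner,
        "to": to_examiner,
        "at": datetime.now(timezone.utc).isoformat(),
        "sha256_at_transfer": current,
        "verified": ok,
    })
    if not ok:
        raise ValueError(
            f"integrity failure on {record['image']}: expected {record['sha256']}, got {current}")
    return record


def save_record(record, path):
    """Persist the custody record as JSON beside the image (hypothetical layout)."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2)


def demo():
    """Constructed scenario: a fake disk image, one clean transfer, then a single-byte alteration."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed-partition-data" + b"\xff" * 1024)

        record = record_acquisition(image, "examiner-A", "imaged from seized laptop (constructed)")
        ok_at_acquisition, _ = verify_integrity(image, record)
        transfer_custody(image, record, "examiner-A", "examiner-B")

        # Simulate tampering after the first transfer: overwrite one byte inside the image.
        with open(image, "r+b") as f:
            f.seek(4100)
            f.write(b"X")
        ok_after_tamper, _ = verify_integrity(image, record)

        try:
            transfer_custody(image, record, "examiner-B", "examiner-C")
            refused = False
        except ValueError:
            refused = True
        save_record(record, os.path.join(workdir, "custody.json"))
        # (True, False, True, 3): clean at acquisition, broken after tampering,
        # second transfer refused, three custody entries including the failed one.
        return ok_at_acquisition, ok_after_tamper, refused, len(record["custody"])


if __name__ == "__main__":
    print(demo())
```

The failed transfer is still written to the record: an examiner who can show a contemporaneous log of when the hash stopped matching is in a far better position under the Daubert-style scrutiny discussed below than one whose record simply goes quiet.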
Courts throughout the world have long had to deal with scientific evidence and have had to establish rules for what is acceptable and unacceptable in this realm.
In the U.S., the guiding principle in federal courts and many state courts is patterned after the seminal case of Daubert v. Merrell Dow Pharmaceuticals (U.S. Supreme Court, 1993). According to Daubert, a judge can determine the admissibility of scientific evidence based upon four factors:
Testing: Can -- and has -- the procedure been tested?
Error Rate: Is there a known error rate of the procedure?
Publication: Has the procedure been published and subject to peer review?
Acceptance: Is the procedure generally accepted in the relevant scientific community?

Thursday, April 25, 2013

Landmark cyber law - IT Act, 2000 case law - judgement from India -Maharashtra

If an employer obtains his employee's or ex-employee's bank statement without his knowledge, it amounts to DATA THEFT. This cannot be produced even in a Court of Law. This is a landmark judgement (order) delivered by the Maharashtra Adjudicator in our client's favour; this will prevent misuse of an individual's bank statement in India. The judgement has ruled that this amounts to Data Theft of Sensitive Personal Information under Section 43(b) read with Section 66 of the Information Technology (IT) Act, 2000 (INDIA). I represented and argued this matter for my client Amit Patwardhan, CEO of Heko Chains in India (a German Company).
Case Details: Amit Patwardhan Vs Rud India & Vipin Rao - 1 of 2013
This judgement can be downloaded at the following link on the Maharashtra Government Website - DIT:
http://it.maharashtra.gov.in/SITE/Upload/ACT/AmitPatwardhanVsRudIndiaVipinRao%2015Apr%202013%20Rajesh%20Aggarwal.pdf

A New Virus Warning in Indian Cyber Space - -

Warning of A NEW VIRUS 

A new virus, or a variant of an existing one, has been found to be "spreading fast" in Indian cyberspace; it cleverly steals the bank account details and passwords of the user once it is clicked. It is a new, suspected variant of the malware family called 'Win32/Ramnit'.
The Ramnit worm spreads by infecting or modifying existing files on target systems (such as EXE, DLL or HTML files), creating a new section in them and modifying the entry point so that it points to that section.
This virus "steals credentials like file transfer protocol passwords and bank account logins, infects removable media, changes browser settings, and downloads and executes arbitrary files". The virus is so potent that it has the ability to hide itself from anti-virus solutions and goes by various aliases, attacking genuine systems and Internet-based connections used for email and other user services.
The virus is so lethal in its operation that it "infects removable media by copying itself to the media's recycle bin and creating an autorun.inf file".

Once the system is infected, the malware injects its malicious code into Windows executables, HTML files or DLLs to communicate with its command-and-control server, thereby compromising the security of the online system.

Counter measures in this regard:
1. Users should not download or open attachments in emails received from untrusted users, or received unexpectedly from trusted users; they should exercise caution while following links to web pages, and should not visit untrusted websites.

2. Enable a firewall at desktop and gateway level and disable ports that are not required; avoid downloading pirated software; keep up-to-date patches and fixes on the operating system and application software; and keep up-to-date anti-virus and anti-spyware signatures at desktop and gateway level.
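Two of the behaviours quoted above leave artefacts that an administrator can look for on a removable drive before it is used: an autorun.inf that launches a program on insertion, and an executable copied into the drive's recycle-bin directory. The script below is an added example of such a check, written for this post and not taken from CERT-In, any anti-virus vendor or the malware itself; the directory names, file extensions and the sample autorun.inf are constructed assumptions, not signatures of a real Ramnit sample.

```python
import os
import tempfile

# Directory names Windows uses for the recycle bin on FAT/NTFS volumes; the post
# notes the worm copies itself into the removable drive's recycle bin.
RECYCLE_DIRS = {"recycler", "$recycle.bin", "recycled"}
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".dll")
# autorun.inf keys that cause a program to be run or offered when media is inserted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Parse the INI-like [autorun] section into a lowercase key -> value dict."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def assess_autorun(text):
    """Return a list of findings for one autorun.inf; an empty list means nothing suspicious."""
    findings = []
    for key, target in parse_autorun(text).items():
        if key not in LAUNCH_KEYS:
            continue
        # First token is the program; drop arguments, normalise separators and case.
        program = target.replace("/", "\\").split()[0].lower() if target.split() else ""
        parts = [p for p in program.split("\\") if p]
        if any(p in RECYCLE_DIRS for p in parts):
            findings.append(f"{key}={target}: launches from a recycle-bin directory")
        elif program.endswith(EXEC_EXT):
            findings.append(f"{key}={target}: launches an executable on insertion")
    return findings


def scan_removable(root):
    """Inspect a mounted volume: its autorun.inf plus any executables inside recycle-bin directories."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, "r", errors="replace") as f:
            findings += assess_autorun(f.read())
    for dirpath, _dirs, files in os.walk(root):
        rel_parts = {p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)}
        if rel_parts & RECYCLE_DIRS:
            for name in files:
                if name.lower().endswith(EXEC_EXT):
                    findings.append(f"executable inside recycle-bin directory: {os.path.join(dirpath, name)}")
    return findings


# Constructed samples: a harmless vendor disc and one modelled on the behaviour described above.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Vendor Driver Disc
"""

SUSPICIOUS_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\update.exe
label=Removable Disk
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\update.exe
"""


def demo():
    """Build a fake removable volume in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as vol:
        bin_dir = os.path.join(vol, "RECYCLER", "S-1-5-21-0000000000-0000000000-0000000000-1000")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "update.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # constructed stub header, not a real program
        with open(os.path.join(vol, "autorun.inf"), "w") as f:
            f.write(SUSPICIOUS_AUTORUN)
        with open(os.path.join(vol, "holiday.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")
        return scan_removable(vol)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real mount point with scan_removable("/media/usb") or similar; a clean drive returns an empty list, while the constructed volume in demo() yields three findings (two launch keys pointing into the recycle bin, plus the executable found there). The check complements, rather than replaces, the signature-based anti-virus the post recommends.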

Law perspective: If gross negligence or a guilty mind is found, spreading a virus is a cognizable offence under section 43(c) read with section 66 of the IT Act, 2000 in India. It attracts up to 3 years of imprisonment, or a fine of up to Rs. 5 lakh, or both.

Saturday, March 30, 2013

5 things you should consider removing or not posting to Facebook


5 things you should consider removing or not posting to Facebook and/or other social networks.

1. You or Your Family's Full Birth Dates and Address
We all love getting happy birthday wishes from our friends on our Facebook wall. It makes us feel all warm inside knowing that people remembered and cared enough to write us a short note on our special day. If you are having a private party, leave the address off Facebook, unless you are in a public place. We have all seen what happens in the media when your or your friends' privacy settings are compromised. The problem is that when you list your birthday and your address, you are providing identity thieves with 2 of the 3 or 4 pieces of personal information needed to steal your identity. It's best not to list the address or the birth date at all, but if you must list the birth date, at least leave out the year. Your real friends should know this info anyway.

2. Your Relationship Status
Whether you are in a relationship or not, it may be best not to make it public knowledge. Stalkers would love to know that you just became newly single. If you change your status to "single" it gives them the green light they were looking for to resume stalking now that you're back on the market. It also lets them know that you might be home alone since your significant other is no longer around. Your best bet is to just leave this blank on your profile.

3. Your Current Location
There are a lot of people who love the location tagging feature on Facebook that allows them to let people know where they are 24/7. The problem is that you have just told everyone that you're on vacation (and not at your house). If you add how long your trip is then thieves know exactly how much time they have to rob you. My advice is not to provide your location at all. You can always upload your vacation pictures when you get home or text your friends to let them know how jealous they should be that you're sipping an umbrella drink while they toil away at work.

4. The Fact That You Are Home Alone
It is extremely important that parents make sure their children never put the fact that they are home alone in their status. Again, you wouldn't walk into a room of strangers and tell them you are going to be all alone at your house so don't do it on Facebook either.

We may think that only our friends have access to our status, but we really have no idea who is reading it. Your friend may have had their account hacked, or someone could be reading over their shoulder at the library. The best rule of thumb is not to put anything in your profile or status that you would not want a stranger to know. You may have the most stringent privacy settings possible, but if your friend's account gets compromised then those settings go out the window.

5. Pictures of Your Kids Tagged With Their Names
We love our kids. We would do anything to keep them safe, but most people post hundreds of tagged pictures and videos of their kids to Facebook without even giving it a second thought. We even go so far as to replace our profile pictures with that of our children.

Probably 9 out of 10 parents posted their child's full name, and exact date and time of birth while they were still in the hospital after delivery. We post pictures of our kids and tag them and their friends, siblings, and other relatives. This kind of information could be used by predators to lure your child. They could use your child's name and the names of their relatives and friends to build trust and convince them that they are not really a stranger because they know detailed information that allows them to build a rapport with your child.

If you must post pictures of your children then you should at least remove personally identifying information such as their full names and birth dates. Untag them in pictures. Your real friends know their names anyway.

I would be a hypocrite if I said that I have completely removed all tagged pictures of my kids on Facebook. It is a daunting task given the amount of pictures that we take as proud parents, but I have started on it and I'll do a little bit each day until it's finished.

Lastly: think twice before you tag pictures of the children of friends and relatives. They might not want you tagging their kids for the reasons mentioned above. You can send them a link to the pictures and they can tag themselves in place of their children if they want to.

Think twice before you tag photos of your friends or relatives, ask them first, they might not want you tagging them for security reasons as mentioned above.

Wednesday, March 27, 2013

Now A Handbook on Laws of Cyber Warfare by NATO


A handbook by NATO's Co-operative Cyber Defence Centre of Excellence (CCDCOE), located in Tallinn, Estonia, has been released. The centre was established in 2008 after Estonia suffered massive cyber attacks which wreaked havoc on the country's network infrastructure.
The guidelines include a provision for states to respond with conventional force if cyber attacks by another state resulted in death or significant damage to property. It also states that hackers who take part in online attacks during a war can be legitimate targets even though they are technically civilians and not soldiers.
Some rules that cover conventional warfare such as the Geneva Convention have been adapted to the internet. For example, attacks on certain key civilian sites are outlawed.
In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber attacks against works and installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, as well as installations located in their vicinity. Hospitals and medical units are also to be protected.
Another interesting point is that launching an attack from a neutral country's computer network is forbidden in much the same way that conventional armies aren't allowed to march through a neutral country's territory to attack another country.
The handbook, which is published by Cambridge University Press, is neither an official NATO document nor NATO policy. It is merely an advisory manual. Nevertheless, it is a landmark development, as it represents the first-ever attempt to codify how international law applies to online attacks.
You can read it at www.ccdcoe.org/249.html
prashant.mali@cyberlawconsulting.com

FIR : All you want to know about in a criminal case

FIR - What is?  The first information report is a report giving information of the commission of a cognizable crime,  which may be made by t...