Recent Posts

1
As India is marching towards the goal of being Digital India, it is imperative to consider related issues as well. These issues can be legal or technical or both. In other words, techno legal challenges are bound to occur when we would try to implement the noble goal of Digital India. The Companies Act, 2013 of India has also introduced cyber law, cyber security and other techno legal liability and obligations on the part of directors of Indian companies. Some of the techno legal challenges would originate due to cyber crimes, cyber attacks, cyber espionage, cyber terrorism, etc. It is obvious that losses in the form of money and materials would be there. It is also clear that companies and individuals who would be victims of such cyber nuisance would be required to get themselves proper insurance covers.

Cyber crimes and cyber attacks insurance in India is still maturing. We have very few insurance companies in India that are providing cyber insurance policies in India. Further, we have few takers of cyber liability insurance in India. Even the legal issues of cyber liability insurance in India are not clear.

For instance it is still not clear for which categories cyber liability insurance is available and what the exempted categories are in this regard. Further, fine details of these cyber liability insurances are also not clear to both insurance companies and those seeking the insurance. This would raise disputes while redeeming these cyber liability insurances in future.

Many times cyber crimes and cyber attacks originate from outside India. How these cyber intrusions would be investigated, traced back and prosecuted in India is a big challenge before the law enforcement agencies of India. It would require significant skills on the part of insurance companies as well to ascertain the origin of such cyber attacks and cyber crimes and meet the requirements of cyber liability insurance accordingly. In short, conflict of laws in cyberspace is a major challenge and hurdle before insurance companies providing cyber liability insurance in India.

We at Perry4Law believe that cyber liability insurance agreements must be thoroughly drafted keeping in mind the genuine interests of both insurance company and the insured subject. Cyber liability insurance involves high stakes and so the premium is also high. It would be a futile and frustrating exercise if after facing a cyber attack, the insured sum is also not released citing some clause or provision in the cyber liability insurance agreement.

In their own interest, those seeking cyber liability insurance must get the insurance agreement vetted by suitable techno legal professionals or law firms of their choices. While choosing the concerned legal expert or law firm, the companies and individuals must ensure that such legal experts or law firms are maintaining a proper cyber security mechanism to protect sensitive and crucial information pertaining to their clients.

The cyber security obligations of law firms in India are increasing and they cannot afford to take the data of their clients casually. Law firms in India must also keep in mind the legal obligations arising out of privacy and data protection (PDF) norms as applicable in India from time to time. We wish all the best to both insurance companies and the insurance seekers regarding cyber liability insurance issues.

Source: Global ICT Policies And Strategies.
2
Insurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements. Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amenable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of documents in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian companies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

Source: International Legal Issues Of Cyber Security.
3
Cyber insurance in India has become an acceptable reality in India these days. Many companies have shown their interests in obtaining cyber insurance and some of them have actually obtained the same. Before taking up a cyber insurance policy in India, the concerned company or individual must be well aware of the techno legal compliance requirements of India and the potential cyber risks. This alone would help it/him/her to take the most appropriate cyber insurance policy.

Similarly, an improper cyber insurance policy that is not covering the cyber risks in entirety and leaves scope for ambiguity and legal complications while claiming the insured amount should be avoided. A techno legal vetting of cyber insurance policies obtained in India is an absolute must before obtaining the same.

Just like legal due diligence, a techno legal cyber insurance policy due diligence must be conducted before signing any such cyber insurance policy. The terms and conditions of such cyber insurance policy must be thoroughly analysed line by line to avoid any unfavorable and surprise outcome. Merely signing of a cyber insurance policy does not mean that in case of a cyber breach the concerned insurance company would release the insured amount.

Insured companies and individuals who have obtained a cyber insurance policy must also be aware of the issues like privacy, data protection (PDF), data security, e-discovery, cyber forensics, cyber crimes investigation, etc. This does not mean that those insured themselves must be capable of managing the techno legal aspects of these issues and fields.

Similarly, insurance companies must also make it sure that Indian companies and other stakeholders have already introduced and implemented cyber security best practices, cyber forensics best practices, e-discovery best practices, cyber law due diligence (PDF), e-commerce due diligence, etc. This would prevent future disputes between the insurance companies and the insured stakeholders when a cyber breach occurs. Insurance companies can also provide a more comprehensive cyber insurance policy to those companies and individuals who can demonstrate using of a robust cyber security infrastructure and techno legal best practices for their business activities.

We at Perry4Law believe that there is an urgent need to formulate suitable techno legal regulations for various sectors, including cyber insurance in India. In particular, Indian government needs to enact cyber security laws, data security laws, privacy laws, data protection laws, cyber security breach disclosure laws, etc. As on date, all of these laws are missing and this has created a state of uncertainty and chaos in Indian cyberspace. This environment is also not conducive for the growth and adoption of cyber insurance in India.

Source: Cyber Laws In India.
4
Mobiles are believed to play a major role in the successful implementation of the Digital India project of Indian government. From mobile commerce to mobile banking, the Indian government is betting big upon mobiles and their use for public delivery of services through electronic means. Of course, this big scale use of mobiles will also give rise to cyber law and cyber security issues that Indian government must be well prepared to deal with in future.
 
Mobile phones have become ubiquitous these days. They are used for multiple purposes ranging from personal use to mobile banking. Cyber criminals have also realised the importance of mobile phones for committing cyber crimes and financial frauds. This is also the reason why malware writers are also writing mobile phone specific malware to steal confidential and sensitive information.
 
Mobile cyber security in India has become a cause of concern these days. Mobile phones are now proposed to be used for mobile banking and mobile governance in India. Naturally, we must ensure robust mobile cyber security in India. An electronic authentication policy of India can help in more active and secure mobile usages in India. Mobile governance and e-authentication in India are also closely related and with the proposed electronic delivery of services in India this is also a must have requirement.
 
For the time being we have no implementable electronic delivery of services policy of India though it may be in pipeline. Indian government is working in the direction of ensuring electronic delivery of services in India. In fact a legal framework titled electronic delivery of services bill 2011 (EDS Bill 2011) was also proposed by Indian government in the past. The same has still to become an applicable law in India. Once the EDS Bill 2011 becomes an applicable law, governments across the India would provide electronic services through various modes, including mobile phones. This requires putting a robust and reliable mobile security infrastructure in India.

However, using of mobile phones for commercial and personal transactions in India is also risky. For instance, the mobile banking in India is risky as the present banking and other technology related legal frameworks are not conducive for mobile banking in India. Similarly, we do not have a well developed e-governance infrastructure in India. As a result India is still not ready for m-governance.
 
We at Perry4Law Organisation (P4LO) believe that the biggest hurdles before the mobile related uses in India pertain to use of weak encryption standards and non use of mobile cyber security mechanisms in India. Absence of encryption laws in India has further made the mobile security very weak in India. The ever evolving mobile malware are further increasing the woes of mobile users worldwide. As on date the malware are defeating cyber security products and services with ease.
 
It is high time for India to seriously work upon mobile cyber security aspects as soon as possible. The policy decisions in this regard must be taken urgently and must be implemented as soon as possible.

Source: Cyber Security Issues In India.
5
Internet of things (IoT) is the new buzz word these days. Everybody is talking about IoT because it has great business, commercial and personal use potential. IoT combines software, hardware and a communication infrastructure so that systems/devices can contact and communicate with each other in a non intrusive and automatic manner. Like any other technology, IoT has its own uses and challenges.

For instance, IoT can be used for smart grids, smart cities, e-health, etc. and thereby reduce their cost of operation and improve their productivity. However, IoT also has civil liberties and cyber security challenges to manage. Cyber criminals have already started abusing IoT controlled devices for launching malicious cyber attacks. As the technology protocols for IoT are still evolving, it is very difficult to avoid such cyber attacks.

Similarly, on the legal framework front, IoT has yet to be suitably regulated around the world. India has no dedicated law for IoT and some guidance can be found from the Information Technology Act, 2000 (IT Act, 2000). Indian government has issued the draft IOT Policy of India (pdf) and Revised Draft IOT Policy of India (pdf) but they are not sufficient to manage the complicated techno legal issues of IoT.

IoT is an essential part of the Digital India project of Indian government that is already heading towards rough waters in the absence of adequate cyber security and civil liberties protections. For instance, ensuring of cyber security for smart grids and smart cities is still a distant dream for Indian government. Similarly, IoT and Smart cities have to manage civil liberties issues as well that are presently ignored by Indian government.

Perry4Law Organisation (P4LO) has launched a dedicated and exclusive techno legal centre of excellence (CoE) for Internet of things (IoT) in India. We have covered many techno legal issues there that Indian government is required to manage in near future. We have been managing these issues for long and we would discuss the same at our CoE-IoT website in more details in our subsequent posts.

P4LO would help national and international IoT stakeholders in formulation and implementation of techno legal frameworks so that adoption and use of IoT can be as smooth and hassle free as possible.

Source: Perry4Law Blog.
6
Present day critical infrastructures are connected to information and communication technology (ICT) for portability, convenience and remote control purposes. Although this process brings many advantages yet this usage of ICT for critical infrastructures also exposes them to potential cyber attacks.
 
According to the Cyber Security Trends of India 2015 by Perry4Law Organisation (P4LO), Critical Infrastructure Protection in India (PDF) would be required in the year 2015 as India has launched projects like Digital India and Internet of Things (IoT) (PDF). Indian Government needs to work hard in this regard as cyber security challenges in India are very daunting in nature. 

The cyber security challenges before the Narendra Modi government are more demanding than its predecessor government due to heavy reliance upon ICT and technology. However, India is not yet prepared to deal with the same. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must urgently formulate the Cyber Security Policy of India 2015 as the previous policy is just a paper work with no actual benefits. 

Now here lies the real problem. Formulation of a techno legal framework and robust cyber security policy of India 2015 require tremendous techno legal acumen. Further, the actual implementation of the proposed 2015 policy would be even more difficult. This may be the reason that Modi government is shy in bringing any change in the otherwise outdated and redundant 2013 cyber security policy of India. Nevertheless, a call has to be made in this regard and immediate action is need of the hour.
 
It is not the case that the Modi government has not taken pro cyber security initiatives in India. Firstly, Modi government has appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom the taskforce would be constituted within a period of one month. Now it has been reported that the Grid Security Expert System (GSES) of India has been proposed to be developed by Powergrid.

GSES would involve installation of knowledge based Supervisory Control and Data Acquisition (SCADA) system, numerical relays and Remote Terminal units up to 132 kV stations and the reliable Optical fibre Ground wire (OPGW) communication system at an estimated cost of around Rupees 1200 crores. The objective of the GSES is implementation of the Automatic Defense mechanism to facilitate reliable and secure grid operation.
 
CECSRDI welcomes this move of Indian government. We have been advocating that a robust cyber crisis management plan of India is need of the hour. A crisis management plan for preventing cyber attacks on the power utilities in India has also been suggested by CECSRDI. We have also suggested that crisis management plan of India for cyber attacks and cyber terrorism is required. Power grids cyber security in India and its challenges are not much known as on date but awareness about the same is fast increasing. The present decision of Indian government to establish GSES is an example of the same.
 
It has also been stated that the Computer Emergency Response Team-India (CERT-IN), Department of Information Technology, Ministry of Communication and Information Technology, Government of India has prepared a Crisis Management Plan (CMP) for countering cyber attacks and cyber terrorism. The CMP intends to prevent large scale disruption in the functioning of critical information systems of Government, public and private sector resources and services. A framework has also been outlined for dealing with cyber related incidents for rapid identification, swift response and remedial actions to mitigate and recover from cyber related incidents impacting critical national processes. 

In December 2010, Ministry of Power had constituted CERTs (Computer Emergency Response Teams) for power sector. At CECSRDI we welcome establishment of these dedicated CERTs as they can manage cyber security issues in a better manner. For instance, CERT-Thermal (nodal agency: National Thermal Power Corporation (NTPC)), CERT-Hydro (nodal agency: National Hydroelectric Power Corporation (NHPC)) and CERT-Transmission (nodal agency: Power Grid Corporation of India Limited (PGCIL)) can take necessary action to prevent cyber attacks in their domains. The State Power Utilities have also been advised to prepare their own sectorial Crisis Management Plan (CMP) and align themselves with the Nodal Agencies i.e. NTPC, NHPC & PGCIL and CERT-In for the necessary actions.
 
Cyber security of automated power grids of India is need of the hour. It is only after a massive power blackout in 2012 that Indian government has woken up to the dangers of cyber attacks against Indian power sector. Based on the recommendations of the Enquiry Committee, constituted by Ministry of Power to enquire into the causes of the grid collapse of 2012, several measures like third party protection audit, review of Unscheduled Interchange mechanism, review of Central Electricity Authority transmission planning criterion, tightening of frequency band, coordinated planning of outages, development of islanding schemes, proper maintenance of under frequency relays etc. have been taken by the Government to prevent grid failures. We welcome these pro active efforts on the part of Indian government.
 
However, it would be really interesting to observe what actual steps would be taken by Modi government to strengthen Indian cyber security. Till now Modi government has not come out with even a single cyber security related policy decision or initiative. These policy decisions and projects, with their own merits and demerits, are the legacy of Congress government. What Modi government would do in this regard is yet to be seen. We wish all the best to Modi government in the field of cyber security and other related projects.
 
Source: Global Techno Legal News And Views.
7
Indian Cyber Security News And Articles / Cyber Security Of Smart Grids In India
« Last post by PTLB on February 12, 2017, 08:23:35 PM »
Utility industry around the world is undergoing radical changes in its structure and business models. It is being reshaped by disruptive technologies, environmental pressures and social expectations. Traditional electric grids are now replaced with smart grids that are controlled by information and communication technology (ICT). In many cases, these utilities are managed through remote administration as well. Power grids are also centrally connected and integrated in nature from the stage of power generation to its transmission and distribution. A compromise of such power grids can lead to power outages/blackout or even damage to power system devices and thereby huge loss to the utilities. This is also the stage and process that makes these utilities vulnerable to cyber attacks.

Naturally smart grids cyber security has become a top priority for governments around the world in these circumstances. The contemporary malware are very sophisticated in nature and they are easily defeating the cyber security products and services. As a result cyber attacks and malware have become a big nuisance for businesses and individuals alike. Smart grids are also facing sophisticated cyber attacks from around the world.

Cyber security issues in India are emerging day by day. Similarly, the cyber security awareness in India is also increasing. However, cyber security capabilities of India are still not up to the mark. Cyber security skills developments in India are urgently required so that both offensive and defensive cyber security capabilities of India can be developed. Keeping this fact in mind, critical infrastructure protection in India in general and cyber security of automated power grids of India in particular must be ensured with latest technology and international best practices. In the past Indian government declared that a Grid Security Expert System (GSES) of India would be developed in India. The same may be a reality very soon keeping in mind the focus upon Digital India project of Indian government.

There would be many cyber security challenges for future smart grids of India. The evolution of SCADA system, deficiencies and shortcomings of existing power devices and vulnerabilities of software managing SCADA systems are areas of special concern for India. Internet is full of unprotected and unsafe devices, SCADA systems and computers. Critical infrastructures protection has also become a major challenge with the SCADA systems still remaining exposed and unprotected. For instance, healthcare industry is facing increased cyber attacks against its critical infrastructures. Cloud computing is also facing low adoption and regulatory issues in India.

Further, renewable energy/distributed generation demands are the added feature of smart grid and due to networked control future power system will be much more vulnerable to cyber terrorism attacks, cyber warfare activities and cyber espionage attempts. Therefore, before switching to smart grids, India must consider cyber security challenges for them as well.

Although India has recognised the significance of cyber security yet its efforts in this direction are still scattered, unstructured and inadequate. Perry4Law Organisation (P4LO) has been advocating for establishing a strong, robust and resilient cyber security infrastructure in India for almost a decade. P4LO also believes that international legal issues of cyber security must be resolved on mutual cooperation basis among various countries. Countries may work in the direction of formulating international cyber law treaty and international cyber security treaty (PDF). Similarly, international legal issues of cyber security and conflict of laws in cyberspace must also be resolved by Indian government. We hope Indian government would resolve the cyber security issues related to smart grids very soon.
8
Websites defacement is a very common problem in Indian cyberspace. It is next to impossible to secure websites and some vulnerability can always be found in one form or other. Whether it is the server side configuration or using of insecure codes and scripts, websites are constantly targeted by crackers. Websites hosted on shared servers are more prone to cyber attackers and compromise of such shared server would result in compromise of all websites hosted on the same.

In India the National Informatics Centre (NIC) manages many issues of hosting of government websites. This is logical as well, as government websites may contain sensitive information and data that cannot be stored on private servers. However, even the websites hosted on NIC servers are not immune from cyber attacks.

In the latest case, the website of Ministry of Home Affairs is alleged to be compromised by crackers. It has been blocked for the time being till investigation in this regard is completed. However, a top official of the Ministry has confirmed that no such cracking incident took place and said that the site was blocked since it was under construction.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) firmly believe that Indian government must develop both offensive and defensive cyber security capabilities. Cyber security infrastructure in India is still not effective and it needs rejuvenation and strengthening.

P4LO and PTLB have also released techno legal cyber security trends of India 2017 for various stakeholders, including Indian government. We have outlined the cyber security challenges that Indian government would face in the year 2017.

We have also suggested that with an increased focus upon digital India project, cyber security should be the priority for Indian government. Indian government is already in the process of establishing the national cyber coordination centre (NCCC) of India and NCCC may be functional very soon. Once NCCC is functional, issues like cyber attacks and website defacement would be better managed in India.
9
Cyber Law News Of India / MeitY Is Drafting A Policy On Mobile Wallets And Mobile Banking
« Last post by PTLB on February 11, 2017, 10:25:12 PM »
Demonetisation has given a unique business opportunity to mobile wallets, mobile banking and other forms of digital payments. India is still trying to use digital payments for various purposes as a dominant majority of transactions are conducted through cash transactions. Digital payments have still not been able to make any significant dent in the cash driven economy of India.

Perry4Law Organisation (P4LO) has published the Digital Payments and Cashless Economy Trends of India 2017 that has covered many crucial issues regarding use, adoption and safeguards for using digital payments in India. The cyber security trends in India 2017 have also been published by P4LO and PTLB for the benefit of all stakeholders. Collectively, we have provided techno legal digital payments trends of India that can be referred to by various stakeholders.

Now it has been reported that the Ministry of Electronics and Information Technology (MeitY) is drafting a policy on mobile wallets and mobile banking to mitigate the risk of cyber fraud. The government is also considering insurance protection against cyber-crimes. Cyber insurance policies are still not popular in India due to lack of understanding of techno legal issues associated with the same. As for the insurance cover, MeitY will play the role of a facilitator since mobile wallets are regulated by the Reserve Bank of India and insurance companies are controlled by the Insurance Regulatory and Development Authority of India. A legal agency may also be roped in to examine the concerns around digital payments and advise on the need for a new law.

The government is also in the process of launching of National Cyber Security Coordination Centre (NCCC) for an investment of about Rs 900 crore, in order to assess threats in real time and safeguard India’s cyberspace. The premise is ready for NCCC. Recruitment is going to start soon with 55 people on board initially.
10
Cyber security for banks is absolutely essential keeping in mind the increased focus upon digital payments and online banking. However, cyber security of banks in India is still not up to the mark and much has still to be done. This is despite the fact that Reserve Bank of India (RBI) has prescribed a cyber security framework for banks in India. Similar is the situation regarding mobile banking in India that is largely insecure and a breeding ground for cyber crimes and phishing attacks. Banks of India are also not complying with cyber law of India and cyber law due diligence (pdf) requirements as prescribed by the Information Technology Act, 2000 (IT Act, 2000).

In a positive move, recently RBI issued a directive according to which all banks in India are now required to constitute a separate committee to tackle cyber crime. The committee will give more teeth to the existing security wings that banks already have. The new committee will be headed by top officials of banks and security experts, with four to five members.

We at Perry4Law Organisation (P4LO) welcome this move of RBI and Indian government and hope that this requirement would be a ground reality very soon. We also request banks of India to strictly follow the cyber security and cyber law related obligations for the larger benefit of all stakeholders.