1. Structuring a National Strategy to secure
Cyberspace:
Solutions for India
Netsecure Technology
http://ww.netsecure.in
2. Part 1 – The need for a national strategy
• Examining national objectives
• Structuring a policy
• Current law in India
Part 2 – Case Study: Data Privacy and National Compliance [Challenges and Strategies]
• Data Protection legislation around the world
• European Commission Directive and the UK Act
• Data Protection model: the United States
• Balancing Privacy and Security
4. Speed and Convenience
• Technological advances in data storage and transmission
• Globalisation of communications - the internet
• Convergence and standardisation of technologies
• Increasing importance of data processing
Mobile access
Personalised and tailored
Data mining sophistication
Loss of control
Insecurity
Lack of confidence
Increased scepticism
Low uptake of eCommerce
5. <Cyberspace> as introduced by William Gibson [A place governed by its own laws] - "a consensual hallucination" [William Gibson, Neuromancer]
A contradiction? Greek <kybernetes> means 'steersman' of a ship
"Law and Borders": the 'independent' theory of cyberspace law [David Post and David Johnson, Stanford Law Review]
Benkler's layers – the physical, the code and content [in communications theory]
Lessig <Code and other laws of Cyberspace>
6. Securing “Indian” Cyberspace [regulations and the
history of trade – towards pax mercatur]
The basic premise: the machine or the medium
Adaptability and Enforcement of Indian law – lessons from the American experience [Adobe Systems v. Dmitry Sklyarov]
Systematic collaboration between vendors and
customers to secure interoperable government and
industry enterprise information systems
Enhance collaboration between law enforcement and
industry to prevent and prosecute cyber crimes
7. Understanding the role of the medium – incidental
[blackmail, stalking]; content [obscene or sensitive
material]; integrity [unauthorised access and/or
modification]
The criminal act – discovery [detection] and analysis
The Cybercrime Manual – fostering preparedness
Focussing on 'relevant' issues and appropriate classification of offences
Cyber forensics and the collection of evidence
Crisis management [internal and external]
8. The Team [Member of the Board, Human Resources Manager, Chief Information Officer, Legal Counsel, E-Risk Management Consultant, Internet Security Expert, Cyberinsurance broker]
Utilising and factoring security tools – Digital signatures are a 'sign of our times'
Understanding and evaluating risks [internal and external]
Allocating roles and responsibilities - Structuring the audit process [examining use and abuse]
Ten Tips –
[i] Firewalls with secure passwords;
[ii] correct installation and maintenance [the human angle];
[iii] encryption;
[iv] assign network administrators a security role;
[v] External consultants and auditors;
[vi] periodic security audits;
[vii] do not ignore 'small company' security needs;
[viii] limit access to the computer room;
[ix] educate employees about the dangers of social engineering;
[x] educate employees on potential threats.
9. A training process for law enforcement
The Basics: the “machine” and the “medium” – What is
a Cybercrime?
Develop programs that promote a culture of security
within and across enterprises, including corporate
governance, integration of physical and cyber
security, and cyber ethics from school to the office
Engage with industry, academia and government in
both countries to foster research and development and
collaborative education efforts in information security
10. Stake your territory: the applicable law
Have the final say: the invitation to treat
On your own terms
Is it secure?
The customer is always right!
Privacy policy and data protection
Protecting your brand: Domain names and trademarks in general
The copyright ‘catch’
Chat online [Bulletin Board/Service Provider Liability]
12. A fundamental human right
the right of the individual to be let alone
• Information Privacy (data protection) - personal data
• Bodily privacy - invasive procedures - search, drug testing; genetic
testing; etc
• Communications Privacy - mail, telephone, e-mail etc
• Territorial privacy - domestic privacy; CCTV; ID checks etc
“Public” aspects - surveillance, police powers and national security
“Private” aspects - commercial use of data
13. Overview - major International and US regulations
1948 UN Universal Declaration of Human Rights
HUMAN RIGHTS
1970 US Fair Credit Reporting Act
1974 US Privacy Act
1976 International Covenant on Civil and Political Rights
1980 OECD Guidelines on Protection of Privacy
1980 US Privacy Protection Act
1995 European Commission Directive on Data Protection
1994 US Communications Assistance to Law Enforcement Act
1996 US Health Insurance Portability and Accountability Act
1998 US Children's Online Privacy Protection Act
1998 European Member States implement Directive
1999 US Financial Services Modernization Act
BUSINESS ISSUES
14. There is no general privacy or data protection law in India:
• Constitution Article 21
Right to life and liberty, interpreted by Supreme Court as including the
“right to be let alone”
• International Covenant on Civil and Political Rights 1966 Article 17:
No one shall be subject to arbitrary or unlawful interference with his
privacy, family, home or correspondence, nor to unlawful attacks on his
honour and reputation. Everyone has the right to the protection of the law
against such interference or attacks.
• Law of privacy (Tort Law) – Action for unlawful invasion of privacy
15. Information Technology Act 2000
• Section 43 (a)
Penalty for unauthorised access to a computer system
• Section 43 (b) -
Penalty for unauthorised downloading or copying of data without permission
• Section 72 -
Offence of accessing any electronic record, book, register, correspondence,
information, document or other material and, without the consent of the
person concerned, disclosing such information to another person
16. • Public Financial Institutions Act of 1993 codifies confidentiality of
bank transactions
• ISPs prohibited from violating privacy rights of subscribers by virtue
of the licence to operate granted by the Department of
Telecommunications
• A general data protection law in India?
National Task Force on IT and Software Development 1998
Submitted “IT Action Plan” calling for “National Policy on Information
Security, Privacy and Data Protection Act for handling of
computerised data” but no Act introduced to date
18. [Countries and territories named on the slide, listed alphabetically; the only annotation on the slide is "safe harbor" against the United States]
AFGHANISTAN, ALBANIA, ALGERIA, AMERICAN SAMOA, ANDORRA, ANGOLA, ANGUILLA, ANTARCTICA, ANTIGUA AND BARBUDA, ARGENTINA, ARMENIA, ARUBA, AUSTRALIA, AUSTRIA, AZERBAIJAN
BAHAMAS, BAHRAIN, BANGLADESH, BARBADOS, BELARUS, BELGIUM, BELIZE, BENIN, BERMUDA, BHUTAN, BOLIVIA, BOSNIA AND HERZEGOVINA, BOTSWANA, BOUVET ISLAND, BRAZIL, BRITISH INDIAN OCEAN TERRITORY, BRUNEI DARUSSALAM, BULGARIA, BURKINA FASO, BURUNDI
CAMBODIA, CAMEROON, CANADA, CAPE VERDE, CAYMAN ISLANDS, CENTRAL AFRICAN REPUBLIC, CHAD, CHILE, CHINA, CHRISTMAS ISLAND, COCOS (KEELING) ISLANDS, COLOMBIA, COMOROS, CONGO, COOK ISLANDS, COSTA RICA, COTE D'IVOIRE, CROATIA, CUBA, CYPRUS, CZECH REPUBLIC
DENMARK, DJIBOUTI, DOMINICA, DOMINICAN REPUBLIC
EAST TIMOR, ECUADOR, EGYPT, EL SALVADOR, EQUATORIAL GUINEA, ERITREA, ESTONIA, ETHIOPIA
FALKLAND ISLANDS (MALVINAS), FAROE ISLANDS, FIJI, FINLAND, FRANCE, FRENCH GUIANA, FRENCH POLYNESIA, FRENCH SOUTHERN TERRITORIES
GABON, GAMBIA, GEORGIA, GERMANY, GHANA, GIBRALTAR, GREECE, GREENLAND, GRENADA, GUADELOUPE, GUAM, GUATEMALA, GUINEA, GUINEA-BISSAU, GUYANA
HAITI, HEARD ISLAND AND MCDONALD ISLANDS, HOLY SEE (VATICAN CITY STATE), HONDURAS, HONG KONG, HUNGARY
ICELAND, INDIA, INDONESIA, IRAN, IRAQ, IRELAND, ISRAEL, ITALY
JAMAICA, JAPAN, JORDAN
KAZAKSTAN, KENYA, KIRIBATI, KUWAIT, KYRGYZSTAN
LAO PEOPLE'S DEMOCRATIC REPUBLIC, LATVIA, LEBANON, LESOTHO, LIBERIA, LIBYAN ARAB JAMAHIRIYA, LIECHTENSTEIN, LITHUANIA, LUXEMBOURG
MACAU, MACEDONIA, MADAGASCAR, MALAWI, MALAYSIA, MALDIVES, MALI, MALTA, MARSHALL ISLANDS, MARTINIQUE, MAURITANIA, MAURITIUS, MAYOTTE, MEXICO, MICRONESIA (FEDERATED STATES OF), MOLDOVA (REPUBLIC OF), MONACO, MONGOLIA, MONTSERRAT, MOROCCO, MOZAMBIQUE, MYANMAR
NAMIBIA, NAURU, NEPAL, NETHERLANDS, NETHERLANDS ANTILLES, NEW CALEDONIA, NEW ZEALAND, NICARAGUA, NIGER, NIGERIA, NIUE, NORFOLK ISLAND, NORTH KOREA, NORTHERN MARIANA ISLANDS, NORWAY
OMAN
PAKISTAN, PALAU, PALESTINIAN TERRITORY (OCCUPIED), PANAMA, PAPUA NEW GUINEA, PARAGUAY, PERU, PHILIPPINES, PITCAIRN, POLAND, PORTUGAL, PUERTO RICO
QATAR
REUNION, ROMANIA, RUSSIAN FEDERATION, RWANDA
SAINT HELENA, SAINT KITTS AND NEVIS, SAINT LUCIA, SAINT PIERRE AND MIQUELON, SAINT VINCENT AND THE GRENADINES, SAMOA, SAN MARINO, SAO TOME AND PRINCIPE, SAUDI ARABIA, SENEGAL, SEYCHELLES, SIERRA LEONE, SINGAPORE, SLOVAKIA, SLOVENIA, SOLOMON ISLANDS, SOMALIA, SOUTH AFRICA, SOUTH GEORGIA, SOUTH KOREA, SPAIN, SRI LANKA, SUDAN, SURINAME, SVALBARD AND JAN MAYEN, SWAZILAND, SWEDEN, SWITZERLAND, SYRIAN ARAB REPUBLIC
TAIWAN, TAJIKISTAN, TANZANIA (UNITED REPUBLIC OF), THAILAND, TOGO, TOKELAU, TONGA, TRINIDAD AND TOBAGO, TUNISIA, TURKEY, TURKMENISTAN, TURKS AND CAICOS ISLANDS, TUVALU
UGANDA, UKRAINE, UNITED ARAB EMIRATES, UNITED KINGDOM, UNITED STATES (safe harbor), URUGUAY, US MINOR OUTLYING ISLANDS, UZBEKISTAN
VANUATU, VENEZUELA, VIET NAM, VIRGIN ISLANDS (BRITISH), VIRGIN ISLANDS (U.S.)
WALLIS AND FUTUNA, WESTERN SAHARA
YEMEN, YUGOSLAVIA
ZAMBIA, ZIMBABWE
19. Norway – Personal D Reg Act – In force 14 April 2000
Finland – Personal DP Act – In force 1 June 1999
Sweden – Personal Data Act – In force 24 October 1998
Denmark – Act on Processing of PD – In force 1 July 2000
Belgium – Data Protection Act – In force 1 Sep 2001
Ireland – -
Germany – Data Protection Act – In force 23 May 2001
United Kingdom – Data Protection Act – In force 1 March 2000
Austria – Data Protection Act – In force 1 January 2000
Luxembourg – -
Canada – PIP&ED Act – Commenced 1 Jan 2001
Mexico – eCommerce Act – In force 7 June 2000
Italy – Data Protection Act – In force 8 May 1997
Netherlands – Law on Protection PD Act – In force 1 Sep 2001
United States (includes) – CPP Act 1984; VPP Act 1988; COPP Act 1998 – In force 21 April 2000; HIPA Act – In force 14 April 2001; GLB Act – In force 1 July 2001; 'General' Act – Under consideration
Hong Kong – Personal Data (Privacy) – In force 20 Dec 1996
Australia – Privacy Act – In force 21 Dec 2001
Spain – Data Protection Act – In force 13 January 2000
France – -
Taiwan – Computer Processed DP – In force 11 August 1995
New Zealand – Privacy Act – In force 1 July 1993
Portugal – Personal DP Act – In force 27 October 1998
Greece – Protection Processing – In force 10 April 1997
Switzerland – Data Protection Act – In force 1 June 1999
South Korea – eCommerce Act – In force January 1999
Eastern Europe – Estonia (96), Poland (98), Slovak (98), Slovenia (99), Hungary (99), Czech (00), Latvia (00), Lithuania (00)
21. • Directive 95/46/EC of the European Commission
• Now implemented in almost all Member States
e.g. UK
previously - UK Data Protection Act 1984
now - UK Data Protection Act 1998 (in force March 2000)
(“DPA”)
22. 1. Personal data must be processed fairly and lawfully
2. Personal data must be collected and used only for notified purposes.
3. Personal data must be adequate, relevant and not excessive.
4. Personal data must be accurate and, where necessary, kept up-to-
date.
5. Personal data must only be retained for as long as is necessary to
carry out the purposes for which it is collected.
6. Personal data must be processed in accordance with the rights of
data subjects as set out under the 1998 Act.
23. 7. Appropriate technical and organisational measures must be in place
to protect against unauthorised access, amendment or loss of
personal data. There must be a contractual obligation, in writing, upon
any data processor to comply with the relevant legislation and to
ensure that such measures have been put in place.
8. Personal information must not be transferred out of the European
Economic Area ("EEA") unless the receiving country ensures "an
adequate level of protection" for the rights and freedoms of the data
subjects vis-à-vis the processing of personal data.
24. The Eighth Principle
Personal information must not be transferred out of the European
Economic Area ("EEA") unless the receiving country ensures "an
adequate level of protection" for the rights and freedoms of the data
subjects vis-à-vis the processing of personal data.
25. Notwithstanding lack of country adequate status, a Data Controller can nevertheless conclude there is adequate protection in respect of a particular transfer if:
There is sufficient protection for individual data subjects
Having regard to:
- nature of data being transferred;
- purposes for processing;
- security measures in place;
- individual rights to redress if things go wrong
Note - all of these could be covered in a Seventh-Principle type contract
27. United States (Federal)
Fair Credit Reporting Act 1970
Privacy Act 1974
Family Educational Rights and Privacy Act 1974
Cable TV Privacy Act 1974
Right to Financial Privacy Act 1978
Privacy Protection Act 1980
Cable Communications Policy Act 1984
Electronic Communications Privacy Act 1986
Video Privacy Protection Act 1988
Employee Polygraph Protection Act 1988
Telephone Consumer Protection Act 1991
Driver's Privacy Protection Act 1994
Communications Assistance to Law Enforcement Act 1994
Health Insurance Portability and Accountability Act 1996
Children's Online Privacy Protection Act 1998
Deceptive Mail Prevention and Enforcement Act 1999
Financial Services Modernization Act 1999
'General' Act – Under consideration?
Safe Harbor – In effect 2001
• Self certified compliance with 'adequate' principles
• Regulatory enforcement of trade practices legislation
28. However, only 356 companies in the whole of the United States
have current Safe Harbor registrations
This raises questions as to the credibility of the safe harbor regime
Safe Harbor also only addresses transfers of data from abroad, and
does not offer comprehensive protection for US citizens
29. Antiterrorism Acts: Issues
USA <the Patriot Act> – 26 October 2001
Canada – 16 October 2001
India <Prevention of Terrorism Act>
• enhanced investigative powers
• easier to use electronic surveillance
• continue and clarify the mandate of the law enforcement to collect foreign communications
• requires individuals who have information related to terrorist groups to appear before a judge to provide that information
• extending DNA data bank to include terrorist crimes
Will governments enforce privacy laws? US, Canada, UK, EU, Australia
Thoughts
• data protection enforcement is generally complaint based
• public continually stress privacy concerns
• good privacy is good business
• erosion of privacy is a win for terrorism
31. • Comprehensive Laws governing collection, use and dissemination of
personal data
• Sectoral laws - piecemeal rules for particular industries, types of
information or technologies - piecemeal protection
• Self-regulation - e.g. Safe Harbor - mostly disappointing to date
• Technological solutions - physical and logical security, encryption, etc
- must be combined with legislative protections
32. • To remedy past injustices (e.g. C.Europe, S.America, S.Africa)
• To create confidence and promote e-commerce, m-commerce, ITES
and bioinformatics sectors
• To remove barriers to data transfers from Europe, by ensuring India
is granted “adequate” status
• To ensure enforceability, through a central oversight agency
• Because effectiveness of self-regulation is limited
• Because State governments are already recognising need and
considering own data protection legislation