
Notification of Companies (Acceptance of Deposits) Second Amendment Rules, 2019

The Ministry of Corporate Affairs (the MCA), vide its Notification dated 30 April 2019, has amended the Companies (Acceptance of Deposits) Rules, 2014. This amendment relates to its earlier notification dated 22 January 2019, which mandated non-government companies to file Form DPT 3 providing particulars of transactions that have not been considered as deposits under the Companies Act 2013, or both, as on 22 January 2019. With this amendment, the MCA now requires companies to provide the aforesaid information as on 31 March 2019. Further, it has extended the due date for filing Form DPT 3 from 22 April 2019 to 30 June 2019.

Source: http://www.mca.gov.in/Ministry/pdf/CompaniesAcceptanceDepositsSecAmendRules_01052019.pdf


SEBI Guidelines to determine allotment and trading lot size for Real Estate Investment Trusts (REITs) and Infrastructure Investment Trusts (InvITs)

The Securities and Exchange Board of India (SEBI) recently amended the SEBI (Infrastructure Investment Trusts) Regulations, 2014 (“InvIT Regulations”) and SEBI (Real Estate Investment Trusts) Regulations, 2014 (“REIT Regulations”) vide notification dated 22 April, 2019.

With the amended regulations notified, the minimum subscription requirement has been reduced and the trading lot, in terms of number of units, has been defined for publicly offered InvITs and REITs. Also, the limit on aggregate consolidated borrowings and deferred payments, net of cash and cash equivalents, has been increased to seventy percent of the value of the InvIT assets.

Further, the said amendments have also laid down the manner of determining the minimum allotment requirement for publicly offered InvITs and REITs. Following are the guidelines:

  1. For Initial Offer:
    1. Each allotment value shall not be less than Rs. 1,00,000/- for InvITs and Rs. 50,000/- for REITs, where such lot consists of 100 units.
    2. Allotment to any investor shall be made in the multiples of a lot.
  2. For Follow-on offer:
    1. The minimum allotment shall be of such number of lots as it had at the time of the initial offer and the value shall not be less than Rs. 1,00,000/- for InvITs and Rs. 50,000/- for REITs. Also, each lot shall consist of such number of units in its trading lot as it had at the time of the initial offer.
    2. Allotment to any investor shall be made in the multiples of a lot.

With respect to publicly offered InvITs and REITs whose units are listed on the date of this notification, i.e., 22 April 2019, the recognised Stock Exchanges shall, in consultation with such InvITs and REITs, determine the number of units in the trading lot by 22 October 2019.

Additional Financial Disclosure for InvITs:

As per regulation 20(3)(b) of the InvIT Regulations, InvITs whose aggregate consolidated borrowings and deferred payments exceed 49 percent shall disclose the following items in addition to the financial disclosures stipulated by circular CIR/IMD/DF/127/2016 dated November 29, 2016:

  1. Asset cover available;
  2. debt-equity ratio;
  3. debt service coverage ratio;
  4. interest service coverage ratio;
  5. net worth;

The aforesaid amendments are aimed at providing flexibility to the issuers in terms of fundraising and increasing the access of these investment vehicles to investors.

Source: https://www.sebi.gov.in/web/?file=https://www.sebi.gov.in/sebi_data/attachdocs/apr-2019/1556017751762.pdf#page=1&zoom=auto,-16,800

Draft Enabling Framework for Regulatory Sandbox

In July 2016 the Reserve Bank of India (RBI) had set up an inter-regulatory Working Group to look into and report on various aspects relating to fintech. One of the key recommendations of the Working Group was the introduction of an appropriate framework for a regulatory sandbox. Accordingly, on 24 April 2019, the RBI released a Draft Enabling Framework for Regulatory Sandbox (“Draft Framework”).

Before we proceed with the details of the Draft Framework, it is important to understand the concept of a regulatory sandbox. A regulatory sandbox (RS) refers to live testing of new products or services in a controlled/tested regulatory environment, for which the regulators may permit certain relaxations in the regulations for the limited purpose of testing. The RS allows entities to test their product in a controlled environment before a wider-scale launch. Thus, at its core, the RS is a formal regulatory programme for market participants to test new products, services and business models with customers in a live environment, subject to certain safeguards and oversight. Further, the RBI in its Working Group Paper also discussed the concept of an ‘innovation hub’, which provides support, advice or guidance to regulated or unregulated firms in navigating the regulatory framework or identifying legal issues.

Eligibility criteria of an applicant

The Draft Framework lays down the eligibility criteria for participating in the RS. The target applicants for entry into the RS are fintech firms which meet the Government's prescribed conditions for a start-up. The focus of the RS is to encourage innovation where (a) there is an absence of regulations, (b) there is a need to temporarily ease the regulations for the proposed innovation, and (c) the proposed innovation shows promise of easing the delivery of financial services.

The RS shall begin the testing process with 10-12 selected entities chosen through a comprehensive selection process, which is detailed under the ‘Fit and Proper criteria for selection of participants in the RS’. The entities should satisfy the following conditions: (a) the entity should be a company incorporated and registered in India and should be a “Start up”, (b) the entity should have a minimum net worth of Rs 50 lakhs as per its latest audited balance sheet, (c) the promoters/directors of the entity should be fit and proper, and a declaration should be made to that effect, (d) the conduct of the bank accounts of the entity as well as of its promoters/directors should be satisfactory, (e) a satisfactory CIBIL or equivalent credit score of the promoters/directors of the entity is required, (f) the applicant should show that its product/services are ready for deployment in the broader market, (g) the entity should demonstrate arrangements to ensure compliance with regulations on consumer data protection and privacy, and (h) the entity should have adequate safeguards in its IT systems to ensure the safety of data and records.

The fintech solution proposed by the applicant should highlight the existing gap in the financial system and demonstrate that there is a regulatory barrier that prevents the deployment of the product/service. Additionally, the applicant should clearly define the test scenarios and the expected outcomes of the sandbox experimentation, along with an acceptable exit and transition strategy in case the fintech-driven solution is discontinued or deployed on a broader scale after exiting the RS. To this effect, the applicant is required to share the results of the proof of concept/testing of use cases, including any relevant prior experience, before being admitted into the RS for testing.

Design features of the RS

The RS may run a few cohorts (i.e., end-to-end sandbox processes), with a limited number of entities in each cohort testing their products within a stipulated time. The RS shall be based on different subjects, focusing on areas such as financial inclusion, payments, digital KYC, etc. Though these cohorts may run for varying periods, each should ordinarily be completed within 6 months.

The innovative products/services which could be considered for testing under the RS would include retail payments, money transfer services, marketplace lending, digital KYC, financial advisory services, smart contracts, cybersecurity products, etc. The innovative technologies which could be considered for testing under the RS would include data analytics, API services, applications using blockchain, AI and machine learning applications and mobile technology applications.

Regulatory requirements for RS applicant and exclusions from RS

The regulatory requirements which shall be mandatorily adhered to by the applicant are: (a) customer privacy and data protection, (b) security of transactions, (c) KYC/ AML/ CFT requirements, (d) secure storage of and access to payment data of stakeholders, and (e) statutory requirements.

However, an entity would not be suitable for the RS if the proposed financial service is similar to a product/service/technology which is already being offered in India, unless the applicant can show that either a different technology is gainfully applied or the same technology is being used in a more effective and efficient manner. Accordingly, the Draft Framework has put together an indicative negative list of products/services/technologies which may not be accepted for testing. The list includes businesses related to credit registries, credit information, crypto-currency, initial coin offerings and chain marketing services.

Extending or Exiting the RS

In case the sandbox entity requires an extension of the sandbox period, it shall apply to the RBI within one (1) month before the expiry of the sandbox period. Further, the RBI at its discretion can discontinue RS testing for an entity if it does not achieve the intended purpose or if the entity is unable to comply with the relevant regulatory requirements. The sandbox entity may exit the RS on its own by informing the RBI one week in advance.

Boundary conditions, transparency, and consumer protection

A sandbox must have a well-defined space and duration within which the proposed financial services are to be launched, and the boundary conditions for the RS shall include the start and end date of the RS, target customer type, a limit on the number of customers involved, transaction ceiling, and cap on customer. Further, the RBI shall communicate the entire RS process, including the launch, theme of the cohort, and entry and exit criteria, on its website to ensure transparency. As stated earlier, before discontinuing/exiting the RS, the sandbox entity shall ensure that it meets all its existing obligations towards its customers; entering into an RS does not limit the liability of the entity towards its customers.

Sandbox process and stages

The end to end sandbox process, including the test of the products/ services shall be overseen by the FinTech Unit (FTU) at RBI, and the stages involved in the RS are as follows:

  • Stage 1: Preliminary Screening (4 weeks) – The FTU shall ensure that the applicant clearly understands the objectives and principles of the RS. In this phase the applications received by the FTU are evaluated, and those which meet the eligibility criteria are shortlisted.
  • Stage 2: Test Design (3 weeks) – In this phase the FTU finalises the test design through iterative engagement with the applicant and identifies the outcome metrics for evaluating the evidence of risks or benefits.
  • Stage 3: Application Assessment (3 weeks) – In this phase the FTU vets the test design and proposes regulatory modifications, if any.
  • Stage 4: Testing (12 weeks) – The testing may last for a maximum of 12 weeks. In this phase, the FTU generates empirical evidence to assess the test conducted.
  • Stage 5: Evaluation (4 weeks) – The final evaluation of the outcome of testing the products/services/technology is confirmed in this phase by the RBI. The FTU shall assess the outcome report and decide whether the product/service is viable and acceptable under the RS.

Statutory and legal issues

If the applicant is admitted by the FTU into the RS, the entity would be provided with appropriate regulatory support by the RBI in the form of relaxation of specific regulatory requirements for the duration of the RS. However, the RBI shall not bear any liability arising from the RS process, and any liability arising from the experiment has to be borne by the entity alone. Further, on exiting the RS or on completion of the RS process, the sandbox entity should fully comply with all the relevant regulatory requirements.

Sources:

  1. https://m.rbi.org.in/scripts/PublicationReportDetails.aspx?UrlPage=&ID=920#A_2
  2. Report of the Working Group on FinTech and Digital Banking: https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

Valuation for issuance of shares: Which method to choose?

Determining the fair market value (FMV) of unquoted shares may prove challenging for companies owing to the choice of valuation method. There have been multiple rulings by the Income Tax Appellate Tribunal (the “ITAT”) wherein the methodology adopted by the company for the valuation has been rejected on the grounds of being non-substantial. However, a few rulings have also been in favour of companies, where the ITAT has quashed the argument of the Assessing Officer (the “AO”), stating that the tax authorities can scrutinise the valuation report to the extent of finding arithmetical mistakes, but cannot compel a taxpayer to choose the method of valuation.

Despite valuation practice having been prevalent in India for the last six decades, there is no specific guidance on it, and the debate continues as to the method to be followed.

Valuation Methods as per Rule 11UA of Income Tax Rules, 1962

As per Rule 11UA of Income Tax Rules, 1962, Companies have an option to adopt either the Net Asset Value (the “NAV”) method or the Discounted Free Cash Flow (the “DFCF”) method for valuation purpose. On 24 May 2018, the Central Board of Direct Taxes (CBDT) has amended the Income Tax Rules, 1962, by omitting the words “or an accountant” from rule 11UA(2)(b). As a consequence of such amendment, now only a merchant banker can independently determine the FMV of the unquoted equity shares by using the DFCF method and an accountant is no longer eligible to do this valuation.

Various Case Laws pertaining to the Valuation Methods opted by Companies

Case 1: In the case of M/s. TUV Rheinland NIFE Academy Pvt. Ltd., Vs. The Income Tax Officer, the Company had issued 5,00,000 shares having face value of INR 100 each, at a premium price of INR 479 per share, to its parent, TUV Rheinland (I) Pvt. Ltd. (“TUVR India”). The Fair Market Value (the “FMV”) of the shares was computed as Rs. 479 as per the DFCF Method which was based on the projections of the company’s future cash flows.

The Assessing Officer (the “AO”) rejected the valuation report on the grounds that the values were certified by the management of the taxpayer. Further, the AO computed the FMV based on the NAV and concluded that the FMV should be INR 84.20 per share. Hence, the AO passed an order wherein an addition of INR 19.74 crore was made to the taxpayer’s income. Such an addition was made under section 56(2)(viib) of the Income Tax Act, 1961.

The ITAT concluded that the AO had not rejected the choice of valuation method but the valuation itself, on the ground that it was non-substantial and that no proof had been given for the basis of the estimates provided in the valuation. Further, the ITAT also observed that the actual figures bore no relation to the projections made. Thus, the arguments of the Company were rejected, and reference was drawn to the ruling in Agro Portfolio Pvt. Ltd v. ITO, wherein the AO can carry out its own independent valuation and adopt the NAV method for this purpose after rejecting the original valuation by the Company.

Case 2: In the case of Innoviti Payment Solutions Pvt. Ltd. vs. ITO, the Company had issued 10,42,658 shares having face value of INR 10 per share at premium of INR 23.50 per share. The FMV was determined by a Chartered Accountant through the DFCF method.

The same was rejected by the AO, who noted that the accountant had taken the cash flows as certified by the management and that the projections were not verified by the valuer. Further, the AO added that the company had failed to provide any basis for the projections and that the management had clearly ignored factors such as performance, growth prospects, earnings capacity, etc. The Bangalore Bench of the ITAT ruled that the projections made in the valuation report should be supported with reasonable certainty, and that in its absence the valuation report shall be deemed unworkable.

A similar contention was also drawn in the case of 2M Power Health Management Services Pvt. Ltd. vs. ITO.

Case 3: Contrary to Case 1 and Case 2 above, the Bombay High Court in the case of Vodafone M Pesa Ltd. v PCIT ruled that the AO does not have the authority to reject the method of valuation already adopted by the taxpayer. It held that the AO has the power to scrutinise the valuation report and point out any arithmetical error in it, but cannot compel the taxpayer to choose an entirely different valuation method.

The Income Tax Rules, 1962 give the taxpayer the option to choose either the DFCF or the NAV method of valuation. Thus, the AO could not adopt a method of his choice, especially when Rule 11UA gives the taxpayer the option to choose the method of valuation. Doing so would render clause (b) of Rule 11UA(2) purposeless.

The Jaipur Bench of the ITAT had delivered similar rulings in the cases of Rameshwaram Strong Glass Pvt. Ltd. vs. ITO and ACIT vs. Safe Decore Pvt. Ltd.

Concluding thoughts

Based on the various rulings, it can be concluded that the tax authorities do not have the power to order the taxpayer to adopt any particular method of valuation. The taxpayer has the right to choose the DFCF method or the NAV method for valuation as mentioned in the Income Tax Rules, 1962. However, it should be noted that the taxpayer should be able to provide reasonable information to substantiate the projections certified by the management. Since the valuation report shall be subject to scrutiny, the valuer should verify the parameters taken into consideration in preparation of the valuation report and should be in a position to justify the same.

Authors: Alivia Das and Shivani Handa

Extension of due date for filing ACTIVE form

On 21 February 2019, the Ministry of Corporate Affairs (the MCA) had mandated all companies incorporated prior to 31 December 2017 to file Active Company Tagging Identities and Verification (Form INC 22A Active) on or before 25 April 2019. However, after considering the representations received from various stakeholders, the MCA, vide its Notification dated 25 April 2019, has extended the due date for filing Form INC 22A Active till 15 June 2019.

Source: http://www.mca.gov.in/Ministry/pdf/CompaniesIncorporationFourthAmendmentRules_25042019.pdf

Amendment to Regulations on Institutional Trading Platform- Innovation Growth Platform 1.0

Background

In the year 2016, the Securities and Exchange Board of India (SEBI) had introduced the Institutional Trading Platform, vide an amendment to the SEBI (Issue of Capital and Disclosure Requirements) Regulations, 2009 (SEBI ICDR Regulation), to facilitate the listing of start-ups in sectors like e-commerce, data analytics and bio-technology so that they could raise funds and have their shares traded on stock exchanges. However, due to strict norms and the inability to access the platform, this initiative was not effective. To kick-start the listing of securities by start-ups, with effect from 5 April 2019, SEBI further amended the SEBI ICDR Regulation (Amendment Regulation). The Amendment Regulation has been notified to bring change to the start-up ecosystem by making the platform more accessible and more attractive for new-age ventures.

Key Changes

SEBI has tweaked the existing listing norms of the Institutional Trading Platform and has made the following changes:

For each particular, the old provision and the amended provision are set out below.

Change of name
    Old provision: Earlier it was known as the Institutional Trading Platform (ITP).
    Amended provision: The platform has been renamed the ‘Innovators Growth Platform’ (IGP).

Eligible issuers
    Old provision: In addition to start-ups, any company having Qualified Institutional Buyers (QIBs) as shareholders to the extent of at least 50% of its pre-issue capital was eligible to list on the ITP.
    Amended provision: The IGP has been designed to facilitate the listing of companies that provide products and services or business platforms in the areas of technology, information technology, intellectual property, data analytics, bio-technology or nano-technology; such companies are eligible to list on the IGP.

Shareholding requirement
    Old provision: At least 25% of the pre-issue capital to be held by QIBs.
    Amended provision: Listing can be done by way of an IPO or even without an IPO process.
      (a) IPO process: At least 25% of the pre-issue capital (for at least 2 years) to be held by either: (a) QIBs; (b) a pooled investment fund with minimum assets under management of USD 150 million (subject to meeting other prescribed criteria for such pooled investment fund); (c) accredited investors (not more than 10%); (d) Cat III FPI; or (e) family trusts with net worth of more than INR 500 Crores.
      (b) Without IPO process: no such minimum offer to the public is required.

Post-issue shareholding
    Old provision: Earlier, there was a requirement that no person, individually or collectively with other persons acting in concert, hold 25% or more of the post-issue capital.
    Amended provision: This requirement has been done away with.

Minimum application size
    Old provision: INR 10 lakh
    Amended provision: INR 2 lakh (this brings relaxations)

Allocation
    Old provision: 75% to institutional investors, 25% to non-institutional investors
    Amended provision: There is no minimum reservation requirement. Also, the allocation will be on a proportionate basis to institutional and non-institutional investors.

Minimum number of allottees
    Old provision: 200
    Amended provision: 50

Minimum trading lot
    Old provision: INR 10 lakh
    Amended provision: INR 2 lakh


Conclusion

Though very few, of late we have seen some tech companies like Tejas Networks, Koovs, Matrimony.com, etc. take the IPO route to raise funds. Despite the vagaries of the market, going public not only provides recognition but also shows that the start-up is beyond mortality. The Amendment Regulations have tried to simplify the listing norms, and with this SEBI intends to attract a greater number of investors to the IGP and aims to provide a much-needed boost to start-ups looking to access the capital markets.

Source: https://www.sebi.gov.in/legal/regulations/apr-2019/securities-and-exchange-board-of-india-issue-of-capital-and-disclosure-requirements-second-amendment-regulations-2019-_42644.html

Cyber-Security: The Vulnerability of Medical Institutions to Cyber-Attacks

McAfee researchers were able to modify vital sign data in real time, providing false information to medical personnel by switching the heartbeat records from 80 beats a second to zero within five seconds. You may have woken up to news that the Medstar patient records database was subjected to a ransomware cyber-attack and that the hospital was asked to pay in bitcoins. Unfortunately, the hospital did not have a backup of its medical records, and in some cases it had to turn away patients. These incidents, unfortunately, are not stray incidents.

There are various technologies converging and a rapid increase in machine to machine communications.

It is predicted that by 2025, most hospitals will have the ability to network connect more than 90% of their devices.

However, many hospitals are yet to make their data security systems robust. Data privacy and data security are the two important pillars that need urgent consideration. Just as financial data is loved by cybercriminals, health data is becoming a gold-mine for cyber offenders, especially when hospitals run on legacy systems or have no dedicated framework or surveillance over their own data.

Personally identifiable data is information that identifies an individual, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.[i]

A number of cyber-attacks on medical institutions are initiated to extract electronic health records (EHRs). These EHRs may contain personal health information of the patients, their medical history, diagnosis codes, billing information, etc., which can be exploited by cyber offenders in various ways, for instance to extract a ransom from the medical institution, or to create fake IDs to buy medical equipment or medication that is sold only on prescription and can be resold.

Take this example. On 12 May 2017 a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. The ransomware attack also affected 80 out of 236 trusts (medical institutions under the NHS); a further 603 primary care and other National Health Service (“NHS”) organisations, including 595 general practitioners, were infected with the ransomware. The trusts affected by the WannaCry ransomware faced issues like patient appointments being cancelled, computers being locked out, diversion of patients from accident and emergency departments, etc.

As reported in the investigation report on the WannaCry ransomware attack on NHS, published by the National Audit Office (“NAO”, an independent parliamentary body in the United Kingdom), all NHS organisations infected with the WannaCry virus had unpatched or unsupported Windows operating systems. NHS Digital (a national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care in England) informed the NAO that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), though there were no instances of the ransomware spreading via NHS mail (the NHS email system).

In India, as reported by multiple news agencies, in June last year the Mahatma Gandhi Memorial Hospital, Mumbai (a trust-run hospital, “MGM Hospital”) was affected by a similar cyber-attack, where the hospital administrators found their systems locked and noticed an encrypted message from the attackers demanding a ransom in Bitcoins to unlock them. It was reported that the MGM Hospital had lost 15 days’ data related to billing and patients’ history, though the hospital didn’t face any financial loss.

Once these cyber offenders have access to the EHRs, they hold the systems of the medical institution hostage for ransom by encrypting them, rendering the systems completely inaccessible and unusable for the victimised medical institution. The vulnerability to such cyber-attacks arises for many reasons, such as outdated digital infrastructure or medical personnel not being aware of or trained about cyber-attacks. Cyber offenders may gain access to medical institutions’ systems in various ways, sometimes as simple as (a) using a USB drive, (b) exploiting vulnerable or expired software, (c) stealing medical personnel’s mobile devices, (d) hacking emails, or (e) phishing. It is time that our healthcare providers upgrade their technologies, networks and understanding of this subject.

Regulatory bodies across the world have suggested or adopted guidelines and standards to ensure the necessary cybersecurity processes and controls, which help medical institutions mitigate cyber risks and vulnerabilities. For the purpose of this article we will primarily focus on the various safeguards and standards put in place by the European Union and India to deal with such cyber-attacks.

Position in Europe

As a part of the EU cybersecurity strategy, the European Commission adopted the EU Network and Information Security Directive (“NIS Directive”) on 6 July 2016 and the same came into force in August 2016. As the NIS Directive is an EU directive every member state had to adopt a national legislation which would transpose the NIS Directive by 9 May 2018 and identify operators of essential services under the transposed law by 9 November 2018.

The NIS Directive has three major parts to it (i) national capabilities, (ii) cross-border collaborations and (iii) national supervision of the critical sectors including health.

  • National Capabilities: The NIS Directive mandates every member state of the EU to have certain cybersecurity capabilities, e.g. it is a mandate for every member state to have a national Computer Security Incident Response Team (“CSIRT”).
  • Cross Border collaborations: The NIS Directive encourages collaborations between EU member states like the EU CSIRT network, the NIS cooperation group, ENISA etc.
  • National Supervision of critical sectors: As per the NIS Directive every member state shall supervise the cybersecurity of critical market sectors in their respective country including health sector.

Further, as a part of the NIS Directive, the NIS cooperation group, through ENISA, has developed guidelines regarding (i) identification criteria for cyber-attacks, (ii) incident notification, (iii) security requirements for Digital Signal Processors (DSPs), (iv) mapping of operators of essential services (OES) security requirements for specific sectors including health, and (v) audit and self-assessment frameworks for OESs and DSPs.

With a view to prescribing certain standards of safety and quality, three recognised EU standards organisations were set up, namely (a) the European Committee for Standardisation (CEN), (b) the European Committee for Electrotechnical Standardization (CENELEC) and (c) the European Telecommunications Standards Institute (ETSI). By setting common standards across the EU, CEN, CENELEC and ETSI ensure the protection of consumers, facilitate cross-border trade, ensure the interoperability of goods/products, encourage innovation and technological development, include environmental protection and enable businesses to grow.[ii]

The General Data Protection Regulation (“GDPR”)[iii] specifically defines ‘data concerning health’, ‘genetic data’ and ‘biometric data’ and regards them as ‘special categories of data’. This means that parties processing special categories of data shall comply with additional, higher safeguards and process such data legitimately. Recital 53 of the GDPR states that special categories of personal data which merit higher protection should be processed for health-related purposes only.

Position in India

Personal medical/health information in India is regarded as sensitive personal information as per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (“Rules”).

The Indian legislature took an important step towards addressing issues relating to cyber security when it amended the Information Technology Act, 2000 in 2008, thereby establishing the Indian Computer Emergency Response Team (CERT), a national agency for incident response. CERT is primarily responsible for handling cyber security incidents occurring in India and analysing information related to cyber-crimes, but among other things CERT also issues guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents[iv].

CERT-India has been entrusted with performing the following main functions (a) collecting, analysing and disseminating of information on cyber incidents, (b) forecasting and giving alerts on cyber security incidents, (c) laying down emergency measures for handling cyber security incidents, (d) coordinating cyber incident response activities, (e) issuing guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents, and (f) performing any other functions relating to cyber security as may be prescribed[v].

Over the last five years or so, CERT-India has focused on making institutions which are highly dependent on cyber/digital networks ‘cyber resilient’. Cyber resilience is nothing but the process of effectively anticipating various threats and having a mechanism for dealing with cyber-attacks. Anticipate, withstand, contain and recover are the 4 main contours of being cyber resilient[vi]:

  • Anticipate: Maintain a state of informed preparedness in order to forestall compromises of mission/ business functions from adversary attacks
  • Withstand: Continue essential mission/business functions despite successful execution of an attack by an adversary
  • Contain: Localize containment of crisis and isolate trusted systems from untrusted systems to continue essential business operations in the event of cyber attacks
  • Recover: Restore mission/business functions to the maximum extent possible subsequent to successful execution of an attack by an adversary
  • Evolve: To change missions/business functions and/or the supporting cyber capabilities, so as to minimize adverse impacts from actual or predicted adversary attacks

To strengthen the framework and to ensure that reasonable security practices and procedures are followed, the Department of Information Technology introduced the Rules. The Rules require every body corporate, including medical institutions, that collects such sensitive personal information to implement the security measures documented in its security policy/programme; this is considered a reasonable security practice, having regard to the nature of the business and the fact that sensitive personal information is being collected. One international standard recommended under the Rules is IS/ISO/IEC 27001.

Taking a step further, the Ministry of Health and Welfare has introduced a draft bill, the Digital Information Security in Healthcare Act (“DISHA”). One of the key purposes of DISHA is to ensure the reliability, privacy, confidentiality and security of digital health data. DISHA prescribes that digital health data so collected would be held in trust for its owner, and that the holder of such data would be considered its custodian, thereby making the holder responsible for protecting the privacy, confidentiality and security of the data.

To bring it all together:

The majority of cyber-attacks reported worldwide are caused by reasons which are sometimes trivial and often ignored, such as an outdated Windows operating system patch, the lack of proper anti-virus software, phishing, or a lack of awareness among people about cyber security.

The EU, through the GDPR, has made data security an integral part of law, and India is taking strong steps to have a robust data protection and data security law. The various regulations, programmes, codes, standards etc. discussed in this article are some of the indicative steps that can be implemented.

Law is just one part of solving the issue. The real question is: who is responsible for the safety of our personal data, commercial data, data assets etc.? We secure our houses with locks, burglar alarms and video cameras because the house owner wants to protect them. Similarly, individuals, organizations, healthcare personnel, hospitals and other institutions that collect health data for various reasons should be aware of the various cyber-threats and have to take steps to safeguard their networks and systems from such threats.

References:

[i] Article 4.1, General Data Protection Regulations (GDPR).

[ii] CENELEC, Marketing Standards for Europe, available at: https://www.cencenelec.eu/aboutus/Pages/default.aspx

[iii] GDPR (2016/679) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.

[iv] Section 70B(4) of the Information Technology Act, 2000.

[v] Supra footnote 1.

[vi] CERT-In, Cyber Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism.


This article was first published at Innohealth Magazine, Volume IV Issue II