Monday, May 22, 2017

Cyber ransom attack: why lawyers and courts should worry more

When I was a student at an undergraduate law college, we were never sent for internships by the colleges, to be more specific, the traditional university-colleges, whose duty was limited to holding classes and yearly (and not semester) examinations and giving us students the degree certificates. Children of lawyers and judges had a smooth path to the courts and to the practice through their parents. Many of us whose parents were not lawyers used to hang out with these friends to get references to join other law firms or lawyers. We juniors had to do a lot of paperwork and physical work to retain our jobs: we had to take notes from our seniors and their clients, make files to put the papers in proper sequence, make notes from the books to help the seniors with the next day’s arguments, and sit with the stenographer-cum-computer operator to help him understand our illegible handwriting to make notices, petitions, affidavits etc. Most of the time, these computer operators had their own files saved for specific formats. We had to narrate to him/her the names of the parties, the case numbers, and special points that might make the case very different from the format stored there. 90% of these computers were not connected to the internet. They were used for file storing only. I doubt whether, way back in 1999-2001, many government offices had computers used for anything other than file storing. It was mainly for this reason that the earlier version of our Information Technology Act, 2000 did not have specific provisions on damaging a computer network system, hacking, or unauthorised access to a computer through spreading malware etc. This is evident from the modern version of S.43 of the Information Technology Act (which was amended vide the Information Technology Amendment Act, 2008), which speaks about penalties and compensation for damage to computer, computer system etc. However, these “file storing” computers were prone to virus attacks from external devices including floppies.
We also did have a few personal computers in lawyers’ offices which were connected to the internet to receive mails, mainly instructions from overseas clients or clients staying outstation. But these were considered a “luxury”, and these lawyers were considered that special group of lawyers who were “cyber savvy”, not because they could produce electronic evidence, because at that time mails/messages/call logs were hardly recognised as proper evidence even though we had the amendment-wave touching the traditional Evidence Act as well, but because they could go back to their chambers and see instant communications/instructions from their clients and were able to bring back something called “printed emails”, not as evidence, but as a reference-note. Right at this time 9/11 happened in the US and everyone, including us lawyers, suddenly became alert about cyber security. But still, we got to see heavily protected lawyers’ bureaus and desks which contained the most confidential data about their clients. It was not the soft copies, but the papers and in some cases, some physical objects like a knife or a piece of cloth etc. which used to attract our attention as “sensitive”, “confidential” materials which might turn the lives of the clients as well as ours if we assisted our seniors in protecting these as best evidence. With the change of time, almost all lawyers became cyber savvy in this way or that, especially because we started storing the confidential data of the clients in soft copies.
Now, let us understand what is meant by sensitive information which may be considered part of confidential data. S.3 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 defined sensitive personal data as:
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.
But importantly, this definition also includes a third party, i.e., the “body corporate” for providing services. Now, let us check the definition of body corporate, which is given under S.43A of the Information Technology Act, 2000 (amended in 2008). It says in explanation (i): "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. A very broad interpretation of this may include lawyers as well, who may provide professional counselling.
But without going into the examination of whether lawyers may be held responsible as body corporates in the strict sense, I would like to emphasise the point that lawyers also collect confidential data and they are at risk of security infringement too. In my recently published writeup “the ransom attack that may make the women cry” published in the WION news @ I mentioned that every data saver, including lawyers, may also be at risk of any sort of malware attack. As such, when lawyers store confidential, including sensitive, data about clients, they must be ethically bound to protect it against any such cyber attack as well.
Now, we may also need to shift our attention to the courts as storehouses of data. Presently, courts have widened the options for filing cases or getting access to judgements or orders by creating court websites, which may work not only as a storehouse of information for millions of justice seekers, but also as an information house for millions of lawyers, law students and researchers. Unlike lawyers, who may maintain strict confidentiality about the data/information provided to them by their clients for litigation purposes, we often get to see information being exposed on the court websites, especially in the case of judgements. The recent understanding of the courts has, however, made it mandatory to keep the party’s name confidential when the case is about child sexual abuse or victimisation of women. But even then, the courts play a major role in storing confidential data about the litigants, which, if exposed, may put the lives and reputation of justice seekers at stake.
Surprisingly, the Information Technology Act, 2000 (amended in 2008) has not emphasised this issue separately. The chapters, including chapter IX, which speaks about penalty, compensation and damage to the computer, computer system, network etc., the liability to protect the data and the penalty for failure of the same by the body corporate, the power to adjudicate etc., and chapter XI, which speaks about the offences, speak about the liability of the data-storing houses, individual perpetrators and government stakeholders to intercept etc., but do not specifically mention categories of service sectors and their liabilities.
While it has been upheld that lawyers will come under the scope of the Consumer Protection Act unlike doctors or health sector stakeholders like the hospitals or clinics, we must understand that by saying this, we cannot escape our moral duties to protect the clients’ or litigants’ vital information which may be stored with lawyers or in the digital storehouses of the courts. In fact, as I mentioned in the write-up mentioned above, each of these sectors, including lawyers and courts, may be attacked by cyber perpetrators who are now playing a crucial role in “hacxtortion: hacking and extortion” (as was coined by me in the above writeup) of money for giving back the encrypted files. We have already seen that the National Health Service in the United Kingdom has been badly affected by this ransom malware. It is high time that lawyers, law firms and courts audit their cyber security to save the valuable data and take preventive steps against such ransom attacks.