Monday, June 27, 2011

Caveat Emptor?

The bank was taken aback by the order of the IT Secretary of Tamil Nadu, acting as the adjudicator under the Information Technology Act, when he directed the bank to pay Rs 12.85 lacs as compensation to an Abu Dhabi based NRI for the loss he suffered in a “phishing fraud”. (1)

“Phishing” is a security risk that many computer users are becoming familiar with. In this case the account holder received an email that appeared genuine, asking him to provide the userid and password for his internet banking account to avoid his account being closed. He parted with these details and lost about Rs 7,00,000 from his account.

The bank took the view that the loss was on account of the carelessness of the account holder and refused any compensation, as it had advised all account holders not to part with their userid and password to anybody. How could he be so irresponsible as to give away his password and then claim that the bank should compensate him? But the adjudicator did not agree with this point of view.

This is an interesting dilemma for all entities like banks and depositories that provide online service to their clients. Where does their liability end for the loss suffered by their clients? Under what circumstances will they continue to be liable even if the loss was the outcome of a failure by the account holder?

Similar issues have arisen with respect to offline transactions too: for example, the loss suffered by credit card holders on account of misuse of their card details, or the loss of money from a bank account through fraudulent instructions.

One of the accepted doctrines in legal theory is that the entity best equipped to manage a risk should be liable for the loss arising out of that risk. This doctrine has been followed not just in online transactions. It has been used in fixing liability for workplace accidents, accidents in amusement parks and so on.

For many this may look very unfair. Shouldn’t the responsibility of the service provider end when it has put in place risk containment measures and warned the users about the potential risks? Why should it bear the brunt of a fraud when ingenious souls manage to find a way around the protective walls?

There are studies comparing the incidence of banking fraud between countries that place the primary responsibility on the service provider and those that place it on the customer. These studies showed that where the legal structure supported the above doctrine, the extent of fraud was much less. The service providers continuously upgraded their risk containment systems, as they could not hide behind the “fine print” in the forms they make their clients sign and the disclaimers they publish. They cannot limit their risk with firewalls and demilitarized zones in their data centers. They have no option but to be innovative in saving their clients from their own foolishness. They are forced to look for patterns, trends and exceptions, track the locations from which transactions originate, raise alerts when exceptions occur and so on. But if a client still suffers a loss, he is compensated unless they can prove the customer's connivance or involvement. We can’t just declare “Caveat Emptor”.

Risk management therefore becomes a managerial decision, perhaps more than a technical solution. (Read on Digital Security – Business, People and Economics for some more thoughts on this.)

Ref: (1) https://indialawnews.org/tag/human-rights/

"Customers don't expect you to be perfect. They do expect you to fix things when they go wrong." Donald Porter, British Airways


Sunday, June 12, 2011

Matter of Right

The Government of India has put out a draft bill on Electronic Service Delivery (ESD) for public comments. The key features of this scheme are:

i) Every department of the government should mandatorily make its services to citizens available through electronic mode.

ii) This ESD should be made operational within five years of enactment of this bill. Extension for another three years will be allowed if there are valid reasons for this delay.

iii) Within six months of enactment of this bill, every department should publish the list of services which will come within the ESD commitment.

iv) As in the case of the Right to Information Act (RTI), the proposed ESD act provides for Commissions at the centre and state level to ensure that the expectations under the act are delivered and that failure is met with punitive action.

This right to ESD, proposed to be guaranteed under an act of Parliament, can be seen as the maturing of the various e-Governance initiatives that the government has been taking in a variety of fields for more than a decade. India is considered a powerhouse in the field of ICT, and we practically run the back-office operations for the whole world. Given this, it should be an easy target. But is it?

The World e-Government ranking undertaken by the United Nations gives India a rank of 119 out of the 192 countries it surveyed in 2010. As my friend Neel pointed out, “How come even after more than a decade of e-Gov initiatives at the highest level, we still want six months for all departments to publish the list of services they can make available electronically and we need five to eight years for this to fructify?” The reasons are many, but the following appear to be the most fundamental of them.

i) Many of the e-Gov initiatives are computerization of the existing operations of the departments, heavily accented towards MIS reports for internal consumption and upward reporting.

ii) Processes were not fine-tuned with a citizen focus. Committed service levels or actual performance levels were seldom benchmarked or published.

iii) Solution implementation was more activity based than outcome based. Often vendors saw their role as software developers or as hardware suppliers and not as service providers.

iv) More attention was given to the automation of the front end without getting the back end streamlined and automated. In many instances sufficient consideration was not given to building an electronic repository of the records and masters, or to ensuring high data quality, which are the foundation blocks for electronic service delivery.

This problem is not unique to government computerization efforts. In many private sector companies computerization took the same route. To begin with, the computer was a perk and a status symbol for the boss. Then it became a department initiative. Only much later did an integrated corporate-wide strategy evolve in progressive companies.

Similarly, in government it initially started as a privilege for the big bosses. Then it became a department initiative, left to the interest of the head of the department. Integrated service delivery is still a dream. (Read on "India gets a CIO - Part II".)

Now, when we attempt to make electronic service delivery a matter of right, we have to give more attention to the lacunae highlighted above. Otherwise we will not be able to live up to our promise or the expectations of our citizens, and the commissioners will end up inundated with grievances.

Picard: Come back! Make a difference!
Kirk: I take it the odds are against us and the situation’s grim.
Picard: You could say that.
Kirk: If Spock were here, he’d say that we are irrational, illogical human beings for going on a mission like this... Sounds like fun!

-Star Trek: Generations
