Procedures For Applying For Authorisation And Recognition Of Collective Investment S: Fill & Download for Free

India does not have a dedicated cybersecurity law. The Information Technology Act 2000 (the IT Act) read with the rules and regulations framed thereunder deal with cybersecurity and the cybercrimes associated therewith. The IT Act not only provides legal recognition and protection for transactions carried out through electronic data interchange and other means of electronic communication, but it also contains provisions that are aimed at safeguarding electronic data, information or records, and preventing unauthorised or unlawful use of a computer system. Some of the cybersecurity crimes that are specifically envisaged and punishable under the IT Act are hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft.In accordance with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (the CERT Rules), the Computer Emergency Response Team (CERT-In) has been established as the nodal agency responsible for the collection, analysis and dissemination of information on cyber incidents and taking emergency measures to contain such incidents.Other relevant rules framed under the IT Act in context of cybersecurity include:the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the SPDI Rules), which prescribe reasonable security practices and procedures to be implemented for collection and the processing of personal or sensitive personal data;the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018 (the Protected System Rules), which require specific information security measures to be implemented by organisations that have protected systems, as defined under the IT Act. More information on protected systems is provided in ‘Scope and jurisdiction’; andthe Information Technology (Intermediaries Guidelines) Rules, 2011 (the Intermediaries Guidelines), which require intermediaries to implement reasonable security practices and procedures for securing their computer resources and information contained therein. The intermediaries are also required to report cybersecurity incidents (including information relating to such incidents) to CERT-In.Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860 (IPC), which punishes offences, including those committed in cyberspace (such as defamation, cheating, criminal intimation and obscenity), and the Companies (Management and Administration) Rules 2014 (the CAM Rules) framed under the Companies Act 2013, which requires companies to ensure that electronic records and security systems are secure from unauthorised access and tampering.In addition to the above, there are sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India Act 1999 (IRDA), the Department of Telecommunication (DOT) and the Securities Exchange Board of India (SEBI), which mandate cybersecurity standards to be maintained by their regulated entities, such as banks, insurance companies, telecoms service providers and listed entities.Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?Regulated entities operating in sensitive sectors, such as financial services, banking, insurance and telecommunications, have exhibited higher standards of cybersecurity preparedness and awareness, partly because of regulatory intervention as well as voluntary compliance with advanced international standards. Sectors such as e-commerce, IT and IT-enabled services that have seen infusion of foreign direct investment have also proactively deployed robust cybersecurity frameworks and policies to counter the evolving nature of cyber fraud as they have borrowed advanced cybersecurity practices and procedures from their parent entities in the United States, the European Union and other matured jurisdictions.With the rise of digital payments, cybercrimes involving payment transactions in the online space have significantly increased and become complex. While the RBI has been active in requiring companies operating payment systems to build secure authentication and transaction security mechanisms (such as 2FA authentication, EMV chips, PCI DSS compliance and tokenisation), given that these payment companies often offer real-time frictionless payments experiences to their consumers, it leaves less time for banks and other entities operating in the payment ecosystem to identify and respond to cyberthreats. In light of the above, there is an increased need to identify and develop cybersecurity standards commensurate with the nature of information assets handled by them, and the possible harm in the event of any cybersecurity attack, to ensure that these emerging risks are mitigated.Has your jurisdiction adopted any international standards related to cybersecurity?Yes, the SDPI Rules framed under the IT Act require body corporates that handle sensitive personal data or information to implement 'reasonable security practices and procedures' by maintaining a comprehensive documented information security programme. This programme should include managerial, technical, operational and physical security control measures that are commensurate with the nature of the information being protected. In this context, the SPDI Rules recognise the International Standard ISO/IEC 27001 on Information technology – Security techniques – Information security management systems – Requirements as one such approved security standard that can be implemented by a body corporate for protection of personal information. All body corporates that comply with this standard are subject to audit checks by an independent government-approved auditor at least once a year or as and when they undertake a significant upgrade of their processes and computer resources.Sector-specific regulators have also prescribed security standards specifically applicable to regulated entities. For instance, the RBI guidelines mandate banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards for ensuring adequate protection of critical functions and processes. Similarly, SEBI requires stock exchanges, depositories and clearing corporations to follow standards, such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?While there is no specific statutory provision that requires information security personnel to keep directors informed of an organisation's network preparedness, in the event of a cybersecurity breach, the persons in charge of an organisation are required to demonstrate before regulators that they have implemented security control measures as per their documented information security programmes and information security policies. Therefore, it would be necessary for these persons to be aware of and updated about the information security preparedness of their organisation to effectively discharge their responsibilities.Section 85 of the IT Act also specifically states that in case of any contravention of the provisions stipulated thereunder, any person who is in charge of supervising the affairs of a company will be liable and proceeded against, unless he or she is able to prove that contravention took place without his or her knowledge, or that he or she exercised all due diligence to prevent such contravention. Therefore, personnel can protect themselves from liability by being aware of and deploying adequate cybersecurity measures.Separately, as per the CAM Rules, the managing director, company secretary, or any other director or officer of the company (as may be decided by the board) is responsible for the maintenance and security of electronic records. This person is required to, inter alia, provide adequate protection against unauthorised access, alteration or tampering of records; ensure that computer systems, software and hardware are secured and validated to ensure their accuracy, reliability and accessibility; and take all necessary steps to ensure the security, integrity and confidentiality of records. Any failure by such personnel in this regard may be construed to be a breach of their duties towards the organisation.How does your jurisdiction define cybersecurity and cybercrime?Under the IT Act, ‘cybersecurity’ means protecting information, equipment, devices, computers, computer resources, communication devices and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. ‘Cybercrime’ on the other hand has been defined by the National Cyber Crime Reporting Portal (a body set up by the government to facilitate reporting of cybercrime complaints) to ‘mean any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of crime’.The courts in India have also recognised cybercrime (eg, the Gujarat High Court in the case of Jaydeep Vrujlal Depani v State of Gujarat R/SCR.A/5708/2018 Order), to mean ‘the offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (networks including but not limited to Chat rooms, emails, notice boards and groups) and mobile phones (Bluetooth/SMS/MMS)’.While the IT Act does not make any distinction between cybersecurity and data privacy, in our view, these issues are distinct but also deeply interconnected as ensuring privacy of an individual's data requires adequate cybersecurity processes to be implemented by organisations. Further, cybersecurity and information security frameworks are developed by organisations at a broader level to build resilience against various forms of cyberthreat, including cybercrimes that entail more extensive engagement with regulatory authorities depending on the extent of harm caused, the nature of information handled by the body corporate, sector sensitivities, etc.What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?As mentioned above, as per the SPDI Rules, any body corporate that possesses, deals with or handles any sensitive personal data or information in a computer resource is required to implement prescribed security standards (ISO/IEC 27001 on Information technology – Security techniques – Information security management systems – Requirements).Sector-specific cybersecurity measures have been made mandatory by regulators for some regulated businesses. For instance, in the banking sector, the RBI requires banks to undertake certain security measures including, inter alia, logical access controls to data, systems, application software, utilities, telecommunication lines, libraries and system software; using the proxy server type of firewall; using secured socket layer (SSL) for server authentication; and encrypting sensitive data, such as passwords, in transit within the enterprise itself. The RBI specifically mandates that connectivity between the gateway of the bank and the computer system of the member bank should be achieved using a leased line network (and not through the internet) with an appropriate data encryption standard and that 128-bit SSL encryption must be used as a minimum level of security.Additionally, in the telecommunications sector, the licence conditions imposed by the DOT require every licensee to implement the following measures:ensure protection of privacy of communication so that unauthorised interception of messages does not take place;have an organisational policy on security and security management of its network, including network forensics, network hardening, network penetration tests and risk assessment; andinduct only those network elements into its telecom network that have been tested as per relevant contemporary Indian or international security standards (eg, the IT and ITES elements) against the ISO/IEC 15408 standards (eg, the ISO 27000 series standards for information security management systems and the 3GPP and 3GPP2 security standards for telecoms and telecoms-related elements).Scope and jurisdictionDoes your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?The IT Act and related laws are equally applicable to cyberthreats involving intellectual property and grant similar protection.Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?As per section 70 of the IT Act, the government may notify any computer resource that affects the facility of critical information infrastructure (CII) to be a ‘protected system’. CII means any computer resource of which the incapacitation or destruction can have a debilitating impact on national security, economy, public health or safety. Under the Protected System Rules, specific cybersecurity practices are applicable in the context of a protected system, such as setting up an information security steering committee (Committee) to approve all information security policies relating to the protected systems, designating a chief information security officer and carrying out vulnerability, threat or risk analysis on an annual basis. Significant changes in network configuration would need to be approved by the Committee, and organisations would need to ensure timely communication of cyber incidents to the Committee.Under the provisions of the IT Act, a nodal body – the National Critical Information Infrastructure Protection Centre (NCIIPC) – has been set up to work in the interest of CII protection. The NCIIPC is authorised to reduce vulnerabilities of CII against cyberterrorism, cyber warfare and other threats. Certain identified CIIs are in sectors such as transport, telecoms, banking, insurance, finance, power, energy and governance.The cybersecurity provisions relating to specific sectors are described in ‘Legislation’ and ‘Increased Protection’.Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?In a recent judgment of Justice K S Puttaswamy (Retd) and Anr v Union of India and Ors (Writ Petition (Civil) No. 494 of 2012), the Supreme Court of India held the right to privacy to be a fundamental right that is an intrinsic component of the right to life and personal liberty under article 21 of the Constitution of India and therefore a basic right of all individuals. Although there are precedents where the courts have held private communications between individuals to be covered within the purview of 'right to privacy', there are also precedents where Indian courts have admitted recordings obtained without consent as valid evidence. Given that this issue is unsettled, permissibility of recordings will need to be determined on a case-by-case basis.In any case, the SPDI Rules require body corporates to disclose personal data or sensitive personal information subject to prior consent of the data subject. However, this condition can be waived if the disclosure is to government agencies mandated under the IT Act for the purpose of verification of identity, or for the prevention or investigation of any offences, including cybercrimes.Certain laws, such as the Indian Telegraph Act 1885 (the Telegraph Act) and the IT Act, permit governmental and regulatory authorities to access private communications and personally identifiable data in specific circumstances. The Telegraph Act empowers the government to intercept messages in the interest of public safety, national security or the prevention of crime, subject to certain prescribed safeguards. In that scenario, the telecoms licensee that has been granted a licence by the DOT is mandated to provide necessary facilities to the designated authorities of the central government or the relevant state government for interception of the messages passing through its network.The IT Act also grants similar authority to the government and its authorised agencies. Any person or officer authorised by the government (central or state) can, inter alia, direct any of its agencies to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information that is generated, transmitted, received or stored in any computer resource, in the event it is satisfied that it is necessary or expedient to do so in the interest of sovereignty and the integrity of India, the defence of India, the security of the state, friendly relations with foreign states, public order or preventing incitement to the commission of any cognisable offence relating to the above, or for the investigation of any offence. In our view, the instances described in the IT Act can be relied on by the government agencies to intercept data for cybersecurity incidents if they relate to contravention or investigation of any crime.What are the principal cyberactivities that are criminalised by the law of your jurisdiction?Cybercrime activities are specifically dealt with under the IT Act. It prescribes penalties ranging from fines to imprisonment for various types of cyber activities, including hacking, tampering of computer source code, denial-of-service attacks, phishing, malware attacks, identity fraud, electronic theft, cyberterrorism, privacy violations and the introduction of any computer contaminant or virus.How has your jurisdiction addressed information security challenges associated with cloud computing?There are no separate set of laws or regulations that regulate the provision of cloud computing services in India. However, given that cloud computing services are rendered and received over the internet or through the digital medium, certain provisions of the IT Act, the SPDI Rules and the Intermediaries Guidelines may be relevant to these services.For instance, the SPDI Rules allow a body corporate to transfer data to any other body corporate or a person in India or in any other country that ensures the same level of data protection that is adhered to by the body corporate. However, the transfer may be allowed only if it is necessary for the performance of a lawful contract between the body corporate and the data subject or where the person has consented to the data transfer. Accordingly, in our view, any entity engaged in the cloud computing business will need to ensure that it maintains the same level of information security standards as that of the data controller (ie, the person collecting the information from the data subject).Also, depending on the business model, a cloud services provider may fall within the definition of an intermediary under the IT Act (defined as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecoms service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cybercafes). As an intermediary, the cloud service provider will need to comply with due diligence measures to claim safe harbour protection from liability arising from the content stored by it. These due diligence measures include taking all reasonable steps to secure its computer resource and the information contained therein by adopting the security practices prescribed under the SPDI Rules, as mentioned in ‘Legislation’.How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?The IT Act is applicable in India and also applies to any offence committed outside India if the act that constitutes the offence involves a computer, computer network or computer resource in India. Hence, the applicability of this law is agnostic to the presence of foreign organisations in India so long as users in India can access the services provided by the organisations and the operation of the services amounts to the contravention of any provision described thereunder.Best practiceIncreased protectionDo the authorities recommend additional cybersecurity protections beyond what is mandated by law?In addition to the minimum cybersecurity standards mentioned in ‘Legislation’, various regulatory bodies have advised businesses to adopt more robust measures in areas of cybersecurity. For example, the Ministry of Communication and Information Technology released the National Cyber Security Policy in 2013, which recommended creating a secure cyber ecosystem and strengthening laws, and creating mechanisms for the early warning of security threats, vulnerability management and the response to security threats. The policy intended to encourage all organisations to develop information security policies integrated with their business plans and implement the policies in accordance with international best practices. This policy is expected to be updated in 2020.Under the Digital India initiative, the Ministry of Electronics and Information Technology (MeitY) has set up the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), operated by CERT-In, to work with internet service providers and product or antivirus companies to provide information and tools to users on botnet and malware threats. Similar proactive measures are deployed by sector-specific regulators from time to time.How does the government incentivise organisations to improve their cybersecurity?In recent years, the government has rolled out some beneficial measures to incentivise both public and private sector organisations to improve cybersecurity standards. One example is the Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products notified by MeitY on 2 July 2018, wherein cybersecurity was named as a strategic sector, and it was further mentioned that government procurement agencies will give preference to domestically manufactured or produced cybersecurity products.Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?In addition to the IT Act and the applicable rules framed thereunder, industry-specific standards have been prescribed by specific regulators. Some examples are given below.Financial sector: the RBI has issued various guidelines for ensuring cybersecurity and the handling of cyber fraud within the banking sector. They can be accessed at www.rbi.org.in and include the:Cyber Security Framework in Banks, prescribing standards to be followed by banks for securing themselves against cybercrimes;Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs), prescribing certain basic cybersecurity controls for primary urban cooperative banks;Sharing of Information Technology Resources by Banks – Guidelines, ensuring that privacy, confidentiality, security and business continuity are fully met;Information Technology Framework for the NBFC Sector, 2017, focusing on IT policy, IT governance information and cybersecurity; andWorking Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, prescribing IT policy and outsourcing guidelines and recommendations.Insurance sector: the insurance sector is subject to the Guidelines on Information and Cyber Security for Insurers, issued by the IRDA. Under these guidelines, the insurers are responsible for putting in place adequate measures to ensure that cybersecurity issues are addressed. Insurers are also mandated to appoint a chief information security officer, formulate a cyber crisis management plan and conduct audits.Are there generally recommended best practices and procedures for responding to breaches?Depending on the nature and the extent of the cybersecurity incident and the sensitivity of the sector, cyber incident response strategies may differ from one business to another. Some common measures that are recommended include:deploying a detailed information security policy to be approved by the board;conducting regular transaction monitoring;conducting information security risk assessments;setting up risk mitigation and transition plans;updating relevant stakeholders within the organisation on their role in advance; andallocating appropriate personnel to engage with regulatory authorities and to deal with clients, service providers, etc.Many companies also prefer to conduct regular assessment of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector, organisations can also reach out to CERT-In and seek advice on incident recovery, containing the damage and restoring their systems to operation. From time to time, CERT-In also issues advisories on actions recommended for parties that have been affected by cybersecurity incidents.Information sharingDescribe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?The CERT Rules require individuals and corporate entities affected by certain types of cybersecurity incidents to mandatorily report the incidents to CERT-In. In addition, it is also possible for individuals and organisations to voluntarily report any other cybersecurity incidents and vulnerabilities to CERT-In and seek requisite support and technical assistance to recover from them. Whether timely and voluntary reporting will help mitigate imposition of a penalty for failing to implement reasonable security practices will be a fact-specific assessment.How do the government and private sector cooperate to develop cybersecurity standards and procedures?The government issues consultation papers to invite feedback and suggestions from the private sector, which aids formulation of policies and laws in respect of cybersecurity. For instance, presently, the government is working with the private sector to develop its 2020 cybersecurity policy. In addition, the National Cyber Security Coordinator and the Data Security Council of India have recently launched an online repository on cyber tech called ‘Techsagar’ to facilitate exchange and collaboration on matters of innovation and cybersecurity between businesses and academia. It is intended to provide an overview of India's cybersecurity preparedness and relevant stakeholders.InsuranceIs insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?Cybersecurity insurance has gained momentum in India. It is aimed at shielding online users against the damage and loss that may arise as a result of unauthorised disclosure of or access to personal and financial data. Cyber insurance is prevalent in the banking, IT and ITES, retail and manufacturing sectors.EnforcementRegulationWhich regulatory authorities are primarily responsible for enforcing cybersecurity rules?CERT-In is the nodal agency recognised under the IT Act for the coordination of cyber incident response activities and the handling of cybersecurity incidents. Further, the government has also established certain authorities and agencies for according protection specifically to the critical infrastructure of India, such as the NCIIPC, which was created to assess and prevent threats to vital installations and critical infrastructure in India. As and when a cybersecurity incident is determined, individuals and organisations can seek remedy from the adjudicating authorities appointed under the IT Act.Sector-specific regulators have also attempted to enforce compliance with their respective information security standards. For example, the RBI imposed a monetary penalty of 1 million rupees on the Union Bank of India for non-compliance with the directions of the Cyber Security Framework in Banks.Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.Given that CERT-In is the national agency responsible for cybersecurity, it has the authority to call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person to perform their functions under the IT Act and the CERT Rules. Failure to respond to CERT-In's information requests is subject to monetary penalties.Further, the adjudicating authorities appointed under the IT Act have powers of a civil court to call for evidence and documents, and summon witnesses in connection with an inquiry into any contravention under the IT Act.As per the provisions of the IT Act, for national security and for investigation of any offence (including cybersecurity offences), authorised government officers can issue orders to intercept, monitor or decrypt any computer resource, ask intermediaries to provide access to any information or to block access to any information stored, received or generated in any computer resource. Additionally, law enforcement agencies can be authorised to monitor and collect traffic data or information generated, received or transmitted in any computer resource, and can confiscate any computer resource in respect of which any contravention of the IT Act has been carried out.Indian law also provides law enforcement authorities with various other mechanisms to pursue, investigate and prosecute cyber criminals. For instance, the IPC is a comprehensive code intended to cover most substantive aspects of criminal law. Criminal activities punishable under the IPC do extend to the online cyberspace infrastructure and will be dealt with in the same manner.What are the most common enforcement issues and how have regulators and the private sector addressed them?Regulators in India have relied on provisions of the IT Act and the IPC to prosecute entities found to be non-compliant with mandatory information security requirements; however, from a practical perspective, enforcement agencies often face challenges in prosecuting offshore entities that do not have business presence in India, as well as affixing liability in multilayered business outsourcing structures. The absence of a comprehensive data protection law that allocates cybersecurity responsibilities between all relevant stakeholders is also a concern. Over time, the private sector and the government have felt the need to develop more cybercrime and prosecution expertise among the police personnel responsible for prosecuting offences under the IT Act, and specific local cyber cells have been set up to address this gap.What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?There is no specific requirement under the IT Act to inform the data subject of a cybersecurity incident. However, under the Intermediaries Guidelines, the intermediary is required to inform CERT-In of cybersecurity breaches as soon as possible. Further, specific types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc) have to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and body corporates within a reasonable time of the occurrence or noticing the incident to aid timely action.In addition, sector-specific regulators have their own reporting requirements. For instance, the RBI requires banks to comply with the Cyber Security Framework in Banks, which, inter alia, requires banks to report cybersecurity incidents to the RBI within two to six hours.PenaltiesWhat penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?The IT Act provides for penalties for varied instances of cybersecurity breach, some of which are described here. Section 43 of the IT Act provides that any person accessing a computer or a computer system or network without permission of the owner, downloading copies and extracting any data or causing disruption of any system will be liable to pay damages to the person affected. Section 66 of the IT Act also provides for punishment of imprisonment for a term up to three years or with a fine of up to 500,000 rupees if the person dishonestly or fraudulently commits the offence.Section 66C of the IT Act provides that a person who, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person will be punished with imprisonment of up to three years and will also be liable for payment of a fine of up to 100,000 rupees.Additionally, the IT Act provides for imprisonment of up to one year or a fine of up to 100,000 rupees, or both, for any failure by an entity (service provider, intermediary, data centre, body corporate, etc) to provide requisite information requested by CERT-In. Furthermore, sector-specific authorities (such as the RBI) may also levy penalties for non-compliance with their respective cybersecurity standards.What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?Any failure by intermediaries to report cybersecurity incidents to CERT-In is punishable under the IT Act by a monetary penalty not exceeding 25,000 rupees. Any failure of a body corporate to report specific cyber breaches mandated under the IT Act is punishable by the same amount. Further, if CERT-In specifically requests for any information from an entity (including the service provider, intermediary or body corporate), then a failure to submit the information is punishable by imprisonment of up to one year or a fine which may extend to 100,000 rupees, or both.In addition, sector-specific regulators have their own reporting requirements. For instance, failure to report within the timelines prescribed for banks under the Cyber Security Framework in Banks may result in the imposition of penalties by the RBI.How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?There is no specific private remedy available; however, the IT Act makes statutory remedies available to persons affected. Section 43A of the IT Act expressly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security practices and procedures that in turn cause wrongful loss or wrongful gain to any person, the body corporate shall be liable to pay damages to the person affected. Therefore, the affected party may initiate a civil action against the negligent body corporate, making it liable to pay damages.Further, a civil action may also be brought against any person who, without permission of the owner of a computer or a computer system or network, does any of the acts mentioned under section 43 of the IT Act, including but not limited to accessing or securing access to the computer or computer system or network, downloading or extracting any data from it, contaminating it with a virus or other malware, or causing any damage to it.Threat detection and reportingPolicies and proceduresWhat policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?See ‘Legislation’, ‘Scope and jurisdiction’ and ‘Increased protection’.Describe any rules requiring organisations to keep records of cyberthreats or attacks.Generally, no specific record-keeping requirements have been prescribed for cyber threats or attacks; however, maintaining records may become necessary to adhere to security standards. For instance, CERT-In issued the CERT-In Security Guidelines CISG-2009-01, which describe a ‘log’ as a record of actions and events that take place on a computer system. The guidelines recommend that organisations have appropriate auditing policies in place that efficiently collect the information logs relating to events, including critical events occurring in the network and systems. No specific timeline for record-keeping has been prescribed.Sector-specific regulators have prescribed storage requirements for regulated entities. For instance, the IRDA issued the Guidelines on Information and Cyber Security for Insurers, which require all registered insurance companies to retain security logs of different systems and devices to be maintained for a minimum period of six months. The guidelines also mandate implementation of an incident management system that should include security incident reporting and recording.Lastly, in accordance with the Cyber Security and Cyber Resilience framework for Stock Brokers and Depository Participants issued by SEBI, stockbrokers and depository participants are required to ensure that records of user access to critical systems are logged for audit and review purposes, and the logs should be maintained and stored in a secure location for a period not less than two years.Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.Reporting under the IT ActThe CERT Rules permit cybersecurity incidents to be reported by any person to CERT-In. However, specified types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc) need to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and body corporates within a reasonable time of the incident occurring or being noticed to aid timely action.The Intermediaries Guidelines require the intermediaries, as part of their due diligence obligations, to notify CERT-In of security breaches. CERT-In publishes the formats for reporting cybersecurity incidents on its website from time to time, which requires mentioning the time of occurrence of the incident, the type of incident, information regarding the affected systems or network, the symptoms observed, the relevant technical systems deployed, the actions taken, among others.Reporting in other sectorsIn addition to the reporting requirements under the IT Act, separate reporting requirements exist in respect of cybersecurity incidents in other regulated sectors. For instance, the Cyber Security Framework in Banks issued by the RBI requires banks to inform the RBI of any cybersecurity incident within two to six hours of the breach. Similarly, as per the Guidelines on Information and Cyber Security for Insurers issued by the IRDA, insurers are required to report cybersecurity incidents that critically affect business operations and a large number of customers within 48 hours of having knowledge of the cybersecurity incident.Time framesWhat is the timeline for reporting to the authorities?See ‘Regulation’ and ‘Policies and procedure’.ReportingDescribe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.See ‘Regulation’. There is no obligation to report cybersecurity threats or breaches to the general public or affected parties.Update and trendsUpdate and trendsWhat are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?There is a renewed focus on cybersecurity practices in India, both from the government and the private sector. Many of the gaps existing in the current law (in terms of liability, penalty, reporting, disclosures, etc) are likely to be addressed in the new Personal Data Protection Bill 2019, which is expected to be passed in Parliament next year. We expect the private sector to intensify its engagement with the government in this area in view of the Digital India initiative, the increased volume of financial transactions online and the high level of reporting of cybersecurity attacks in India. The government is expected to develop a focused approach towards cybersecurity preparedness and awareness, including introducing its cybersecurity policy in 2020.The authors wish to thank Shagun Badhwar and Sana Khan for their assistance in the preparation of this chapter.Source - google.co.in

“https://journals.sagepub.com/doi/abs/10.1177/154193129103502030”“Bias in Police Line-ups and its Reduction by an Alternative Construction ProcedureThe present research examined whether eyewitness identification -produced by law enforcement personnel are biased or suggestive. Experienced police officers were asked to construct two six-face photographic line-ups, first using their usual (traditional) method, and second using an alternative method. The primary basis of the traditional method is that foils are selected based on their similarity to the target. The alternative method includes foils that are not only similar to the target but also similar to other foil faces in the line-up. Both types of line-ups were shown to subjects who had not seen the faces before (mock witnesses) and were asked to guess the respective targets. The results showed that mock witnesses selected the targets significantly more often than expected by chance (1/6 probability) when embedded in the traditional line-ups, thus demonstrating that these line-ups were suggestive. Mock witnesses did not select alternative-method targets more often than expected by chance. These results indicate that foil selection procedures incorporating foil-to-foil similarity produce fairer line-ups than those exclusively based on target similarity. Implications for forensic line-up construction procedures and for future research are discussed.ReferencesBrigham, J. C., Ready, D. J., Spier, S. A. (1990). Standards for evaluating the fairness of photograph lineups. Basic and Applied Social Psychology, 11, 149–163.Google ScholarBuckhout, R. (1977). Son of Sam: Eyewitness descriptions. Social Action and the Law, 4, 19–23.Google ScholarDoob, A. N., Kirshenbaum, H. M. (1973). Bias in police lineups: Partial remembering. Journal of Police Science and Administration, 1, 287–293.Google ScholarEllis, G. D., Shepherd, J. W., Davies, G. M. (1980). The deterioration of verbal descriptions of faces over different delay intervals. Journal of Police Science and Administration, 8, 101–106.Google ScholarLaughery, K. R., Duval, G., Wogalter, M. S. (1986). Dynamics of face recall. In Ellis, H. D., Jeeves, M. A., Newcombe, F., Young, A. W. (Eds.), Aspects of face processing (pp. 373–387). Dordrect, Netherlands: Martinus Nijhoff.Google ScholarLaughery, K. R., Jensen, D. G., Wogalter, M. S. (1988). Response bias with prototypic faces. In Gruneberg, M. M., Sykes, R., Morris, P. (Eds.), Practical Aspects of Memory: Current Research and Issues (pp. 157–162). Chichester: Wiley.Google ScholarLuus, C. A. E., Wells, G. L. (in press). Eyewitness identification and the selection of distractors for lineups. Law and Human Behavior..Google ScholarMalpass, R. S., Devine, P. G. (1983). Measuring the fairness of eyewitness identification lineups. In Lloyd-Bostock, S.M.A., Clifford, B.R. (Eds.), Evaluating witness evidence (pp. 81–102). London: Wiley.Google ScholarMalpass, R. S., Devine, P. G. (1984). Research on suggestion in lineups and photo-spreads. In Wells, G.L., Loftus, E.F. (Eds.), Eyewitness testimony: Psychological perspectives (pp. 64–91). Cambridge: Cambridge University Press.Google ScholarMarwitz, D. B., Wogalter, M. S. (1988). Bias in photo-spreads of faces: A comparison of two lineup construction methods. Proceedings of the Human Factors Society 32nd Annual Meeting (pp. 541–543), Santa Monica, CA: Human Factors Society.Google ScholarNavon, D. (1990). How critical is the accuracy of an eyewitness memory? Another look at the issue of lineup diagnosticity. Journal of Applied Psychology, 75, 506–510.Google ScholarNosworthy, G. J, Lindsay, R. C. L. (1990). Does nominal lineup size matter? Journal of Applied Psychology, 75, 358–361.Google ScholarOrne, M. (1962). On the social psychology of the psychology experiment. American Psychologist, 17, 776–783.Google ScholarShepherd, J. W. (1986). An interactive computer system for retrieving faces. In Ellis, H. D., Jeeves, M. A., Newcombe, F., Young, A. W. (Eds.), Aspects of Face Processing (pp. 398–409). Dordrect: Martinus Nijhoff.Google ScholarShepherd, J. W., Davies, G. M., Ellis, H. D. (1978). How best shall a face be described? In Gruneberg, M. M., Morris, P. E., Sykes, R. N. (Eds.), Practical Aspects of Memory. London: Academic Press.Google ScholarShepherd, J. W., Ellis, H. D., Davies, G. M. (1982). Identification Evidence: A Psychological Evaluation. Aberdeen, Scotland: Aberdeen University Press.Google ScholarUnited States v. Wade. (1967). 388 U.S. 218.Google ScholarWall, P. M. (1965). Eye-Witness Identification in Criminal Cases. Springfield, IL: Thomas.Google ScholarWells, G. L., Luus, C. A. E. (1990). The diagnosticity of a lineup should not be confused with the diagnostic value of non-lineup evidence. Journal of Applied Psychology, 75, 511–516.Google ScholarWogalter, M. S., Jensen, D. G. (1986). Response bias in lineups with prototypic faces. In Proceedings of the Human Factors Society 30th Annual Meeting (pp. 725–728), Santa Monica, CA: Human Factors Society.Google ScholarWogalter, M. S., Marwitz, D. B., Leonard, D. C. (1991). Suggestiveness in photospread lineups: Similarity induces distinctiveness. Unpublished manuscript, Rensselaer Polytechnic Institute, Troy, NY.Google Scholar”“https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/831750/RUSI_Report_-_Algorithms_and_Bias_in_Policing.pdf”“Data Analytics and Algorithmic Bias in PolicingSUMMARY• The use of data analytics and algorithms for policing has numerous potential benefits, but also carries significant risks, including those relating to bias. This could include unfair discrimination on the grounds of protected characteristics, real or apparent skewing of the decision-making process, or outcomes and processes which are systematically less fair to individuals within a particular group. These risks could arise at various stages in the project lifecycle.• Algorithmic fairness cannot be understood solely as a matter of data bias, but requires careful consideration of the wider operational, organisational and legal context, as well as the overall decision-making process informed by the analytics.• While various legal frameworks and codes of practice are relevant to the police’s use of analytics, the underlying legal basis for use must be considered in parallel to the development of policy and regulation. Moreover, there remains a lack of organisational guidelines or clear processes for scrutiny, regulation and enforcement. This should be addressed as part of a new draft code of practice, which should specify clear responsibilities for policing bodies regarding scrutiny, regulation and enforcement of these new standards.POLICE USE OF DATA ANALYTICS IN ENGLAND AND WALESUK police forces collect vast amounts of digital data, but have historically lacked the technological capabilities to effectively analyse this data to improve operational effectiveness and efficiency. However, police forces are increasingly adopting advanced analytical tools to derive insights from the data they collect, to inform decision-making, resource prioritisation and risk assessment in a range of contexts. The analytical tools used by police forces increasingly employ forms of machine learning, often referred to as artificial intelligence.However, this latter description is ambiguous and poorly defined, so for the purposes of this paper the technology in question is referred to as ‘machine learning’. Machine learning algorithms are currently used for various policing purposes, including: facial recognition and video analysis; mobile phone data extraction; social media intelligence analysis; predictive crime mapping; and individual risk assessment. This report focuses on these latter two applications of machine learning, which are frequently referred to as forms of ‘predictive policing’.However, many of the same legal, ethical and policy issues apply to other uses of machine learning in policing, including those linked to classification, explanation and resource allocation. While the use of predictive policing tools in the UK can be traced back to at least 2004, advances in machine learning have enabled the development of more sophisticated systems, which are now used for a wider range of functions. The use of algorithms to make predictions about future crime and offending raises considerable legal and ethical questions, particularly concerning the risk of bias and discrimination.DOES IT WORK ?Before discussing the risks of bias arising from predictive policing technology, it is important to address the fundamental question – ‘does it work?’ It is beyond the scope of this paper to critically assess the (dis)advantages of a risk assessment-focused approach to resource allocation, or to discuss the semantic nuances associated with defining ‘risk’. However, on the basis that police forces must target limited resources to places and people identified as posing the greatest ‘risk’ (of offending or victimisation), this paper’s starting point is to question whether algorithmic tools are effective in assisting the police to identify and understand this risk.Effectiveness and accuracy are intrinsically linked to ethics and legality: if it cannot be demonstrated that a particular tool or method is operating effectively and with a reasonable degree of accuracy, it may not be possible to justify the use of such a tool as necessary to fulfil a particular policing function. First, in relation to predictive mapping, empirical evidence has demonstrated that the deployment of predictive mapping software could increase the likelihood of detecting future crime events when compared to non-technological methods, resulting in net reductions in overall crime rates. Research shows that random foot patrolling has a negligible impact on detecting and preventing crime, because crime is not uniformly distributed in time and space.By contrast, ‘hotspot’ policing – whereby high-risk locations are identified and patrol resources concentrated in those areas – has been shown to result in crime suppression not just at the deployment location but also in surrounding areas. In the UK, field trials have found predictive mapping software to be around twice as likely to predict the location of future crime as traditional intelligence-led techniques (whereby analysts manually identify future hotspots). Despite its apparent effectiveness, the use of predictive mapping software by UK police forces has been limited. In many cases, its use has amounted only to short-term trials that did not result in full-scale deployment.The evidence is less clear when it comes to the accuracy of individual risk-assessment tools, largely due to a lack of research on the algorithms in use. Nevertheless, there is a large body of research dating back more than 60 years comparing the accuracy of ‘unstructured’ professional judgement and statistical (‘actuarial’) forecasting methods, which it is not possible to discuss here. Various meta-analyses and systematic reviews have found that – under controlled conditions – statistical forecasting consistently outperforms unstructured professional judgement in a range of decision-making contexts, including offender risk assessment.However, experts disagree over the predictive validity of statistical risk-assessment tools. Predictive validity can be understood as ‘the extent to which scores on an assessment tool are able to predict some outcome measure’. However, if a statistical tool is used to make predictions at the individual level, the uncertainty associated with any single event probability is very large. As summarised by Alan A Sutherland and colleagues, ‘predictive judgments are meaningful when applied to groups of offenders. However, at an individual level, predictions are considered by many to be imprecise’.Put simply, high accuracy rates at the group level can often conceal very low accuracy rates for specific individuals or groups of individuals within that larger group. All individual predictions are associated with a confidence interval (a margin of error), which is often not taken into account when reporting the overall ‘predictive accuracy’ of the tool. Academic experts interviewed for this study expressed reservations regarding the ability of algorithmic tools to predict future crime, indicated by comments such as ‘there are a lot of myths around machine learning tools and what they can do.One of the things that machine learning is really terrible at is predicting rare and infrequent events, especially when you don’t have loads of data’. With this in mind, the more infrequent the event the tool is trying to predict, the less accurate it is likely to be. Furthermore, accuracy is often difficult to calculate, because when an individual is judged to pose a risk of offending, an intervention is typically delivered which prevents the predicted outcome from happening.Authorities cannot know what may have happened had they not intervened, and therefore there is no way to test the accuracy (or otherwise) of the prediction. Independent, methodologically robust evaluation of trials is essential to demonstrate the accuracy and effectiveness of a particular tool or method. If such evaluation does not demonstrate the tool’s effectiveness and proportionality, continued use would raise significant legal concerns regarding whether use of the tool was justified to fulfil a particular policing function, requiring the police force to review its design and operational use. Conversely, if there is evidence that a new capability is beginning to perform well, it is important to invest in building the evidence base for its effectiveness, with processes in place for ongoing evaluation.THE CURRENT LANDSCAPEIn England and Wales, a small number of police forces have developed machine learning algorithms to assess reoffending risk for known offenders in the force area, to inform prioritisation of operational activity and to assist decision-making at the entry point to the criminal justice system. For instance, Durham Constabulary’s Harm Assessment Risk Tool uses random forest forecasting (a form of supervised machine learning) to classify individuals in terms of their likelihood of committing a violent or nonviolent offence over the next two years.The purpose is to assist officers in assessing offenders’ eligibility to participate in the Checkpoint Programme, a voluntary out-of-court disposal scheme designed to reduce reoffending by addressing the underlying factors causing individuals to engage in crime. Avon and Somerset Constabulary uses similar technology to assess factors such as likelihood of reoffending, likelihood of victimisation/vulnerability, and likelihood of committing a range of specific offences. Through an app on their mobile devices, neighbourhood officers can instantly access the risk profiles for each offender registered in the force area, which are recalculated on a daily basis.West Midlands Police are developing a similar offender assessment system as part of their Data Driven Insights project, while Hampshire Constabulary is developing a machine learning predictive tool to assess risk of domestic violence offending. The current technological landscape was described by one police officer interviewed as a ‘patchwork quilt, uncoordinated and delivered to different standards in different settings and for different outcomes’.However, the use of analytics and algorithms by police forces in England and Wales is likely to grow in both scale and sophistication in the coming years. It is essential to build a stronger evidence base on the effectiveness and reliability of different systems, and to develop a clearer legal, policy and regulatory framework to ensure proportionate and ethical use of this increasingly powerful technology.EMERGING FINDINGSInterviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight. It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology. As one law enforcement practitioner commented, ‘there’s as much value in understanding what doesn’t work, as what does’, but to achieve this, controlled space for experimentation is required, recognising that ‘policing is about dealing with complexity, ambiguity and inconsistency’.Lessons can be learned from recent trials of live facial recognition, particularly concerning the need to demonstrate an explicit legal basis for the use of new technology, the need for clearer guidance relating to trials and evaluation, and the importance of meaningful public engagement during the development and testing phase. The development of a draft Code of Practice provides an opportunity, not only to consider bias, but to improve understanding of the application of data analytics in different contexts, and of methods of assessing potential benefits and intrusions. It will be incumbent on users to evidence such assessments when determining whether use of a particular tool can be deemed ‘necessary’, in order to decide whether there are less intrusive means of achieving the same policing aim.Any new code of practice for algorithmic tools in policing should establish a standard process for model design, development, trialling, and deployment, along with ongoing monitoring and evaluation. It should provide clear operationally relevant guidelines and complement existing authorised professional practice and other guidance in a tech-agnostic way.86 Existing surveillance codes and related inspections were suggested by a number of interviewees as a potential model. The new code should ensure sufficient attention is paid to meeting legal and ethical requirements throughout all stages of the product lifecycle, from project inception through to model procurement, development and testing, including ongoing tracking and mitigation of discrimination risk when the tool is deployed operationally, and oversight of the ultimate decision-making process the analytical insights are feeding into.A new code should specify clear roles and responsibilities regarding scrutiny, regulation and enforcement, including the roles of the College of Policing, the National Police Chiefs’ Council, Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services and the Home Office, and potentially other regulatory bodies such as the Information Commissioner’s Office and Investigatory Powers Commissioners. The code should also establish standard processes for independent ethical review and oversight to ensure transparency and accountability and facilitate meaningful public engagement before tools are deployed operationally, and oversight of the ultimate decision-making process the analytical insights are feeding into.A new code should specify clear roles and responsibilities regarding scrutiny, regulation and enforcement, including the roles of the College of Policing, the National Police Chiefs’ Council, Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services and the Home Office, and potentially other regulatory bodies such as the Information Commissioner’s Office and Investigatory Powers Commissioners. The code should also establish standard processes for independent ethical review and oversight to ensure transparency and accountability and facilitate meaningful public engagement before tools are deployed operationally”.“ Evaluating Line-ups ““ Evaluating Line-ups You Or Others Have Created.The basis for evaluating the fairness of line-ups is outlined briefly in Rule 3 of the APLS White Paper:“The suspect should not stand out in the line-up or photospread as being different from the distractors based on the eyewitness’s previous description of the culprit or based on other factors that would draw extra attention to the suspect.“ (page 24)This concept was reinforced in the report of the Technical Working Group on Eyewitness Evidence, in the National Institute of Justice:“Select fillers who generally fit the witness’ description of the perpetrator. When there is a limited/inadequate description of the perpetrator provided by the witness, or when the description of the perpetrator differs significantly from the appearance of the suspect, fillers should resemble the suspect in significant features.”(page 29)Wells et al. (1998) continue:“[The] extent to which Rule 3 has been met in a given line-up can be tested using a "mock witness" procedure. …. Mock witnesses are people who have never seen the culprit but are given the eyewitness’s verbal description of the culprit, shown a picture of the line-up or photospread, and asked to select the person they think is the suspect in the case. If Rule 3 has been sufficiently met, a mock witness should not be able to select the suspect at a level that exceeds chance expectations based on the number of choices (number of line-up members) that could have been selected. If mock witnesses can deduce who the suspect is under these circumstances, then a concern is raised about whether an eyewitness’s selection was a product of true recognition memory or was due merely to the same deduction process that the mock witnesses apparently used.”Since the foundational paper by Doob and Kirshenbaum (1973) disinterested persons have been used as participants in research studies to evaluate eyewitness line-ups. The process is described in some detail by Malpass, Tredoux & McQuiston-Surrett (2007). Here is a thumbnail description of the process and an example of some ways to represent the results to make them more amenable to interpretation. The basic form of the evaluation is provided for each of the line-up evaluations displayed on this website, but for pedagogic purposes below we provide an extended example from a recent case. It will become apparent that the consequences of bad fillers are failure of the safeguard and inflation of the innocent suspects risk of false identification.Thumbnail description of the mock witness procedure.1. Select your population of participants. It is best to choose participants of the same ethnicity as the original witness(s).2. Provide the information you have chosen to give the participants.The choice of information given to participants is important. Doob and Kirshenbaum (1973) gave them the description given by the witness – that the offender was “very good looking”. The most gross departures from fairness will probably be detected without providing any information, simply saying that the line-up contains a police suspect in a case involving the particular offense in question, and asking participants to choose the line-up member who is the police suspect. For a more sensitive evaluation participants can be given the verbal description provided by the witness. Some aspects of appearance are difficult to capture in facial feature descriptions but easy to denote in other language - like “very good looking”. That information also can be included in a verbal description. The single witness in a recent case described the offender as “he looks like a waiter”. Giving line-up evaluation participants only that information allowed them to choose the suspect at an above chance rate, and line-up fillers were chosen substantially below the expected rate.3. Give whatever information you will provide individually to at least 30 (and preferably 50) participants. Don’t display the line-up and the information you provide at the same time: if you do, the identification process may simply be a feature by feature comparison among faces. Then show participants the line-up and ask them to indicate which line-up member is the suspect. Since this is an informal procedure, simply record their response indicating which line-up member was chosen as one of the numbers 1-6 in the line-up, upper left to lower right.4. Summarize the findings in the manner shown in the Line-up Evaluation Spreadsheet, which you may download here. What follows refers to the spreadsheet.There were three kinds of information given the participants in this case, and combined for analysis. The resulting identification frequencies are these, for line-up positions 1-6 (left to right).21311493The suspect was in position 4 and received the largest number of identifications (14 of 42 = 33%), twice the number expected if only chance factors are influencing participant choices. This identification proportion can be submitted to a statistical test for bias by use of a spreadsheet downloadable from the Eyewitness Identification Research Laboratory website. For guidance in its use and interpretation consult someone in your organization familiar with basic statistics, or call the eyewitness laboratory at 915-539-0510. In this example, the probability of an identification proportion of .33 occurring by chance, rather than some systematic process (bias), is very low (.01232), which is statistically reliable. Some systematic process or influence is very likely to be at work. The results can be presented in graphic form, as shown below. There is one "super filler", in position 2, which is identified at a rate nearly equal to the suspect, which is far above the choice frequency expected by chance.It is obvious that three of the fillers are chosen well below the rate expected if only chance factors are involved. The number of fillers which fulfill their role as safeguards to an innocent suspect can be tested quantitatively through Tredoux' E'. A spreadsheet containing the calculation can be downloaded from the Eyewitness Identification Research Laboratory website. But evaluation of the fillers can most easily be understood by examining them in the order of their identification frequency, (L – R) as shown below.14139321Note that the 3 least frequently chosen fillers total 6 choices, which taken together do not add up to the identification frequency (7) expected of 1 fully appropriate filler. That's nearly one filler but since it takes three to make it up, there are two whole fillers effectively missing. Count the number of persons in the line-up. We have the 3 most frequently chosen plus about 85% of another. Rather than the 6 person line-up that should have been used, we instead have a line-up containing about 3.85 persons. You may think that this is not particularly serious, but consider this: the risk of a false identification has gone from 1 in 6 (16.7%) to 1 in 3.85 (25.9%). There is no one I know who would prefer to bet their freedom on a 26% risk rather than a 17% risk.This illustrates two important points for the analysis of line-up fairness:1. Line-up bias is often produced by inadequate fillers.2. The effectiveness of the line-up as a safeguard against false identification focuses sharply on the effectiveness of the fillers and the setting of risk of false identification that results.ReferencesDevlin, Hon Lord Patrick (1976). Report to the Secretary of State for the Home Department of the Departmental Committee on Evidence of Identification in Criminal Cases. HMSO.Doob, A. N. & Kirshenbaum, H. M. (1973). Bias in police line-ups — partial remembering. Journal of Police Science and Administration, 18, 287-293.Malpass, R. S, Tredoux, C. G. & McQuiston-Surrett, D. E. (2007). Line-up construction and line-up fairness. in R. Lindsay, D. Ross, J. D. Read & M. P. Toglia (Eds.), Handbook of Eyewitness Psychology (Vol. 2): Memory for People. Lawrence Erlbaum & Associates.Scheck, B., Neufeld, P., & Dwyer, J. (2001). Actual Innocence: When Justice Goes Wrong And How To Make It Right. New York: Doubleday.Technical Working Group on Eyewitness Evidence (1999). Eyewitness Evidence: A Guide for Law Enforcement. Washington, D.C.: National Institute of Justice (i-x, 1-44).Wells, G.L., Small, M., Penrod, S., Malpass, R.S., Fulero, S.M., & Brimacombe, C.A.E. (1998). Eyewitness identification procedures: Recommendations for line-ups and photospreads. Law and Human Behaviour, 23(6) 603-647 “.