The main legislation governing the cyber space in India is the Information Technology Act, 2000 (“IT Act”) which defines cybersecurity as protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. In addition to providing legal recognition and protection for transactions carried out through electronic data and other means of electronic communication, the IT Act and various rules made there under, also focus on information security, defines reasonable security practices to be followed by corporates and redefines the role of intermediaries, recognizes the role of the Indian Computer Emergency Response Team (“CERT-In”) etc.
Additionally, the IT Act also amended the scope of Indian Penal Code, Indian Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto, which were focusing on the regulation of the overly sensitive banking and financial services sector. Incidentally, while there is no comprehensive legislation for the governance of data in the country as on this date, there are sectoral legislations, directions, legal advisories which require specific compliance for the targeted sector.
The IT Act not only extends to the whole of India and, but it is also applicable to any offence or contravention committed outside India by any person. Additionally, the legal sanctions under the IT Act extend to imprisonment, penalties, and also allow for a framework for compensation/ damages to be paid to the claimants. Further, if a body corporate, possessing, dealing or handling any personal data or sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate is liable to pay damages by way of compensation to the person so affected.
REGULATORY FRAMEWORK OF CYBER SECURITY LAWS
There are three predominant laws to cover when it comes to cybersecurity:
Information Technology Act, 2000
The Indian cyber laws are governed by the Information Technology Act, penned down back in 2000. The principal impetus of this Act is to offer reliable legal inclusiveness to eCommerce, facilitating registration of real-time records with the Government. But with the cyber attackers getting sneakier, topped by the human tendency to misuse technology, a series of amendments followed. The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties safeguarding the e-governance, e-banking, and e-commerce sectors. Now, the scope of ITA has been enhanced to encompass all the latest communication devices. The IT Act is the salient one, guiding the entire Indian legislation to govern cyber crimes rigorously.
Indian Penal Code (IPC) 1980
Identity thefts and associated cyber frauds are embodied in the Indian Penal Code (IPC), 1860 – invoked along with the Information Technology Act of 2000. The primary relevant section of the IPC covers cyber frauds:
- Forgery (Section 464)
- Forgery pre-planned for cheating (Section 468)
- False documentation (Section 465)
- Presenting a forged document as genuine (Section 471)
- Reputation damage (Section 469)
Companies Act of 2013
The corporate stakeholders refer to the Companies Act of 2013 as the legal obligation necessary for the refinement of daily operations. The directives of this Act cements all the required techno-legal compliances, putting the less compliant companies in a legal fix. The Companies Act 2013 vested powers in the hands of the SFIO (Serious Frauds Investigation Office) to prosecute Indian companies and their directors. Also, post the notification of the Companies Inspection, Investment, and Inquiry Rules, 2014, SFIOs has become even more proactive and stern in this regard. The legislature ensured that all the regulatory compliances are well-covered, including cyber forensics, e-discovery, and cybersecurity diligence. The Companies (Management and Administration) Rules, 2014 prescribes strict guidelines confirming the cybersecurity obligations and responsibilities upon the company directors and leaders.
The Cybersecurity Framework (NCFS), authorized by the National Institute of Standards and Technology (NIST), offers a harmonized approach to cybersecurity as the most reliable global certifying body. NIST Cybersecurity Framework encompasses all required guidelines, standards, and best practices to manage the cyber-related risks responsibly. This framework is prioritized on flexibility and cost-effectiveness. It promotes the resilience and protection of critical infrastructure by:
Allowing better interpretation, management, and reduction of cybersecurity risks – to mitigate data loss, data misuse, and the subsequent restoration costs Determining the most important activities and critical operations – to focus on securing them Demonstrates the trust-worthiness of organizations who secure critical assets helps to prioritize investments to maximize the cybersecurity ROI Addresses regulatory and contractual obligations Supports the wider information security program By combining the NIST CSF framework with ISO/IEC 27001 – cybersecurity risk management becomes simplified. It also makes communication easier throughout the organization and across the supply chains via a common cybersecurity directive laid by NIST.
Cybersecurity Compliance Regulation in India – As per Businesses
To ensure the effectiveness of the Indian cybersecurity compliances, the Government has taken several other measures to establish complete cohesion.
The Indian Computer Emergency Response Team or CERT-In, the national nodal agency responsible for prompt responses to the cybersecurity incidents, started official operations back in January 2004. In the latest reforms of the Information Technology Amendment Act, the Indian Computer Emergency Response Team was officially designated as the national agency for cybersecurity preservation. The body acted as the primary task force responsible for:
- Alerts and forecasts preventing cybersecurity incidents
- Defining emergency measures to tackle and mitigate the effects of cyber risks
- Collection, analysis, and responsible dissemination of data on cyber threats
- Constant coordination of cyber response activities
- Issuing best practices, guidelines, and precautions in the public interest for better reporting and management of cyber incidents
More information about the same can be viewed here.
The prevalence of digital transactions has escalated the cyber risks nation-wide, creating havoc. PCI-DSS regulations apply to all the entities dealing with online transactions. The banking stalwarts, including American Express, Visa, Discover, and MasterCard – joined hands to combat the cyber identity thefts related to credit card frauds. PCI-DSS does not force down any fines or government mandates, but it does standardize all security goals for online transactions. This regulation thrives under positive reinforcement to demonstrate complete adherence to customer data security expectations. However, all companies involved in processing, storing, or transmitting credit card data are recommended to ensure its compliance – to win over customer confidence.
More information can be viewed here.
Reserve Bank of India Act 2018
RBI issued elaborate cybersecurity guidelines that restricted and tested the operations of all urban co-operative banks (UCBs), carefully assessing the evolving IT risk factors. The level of technology adoption and digitization varies across banks and sectors – the RBI Act aims to standardize the security frameworks for all of them. All UCBs need to explicitly jot down their cybersecurity policy, post the approval of their Board or Administrator. Following these guidelines is essential to establish reliable cyber-risk free banking institutions to fight the growing business complexities. While assessing the inherent cyber risks, UCBs should carefully test the adopted technologies, digital products offered, delivery channels, and other external and internal threats. With the nature of risks getting diversified and intensified, the traditional Business Continuity or Disaster Recovery arrangements may not suffice. UCBs need to promptly detect all cyber-intrusions so as to recover/respond/contain the impact of the cyber-attacks.
More information is available here.
In the wake of the escalating cyberattacks on the financial institutes, the Insurance Regulatory and Development Authority of India rolled out a comprehensive cybersecurity framework upholding the security of the insurers. The directives passed by IRDA focuses on the mitigation of external as well as internal threats, preventing cyber frauds, establishing robust business continuity, and risk assessment plan to bolster the backbone of shaping a secured Fintech industry.
The key focus areas for the insurance industry remains:
- Online transaction and messaging frauds
- Data leakage
- IPR violations risk
- Ransomware attack
The Department of Telecommunication has also tightened its claws on cybercrime, data privacy, and consumer security. The designated officials of TRAI (Telecom Regulatory Authority of India) and DOT have amended the cyber laws, underlying their responsibility towards consumer data – as the most critical online transactions are conducted via mobile phones. TRAI, the telecom industry watchdog, is renamed as the Digital Communications Regulatory Authority of India – with modified and intensified powers.
The DOT remains to function as an inter-ministerial body, with the telecom secretary as the highest decision-making authority of the nation. The DOT, in collaboration with the IT ministry, prefers a layered consent architecture focusing on secure personal data processing. The companies have limited rights to collect only the required consumer details after stating the purpose of collection. Further, the data can be stored only for as long as it is necessary.
DOT has confirmed that the internet users will be the final decision-makers on the usage of personal data, topped with their right to withdraw their consent anytime.
In 2018 and 2019, SEBI declared meticulous guidelines for organizations falling within its purview, including Depository Participants, Stock Brokers, Asset Management Companies (AMCs), Stock Exchanges, Mutual Funds, Clearing Corporations and Depositories.
- Dec 03, 2018: SEBI launched Guidelines for Depository Participants and Stock Brokers.
- Jan 10, 2019, SEBI launched Guidelines for Asset Management Companies and Mutual Funds.
- Dec 07, 2018, SEBI Guidelines for Clearing Corporations, Stock Exchanges, and Depositories.
All these guidelines strictly focused on ensuring customer data security and reliability – limiting the rights of all these organizations.
When it comes to cybersecurity concerns, the healthcare industry has always been comparatively slow to adjust. Health Insurance Portability and Accountability Act outlines all prerequisites to prioritize the personal medical history of patients and clients. Medical data of a person is probably the most private one, and HIPAA safeguards it from the vicious hackers and spammers.
Fortunately, the steps to create a sturdy cybersecurity framework for healthcare organizations are not outlandish. In fact, healthcare organizations can follow simple steps like access limitations, virus control, and firewalls, to stay secure.
More information can be viewed here.
Cyber space infringement is a battle that we fight on everyday basis. India needs stringent laws and policy in place to combat these issues. The extant legal framework does not sufficiently address the concerns of the sector, and there is an imminent requirement to have a comprehensive legislation in place to address the concerns.
As we choose to stay connected, we are moving towards proliferation and assimilation of larger data sets, interacting with one another (big data, machine learning, Artificial Intelligence, Internet of Things); this opens the entire ecosystem to larger threats from social deviants. It is on the individuals as well as the body corporates to preserve the confidentiality, integrity of data, while ensuring that accessibility to the very data is not compromised on any front.
As we welcome the impending legislation, companies in the healthcare and the banking & financial services sector are ensuring that they rely on their own technical and organizational security measures to ensure that the data available with them is not corrupted or is subject to any unwarranted and unauthorized access. The proactive vigilance observed by the body corporates and private individuals, is also being supported by the insurance industry, where cyber-security insurances have garnered immense popularity, and are augmenting the lack of an effective legal regime. It is often said that the future is a click away, it is important that the click does not lead to any pernicious portal.