Asian perspectives on Cybersecurity

All aspects of our lives, be they medicine, astronomy, finance, law, social life and almost everything else, are either driven by, or indirectly dependent on computers for propagation and existence. While computers have made our lives easy, they have also introduced new sets of challenges.

As Bill Gates, the founder of Microsoft, famously said: “The computer was born to solve problems that did not exist before.” Be that as it may, certain challenges emanating from dependence on computers can have an adverse effect on society, and society cannot be protected unless there is a strong and robust legal framework. This article aims to cover the statutes that currently govern cybersecurity and data privacy in India.

With the advent of digitalization in all sectors of life, the initial steps taken by the government were towards recognition of electronic records, and recognition and sanction of digital processes. In this regard, several existing laws were amended to meet new challenges arising from digitalization.

The IT Act broadly encompasses various cyber-offences and cyber-contraventions. Almost all the known activities that constitute a criminal offence relating to information technology are covered by the IT Act.Nonetheless, the first major step taken towards cybersecurity in India was the enactment of the Information Technology Act, 2000 (IT Act). The jurisprudential development that followed, although very scant, did pave way for further evolution, and led to the Information Technology (Amendment) Act that was passed in 2008.

  • Hacking. Although the IT Act does not give specific reference to hacking, section 43 of the IT Act provides that if any person accesses a computer, computer system or computer network without permission of the owner (sub-section a), or downloads, copies and extracts any data (sub-section b), or causes disruption of any system (sub-section e), such person will be liable to pay damages by way of compensation to the person affected. Section 66 of the IT Act further provides that the offences mentioned in section 43, which includes hacking, could attract imprisonment for a term of up to three years, or a fine of up to US$7,100, or both.
  • Phishing. The IT Act does not specifically define phishing. However, sections 66C and 66D of the IT Act provide punishment for offences that are types of phishing. Section 66C provides that whoever, fraudulently or dishonestly, makes use of electronic signatures, passwords or any other unique identification features of any other person faces imprisonment for up to three years and a fine of up to US$1,300. Apart from the IT Act, section 419 of the Indian Penal Code, 1860, also provides similar punishment for cheating by impersonation.
  • Malware/virus attacks. Under sub-section c of section 43 of the IT Act, if any person introduces any computer contaminant or computer virus to a computer resource without the owner’s permission, such person is liable to pay damages by way of compensation. Such acts also attract punishment under section 66 of the act.
  • Cyber-terrorism. Cyber-terrorism was specifically covered in the IT Act by way of the amendments introduced in 2008, with the addition of the new section 66F. Under section 66F, if an offence is committed with an intent to threaten the unity, integrity, security or sovereignty of India, or to strike terror in people, or the conduct causes death or injuries to persons, damage to property or disruption of services and supplies essential to life, or adversely affects the critical information infrastructure, it would constitute cyber-terrorism and may attract imprisonment for life.

The field of information technology evolves rapidly, and with time, the Government of India continues to frame several rules and regulations to broaden the scope of the IT Act to keep pace with new challenges. Over time, the government has framed various rules, a few of which play a significant role in cybersecurity and data privacy:

  1. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 (SPDI rules);
  2. The Information Technology (Intermediaries Guidelines) Rules 2011;
  3. The Information Technology (Guidelines to Cyber Cafe) Rules 2011;
  4. The Information Technology (Electronic Service Delivery) Rules 2011;
  5. The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In rules); and
  6. The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018.

Various IT rules enacted by the government have laid significant obligations on persons and organizations to ensure secured practices, and to report cybersecurity incidents. The above-mentioned CERT-In rules require individuals and corporate entities affected by any “cybersecurity incident” to report it to the Indian Computer Emergency Response Team (CERT-In). Cybersecurity incident means any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy.

CERT-In has been constituted to respond and co-ordinate an action during cybersecurity emergencies, and offer information to help improve cybersecurity.

No doubt the disputes arising from the IT Act will encounter deeper questions on technology that require special expertise to resolve. Thus, the IT Act provides for the appointment of special “adjudicating officers” for disputes arising from the act, and the decisions of those adjudicating officers are appealable again to an appellate tribunal specifically constituted under the act.

Under section 48(1) of the IT Act 2000, the Ministry of Electronics and Information Technology established the Cyber Regulations Appellate Tribunal (CRAT) in October 2006. The IT (Amendment) Act 2008 renamed the tribunal the Cyber Appellate Tribunal (CyAT). Pursuant to the IT Act, any person aggrieved by an order made by the Controller of Certifying Authorities, or by an adjudicating officer under this act, may prefer an appeal before the CyAT.

India has taken significant steps in ensuring the protection of personal data, and endeavours to bring its legal framework on par with the global course. One part of the rules and regulations aim to put an obligation on the organizations to ensure proper infrastructure and security to protect data coming into their possession. As per the SPDI rules, companies and organizations storing data such as financial, health, passwords, biometrics, etc., should have policies that contain technical, operational and physical security control measures commensurate to the information assets sought to be protected.

The other part of the rules defines what are personal data, and the policies that must be adhered towards data privacy and the disclosure of information. Rule 2(i) of the SPDI rules provides that personal information means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Rule 3 classifies certain information as sensitive data such as passwords, financial information, physical and mental health conditions, sexual orientations, biometrics, etc.

Under these rules, any corporate or person is required to explicitly disclose (on the website, or in any contract) the statements of its policies relating to personal data, the purpose of collection and usage of such information, the policy on the disclosure of information, and also reasonable security procedures adopted. These rules ensure that the personal data are secured and the person divulging such data knows the purport of the collection of such data, and whether the organization seeking such data ushers any confidence that it would be protected.

With growing complexities, the inadequacies of the existing law on data privacy were recognized. In August 2017, the need for a more robust law to protect personal data was recognized by the Supreme Court of India, in Justice KS Puttaswamy v Union of India. It explicitly recognized an individual’s fundamental right to privacy and the need for stronger protection of personal data.

It was closely followed by the release of the report and draft law by the Committee of Experts, chaired by Justice BN Srikrishna. A Data Protection Bill, 2019, is currently pending before India’s parliament, which is in line with the draft law of the Committee of Experts and also resonates with the 2018 EU General Data Protection Regulation (GDPR).

Given the dynamic nature of IT, the laws relating to it also undergo a continual process of evolution, at a faster pace than other laws. India’s government has recognized this dynamism and is continually reforming laws on information technology by widening the scope of the IT Act from time to time.

Recently, with the introduction of the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, and the Data Protection Bill, the government has recognized the importance of further fortifying the laws on data privacy, which is a positive direction to instil confidence in cross-border flow of information.

Article by Manisha Singh and Varun Sharma, 1st published on Asia Business Law Journal.

Asian perspectives on cybersecurity laws