Laws and Enforcement About Cybersecurity

Cyber security in India



“Data is more like sunlight than oil .... it is like sunshine, we keep using it, it keeps regenerating”, said Google's Chief Financial Officer, Ruth Porat. However, one never knows when this usage and regeneration turns into misappropriation. Data in its crudest form can be used in a manner that benefits the one generating it, the one processing it, and anyone consuming it. The issue that percolates down to every level is the security of managing and handling the copious volumes of data freely available in this digital ecosystem. As long as you are connected to the internet, you run the risk of being accessible to anyone else on the internet, and this applies to your data as well.


Cybercrime has spared no one. It has penetrated all major sectors, including banking and finance, commercial facilities, postal services, transportation and e-retail platforms. It takes the form of phishing and social engineering, malware, spear phishing, ransomware, hacking, software piracy, pornography, cybersquatting and more.


Some of the major cyber-attacks that have taken place in India in the past are the Union Bank of India heist (2016), the WannaCry ransomware outbreak (2017) and the data theft at Zomato (2017). Cyber intelligence firm Cyble, which dredges the dark web, has red-flagged hacking episodes at Truecaller, Dunzo, Unacademy, Naukri.com, Bharat Earth Movers Limited (BEML), LimeRoad and IndiaBulls[1]. A recent cyber-attack at one of India's nuclear power plants, and the compromise of the Prime Minister's social media handle, make one realize the gravity of the situation[2].


Regulatory Landscape


The main legislation governing cyber space is the Information Technology Act, 2000 (“IT Act”), which defines cyber security as protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. In addition to providing legal recognition and protection for transactions carried out through electronic data and other means of electronic communication, the IT Act and the various rules made thereunder also focus on information security: they define the reasonable security practices to be followed by body corporates, redefine the role of intermediaries, and recognize the role of the Indian Computer Emergency Response Team (“CERT-In”). The IT Act also amended the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, and matters connected therewith or incidental thereto[3], the latter two statutes governing the particularly sensitive banking and financial services sector. Incidentally, while there is no comprehensive legislation for the governance of data in the country as on this date, there are sectoral legislations, directions and legal advisories which require specific compliance for the targeted sector.


The IT Act not only extends to the whole of India, but also applies to any offence or contravention committed outside India by any person[4], provided the act involves a computer, computer system or computer network located in India. Additionally, the legal sanctions under the IT Act extend to imprisonment and penalties, and the Act also provides a framework for compensation or damages to be paid to claimants. Further, if a body corporate possessing, dealing with or handling any personal data or sensitive personal data or information[5] in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, that body corporate is liable to pay damages by way of compensation to the person so affected[6].


Some Relevant Rules Framed under the IT Act


Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (“CERT Rules”).


As per the CERT Rules, CERT-In has been established as the nodal agency responsible for the collection, analysis and dissemination of information on cyber incidents and for taking emergency measures to contain such incidents. Further, under these Rules, it is mandatory to report the following to CERT-In: (i) a targeted intrusion or the compromise of critical networks or systems; (ii) unauthorized access to IT systems or data; (iii) defacement of websites, malicious code attacks, denial of service and distributed denial of service (DDoS) attacks, and attacks on domain name systems and network services; and (iv) attacks on applications such as e-governance and e-commerce. Additionally, individuals and organizations may voluntarily report any other cyber security incidents and vulnerabilities to CERT-In and seek support and technical assistance to recover from them. Unfortunately, the reporting requirements under the law are inadequate and require revision: the mandatory obligation is confined to the enumerated categories and prescribes no fixed reporting deadline, and everything outside those categories is only a voluntary ask. This allows entities to avoid the transparency the regime is meant to secure.


Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (“SPDI Rules”)


The SPDI Rules govern corporate entities that collect and process sensitive personal information in India. The Rules (i) mandate consent for the collection of information; (ii) insist that collection be done only for a lawful purpose; (iii) require organizations to have a privacy policy; (iv) set out instructions for data retention; (v) give individuals the right to correct their information; and (vi) impose restrictions on disclosure and data transfer, and require security measures. Additionally, specific sectors such as banking, insurance, telecom and health have data privacy provisions under their respective sectoral rules. In the absence of a lengthier or stricter legislation, the extant framework at least complies with the basic principles of data privacy, and gives enterprises wide leeway to adopt the prevalent standards and best practices of their specific industry[7].


THE PERSONAL DATA PROTECTION BILL 2019


In December 2019, a new iteration of the data privacy and protection legislation was introduced, titled the Personal Data Protection Bill 2019 (“PDP Bill”). Section 24 of the PDP Bill directs data fiduciaries (the PDP Bill's term for data controllers) to implement safeguards for several purposes, including preventing misuse of, and unauthorized access to, modification, disclosure or destruction of, personal data. Further, Section 25 deals with breaches of personal data. The clause states that where a data breach is likely to cause harm to the data principal, the data fiduciary must inform the envisaged Data Protection Authority.


In the wake of growing concerns around privacy and cybersecurity, threats (including politically motivated ones) are being evaluated by the government, and prohibitions relating to vulnerable sections of the population (children) and high-risk applications (including e-commerce platforms) have been put in place.


COMBATING CYBER CRIME IN AN INTERCONNECTED WORLD


One of the most relevant examples of these times is the corporate world's heavy dependence on Zoom, which led to a great number of uninvited participants crashing ‘office meetings’ and ‘Zoom parties’ and disrupting the flow of the session. Increasingly, individuals and corporates[8] moved away from the platform to [apparently] stricter platforms for work-related calls. Even inter-governmental bodies like the European Commission moved away from Zoom for work-related calls in the wake of this cyber-threat[9].


Also, because of the perceived incursion of Chinese digital platforms into the ubiquitous web, countries like the United States of America and India quickly moved towards banning Chinese apps[10].


CONCLUSION


Cyber space infringement is a battle that we fight on a daily basis. India needs stringent laws and policy in place to combat these issues. The extant legal framework does not sufficiently address the concerns of the sector, and there is an imminent requirement for a comprehensive legislation to address them.


As we choose to stay connected, we are moving towards the proliferation and assimilation of ever larger data sets interacting with one another (big data, machine learning, artificial intelligence, the Internet of Things); this opens the entire ecosystem to larger threats from malicious actors. It is on individuals as well as body corporates to preserve the confidentiality and integrity of data while ensuring that its availability is not compromised on any front. As we await the impending legislation, companies in the healthcare and banking and financial services sectors are relying on their own technical and organizational security measures to ensure that the data they hold is not corrupted or subjected to unwarranted and unauthorized access. The proactive vigilance shown by body corporates and private individuals is also being supported by the insurance industry, where cyber-security insurance has garnered immense popularity and partly compensates for the lack of an effective legal regime. It is oft said that the future is a click away; it is important that the click does not lead to a pernicious portal.

