CYBER SECURITY LAW IN INDIA

PAVAN DUGGAL
ADVOCATE, SUPREME COURT OF INDIA
HEAD, PAVAN DUGGAL ASSOCIATES, ADVOCATES

Cyber security is becoming an increasingly important priority for a variety of stakeholders across the world. In fact, cyber security has become the most significant buzzword in international affairs. No wonder, majority of national leaders and their respective engagements have underlined the significance of cyber security. Cyber security is such an important priority that no country can close their eyes to the emerging importance of the said subject.

The Hon’ble Prime Minister of India Mr. Narendra Modi has repeatedly underlined the significance of cyber security. So, when cyber security is given prominence by the political leadership of the country, it is bound to become relevant for both the corporate and the governmental sectors.

Cyber security in India is expected to become huge. Gartner has predicted that the size of cyber security market in India will grow very rapidly. Security spending will continue to grow in 2016 when revenue is projected to reach $1.23 billion. Security services (that includes consulting, implementation, support and managed security services) revenue accounted for 57 percent of this total revenue in 2014, and this proportion will increase to 60 percent by 2019.[1]

According to a report by CISO Platform, “as a number of transactions are increasing on the Internet, concerns for security will also increase and create good future growth prospects for the Indian security industry.” [2]

Nasscom estimated the IT Security market at USD77 billion in 2015 and growing at over 8 percent annually.[3]

The aforesaid figures, apart from underlining the significance of cyber security, also need to be a wakeup call for companies operating in India to tighten their belts and have the appropriate relevant compliances in place where protection and preservation of cyber security is concerned.

At this juncture, it is important to understand the Indian position on cyber security. At the outset, it needs to be appreciated that India does not have a dedicated legislation on cyber security. The Author has underlined in the last many years the distinct need for India to have in place a dedicated legislation on cyber security.

However, India has in place different laws which impact cyber security. India has in place its mother legislation to deal with data and information in the electronic form. This is the Indian Cyberlaw being the Information Technology Act, 2000.

At the time when the said legislation was enacted in the year 2000, cyber security was not a priority. In fact, the word “cyber security” didn’t find mention in the said legislation. However, it needs to be stated that the law did come up with provisions which are aimed at protecting the security of computer systems and computer networks e.g. Section 66 of the Information Technology Act, 2000 made hacking a cybercrime and a non-bailable offence punishable with 3 years imprisonment and INR 2,00,000 fine. Further, breach of somebody’s computer systems or computer networks without his permission and the subsequent copying, downloading or extracting of information as also introducing computer contaminants was made a ground for seeking damages upto INR 1,00,00,000.

Meanwhile, India began to see a huge growth of mobile revolution in India. The 26/11 Mumbai attacks were the wakeup call for the Indian Government. Within 30 days of the said attacks, the Government of India had amended the Information Technology Act, 2000 by virtue of the Information Technology (Amendment) Act, 2008. These amendments came into force on 27th October, 2009.

One of the most important feature of the said amendments was that the amended Information Technology Act, 2000 defined the term “cyber security” under Section 2(1)(nb) thereof. By virtue of the 2008 amendments, cyber security has been defined in extremely broad terms under the Information Technology Act, 2000.

Section 2(1)(nb) has given far more wider definition of the term “cyber security” to also incorporate protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.

Thus, the legal concept of cyber security in India is concerned with the protection and preservation of the following:-

a) Information
b) Equipment
c) Devices
d) Computer
e) Computer resource
f) Communication device and
g) All information shared therein.

All the aforesaid need to be protected from the following activities:
a) Unauthorised access.
b) Unauthorised use.
c) Unauthorised disclosure.
d) Unauthorised disruption.
e) Unauthorised modification or
f) Unauthorised destruction.

This definition has now added a new dimension to the concept of cyber security. This definition is also in sync with the current prevailing times, where computers, computer systems, computer networks, computer resources and communication device are increasingly being adopted and used, which can access the Internet and can store huge volumes of information.

Further, the Indian law has also come up with various obligations pertaining to protection and preservation of cyber security. It has recognized that breach of cyber security could lead to criminal consequences and acts. As such, Section 66 of the Information Technology Act, 2000 has been amended to transform into a broad Section to cover all computer related offences. Thus, any act dishonestly or fraudulently breaches the cyber security of a computer system or computer network, would qualify to be an offence as part of the mother umbrella under the computer related offences as defined under Section 66 read with Section 43 of the Information Technology Act, 2000. The said offence has also covered the instances of not just breaching cyber security but also of downloading, copying or extracting data and information in the electronic form on computer systems and computer networks without the permission of the owner or person incharge of the same dishonestly or fraudulently.

Further, the acts of introducing computer contaminants in the computer systems has also been brought within the ambit of computer related offences. Further, diminishing of value and utility of information done dishonestly or fraudulently without the permission of the owner or person incharge of computer system or computer network has also been made as an offence. All the aforesaid acts have now been made as offences punishable with 3 years imprisonment and INR 5,00,000. The coverage of the law is expanded to include variety of instances and acts which could constitute cyber security breaches. However, the law has made the said offences as bailable offences where the person is entitled to bail as a matter of right.

Further, the law has come up with the concept of protected system. The concept of protected system has been defined to include any particular computer system or computer network as protected system and if someone tries to access or misuse the same, that act has been itself made as an offence punishable with life imprisonment and fine.

Further, Section 70B is dedicated to the Indian Computer Emergency Response Team (iCERT) as also its functions, duties and connected issues and offences. As the title of Section 70B states, the Indian Computer Emergency Response Team shall serve as the national agency for incident response. This is an unprecedented step as computer emergency response teams across the world are only teams constituted for the purposes of identifying computer emergencies and the response required to deal with such emergencies. It is pertinent to note that huge powers have been given to Indian Computer Emergency Response Team. iCERT has been given the discretion to call for information for the purposes of carrying out the provisions of Section 70B(4). In that context, iCERT has been given the power to give directions to call for information to any of the following:

a) Service providers
b) Intermediaries
c) Data centres
d) Body corporates; and
e) Any other person

Further, iCERT has also been straddled with the responsibility of coming up with appropriate strategies to inform users of computer emergencies happening in India.

Further, the Indian Cyberlaw has now recognized the concept of intermediaries. The term Intermediary” has been defined to include intermediary with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes Telecom Service Providers, Network Service Providers, Internet Service Providers, Web Hosting Service Providers, Search Engines, Online Payment Sites, Online-Auction Sites, Online Market Places & Cyber Cafes. The intermediaries are mandated to exercise due diligence while discharging their obligations under the law. Various parameters of due diligence has been elaborated under the Information Technology Rules, 2011.

Intermediaries are required to maintain and implement reasonable security practices and procedures while dealing, handling or processing sensitive personal data. The Indian Cyberlaw has already recognized the ISO 27001 standards as standards codifying reasonable security practices and procedures. Further, under the obligations stipulated under the law, the intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

The net result of the aforesaid provisions of law is that all entities who qualify as intermediaries are required to contribute towards protection and preservation of computers, computer systems, computer networks, computer resources and communication devices as also data and information in the electronic form.

Further, given the fact that the concept of intermediary has been defined in very broad terms, the net result of the same is that any company operating in India or doing business in India, either physically in India or not, and its services are available within India, would qualify as intermediary and will have to comply with the cyber security terms under the Indian law. In case, the said legal entity has failed to comply with the said obligations, it could be exposed to numerous legal consequences under the Indian law. The legal entity can be sued for damages by way of compensation in special courts under the Indian law. In addition, the top management of entity could also be exposed to potential criminal liability or could be sent to jail.

Thus, when one looks at the existing cyber legal frameworks in India, the Indian cyber legal frameworks has in place various compliance requirements for companies in India.

Thus, seen in totality the nature and scope of the Information Technology Act, 2000, there are various cyber security compliance requirements for companies operating in India or not physically located within the territorial boundaries of India.

While the law has various compliance requirements for companies, the truth is that majority of companies in India are observing the said compliance requirements in breach rather than in observance. A major portion of the same can be attributed to the lack of awareness of the provisions of the Indian Cyberlaw pertaining to cyber security protection. As such, companies operating in India need to tighten their belts and ensure their documented compliances pertaining to cyber security. It will be imperative that companies must engage into gap analysis to identify and understand their current level of cyber security compliances and further needs to be done by them. Further, companies must take immediate steps to ensure that they are on the right side of the law. Ignorance of law is no excuse in the eyes of law and non-compliance could potentially expose the company and its top management to unpleasant and unwanted legal consequences, both civil and criminal.

Given the fact that security is a constantly evolving paradigm and further given the fact that there is nothing known as absolute security, it will be absolutely essential for companies to have their cyber security law audits and further to ensure compliance with legal requirements in India concerning protection and preservation of cyber security. Further, the law gives wide powers to the Government to take action against companies who do not comply with the law. As such, it will be in the best interests of companies concerned who are operating in India or whose operations impacts computer systems and computer networks physically located in India that they comply with cyber security law requirements in India.

Pavan Duggal Associates, Advocates, as a niche technology law firm, has been assisting various companies in their cyber security law gap analysis and further enhancing them to comply with the relevant provisions of the laws prevailing for the time being in force and to protect them from potential exposure to unwanted legal consequences, both civil and criminal.

This assumes more significance as the field of cyber security is a constantly evolving field. Lot of rapid developments are taking place in India. Further, it has been predicted that cyber security is expected to grow to be very big in the country which is already witnessing a huge mobile revolution. In such a scenario, the growth of cyber security in the Indian legal regime is a growing phenomenon.

India is third in terms of internet users. Its internet protocol (IP) traffic would grow sixfold from 2012 to 2017 at a compound annual growth of 44 per cent, said a KPMG report. Due to this, the spend would depend more on the business model rather than size of the company, said some officials.[4]

Indian market for security infrastructure and services is expected to grow to $1.4 billion by 2017.[5]

The information security market in India is expected to grow by 50% in the next three years, according to KPMG.[6]

Thus, in conclusion, it can be stated that cyber security and its legal requirements are going to be essential for the companies operating in India. Hence, it will be prudent to exercise due diligence under the applicable laws and further will be prudent for the companies to get their cyber security law gap analysis done.

Only in compliance, compliance and compliance with the Indian Cyberlaw lies the way for Nirvana for any legal entity dealing with the digital and mobile ecosystem and running its business operations in India.

The author Pavan Duggal, Advocate, Supreme Court of India, is Asia’s & India’s leading expert and authority on Cyberlaw, Cybersecurity Law & Mobile Law and has been acknowledged as one of the top four Cyber Lawyers in the world. He can be contacted at his email addresses pavan@pavanduggal.com and pavanduggal@yahoo.com. More about the Author is available at www.pavanduggal.com and .