securitylinkindia

Technology Laws & Cyber Security Essentials in New Age India

Technology laws have existed in India since 2000; however, with the advent of smart phones and wide internet penetration, the awareness and development of these laws have gradually increased. When I started practicing in cyber laws, smart phones were very new in India – very few people owned them. But we have seen how, during the last decade, society has changed and adapted to technology, and also how technologies are being misused for committing frauds, thefts and other crimes. Over a few years, there has been an exponential rise in cyber-crimes – about 300% in the last one year in India alone.

Today, there is a digital element everywhere. We find cyber-crime all around us, in various forms. Hacking, data theft, unauthorized access and cyber pornography are the most frequently occurring crimes. Besides, the Internet has become a medium to commit conventional crimes such as theft, fraud and adultery. For example, most matrimonial offenses in divorce cases lie in the WhatsApp chats, Facebook posts and e-mails, which contain the evidence of adultery and cruelty. Online matrimonial portals have become the playground for fraudsters who are out to dupe gullible people seeking life partners. Social engineering through phishing and vishing scams is another avenue. I believe almost every reader of this article must by now have received one or another phishing/vishing e-mail with the subject ‘a beautiful woman is seeking a partner’, an e-mail ‘proclaiming you have inherited a fortune’, or a call ‘asking you to reset your debit card PIN number’ – all these clearly show how criminals have evolved from pick pocketing to committing credit/debit card frauds and ATM skimming.

Information Technology Act

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is the primary law in India dealing with cybercrime and electronic commerce. A brief outline of some of the provisions of the Act, as amended in 2008 and read with the Rules thereunder, is given below.

Section 66A

This section was one of the most controversial. It came into the limelight because under this section, arrests could be made for anything that caused annoyance or menace to another on the internet. It was struck down by the Supreme Court as the terms ‘menace’ and ‘annoyance’ are ambiguous and there can be no standard to define what is menacing or annoying for every individual in society.

Section 43A

This Section of the Information Technology Act imposes a liability of up to INR 5 crores on a body corporate that fails to secure the sensitive personal data of any individual, which would include clients, employees and any other third parties whose data is stored by them. This is a very large penalty, and no other law in India imposes such a high penalty. There is a clear distinction between sensitive personal data and information (SPDI) and personal information (PI). SPDI includes, but is not limited to, biometric information, sexual orientation, credit/debit card data, and bank account details and passwords; whereas personal information (PI) includes any information which can be used to identify an individual, like age, name, telephone number, address etc. The Intermediary Guidelines of 2011 render an intermediary liable for failure to protect both SPDI and PI. Indian law is clearly very comprehensive in that it covers PI as well, unlike the laws of many countries which offer protection to SPDI only.

There are provisions penalizing theft where any person receives or retains a stolen computer device, including smart phones (Section 66B); identity theft where one uses the identity of someone else on the internet (66C); and cyber impersonation where one impersonates someone else on the Internet (66D), including offenders who make fake social media profiles. Sections 67, 67A and 67B deal with cyber pornography, but do not render online pornography illegal.
Creating and distributing pornography online is an offence; however, downloading the same for private viewing is not an offence, with the exception of child pornography, where even downloading is an offence.

Duty of companies (Section 72A)

Companies have a duty to protect the data of their clients and users, especially if the same is contractually agreed. In case of failure, they are penalized under Section 72A of the Act.

The Act defines an ‘Intermediary’ as any person who on behalf of another person stores or transmits a message or provides any service with respect to that message. This definition includes telecom service providers, internet service providers, web-hosting service providers, search engines, online-payment sites, online auction sites, online market places and cyber cafes.

Section 79 of the Act is very crucial and provides respite to Intermediaries, to some extent, from an absolute liability. The requirement for liability under this section is the receipt of actual knowledge of the offence by the Intermediary, and it has been combined with a notice and take down duty. There is a time limit of 36 hours to respond to such a request, and if an intermediary refuses to do so, it can be dragged to the court as a co-accused. These safe harbour provisions are available under the Amendment Act of 2008 only to an intermediary whose function is limited to giving access to a communication network over which information, made available by the third party, is transmitted or temporarily stored, or where the intermediary does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission.

Authorities under the Act

Cases of violations of the Information Technology Act are filed before the Adjudicating Officer appointed under this Act – one for each State. Appeals from the orders passed by the Adjudicating Officer are filed before the Cyber Appellate Tribunal in New Delhi.
The Court of the Adjudicating Officer is bound by the Rules of the Civil Procedure Code. An appeal from the Order of the Cyber Appellate Tribunal lies before the High Court, and appeals from all matters of the High Court lie before the Supreme…


Adopting New Approach to Cyber Security

In the last few years, cyber security has assumed tremendous significance. The number of cyber security breaches is growing with each passing day. As a result, the annual cost of cybercrime is constantly increasing. As per a recent survey, it has been estimated that the total global cost of cybercrimes is expected to cross USD 6 trillion by 2021. Hence, the protection and preservation of cyber security becomes an important priority for all stakeholders.

Author: Pavan Duggal – Advocate, Supreme Court of India; Head, Pavan Duggal Associates, Advocates; & President, Cyberlaws.net

In the Indian context, it is perceived that cyber security is primarily a governmental responsibility. However, nothing could be further from the truth. Cyber security as a phenomenon refers to the security of computer networks and computer systems which are used for accessing the electronic ecosystem. While it is absolutely clear that the Government is responsible for protection of cyber security of governmental networks, it also needs to be appreciated, in the peculiar context of Indian conditions, that a large number of computer systems constituting critical information infrastructure of the country are located in private hands. Examples include telecommunication networks, insurance networks and private banking networks, apart from private medical health networks. In such a scenario, therefore, it becomes imperative that the private sector also appreciates its responsibility of protecting and preserving cyber security.

Worldwide, the private sector is now increasingly being exposed to legal consequences for its failure to put in place security mechanisms to prevent hacking and other unauthorized access or cyber security breaches. The Ashley Madison website hacking case has brought to the forefront a renewed sensitization to a new kind of legal liability. The online dating website for married persons was hacked and subscriber details were made available.
Consequently, legal actions have already been filed in the US for damages for the failure to put in place adequate security to protect the confidentiality of consumers’ data. Increasingly, companies now need to be prepared for the possibility that they could be sued for cyber security breaches, and hence need to incorporate proactive cyber security legal compliances as an integral part of their day-to-day business operations.

When one specifically examines the Indian context, it is clear that India does not have a dedicated law on cyber security. Indian cyber law is grounded in the Information Technology Act, 2000, which is a jack of all trades and master of none. The 2008 amendments to it incorporated various cosmetic changes, including giving a definition of cyber security. The definition of cyber security inserted by virtue of the Information Technology (Amendment) Act, 2008 is broad enough to mean protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. Some provisions pertaining to breach of cyber security were added in the Information Technology Act, 2000, but they have not been invoked frequently or efficiently.

Indian cyber law has also come up with the concept of intermediaries. All private and governmental service providers providing services on the network or dealing with third-party data are classified as intermediaries. Intermediaries under Indian cyber law are mandated to exercise due diligence while discharging their obligations under the law. Consequently, some parameters of due diligence were incorporated. Where an intermediary deals with or handles sensitive personal data, additional compliances have been stipulated. Intermediaries are mandated to implement and maintain reasonable security practices and procedures while they deal with, handle or process third-party data.
The ISO 27001 standard has been recognised as one such methodology of reasonable security practices and procedures. However, when one looks at the complete set of duties and obligations stipulated for intermediaries, one will quickly realize that intermediaries have not been saddled with the responsibility for ensuring protection and preservation of cyber security. It will be a great step forward if the intermediaries are also handed the responsibility to protect and preserve cyber security. This becomes all the more important as cyber security is only as strong as its weakest link, and therefore the service providers need to be given the mandatory responsibility to contribute towards protection of cyber security. World over, intermediaries are now increasingly being saddled with these kinds of responsibilities. Further, it is very unfair to expect that the Government would protect networks of the intermediaries when they are dealing with, handling or processing third-party data.

As such, Indian law needs to take a stride forward. India needs to come up with a dedicated law on cyber security and needs to specifically address the various complex, complicated yet interconnected issues concerning cyber security ecosystems, whether it is encryption, protection of critical information infrastructure, surveillance, monitoring, online liberty, privacy or any other aspect.

The announcement of the Digital India program has been met with tremendous enthusiasm. For the success of governmental programs like Digital India and Make in India, it becomes imperative that more focus be put on cyber security and on compliance with connected regulations by all stakeholders. As time passes, India has to start inculcating the culture of cyber security as a way of life. We need to ensure that education concerning cyber security and cyber law starts at a very early age as an integral part of the school curriculum.
In this regard, appropriate reforms in the education curriculum need to be put in place. Cyber security today presents a large number of challenges, and as such legal frameworks need to have appropriate flexibility so as to meet the emerging challenges of the evolving paradigm of cyber security as time passes.


India Risk Review 2018

Security needs collaboration at individual, organizational, industrial, national and global levels. Networking and knowledge sharing are the key drivers for mitigating challenges in today’s complex security environment. India dealt with the economic implications of big-ticket items like demonetization and GST. Even as the violence levels of the Maoist and Northeast insurgencies showed a downward trend, Jammu & Kashmir remained on the boil. Along with the unrest in the border states of the country, civil disturbances in the Indian heartland have continued to occur, with various special interest groups agitating to get their demands met – prominent among them being the farmers and identity-based groups. Meanwhile, cyber security continued to be an area of concern during 2017 as in the previous years, with cyber-attacks like ‘WannaCry’ occurring frequently.

The year gone by was tumultuous, and a defining one for India from the economic and security perspective. The twin macroeconomic initiatives, in the form of remonetisation and introduction of GST, brought about a major upheaval in the cash-dependent Indian economy, whose overall impact would be felt in the ensuing years. GST, despite some infirmities, gave a boost to the federal structure and would be a unifying factor by acting as a catalyst for seamless interstate trade. The GST council will become a powerful forum for economic equity. The Indian economy, buoyed by reforms and upgradation of the ease of doing business index, would grow significantly in the next few years. The political scenario continued to get increasingly polarised, with caste and communal politics making a comeback. Slow job growth in the hinterland continues to pose risks of social unrest, fanned by political rhetoric, and would need careful monitoring. The internal security scenario showed improvement and this trend would continue.
The Rohingya refugee crisis has been handled satisfactorily by the government, else it would have posed some long-term security risks. Overall, 2018 would usher in improved economic dynamics and a reasonably stable security scenario.

– Lt. Gen. Sudhir Sharma (Retd.), PVSM, AVSM, YSM, VSM, Chairman, MitKat

As we move into 2018, security professionals world-wide will face more dynamic and evolving security threats. Along with other traditional security threats, terrorism and geopolitical stress will remain areas of concern, as will non-traditional threats in both the physical and cyber realms. Civil unrest, agitations and protests by parties and groups will continue to disrupt business activities, especially in the major cities. Natural hazards such as floods, cyclones and other extreme weather events will pose an increasing threat to security and business continuity. Keeping in view the ever-changing security environment in India, it is important to constantly monitor the external threats.

Overall business climate in India in 2018

India adopted a variety of economic reform measures during 2017, most notably the implementation of the Goods and Services Tax (GST) and the demonetization drive, which have impacted Indian businesses across the economic spectrum. In October 2017 the International Monetary Fund (IMF) slashed India’s growth forecast by 0.5 percentage points to 6.7 per cent in 2017. It has also lowered the growth projection for 2018 to 7.4 per cent from its earlier estimate in April and June of 7.7 per cent. The IMF forecast is in line with a number of recent projections that have scaled down India’s growth prospects for the fiscal due to disruptions from demonetization and GST, despite the government’s strong defense of the moves. GDP growth hit a three-year low of 5.7 per cent in the first quarter of the fiscal. However, the IMF is more optimistic about medium-term growth prospects for India through gains from the new indirect tax levy.
India jumped 30 spots in the rankings to 100th place out of 190 countries in the recent World Bank Doing Business report. The Central Government also plans to release a state-wise ease of doing business ranking by February 2018 in order to encourage competition and increase transparency. Another vote of confidence in the Indian economy has been the upgrading of India’s sovereign rating by Moody’s to Baa2 (Investment Grade – Stable Outlook), the first such upgrade after 13 years. The rationale behind this upgrade is a strong acknowledgment and endorsement of the structural reforms of the past three years, which are slowly but surely fructifying. Deep-rooted and far-sighted reforms like financial inclusion (getting the poorest access to the formal banking system) and direct benefit transfer of subsidies (thereby minimizing pilferage) have significantly strengthened the economy. PSU bank recapitalization, aimed at reducing the problem of NPAs in the banking system, is another positive step. Bold foreign direct investment reforms have taken place in 21 sectors, along with significant reforms in the defence, railways, construction, insurance, pension, civil aviation and pharmaceuticals sectors.

Top Business Risks in 2018

Public protests/strikes

Public protests resulted in serious disruptions during 2017; most of the protests were spearheaded by farmer unions, labour unions, textile workers and bank employees. The textile industry has suffered a loss of an estimated INR 40,000 crore due to the protest against GST since July 1. The protest by bank employees all over India also led to losses of billions of rupees, and this was also reflected in the stock markets over the next few days. Protests against infrastructure projects and land acquisition have also had a significant impact and will continue to do so in 2018 owing to the larger time frame of these projects.
The blockade and protests against the Vizhinjam transshipment port led by local fishermen resulted in large losses and delays.

Natural disasters

Major metropolitan cities continue to remain underprepared to handle severe flooding resulting from the annual monsoons, which usually run from June to September. Many parts of Mumbai, Delhi and Gurgaon, Bengaluru, Hyderabad, and Kolkata are submerged due to waterlogging, resulting in severe disruption to businesses. Extreme flooding brought Mumbai to a standstill in July 2017. India on average suffers an economic loss of US$7 billion each year because of floods, according to the United Nations. In Assam over 5,300 hectares of agricultural…
