Technology Laws & Cyber Security Essentials in New Age India
Technology laws have existed in India since 2000; however, with the advent of smartphones and wide internet penetration, awareness and development of these laws have gradually increased. When I started practicing in cyber laws, smartphones were very new in India – very few people owned them. But we have seen how, during the last decade, society has changed and adapted to technology, and also how technologies are being misused for committing frauds, thefts and other crimes. Over a few years, there has been an exponential rise in cyber-crimes – about 300% in the last one year in India alone.
Today, there is a digital element everywhere. We find cyber-crime all around us, in various forms. Hacking, data theft, unauthorized access and cyber pornography are the most common crimes. Besides, the Internet has become a medium to commit conventional crimes such as theft, fraud and adultery. For example, most matrimonial offenses in divorce cases lie in the WhatsApp chats, Facebook posts and e-mails, which contain the evidence of adultery and cruelty. Online matrimonial portals have become the playground for fraudsters who are out to dupe gullible people seeking life partners. Social engineering, by way of phishing and vishing scams, is another. I believe almost every reader of this article must by now have received one or the other phishing/vishing email with the subject ‘a beautiful woman is seeking a partner’ or an e-mail ‘proclaiming you have inherited a fortune,’ or a call ‘asking you to reset your debit card PIN number’ – all these clearly show how criminals have evolved from pickpocketing to committing credit/debit card frauds and ATM skimming.
Information Technology Act
The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is the primary law in India dealing with cybercrime and electronic commerce. A brief outline of some of the provisions of the Act, as amended in 2008 and read with the Rules thereunder, is given below.
Section 66A
This section was one of the most controversial. It came into the limelight because, under this section, arrests could be made for anything that caused annoyance or menace to another on the internet. It was struck down by the Supreme Court, as the terms ‘menace’ and ‘annoyance’ are ambiguous and there can be no standard to define what is menacing or annoying for every individual in society.
Section 43A
This Section of the Information Technology Act imposes a liability of up to INR 5 crores on a body corporate that fails to secure the sensitive personal data of any individual, which would include clients, employees and any other third parties whose data is stored by it. This is a very large penalty, and no other law in India imposes such a high penalty.
There is a clear distinction between sensitive personal data and information (SPDI) and personal information (PI). SPDI includes, but is not limited to, biometric information, sexual orientation, credit/debit card data, and bank account details and passwords; whereas personal information (PI) includes any information which can be used to identify an individual, like age, name, telephone number, address etc.
The Intermediary Guidelines of 2011 render an intermediary liable for failure to protect both SPDI and PI. Indian law is clearly very comprehensive in that it covers PI as well, unlike the laws of many countries which offer protection to SPDI only.
There are provisions for penalizing theft where any person receives or retains a stolen computer device, including smartphones (Section 66B); identity theft, where one uses the identity of someone else on the internet (66C); and cyber impersonation, where one impersonates someone else on the Internet (66D), including offenders who make fake social media profiles.
Sections 67, 67A and 67B deal with cyber pornography, but do not render online pornography illegal. Creating and distributing pornography online is an offence; however, downloading the same for private viewing is not an offence, with the exception of child pornography, where even downloading is an offence.
Duty of companies (Section 72A)
Companies have a duty to protect the data of their clients and users especially if the same is contractually agreed. In case of failure, they are penalized under Section 72A of the Act.
The Act defines an ‘Intermediary’ as any person who on behalf of another person stores or transmits a message or provides any service with respect to that message. This definition includes telecom service providers, internet service providers, web-hosting service providers, search engines, online-payment sites, online auction sites, online market places and cyber cafes.
Section 79 of the Act is very crucial and provides respite to Intermediaries, to some extent, from an absolute liability. The requirement for liability under this section is the receipt of actual knowledge of the offence by the Intermediary, and it has been combined with a notice and take down duty. There is a time limit of 36 hours to respond to such a request, and if an intermediary refuses to do so, it can be dragged to the court as a co-accused.
These safe harbour provisions are available under the Amendment Act of 2008 only to an intermediary whose function is limited to giving access to a communication network over which information, made available by the third party, is transmitted or temporarily stored or where the intermediary does not initiate the transmission, does not select the receiver of the transmission and does not select or modify the information contained in the transmission.
Authorities under the Act
Cases of violations of the Information Technology Act are filed before the Adjudicating Officer appointed under this Act – one for each State. Appeals from the orders passed by Adjudicating Officer are filed before the Cyber Appellate Tribunal in New Delhi. The Court of the Adjudicating Officer is bound by the Rules of the Civil Procedure Code.
An appeal from the Order of the Cyber Appellate Tribunal lies before the High Court, and appeals from all matters of the High Court lie before the Supreme Court.
New avenues in Information Technology Laws
Technology has advanced and the laws intend to encompass all the new developments too.
E-commerce
E-commerce laws are a specialization in Cyber laws that covers everything from terms & conditions to FDI in e-commerce. It is a full spectrum of all legal aspects involved in the e-commerce business.
Blockchain legal compliance
Blockchain means distributed ledger. Blockchain laws are another new arena in technology laws. The ledger contains a continuous and complete record (the chain) of all transactions performed which are grouped into blocks. A block is only added to the chain if the nodes, which are members in the block chain network with high level computing capacity.
Blockchains have legal issues associated with them such as –
- As the nodes can be placed anywhere in the world, a blockchain can cross the boundaries of jurisdiction.
- Risk to customers of trading in case of accounts settled or not correctly settled.
- Ownership of Intellectual Property.
- Data privacy of end users.
- Working with decentralised autonomous organisations.
Internet of Things (IoT) legal compliance
With the advent of smart technology and machine-to-machine communication which is nothing but the Internet of Things, there are a large number of legal issues which have to be addressed by the IoT companies and multiple compliances needed from their end. Data Controllers and Data Processors are within the ambit of IoT companies.
The main legal issues for IoT Companies are –
- Liabilities of Data Processors because of non-compliance with privacy laws and information technology laws and Rules.
- Liability for acts of sub-processors appointed by Data Processors.
- Liability of suppliers in handling personal data and compliance with privacy regulations.
IoT Companies need to implement the following –
- Privacy impact assessment.
- Information technology law compliance audit.
- Implementation of privacy by design and privacy by default.
- Adoption of security by design methodology.
Smart city legal compliance
Smart cities are connected with the usage of vast amounts of data, in keeping with the development of technology and innovations. We enable these companies to comply with laws on protection of personal data along with the Intellectual Property Laws.
Smart Cities compliances –
- Regulations pertaining to innovation and communication technologies.
- Data Protection laws and compliance.
- Privacy laws.
- Cyber security and information technology law compliance.
- Environment protection legislations.
- Intellectual property rights compliance and licensing.
- Banking and finance laws.
- Procurement rules.
- Laws regulating energy.
Artificial intelligence laws
Till now, the law has governed the conduct of humans or sometimes machines, but what if machines become like humans and perform all the functions which could otherwise be performed by humans only? This is where Artificial Intelligence comes into the picture. For example, a car is driven by a human, and if there is an accident the driver is held liable; but what if the car is auto-driven? In this case the negligence comes to the car makers and the person who designs the model. So the government needs to interfere here, to standardize the model and avoid such conflicts. As there are regulatory bodies introduced, there are legal compliances also. Organizations need to get legally secure while developing or distributing artificial intelligence based products.
FinTech laws
These are provisions of technology law which govern the usage of technology in the financial sector and include the laws governing artificial intelligence aspects of FinTech.
GDPR legal compliance
As the government is making legal obligations for using and storing data in your software or systems, every organization needs to finalize what data it can store and in which format, according to its software category. The government has divided systems into different categories according to their usability and consumer type. GDPR is applicable if you are handling data of any EU citizen or dealing with any EU company, and soon India is also adopting this standard for data privacy.
Methods to combat cyber crimes in companies
Companies need to adopt both proactive and reactive efforts to combat cyber crimes. Reactive methods include cyber forensics and cyber crime investigation. However, proactive methods ensure the cyber safety of the company. The following proactive methods are a must:
- Information technology law compliance audits.
- Cyber security audits.
- Cyber threat intelligence.
- Cyber disaster management. Cyber disaster management and policy development are of key importance as they enable a company to function in an auto-mode and take all necessary steps in case of a cyber disaster ensuring business continuity and reputation protection.
Jan 15, 2018
Author By Advocate Puneet Bhasin