New Cyber Security Infrastructure unveiled by Information Technology Act 2000 Amendment

     [P.S: Comments made herein are the first reactions based on the Bill. 
     Further developments in the form of rules and notifications are awaited. 
     Naavi]

     The unveiling of the amendments that have transformed ITA 2000, India's 
     landmark cyber legislation first enacted with effect from October 17, 2000 
     (the amended Act is herein referred to as ITA 2008), has brought a new 
     focus on Information Security in India.
     
     So far, Information Security experts have spoken of "Cyber Law 
     Compliance" as a part of "Techno Legal Information Security" and have 
     advised companies to formulate an appropriate plan of action to comply 
     with cyber laws as a part of their IS practice. Now this association of 
     Cyber Law with the Information Security domain has gained additional 
     importance because of certain amendments made to ITA 2000.
     
     The amended Act is making a sincere effort to bring in a complete 
     information security infrastructure into the industry.
     
     Definition:
     
     The first observation we can make in this regard is the new legal 
     definition given to the term "Cyber Security" under the newly inserted 
     Section 2(nb), which states as under.
     
       Section 2 (nb) (Inserted Vide ITAA 2008)
       
       "Cyber Security" means protecting information, equipment, devices, 
       computer, computer resource, communication device and information 
       stored therein from unauthorized access, use, disclosure, disruption, 
       modification or destruction.
     
     
     The term covers both the physical security of devices and the 
     information stored therein. It covers "Protection from unauthorised 
     access, use, disclosure, disruption, modification and destruction".
     
     To support the development of the Cyber Security infrastructure, the 
     amendments also focus on:
     
     a) Defining penalties for violation
     
     b) Defining an appropriate level of compensation
     
     c) Setting up an authority for implementation
     
     
     Penalties for Violation
     
     In defining the penalties for violation, we may note in particular that 
     a new offence has been defined which recognizes the need to specifically 
     penalize the "Theft" of computers or other communication devices.
     
     Under the newly added Section 66B, the receiver of a stolen computer 
     resource may be liable for punishment.
     
     The section reads:
     
       Sec 66B: Punishment for dishonestly receiving stolen computer resource 
       or communication device (Inserted Vide ITA 2008)
       
       Whoever dishonestly receives or retains any stolen computer resource or 
       communication device knowing or having reason to believe the same to be 
       stolen computer resource or communication device, shall be punished 
       with imprisonment of either description for a term which may extend to 
       three years or with fine which may extend to rupees one lakh or with 
       both.
     
     
     Under this section, receiving a stolen computer, a mobile, or even a CD 
     or an e-mail containing stolen information may be punishable with three 
     years of imprisonment. The offence would be cognizable and compoundable. 
     To be liable, the person must have received the item "Dishonestly" and 
     must be aware that it is "Stolen".
     
     With this section, the Police may book all mobile theft or laptop theft 
     cases under it. So far we were trying to convince the Police that any 
     theft of a computer device would be "Diminishing the value of information 
     residing therein" and therefore should be booked under Section 66. Now it 
     may be easier to convince the Police.
     
     Along with the changes made to Sections 78 and 80 of ITA 2000, which 
     bring the level of investigation down from DSPs to Inspectors, the number 
     of complaints that need to be registered as "Cyber Crimes" will now 
     increase manyfold, and the Police will need to work overtime to get 
     trained in the handling of Cyber Crimes.
     
     Additionally, Section 43 read with other changes increases the possible 
     compensation from a maximum of Rs 1 crore to even beyond Rs 5 crores. 
     Though the fast-track "Adjudication" is restricted to cases where the 
     compensation claimed is up to Rs 5 crores, there is no upper limit on the 
     compensation that may be claimed.
     
     The newly added Section 43(j) expands the cases in which compensation can 
     be claimed to include the case of a person who, without the permission of 
     the owner of a computer or computer resource,
     
       "steals, conceals, destroys or alters or causes any person to steal, 
       conceal, destroy or alter any computer source code used for a computer 
       resource with an intention to cause damage,"
     
     
     In this section, "Computer Source code" means "the listing of 
     programmes, computer commands, design and layout and programme analysis 
     of computer resource in any form". This again makes it easier for the 
     Police to understand how to treat a complaint from a software company 
     about stolen data.
     
     The penalty for stolen data does not end with the perpetrator of the 
     offence as far as the victim is concerned. The provisions on "Data 
     Protection" extend the liability for lack of Cyber Security to the 
     Companies too.
     
     Under the newly introduced Section 43A, 
     
       Where a body corporate, possessing, dealing 
       or handling any sensitive personal data or information in a computer 
       resource which it owns, controls or operates, is negligent in 
       implementing and maintaining reasonable security practices and procedures 
       and thereby causes wrongful loss or wrongful gain to any person, such 
       body corporate shall be liable to pay damages by way of compensation, to 
       the person so affected. 
     
     It may be noted that there is no upper limit to the liability under this 
     section.
     
     In understanding the responsibilities under this section, the term 
     "Reasonable Security Practices" becomes vital. As per the explanation to 
     the section,
     
       "reasonable security practices and procedures" means 
       security practices and procedures designed to protect such information 
       from unauthorised access, damage, use, modification, disclosure or 
       impairment, as may be specified in an agreement between the parties or as 
       may be specified in any law for the time being in force and in the 
       absence of such agreement or any law, such reasonable security practices 
       and procedures, as may be prescribed by the Central Government in 
       consultation with such professional bodies or associations as it may deem 
       fit.
     
     
     Additionally, under Section 72A, there is a provision for criminal 
     prosecution for breach of information security. The section states:
     
       Save as otherwise provided in this Act or any other law for the time 
       being in force, any person including an intermediary who, while 
       providing services under the terms of lawful contract, has secured 
       access to any material containing personal information about another 
       person, with the intent to cause or knowing that he is likely to cause 
       wrongful loss or wrongful gain discloses, without the consent of the 
       person concerned, or in breach of a lawful contract, such material to 
       any other person shall be punished with imprisonment for a term which 
       may extend to three years, or with a fine which may extend to five lakh 
       rupees, or with both.
     
     Note again that this offence is cognizable.
     
     Further, under Section 85, the Company as well as its Directors or 
     Officers in charge of business "shall be" held guilty of the offence if 
     it is committed "by the Company". Thus the "Vicarious Liability" of 
     Companies for "Data Protection" has been hardened.
     
     Under Section 67C, a further responsibility has been cast on 
     "Intermediaries" (which now includes body corporates) to retain 
     information for a certain time to be specified by the Central Government. 
     The section reads:
     
       (1) Intermediary shall preserve and retain such information as may be 
       specified for such duration and in such manner and format as the 
       Central Government may prescribe.
       
       (2) Any intermediary who intentionally or knowingly contravenes the 
       provisions of sub section (1) shall be punished with an imprisonment 
       for a term which may extend to three years and shall also be liable to 
       fine.
     This is an important provision that will pull up ISPs, MSPs and others 
     who today shirk the responsibility of preserving information that would 
     serve as evidence in case of Cyber offences. (The duration for which 
     information has to be preserved needs to be prescribed in the rules and 
     notifications.)
     
     As part of the need to monitor Cyber Security, under Section 69B,
     
       (1) The Central Government may, to enhance 
       Cyber Security and for identification, analysis and prevention of any 
       intrusion or spread of computer contaminant in the country, by 
       notification in the official Gazette, authorize any agency of the 
       Government to monitor and collect traffic data or information generated, 
       transmitted, received or stored in any computer resource.
       (2) The Intermediary or any person in-charge of the Computer resource 
       shall when called upon by the agency which has been authorised under 
       sub-section (1), provide technical assistance and extend all facilities 
       to such agency to enable online access or to secure and provide online 
       access to the computer resource generating, transmitting, receiving or 
       storing such traffic data or information.
       (3) The procedure and safeguards for 
       monitoring and collecting traffic data or information, shall be such as 
       may be prescribed.
       (4) Any intermediary who intentionally or 
       knowingly contravenes the provisions of sub-section (2) shall be punished 
       with an imprisonment for a term which may extend to three years and shall 
       also be liable to fine.
       
         Explanation: For the purposes of this 
         section,
         (i) "Computer Contaminant" shall have the 
         meaning assigned to it in section 43
         (ii) "traffic data" means any data 
         identifying or purporting to identify any person, computer system or 
         computer network or location to or from which the communication is or 
         may be transmitted and includes communications origin, destination, 
         route, time, date, size, duration or type of underlying service or any 
         other information.
       
     
     Implementation Mechanism
     
     Apart from opening up the registration and investigation of Cyber Crimes 
     to the Inspector level, a new national "Nodal Agency" comes into being 
     for the implementation of Cyber Security.
     
     Under Section 70 (B) (4),
     
       The Indian Computer Emergency Response Team shall serve as the national 
       agency for performing the following functions in the area of Cyber 
       Security,-
       
       (a) collection, analysis and dissemination of information on cyber 
       incidents
       (b) forecast and alerts of cyber security incidents
       (c) emergency measures for handling cyber security incidents
       (d) Coordination of cyber incidents response activities
       (e) issue guidelines, advisories, vulnerability notes and white papers 
       relating to information security practices, procedures, prevention, 
       response and reporting of cyber incidents
       (f) such other functions relating to cyber security as may be 
       prescribed
       
     
     Under Section 70 (B) (6),
     
       For carrying out the provisions of sub-section (4), the agency referred 
       to in sub-section (1) may call for information and give direction to 
       the service providers, intermediaries, data centers, body corporate and 
       any other person
     
     Under Section 70 (B) (7),
     
       Any service provider, intermediaries, data centers, body corporate or 
       person who fails to provide the information called for or comply with 
       the direction under sub-section (6), shall be punishable with 
       imprisonment for a term which may extend to one year or with fine which 
       may extend to one lakh rupees or with both.
     
     The cumulative effect of the above provisions of ITA 2008 is to create a 
     new Cyber Security implementation infrastructure in India, and this is 
     considered a highly positive development in the industry.
     
     The next steps to be watched are of course how the provisions would be 
     actually implemented through appropriate rules and regulations.
     
     Naavi
     
     December 27, 2008