Let's Build a Responsible Cyber Society



Are You ITA 2008 Compliant?

Every company CEO in India needs to ask himself this question: “Are we ITA 2008 compliant?” Every Director of a company, and every IAS officer in charge of an e-governance project, should ask himself the same question.

If he does not know the answer, it is time to explore what the compliance prescription is under ITA 2008, the amended Information Technology Act 2000, which was notified for effectiveness from October 27, 2009.

For simplicity, let me say ITA 2008 is bigger than SOX, bigger than HIPAA, bigger than the Data Protection Act, if you know what these terms mean.

Why? Because non-compliance with ITA 2008 can bring financial liabilities to your company and may even land the CEO or a Director in jail.

Let’s see some of the areas that should make a CEO sit up and take notice.

Any company which receives, stores or transmits data on behalf of another person has an obligation to exercise “Due Diligence”, which inter alia includes:

a) Identifying which of the information is “Sensitive Personal Information”

b) Following reasonable security practices to protect it

c) Understanding the data retention requirements and implementing systems to comply with them

d) Understanding that the GOI has the powers to block, intercept or ask for data decryption keys, information on data traffic, etc.

e) Conducting an e-audit, as expected of you, of all the documents you maintain in e-form

f) Adhering to the encryption policies as may be announced, etc.

g) Ensuring that access to information is not even provided to others without the permission of the owner of that information

h) Ensuring that any security obligations agreed to in a contractual agreement are not breached

Failure to comply with the above may result in damages payable for which there is no specified upper limit, besides possible imprisonment of up to 7 years.

It is also necessary for companies to understand that even if any of their employees contravene the provisions of the Act, including by committing personal offences such as searching for child pornography using the corporate network, there could be vicarious liabilities on the organization and its Directors and Executives.

Prevention of these liabilities requires a Cyber Law Compliance Programme with special focus on ITA 2008. Even if the organization is ISO 27001 certified, it is recommended that the organization should review its security and examine ITA 2008 compliance.

The clock has already started ticking from October 27, 2009. All company secretaries need to immediately put up a note to their Board that a Board meeting is called for to examine the risk exposure of the company to ITA 2008 and to recommend necessary action. This is the first step in due diligence under ITA 2008 for a corporate entity.

Hope your company has started the compliance drive. Wish you all the best.

Just in case you need to clarify what more needs to be done, check www.naavi.org for more information.



November 4, 2009




 Comments are Welcome at naavi@vsnl.com