Legal Framework & Background
With the evolution of the technological era and the increasing dependency of businesses and individuals on the internet for their day-to-day tasks, it has become more important than ever to assess the legal framework governing cybersecurity. The central legislation on cybersecurity is the Information Technology Act of 2000 (IT Act) along with its ancillary rules and regulations. The IT Act provides protection for online transactions and for the privacy of personal data stored in the databases of business entities operating online. It also contains provisions to prevent unlawful or unauthorized access to computer systems holding valuable personal data of users. Actions such as hacking, phishing, malware attacks, and identity theft, among others, are made punishable under the IT Act. The administration of these provisions and the handling of cybersecurity threats under the IT Act is carried out by the Computer Emergency Response Team (CERT-In), which was set up by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (CERT-In Rules). Threats of cybercrime are dealt with by the National Cyber Crime Reporting Portal, a government body set up as a redressal platform for crimes perpetrated through the use of the internet. Cyber crimes and cyber security issues are distinct from each other.
The Cyber Crime Reporting Portal defines cyber crimes as “any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of a crime” whereas the CERT-In Rules define issues of cyber security as “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes in data, information without authorization.”
The Indian Government has also divided the cyber security spectrum into two halves, which are the ‘Non-Critical Infrastructure’, which is being regulated by the CERT-In, and the ‘Critical Information Structure’ which is being regulated by the National Critical Information Infrastructure Protection Center (NCIIPC).
CERT-In
The regulatory body of CERT-In performs the functions of collection, analysis, and dissemination of information on cyber security incidents, issuance of guidelines, and advisory work. CERT-In is authorized to seek information and issue directions as it sees fit to service providers, intermediaries, data centers, body corporates, or any individuals. Through the exercise of its powers, it issued the CERT-In directions in the year 2022 to further strengthen the cyber security measures in India.
More recently, on April 28th, 2022, CERT-In issued new regulations addressing cyber security incident reporting, making it obligatory for all Indian companies, service providers, intermediaries, data centers, and businesses to identify and report cybersecurity incidents and data breaches within a time-frame of 6 hours. These new regulations are now a part of Section 70B of the IT Act of 2000. Affected businesses that fail to comply with the 6-hour deadline may face up to 1 year of imprisonment along with significant penalties and non-compliance fines.
NCIIPC
The NCIIPC was established by the Indian Government in the year 2014 under Section 70A of the IT Act of 2000. It is located in New Delhi and is part of the National Technical Research Organization (NTRO). This body is responsible for the ‘Critical Information Structure’, which is defined as “facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”. In essence, this body regulates, monitors, and reports national-level threats to the critical information infrastructure. The NCIIPC has implemented a variety of guidelines for policy guidance, knowledge sharing, and increasing awareness of cybersecurity concerns, so that organizations in the sectors covered by the NCIIPC, specifically power and energy, are able to take preemptive measures.
Information Technology (Amendment) Act of 2008
This was an attempt to amend and re-invigorate the IT Act of 2000. It was passed in the year 2008 and came into effect in 2009. The Amendment Act updated and redefined terms for current use. It broadened the definition of cybercrime and expanded the validation of electronic signatures, among a variety of other improvements: strengthening cybersecurity measures and forensics, providing legal recognition of the cybersecurity of different organizations, establishing a legal framework for digital signatures, and recognizing and regulating intermediaries, among others.
Rules & Regulations under the IT Act
There are other ancillary rules and regulations framed under the umbrella of the IT Act. These are the following:
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, or the SPDI Rules, prescribe the reasonable security practices and procedures to be followed for the collection and processing of sensitive personal data. These rules provide for the regulation of intermediaries, and for penalties and violation fees for cybercrime, cheating, slander, and the censoring/restricting of certain words and phrases, among others.
The Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018 act in tandem with the parent IT Act and other rules and regulations, requiring specific information security measures to be implemented by businesses and legal entities that use protected systems.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, or the Intermediary Guidelines, require intermediaries to implement reasonable security practices and procedures to secure their computer resources and the sensitive or personal information they contain. These intermediaries are also required to report cybersecurity incidents to CERT-In.
Other Cybercrime and Cybersecurity related regulations & Provisions
The Indian Penal Code, 1860 also has penal provisions relating to cybercrime, which include defamation, cheating, fraud, etc. In addition, the Companies (Management and Administration) Rules 2014, which were passed under the ambit of the Companies Act of 2013, require body corporates to ensure that their electronic records and security systems are secure from unauthorized access.
National Cyber Security Strategy 2020
The Indian Government laid down a plan for the improvement of the cyber security framework, which is still being developed pending reviews from the National Security Council Secretariat. The main goal of this strategy is to serve as official guidance to stakeholders, policymakers, and corporate leaders for preventing cyber security incidents, cyber terrorism, and corporate espionage in the online medium. It also aims to improve the quality of cyber security audits so that organizations are better able to review their cybersecurity framework and knowledge. This goal seeks to raise the security standards of cyberspace auditors while encouraging organizations to improve their security setups.
Telecom Regulatory Authority of India (TRAI) & the Department of Telecommunications (DoT)
TRAI is a regulatory body, and the DoT is a separate executive department of the Ministry of Communication in India. Both bodies work hand-in-hand to govern and regulate telephone operators and service providers. In 2018, TRAI released recommendations for telecom providers on the subject of privacy, security, and ownership of data in the telecom sector. In these recommendations, TRAI aims to address new responsibilities in the governance of consumer data, as most digital transactions are made via mobile phones.
Data Protection Bill 2023
The Digital Personal Data Protection Bill, 2023 was recently approved by the Union Cabinet and is set to be tabled in Parliament in the upcoming monsoon session. The Bill aims to protect personal data by empowering the Indian government to protect data and levy penalties on businesses or legal entities that violate its provisions, if and when it is passed. The penalty the Bill authorizes is up to a maximum of Rs.250 crore, with the possibility of raising the cap to Rs.500 crore with the approval of the cabinet. The Bill also paves the way for the formation of a Data Protection Board to monitor the implementation of its provisions, while also aiming to provide for a consent-based data collection method.