CIOs and the Cyber Law
Added 24th Aug 2011

The question that would occur to any CIO is: Why should I look at Indian cyber law? Isn't that the job of the legal department?
Nothing, however, could be further from the truth. Today, the Indian cyber law is increasingly becoming a centre-stage force, one that impacts any company's operations and activities done using computers, computer systems, computer networks, and data and information in the electronic form.

The Indian cyber law is India's 'mother legislation' and impacts all activities within the physical boundaries of India that are associated or connected with the use of computers, computer systems, computer networks, computer resources and communication devices, and data and information in the electronic form.
The Long Road Cyber Law
The Information Technology Act, 2000, was initially meant to be an e-commerce-enabling legislation and focused on providing a legal framework that gave legal validity and enforceability to e-commerce transactions. Over time, there were demands for a change in the law so that it could keep up with changing times.

Meanwhile, a lot of other developments took place. The Baazee.com case generated tremendous discussion on the liability of network service providers. The Government of India set up committees at various points in time to look at proposed amendments.
Then the 26/11 Mumbai attack occurred. These attacks reminded the Government of India of how technology could be misused to impact the sovereignty and integrity of India. Within a month of the attack, the Information Technology (Amendment) Act, 2008 was passed. These amendments came into effect on 27 October 2009.
The amended Indian cyber law covers a wide spectrum of activities. Some focus areas of the amended cyber law are mentioned here.

For the first time, the Indian cyber law has defined the concept of cyber security in a legal manner. Cyber security is defined under Section 2(1)(nb) of the amended Information Technology Act, 2000, to mean protecting information, equipment, devices, computer, computer resources, communication devices and information stored in them from unauthorized access, use, disclosure, disruption, modification or destruction.
Various service providers and stakeholders have been saddled with duties and obligations for the purposes of protecting and preserving the cyber security of computer systems and computer networks. The law has increased the liability of paying damages by way of compensation for a variety of activities that are done using computers, computer systems, and computer networks.

Further, diminishing the value and utility of electronic information residing in a computer resource without authorization has been made a ground for seeking unlimited damages by way of compensation. Compensation up to Rs 5 crore per contravention can be sought in summary adjudicatory proceedings under the Information Technology Act, 2000, while damages by way of compensation beyond Rs 5 crore can be sought in a court of competent jurisdiction.
The Privacy Law
Further, the law has gone ahead and elaborated on the liability of legal entities who handle, deal with, or process sensitive personal data. Any legal entity who handles, processes, or deals with sensitive personal data is required to maintain reasonable security practices and procedures to ensure the protection of the confidentiality of such data. If they fail to follow reasonable security practices and procedures while handling, dealing with, or processing sensitive personal data or information, and thereby cause loss to any person, then the affected person can sue them for unlimited damages by way of compensation.

On 11th April 2011, the Government of India notified rules and regulations under the amended Information Technology Act, 2000. The Government has not only defined the nuances of various broad parameters given under the Act but has also sought to set up a parallel data protection legal regime. On the same day, the Government of India notified four sets of rules which are commonly known as the Information Technology Rules, 2011. These rules have not only defined what constitutes sensitive personal data, but also define various security parameters that need to be adhered to while dealing with sensitive personal data.
The law now provides that sensitive personal data or information means such personal information which consists of information relating to:

- passwords;
- financial information such as bank account, credit card, debit card, or any other payment instrument details;
- physical, physiological, and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any details relating to the above clauses as provided to a body corporate for providing service; and
- any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

So if you are a CIO and your company deals with these kinds of sensitive personal data or information, then you need to be concerned. You need to ensure compliance with the law. You further need to ensure that your organization complies with reasonable security practices and procedures. As a CIO, you need to ensure that relevant reasonable security practices are followed by your organization.

Further, the amended Indian cyber law has come up with new parameters for the liability of intermediaries. Intermediaries have been defined in very broad terms to mean, with respect to any particular electronic record, any person who on behalf of another person receives, stores, or transmits that record or provides any service with respect to that record. If your company is an intermediary, then as a CIO it will be prudent for you to ensure that the company is compliant with these mandated rules. Non-compliance with these parameters will expose not just the top management of your company but also you to two kinds of liabilities: civil liability of imprisonment and fine; and also criminal liability of paying damages by way of compensation.

The new amended Indian cyber law has brought in a new era of compliances impacting data and information in the electronic form. Every CIO now has to ensure that compliance under the Indian cyber law is done effectively. Only in ensuring such compliances is the nirvana for the future.