“Data is more like sunlight than oil …. it is like sunshine, we keep using it, it keeps regenerating”, said the Google Chief Financial Officer, Ruth Porat. However, one never knows as to when this usage and regeneration disguises itself into misappropriation. Data in its crudest form can be used in a manner which is beneficial to the one generating the data, the one who processes it, and anyone who is consuming it. The issue which percolates to the lowest levels, is the security of managing/handling the copious volumes of data which is freely available in this digital ecosystem. As long as you are connected to the internet, you run the risk of being accessible to anyone else who is on the internet, and this applies to your data as well.
Cyber space crime has spared none. It has penetrated all major sectors including, the banking and finance, commercial facilities, postal services, transportation, e-retail platforms, etc. It is present in the form of phishing and social engineering, malware, spear phishing, ransom ware, hacking, software piracy, pornography, cybersquatting, etc.
Some of the major cyber-attacks that have taken place in India in the past are the Union Bank Of India Heist (2016), Wannacry Ransomware (2017), Data Theft At Zomato (2017). Cyber intelligence firm Cyble which dredges the Dark Web has red-flagged hacking episodes at Truecaller, Dunzo, Unacademy, Naukri.com, Bharat Earth Movers Limited (BEML), LimeRoad and IndiaBulls.A recent cyber-attack at one of the nuclear power plants of India and the Prime Minister’s social media handle makes one realize the gravity of the situation.
The main legislation governing the cyber space is the Information Technology Act, 2000 (“IT Act”) which defines cybersecurity as protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. In addition to providing legal recognition and protection for transactions carried out through electronic data and other means of electronic communication, the IT Act and various rules made there under, also focus on information security, defines reasonable security practices to be followed by corporates and redefines the role of intermediaries, recognizes the role of the Indian Computer Emergency Response Team (“CERT-In”) etc. Additionally, the IT Act also amended the scope of Indian Penal Code, Indian Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto, which were focusing on the regulation of the overly sensitive banking and financial services sector. Incidentally, while there is no comprehensive legislation for the governance of data in the country as on this date, there are sectoral legislations, directions, legal advisories which require specific compliance for the targeted sector.
The IT Act not only extends to the whole of India and, but it is also applicable to any offence or contravention committed outside India by any person. Additionally, the legal sanctions under the IT Act extend to imprisonment, penalties, and also allow for a framework for compensation/ damages to be paid to the claimants. Further, if a body corporate, possessing, dealing or handling any personal data or sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate is liable to pay damages by way of compensation to the person so affected.
Some Relevant Rules Framed under the IT Act
Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (“CERT Rules”).
As per the CERT Rules, CERT-In has been established as the nodal agency responsible for the collection, analysis and dissemination of information on cyber incidents and taking emergency measures to contain such incidents. Further, under these Rules, it is mandatory to report to the CERT-In the following instances: (i) a targeted intrusion or the compromising of critical networks or systems; (ii) unauthorized access to IT systems or data; (iii) defacement of websites, malicious code attacks, denial of service and distributed denial of service (DDoS) attacks, attacks on domain name systems and network services; and (iv) attacks on applications such as e-governance and e-commerce. Additionally, it is also possible for individuals and organizations to voluntarily report any other cyber security incidents and vulnerabilities to CERT-In and seek requisite support and technical assistance to recover from them. Unfortunately, the reporting requirements under the law are inadequate and require a revision, for the same is not mandatory and is only a voluntary ask. This allows the entities to do away with the requirement to maintain requisite transparency.
Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (“SPDI Rules”)
THE PERSONAL DATA PROTECTION BILL 2019
In December 2019, a new iteration of the data privacy and protection legislation was introduced, titled the Personal Data Protection Bill 2019 (“PDP Bill”). Section 24 of the PDP Bill directs data fiduciaries (data controller as per the PDP Bill terminology) to implement safeguards for several purposes, including to prevent misuse, unauthorized access to, modification, disclosure, or destruction of personal data. Further, Section 25 deals with the breach of personal data. The clause states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the envisaged Data Protection Authority.
In the wake of the growing concerns around privacy and cybersecurity, threats (including political opportunities) are being evaluated by the government and prohibitions pertaining to vulnerable parts of the population (children) and high-risk applications (including e-commerce platforms) have been implemented.
COMBATING CYBER CRIME IN AN INTERCONNECTED WORLD
One of the most relevant references of these times that can be made in the current scenario, is the overbearing dependence of the corporate world on Zoom, which led to a great number of people crashing into ‘office meetings/ Zoom parties’, disrupting the flow of a particular session. Increasingly, individuals, corporates moved from the platform, to [apparently] stricter platforms for work related calls. Even inter-governmental bodies like the European Commission moved away from Zoom, for work related calls, in the wake of this cyber-threat.
Also, because of the seeming incursion of Chinese digital platforms into the ubiquitous web, countries like the United States of America, and India, quickly moved towards banning Chinese apps.
Cyber space infringement is a battle that we fight on everyday basis. India needs stringent laws and policy in place to combat these issues. The extant legal framework does not sufficiently address the concerns of the sector, and there is an imminent requirement to have a comprehensive legislation in place to address the concerns.
As we choose to stay connected, we are moving towards proliferation and assimilation of larger data sets, interacting with one another (big data, machine learning, Artificial Intelligence, Internet of Things); this opens the entire ecosystem to larger threats from social deviants. It is on the individuals as well as the body corporates to preserve the confidentiality, integrity of data, while ensuring that accessibility to the very data is not compromised on any front. As we welcome the impending legislation, companies in the healthcare and the banking & financial services sector are ensuring that they rely on their own technical and organizational security measures to ensure that the data available with them is not corrupted or is subject to any unwarranted and unauthorized access. The proactive vigilance observed by the body corporates and private individuals, is also being supported by the insurance industry, where cyber-security insurances have garnered immense popularity, and are augmenting the lack of an effective legal regime. It is oft said that the future is a click away, it is important that the click does not lead to any pernicious portal.
 An annual study by IBM Security established that in the last year, the average total cost for Indian entities due to security breaches amounted to 140 million, an increase from 9.4% from 2019. Another survey by Barracuda Networks revealed that the abrupt shift to work from home model has exposed many organizations to all sorts of cyber risks. Around 66% of Indian organizations have suffered at least one data breach after shifting to the remote working model, said the global survey by them.India, which is now the world’s second largest internet market, unfortunately and not so shockingly ranks fifth globally when it comes to incidents of cyber-attacks and frauds. According to the Data Security Council of India., the Indian cyber security market is expected to cross $13 billion by 2025.
 Introduction to the IT Act
 Section 1(2) of the IT Act
 Explanation (iii) of Section 43A of the IT Act defines sensitive personal data or information as such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit
 Section 43A of the IT Act
 Rule 8, SPDI Rules.
Author: Shubhangi Agarwal, Associate
Shubhangi Agarwal graduated from ILS Law College, Pune in 2018 and joined Obhan & Associates where she got acquainted with practical aspects of corporate laws and intellectual property laws. Additionally, she was engaged in advising an enterprising and entrepreneurial organization, Devise Electronics Private Limited, Pune.
She has experience with multiple due diligence ranging across industries and also worked on transactional matters in the past involving joint ventures and M&A. She has even appeared before the Trademarks Office, Mumbai, and defended clients’ interest against the show-cause notices issued post the examination of the trademark applications. She has cleared several manuscripts (non-fiction) before publication.