Business Standard

Cyber security no longer a governmental responsibility

It is imperative that the private sector also appreciates its responsibility of protecting and preserving cyber security, especially when working with intermediaries

Pavan Duggal  |  New Delhi 

In the last few years, has assumed tremendous significance. The number of breaches is constantly growing with each passing day. As a result, the annual cost of cybercrime is constantly increasing. As per a recent survey, it has been estimated that the total global cost of cybercrimes is $445 billion. Hence, the protection and preservation of becomes an important priority for all stakeholders. In the Indian context, it is perceived that is primarily a governmental responsibility. However, nothing can be farther from the truth. as a phenomenon refers to security of computer networks and computer systems which are used for accessing the electronic ecosystem. While it is absolutely clear that the is responsible for protection of of governmental networks, it also needs to be appreciated in the peculiar context of Indian conditions that a large number of computer systems constituting Critical of the country are located in private hands. Examples include telecommunication networks, insurance networks and private banking networks, apart from private medical health networks. In such a scenario, therefore, it becomes imperative that the also needs to appreciate its responsibility of protecting and preserving Worldwide, the is now increasingly being exposed to legal consequences for their failure to put in place security mechanisms to prevent and other unauthorized access or breaches. Recently, the Ashley Madison website case came to light.

The online dating website for married persons was hacked and subscriber details made available. Consequently, legal actions have already been filed in the US for damages for the failure to put in place adequate security to protect the confidentiality of consumers’ Increasingly, companies now need to be prepared that they could potentially be sued for breaches and hence need to incorporate proactive legal compliances as an integral part of their day-to-day business operations.

When one specifically examines the Indian context, it is clear that does not have a dedicated law on Indian cyber law is grounded in the Technology Act, 2000, which is a jack of all trades and master of none. Its amendments in 2008 incorporated various cosmetic amendments including giving a definition of The definition of inserted by virtue of the Technology (Amendment) Act, 2008 is broad enough to mean protecting information, equipment, devices, computer, computer resource, communication device and stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. Some provisions pertaining to breach of were added in the Technology Act, 2000 but they have not been invoked frequently or efficiently. Indian cyber law has also come up with the concept of All private and governmental service providers providing services on the network or dealing with third-party are classified as under Indian cyber law are mandated to exercise due diligence while discharging their obligations under the law. Consequently, some parameters of due diligence were incorporated. In case an intermediary is dealing with or handling sensitive personal data, additional compliances have been stipulated. are mandated to implement and maintain reasonable security practices and procedures while they deal, handle or process third party ISO 27001 standard has been recognised as one such methodology of reasonable security practices and procedures.
However, when one looks at the complete set of duties and obligations stipulated for intermediaries, one will quickly realize that have not been saddled with the responsibility for ensuring protection and preservation of It will be a great step forward if the are also handed the responsibility to protect and preserve This becomes all the more important as is as strong as its weakest link and therefore the service providers need to be given the mandatory responsibility to contribute towards protection of World over, are now increasingly being saddled with these kinds of responsibilities. Further, it is very unfair to expect that the would protect networks of the when they are dealing, handling or processing third-party As such, the Indian law needs to take a stride forward. needs to come up with a dedicated law on and needs to specifically address the various complex, complicated yet interconnected issues concerning ecosystems whether it is encryption, protection of critical infrastructure, surveillance, monitoring, online liberty, privacy or any other aspect.

The announcement of the Digital program has been met with tremendous enthusiasm. For the success of the governmental programs like Digital and Make in India, it becomes imperative that more focus needs to be put on and the compliances of connected regulations by all stakeholders. As time passes by, has to start inculcating the culture of as a way of life. We need to ensure that education concerning and cyber law starts at a very early age as an integral part of the school curriculum. In this regard, appropriate reforms in the education curriculum need to be put in place. today is presenting a large number of challenges and as such legal frameworks need to have appropriate flexibility so as to meet with the emerging challenges of the evolving paradigm of as time passes by.

(Pavan Duggal is an advocate in the Supreme Court of India, and president of

First Published: Mon, October 05 2015. 09:36 IST