In the last few years, cyber security has assumed tremendous significance. The number of cyber security breaches is constantly growing with each passing day. As a result, the annual cost of cybercrime is constantly increasing. As per a recent survey, it has been estimated that the total global cost of cybercrimes is $445 billion. Hence, the protection and preservation of cyber security becomes an important priority for all stakeholders.
In the Indian context, it is perceived that cyber security is primarily a governmental responsibility. However, nothing could be farther from the truth. Cyber security as a phenomenon refers to the security of computer networks and computer systems which are used for accessing the electronic ecosystem. While it is absolutely clear that the Government is responsible for protection of cyber security of governmental networks, it also needs to be appreciated, in the peculiar context of Indian conditions, that a large number of computer systems constituting the Critical Information Infrastructure of the country are located in private hands. Examples include telecommunication networks, insurance networks and private banking networks, apart from private medical health networks. In such a scenario, therefore, it becomes imperative that the private sector also appreciates its responsibility of protecting and preserving cyber security.
Worldwide, the private sector is now increasingly being exposed to legal consequences for its failure to put in place security mechanisms to prevent hacking and other unauthorized access or cyber security
Recently, the Ashley Madison website hacking case came to light. The online dating website for married persons was hacked and subscriber details made available. Consequently, legal actions have already been filed in the US for damages for the failure to put in place adequate security to protect the confidentiality of consumers’ data.
Increasingly, companies now need to be prepared that they could potentially be sued for cyber security breaches and hence need to incorporate proactive cyber security legal compliances as an integral part of their day-to-day business operations.
When one specifically examines the Indian context, it is clear that India does not have a dedicated law on cyber security.
Indian cyber law is grounded in the Information Technology Act, 2000, which is a jack of all trades and master of none. Its amendments in 2008 incorporated various cosmetic changes, including giving a definition of cyber security.
The definition of cyber security inserted by virtue of the Information Technology (Amendment) Act, 2008 is broad enough to mean protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. Some provisions pertaining to breach of cyber security were added to the Information Technology Act, 2000, but they have not been invoked frequently or efficiently.
Indian cyber law has also come up with the concept of intermediaries.
All private and governmental service providers providing services on the network or dealing with third-party data are classified as intermediaries. Intermediaries under Indian cyber law are mandated to exercise due diligence while discharging their obligations under the law. Consequently, some parameters of due diligence were incorporated. If an intermediary is dealing with or handling sensitive personal data, additional compliances have been stipulated.
are mandated to implement and maintain reasonable security practices and procedures while they deal, handle or process third party data.
The ISO 27001 standard has been recognised as one such methodology of reasonable security practices and procedures.
However, when one looks at the complete set of duties and obligations stipulated for intermediaries, one will quickly realize that intermediaries have not been saddled with the responsibility for ensuring protection and preservation of cyber security.
It will be a great step forward if the intermediaries are also handed the responsibility to protect and preserve cyber security.
This becomes all the more important as cyber security is only as strong as its weakest link, and therefore the service providers need to be given the mandatory responsibility to contribute towards protection of cyber security.
The world over, intermediaries are now increasingly being saddled with these kinds of responsibilities.
Further, it is very unfair to expect that the Government would protect networks of the intermediaries when they are dealing with, handling or processing third-party data.
As such, Indian law needs to take a stride forward. India needs to come up with a dedicated law on cyber security and needs to specifically address the various complex, complicated yet interconnected issues concerning cyber security ecosystems, whether it is encryption, protection of critical information infrastructure, surveillance, monitoring, online liberty, privacy or any other aspect.
The announcement of the Digital India program has been met with tremendous enthusiasm. For the success of governmental programs like Digital India and Make in India, it becomes imperative that more focus be put on cyber security and on compliance with connected regulations by all stakeholders. As time passes, India has to start inculcating the culture of cyber security as a way of life.
We need to ensure that education concerning cyber security and cyber law starts at a very early age as an integral part of the school curriculum. In this regard, appropriate reforms in the education curriculum need to be put in place.
today is presenting a large number of challenges, and as such legal frameworks need to have appropriate flexibility so as to meet the emerging challenges of the evolving paradigm of cyber security as time passes by.
(Pavan Duggal is an advocate in the Supreme Court of India, and president of cyberlaws.net)