In the last few years, cyber security has assumed tremendous significance. The number of cyber security breaches is constantly growing with each passing day. As a result, the annual cost of cybercrime is constantly increasing. As per a recent survey, it has been estimated that the total global cost of cybercrimes is $445 billion. Hence, the protection and preservation of cyber security becomes an important priority for all stakeholders.
In the Indian context, it is perceived that cyber security is primarily a governmental responsibility. However, nothing can be farther than the truth. Cyber security as a phenomenon refers to security of computer networks and computer systems which are used for accessing the electronic ecosystem. While it is absolutely clear that the Government is responsible for protection of cyber security of governmental networks, it also needs to be appreciated in the peculiar context of Indian conditions that a large number of computer systems constituting Critical Information Infrastructure of the country are located in private hands. Examples include telecommunication networks, insurance networks and private banking networking apart from private medical health network. In such a scenario, therefore, it becomes imperative that the private sector also needs to appreciate its responsibility of protecting and preserving cyber security.
Worldwide, the private sector is now increasingly being exposed to legal consequences for their failure to put in place security mechanisms to prevent hacking and other unauthorized access or cyber security breaches.
Recently, the Ashley Madison website hacking case came to light. The online dating website for married persons was hacked and subscriber details made available. Consequently, legal actions have already been filed in the US for damages for the failure to put in place adequate security to protect the confidentiality of consumers’ data. Increasingly, companies now need to be prepared that they could potentially be sued for cyber security breaches and hence need to incorporate proactive cyber security legal compliances as an integral part of their day-to-day business operations.
When one specifically examines the Indian context, it is clear that India does not have a dedicated law on cyber security. Indian cyber law is grounded in the Information Technology Act, 2000, which is a jack of all trades and master of none. Its amendments in 2008 incorporated various cosmetic amendments including giving a definition of cyber security.
The definition of cyber security inserted by virtue of the Information Technology (Amendment) Act, 2008 is broad enough to mean protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. Some provisions pertaining to breach of cyber security were added in the Information Technology Act, 2000 but they have not been invoked frequently or efficiently.
Indian cyber law has also come up with the concept of intermediaries. All private and governmental service providers providing services on the network or dealing with third-party data are classified as intermediaries. Intermediaries under Indian cyber law are mandated to exercise due diligence while discharging their obligations under the law. Consequently, some parameters of due diligence were incorporated. In case, if an intermediary is dealing, handling sensitive personal data, additional compliances have been stipulated.
Intermediaries are mandated to implement and maintain reasonable security practices and procedures while they deal, handle or process third party data. ISO 27001 standard has been recognised as one such methodology of reasonable security practices and procedures.
However, when one looks at the complete set of duties and obligations stipulated for intermediaries, one will quickly realize that intermediaries have not been straddled with the responsibility for ensuring protection and preservation of cyber security.
It will be a great step forward if the intermediaries are also handed the responsibility to protect and preserve cyber security. This becomes all the more important as cyber security is as strong as its weakest link and therefore the service providers need to be given the mandatory responsibility to contribute towards protection of cyber security. World over, intermediaries are now increasingly being straddled with these kind of responsibilities.
Further, it is very unfair to expect that the Government would protect networks of the intermediaries when they are dealing, handling or processing third-party data. As such, the Indian law needs to take a stride forward. India needs to come up with a dedicated law on cyber security and needs to specifically address the various complex, complicated yet interconnected issues concerning cyber security ecosystems whether it is encryption, protection of critical information infrastructure, surveillance, monitoring, online liberty, privacy or any other aspect.
The announcement of the Digital India program has been met with tremendous enthusiasm. For the success of the governmental programs like Digital India and Make in India, it becomes imperative that more focus needs to put on cyber security and the compliances of connected regulations by all stakeholders. As time passes by, India has to start inculcating the culture of cyber security as a way of life.
We need to ensure that education concerning cyber security and cyber law needs to start at a very early age as an integral part of the school curriculum. In this regard, appropriate reforms in the education curriculum needs to be put in place.
Cyber security today is presenting large amount of challenges and as such legal frameworks need to have appropriate flexibility so as to meet with the emerging challenges of the evolving paradigm of cyber security as time passes by.
(Pavan Duggal is an advocate in the Supreme Court of India, and president of cyberlaws.net)