You are here: Home » Opinion » Special » On The Beat
Business Standard

Cyber security no longer a governmental responsibility

It is imperative that the private sector also appreciates its responsibility of protecting and preserving cyber security, especially when working with intermediaries

Pavan Duggal  |  New Delhi 

Pavan Duggal
Pavan Duggal

In the last few years, cyber security has assumed tremendous significance. The number of cyber security breaches is constantly growing with each passing day. As a result, the annual cost of cybercrime is constantly increasing. As per a recent survey, it has been estimated that the total global cost of cybercrimes is $445 billion. Hence, the protection and preservation of cyber security becomes an important priority for all stakeholders.

In the Indian context, it is perceived that cyber security is primarily a governmental responsibility. However, nothing can be farther than the truth. Cyber security as a phenomenon refers to security of computer networks and computer systems which are used for accessing the electronic ecosystem. While it is absolutely clear that the Government is responsible for protection of cyber security of governmental networks, it also needs to be appreciated in the peculiar context of Indian conditions that a large number of computer systems constituting Critical Information Infrastructure of the country are located in private hands. Examples include telecommunication networks, insurance networks and private banking networking apart from private medical health network. In such a scenario, therefore, it becomes imperative that the private sector also needs to appreciate its responsibility of protecting and preserving cyber security.

Worldwide, the private sector is now increasingly being exposed to legal consequences for their failure to put in place security mechanisms to prevent hacking and other unauthorized access or cyber security breaches.

Recently, the Ashley Madison website hacking case came to light. The online dating website for married persons was hacked and subscriber details made available. Consequently, legal actions have already been filed in the US for damages for the failure to put in place adequate security to protect the confidentiality of consumers’ data. Increasingly, companies now need to be prepared that they could potentially be sued for cyber security breaches and hence need to incorporate proactive cyber security legal compliances as an integral part of their day-to-day business operations.

When one specifically examines the Indian context, it is clear that India does not have a dedicated law on cyber security. Indian cyber law is grounded in the Information Technology Act, 2000, which is a jack of all trades and master of none. Its amendments in 2008 incorporated various cosmetic amendments including giving a definition of cyber security.

The definition of cyber security inserted by virtue of the Information Technology (Amendment) Act, 2008 is broad enough to mean protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. Some provisions pertaining to breach of cyber security were added in the Information Technology Act, 2000 but they have not been invoked frequently or efficiently.

Indian cyber law has also come up with the concept of intermediaries. All private and governmental service providers providing services on the network or dealing with third-party data are classified as intermediaries. Intermediaries under Indian cyber law are mandated to exercise due diligence while discharging their obligations under the law. Consequently, some parameters of due diligence were incorporated. In case, if an intermediary is dealing, handling sensitive personal data, additional compliances have been stipulated.

Intermediaries are mandated to implement and maintain reasonable security practices and procedures while they deal, handle or process third party data. ISO 27001 standard has been recognised as one such methodology of reasonable security practices and procedures.

However, when one looks at the complete set of duties and obligations stipulated for intermediaries, one will quickly realize that intermediaries have not been straddled with the responsibility for ensuring protection and preservation of cyber security.

It will be a great step forward if the intermediaries are also handed the responsibility to protect and preserve cyber security. This becomes all the more important as cyber security is as strong as its weakest link and therefore the service providers need to be given the mandatory responsibility to contribute towards protection of cyber security. World over, intermediaries are now increasingly being straddled with these kind of responsibilities.

Further, it is very unfair to expect that the Government would protect networks of the intermediaries when they are dealing, handling or processing third-party data. As such, the Indian law needs to take a stride forward. India needs to come up with a dedicated law on cyber security and needs to specifically address the various complex, complicated yet interconnected issues concerning cyber security ecosystems whether it is encryption, protection of critical information infrastructure, surveillance, monitoring, online liberty, privacy or any other aspect.

The announcement of the Digital India program has been met with tremendous enthusiasm. For the success of the governmental programs like Digital India and Make in India, it becomes imperative that more focus needs to put on cyber security and the compliances of connected regulations by all stakeholders. As time passes by, India has to start inculcating the culture of cyber security as a way of life.

We need to ensure that education concerning cyber security and cyber law needs to start at a very early age as an integral part of the school curriculum. In this regard, appropriate reforms in the education curriculum needs to be put in place.

Cyber security today is presenting large amount of challenges and as such legal frameworks need to have appropriate flexibility so as to meet with the emerging challenges of the evolving paradigm of cyber security as time passes by.

(Pavan Duggal is an advocate in the Supreme Court of India, and president of

Dear Reader,

Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

First Published: Mon, October 05 2015. 09:36 IST