Cybersecurity Laws In India

India is climbing the web ladder to reach yet another milestone this year: it now has the 2nd largest internet user base in the world, a stout 560 million users. The pandemic will push this number further in 2021, with predictions pointing to a minimum of 600 million users.

But on the flip side, these incontestable figures reinforce the need for a robust cybersecurity framework of the nation.

With constant digitization and data growth, it is pivotal to armor up with the necessary resources, including comprehensive training, to assure data privacy and cybersecurity in India. Plus, with cybersecurity being a $6.7 billion industry, there is a greater need for stern and rigid cyber laws in India.

Increasing Attacks on Cybersecurity System

Cybercrimes are currently ruling major newspaper headlines globally, causing unanticipated damage across industries and individuals. The predominant forms of cyber theft include data breaches, identity theft, financial theft, and internet time theft, amongst others.

Though cybersecurity is advancing every day, hackers are also constantly upping their game and finding ways to break into new systems. This reinforces the need not only for better cybersecurity systems but robust cyber laws as well.

Further, to mitigate the cyber crimes and to curb the efforts of the fraudsters, lawmakers need to be abreast of the potential loopholes in the cybersecurity landscape and fix them in real-time. Persistent efforts with constant vigil are crucial to controlling the escalating risks nationwide.

Introduction to Cyber Laws in India

The United Nations Commission on International Trade Law embraced the model law on e-Commerce to spearhead legal uniformity globally in 1996. The General Assembly of the UN endorsed this model law as the backbone of the cyber laws of different countries. Soon, India became the 12th country to legitimize cyber regulations.

After the initial draft created by the eCommerce Act led by the Ministry of Commerce in 1998, the revised Information Technology Bill was passed in May 2000.

Finally, things came under control with the inception of the Information Technology Act in October 2000. This Act intricately traced each trifling activity or transaction on the internet, cyberspace, and the World Wide Web. Each minuscule action in global cyberspace, as well as its reaction, now carried severe legal implications and penalties.

The Act swiftly amended the traditionally-set Indian Penal Code 1860, the Bankers' Books Evidence Act 1891, the Indian Evidence Act 1872, and the Reserve Bank of India Act 1934. These amendments aimed to tone up all electronic transactions/communications, bringing them under the radar by granting strict legal recognition.

One significant step towards this was accepting digital signatures as legal authentication. This had far broader ambitions covering other tech-driven authentication forms like biometrics. Further, the popularity of electronic fund transfers and electronic data storage attested to the need and success of the futuristic vision behind the IT Act.

Regulatory Framework of Cyber Security Laws

Cyber Laws in India


There are five predominant laws to cover when it comes to cybersecurity:

Information Technology Act, 2000

The Indian cyber laws are governed by the Information Technology Act, penned down back in 2000. The principal impetus of this Act is to offer reliable legal inclusiveness to eCommerce, facilitating registration of real-time records with the Government.

But with the cyber attackers getting sneakier, topped by the human tendency to misuse technology, a series of amendments followed.

The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties safeguarding the e-governance, e-banking, and e-commerce sectors. Now, the scope of ITA has been enhanced to encompass all the latest communication devices.

The IT Act is the salient one, guiding the entire Indian legislation to govern cyber crimes rigorously:

  • Section 43 - Applicable to people who damage the computer systems without permission from the owner. The owner can fully claim compensation for the entire damage in such cases.
  • Section 66 - Applicable in case a person is found to be dishonestly or fraudulently committing any act referred to in Section 43. The imprisonment term in such instances can mount up to three years or a fine of up to Rs. 5 lakh.
  • Section 66B - Incorporates the punishments for fraudulently receiving stolen communication devices or computers, which confirms a probable three years imprisonment. This term can also be topped by Rs. 1 lakh fine, depending upon the severity.
  • Section 66C - This section scrutinizes the identity thefts related to imposter digital signatures, hacking passwords, or other distinctive identification features. If proven guilty, imprisonment of three years might also be backed by a Rs. 1 lakh fine.
  • Section 66D - This section was inserted on demand, focusing on punishing those who cheat by impersonation using computer resources.

Indian Penal Code (IPC) 1860

Identity thefts and associated cyber frauds are embodied in the Indian Penal Code (IPC), 1860 - invoked along with the Information Technology Act of 2000.

The primary relevant sections of the IPC covering cyber frauds are:

  • Forgery (Section 464)
  • Forgery pre-planned for cheating (Section 468)
  • False documentation (Section 465)
  • Presenting a forged document as genuine (Section 471)
  • Reputation damage (Section 469)

Companies Act of 2013

The corporate stakeholders refer to the Companies Act of 2013 as the legal obligation necessary for the refinement of daily operations. The directives of this Act cement all the required techno-legal compliances, putting the less compliant companies in a legal fix.

The Companies Act 2013 vested powers in the hands of the SFIO (Serious Frauds Investigation Office) to prosecute Indian companies and their directors. Also, since the notification of the Companies Inspection, Investment, and Inquiry Rules, 2014, the SFIO has become even more proactive and stern in this regard.

The legislature ensured that all the regulatory compliances are well-covered, including cyber forensics, e-discovery, and cybersecurity diligence. The Companies (Management and Administration) Rules, 2014 prescribe strict guidelines confirming the cybersecurity obligations and responsibilities of company directors and leaders.

NIST Compliance

The Cybersecurity Framework (NCFS), authorized by the National Institute of Standards and Technology (NIST), offers a harmonized approach to cybersecurity as the most reliable global certifying body.

The NIST Cybersecurity Framework encompasses all required guidelines, standards, and best practices to manage cyber-related risks responsibly. This framework prioritizes flexibility and cost-effectiveness. It promotes the resilience and protection of critical infrastructure by:

  • Allowing better interpretation, management, and reduction of cybersecurity risks - to mitigate data loss, data misuse, and the subsequent restoration costs
  • Determining the most important activities and critical operations - to focus on securing them
  • Demonstrating the trustworthiness of organizations that secure critical assets
  • Helping to prioritize investments to maximize the cybersecurity ROI
  • Addressing regulatory and contractual obligations
  • Supporting the wider information security program

Combining the NIST CSF framework with ISO/IEC 27001 simplifies cybersecurity risk management. It also makes communication easier throughout the organization and across the supply chains via a common cybersecurity directive laid by NIST.

Final Thoughts

As human dependence on technology intensifies, cyber laws in India and across the globe need constant upgrading and refinement. The pandemic has also pushed much of the workforce into a remote working module, increasing the need for app security.

Lawmakers have to go the extra mile to stay ahead of the impostors, in order to block them at their advent.

Cybercrimes can be controlled, but it needs the collaborative efforts of the lawmakers, the Internet or Network providers, the intercessors like banks and shopping sites, and, most importantly, the users.

Only the prudent efforts of these stakeholders, ensuring their confinement to the law of the cyberland, can bring about online safety and resilience.


Published on Jul 15, 2020
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is co-founder and CEO of Appknox, a mobile security suite that helps Enterprises and Financial institutions to automate mobile security. Over the last 6 years, Harshit has worked with over 300+ businesses ranging from top financial institutions to Fortune 500 companies to set up security practices helping organisations secure their mobile applications and speed up the time for security testing.

