
Introduction:

Life today has become twofold. We live our territorial lives but we are also a part of the virtual world. Our lives have changed dramatically over the years with the advancement in digital technology and a new system of communication. India aces at being a highly adaptive country whether it is cultural, linguistic, or religious diversity. Now it has also adopted a new way of life where digital communication has made its way permanently. We are now connected to people around the globe in ways that we could not possibly have imagined earlier. Cyberspace provides connectivity but it also allows anonymity. Anyone can hide their identity behind the big web. It is hard to track down people, not impossible but hard.

To regulate this we have laws. Since the virtual world is practically a very different arena, we need different laws for it. It is important to regulate the actions of people who have the weapon of anonymity. With the increasing number of users in cyberspace, cyber-crimes are also at their height. To imagine this world without law gives a good fright. People should be held accountable for their actions. It is only through laws that we can attain this accountability. Moreover, we need laws that are clear and unambiguous but also leave scope for keeping up with advancing technology. For this, security standards must be set. There should be procedures to ensure security from one end to the other.

Information Technology Act, 2000

The principal act which contains cyber laws in India is the Information Technology Act, 2000 (IT Act). The act embodies the spirit of recommendations given by the General Assembly. The act intends to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce, which involve the use of alternatives to paper-based methods of communication and storage of information, and to facilitate electronic filing of documents with Government agencies.[1] One of the most valuable commodities today is information. The integrity of this commodity stays intact only when it is secured and remains confidential. Information in this virtual era, whether over public or private networks, is prone to virus attacks and hacking.

Therefore it is important to protect this framework by laying down strict security procedures. To enable secure transactions a secure structure is also needed. The objective is to protect the communication, i.e. the message. For this reason, the act lays down appropriate security procedures. Section 2(nb) of the act defines cybersecurity as protecting information, equipment, devices, computer, computer resources, communication devices, and information stored therein from unauthorized access, use, disclosure, disruption, modification, or destruction.[2] The act also talks about secure electronic records and secure electronic signatures.

Section 14 deals with secure electronic records. Any electronic record will be deemed to be secure if any security procedure has been applied to it at a specific point of time, from such point of time to the time of verification.[3] It should also be noted that the liability of securing an electronic record is upon the producer of the respective record. It is to be presumed that an electronic record is deemed to be secure when any kind of security procedure is applied to it. It will be secure from the time of its implementation till the time of its verification at the receiver’s end, till the receiver proves it otherwise. The act has also defined the term verification,[4] which shows two things.

Firstly, it shows if the record was attached to a digital signature by the use of a private key correlating to the public key of the creator. Secondly, it shows if the initial record was retained intact or has been altered since the electronic record was so affixed with the digital signature. Rule 3 of the Information Technology (security procedure) Rules, 2004 also says that any electronic record shall be considered secure if it is substantiated by means of a secure electronic signature.

Section 15 of the IT Act, 2000 defines a secure electronic signature. It says that an electronic signature will be considered as secure if-

  1. The signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and
  2. The signature creation data was stored and affixed in such exclusive manner as may be prescribed.[5]

Explanation- “Signature creation data” means the private key of the subscriber in case of digital signature.

Furthermore, u/s 16 the central government is allotted with the discretion of prescribing the security procedures and practices for the purpose of sections 14 and 15. It also says that the central government shall consider the commercial circumstances, the nature of the transaction, and any such related issues and factors as it may deem appropriate. This section is dynamic in nature as it gives the central government the power to alter or adopt any system for securing electronic records and electronic signatures. The central government is also equipped with the power to lay down security procedures in commercial issues, transactions etc. This section also leaves scope for amendments and is therefore flexible.

Information Technology (Security Procedure) Rules, 2004

A national policy on Information Technology was approved by the union cabinet in September 2012. The main aim of the policy was to support the Information and communication technology. This would also address the issues of economic and developmental challenges. The aim was internationally leveraged to gain remarkable global market share in developing technologies and services. High-end technology such as location-based services, cloud computing, utility models, etc. were the major goals. The union government aimed to make all the public services available in electronic mode so that there could be transparency, accountability, efficiency, reliability and to promote decentralization in the government.[6]

The IT Act was enacted with a vision to give a kick start to digital transactions in India. The act provided a legal facet to all eCommerce transactions and facilitated e-governance to improve accountability and recognition. One of the major aims was also to prevent computer-based crimes and to lay down procedures in the use of information technology and provide security. Information security is also one of the biggest concerns. It means protecting the information from any unauthorized access, use, disclosure, or modification. The IT Act lays down security procedures that are well defined and clear but also flexible, keeping in mind the advancing technology.

There are also security practices and procedures established for personal data and information. They are contained in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information

A person’s identity is his/her uniqueness. Everybody has a private life with crucial private information. Today, this information is secured digitally. We have technological advancements coming every day and there is a lot of downside to this technology. This downside is not just limited to straining of eyes or health issues but it is well extended to cyber-crimes. Compromising personal data can lead to fraud, monetary theft, identity theft, embarrassment in public, tax fraud, and many such unwanted activities.[7] Hacking of computers, stealing of confidential data or passwords are some of the most common cyber-crimes committed today. In this case, it becomes important to have a security firewall that would protect people from such nuisances.

When the Information Technology Act came into existence it lacked the provisions and procedures which would protect an individual’s personal information. It was this lacuna that led to the introduction of the Information Technology Bill, 2006. This was called the Information Technology (Amendment) Act, 2008, which came into force on October 27, 2009. This act added section 43A in the IT Act. While exercising the power conferred on the central government by way of clause (ob) of subsection (2) of section 87 read with 43A of the IT Act, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 were notified.[8]

These rules are intended to ensure the protection of data and personal information so that it cannot be misused by corporate bodies. The reason behind this is that India is turning to digital platforms for its day-to-day transactions. In such a case more and more information is shared with the corporate bodies handling these platforms. To protect the private individual’s crucial information these rules become necessary.

But as we talk about leakage of private information, it is important to know what comes under the term Sensitive personal data or information.

  1. Password
  2. Any information which is financial in nature such as details of bank account, credit card, debit card, or any such details for payment platforms
  3. Health condition- physical, physiological, or mental health
  4. Sexual orientation
  5. Records of medical history
  6. Biometrics information such as fingerprints, facial patterns, voice etc.
  7. Any related information relating to the above clauses provided to any corporate body for services.
  8. All of the information obtained under the above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.[9]

Limitation

However, for the purposes of these laws, information that is publicly available or open in the public domain or given under the Right to Information Act 2005 or any other legislation for the time being in force shall not be considered confidential personal data or information.

Method and Manner of Data Collection

Rule 5 sets down the requirements for collecting information:

  1. It allows the corporate body or any individual on its behalf to receive the information provider’s permission via fax or e-mail before information is obtained.
  2. The person should be given the option to give or not give confidential personal details and the option to withhold his consent as well.
  3. Personal sensitive data shall not be gathered unless such collection is required for a legal reason.
  4. It can only be used for the purpose for which it is obtained.
  5. The corporate body must nominate a complaints officer.[10]

Disclosure of Information to Third Party

The new rules specify that the transmission to any third party of any confidential personal information requires the prior consent of the information provider. However, in the event that the government department uses it for the purpose of prosecuting any cyber-attacks, an exception has been made to include the details. The Government, however, shall declare, in such cases, that it shall not publish or share it with any other citizen. Rule 8 clarifies that, if the corporate body complies with IS/ISO/IEC 27001 requirements, the provision of fair security policies and procedures would be found to have been complied with. Corporate entities that agree with their data security best practice codes must have their codes and policies properly accepted and informed by the central government for successful compliance.[11]

Conclusion

The world has changed today and technology has taken over. With growing technology, the growth of crimes is obvious. The Information Technology Act, 2000 has played a vital role in revolutionizing cyberspace in India. Our lawmakers have enacted these safety rules and regulations keeping in mind the changing society. There are provisions for safety as well as penalties for any kind of infringement. But these provisions can only work well when there is awareness among the citizens about them. The implementation of these rules and regulations is of utmost importance.


References:

[1] The information technology act, 2000, No. 21, Acts of Parliament, 2000 (India).

[2] Ref. sec 2(nb) of Information technology act, 2000.

[3] Ref. Section 14, Information Technology Act, 2000.

[4] Ref. Section 2(1)(zh), Information Technology Act, 2000.

[5] Ref. Section 15, Information Technology Act, 2000.

[6] Cyber Security Hive. (2017). Cyber Laws in India. [online] Available at: https://cybersecurityhive.com/cyber-laws-india/ [Accessed 2 Jan. 2021].

[7] MediaPRO. (n.d.). Personal Information: What It Is and How to Protect It. [online] Available at: https://www.mediapro.com/identifying-personal-information/#:~:text=Security%20is%20another%20important%20reason [Accessed 3 Jan. 2021].

[8] www.lexology.com. (2017). India: Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 | Lexology. [online] Available at: https://www.lexology.com/library/detail.aspx?g=35f56a2a-c77c-49e7-9b10-1ce085d981dd [Accessed 3 Jan. 2021].

[9] Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. (2011). Available at: https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf [Accessed 4 Jan. 2021].

[10] Legal Articles in India. (2018). Reasonable security practices and procedures and sensitive personal data or information. [online] Available at: http://www.legalservicesindia.com/law/article/982/6/Reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information [Accessed 5 Jan. 2021].

[11] Supra, n. 9

