
[Yearbook] Information and Technology Act: Salient Features and Provisions
1. Introduction
2. Timeline of Events
3. Why was IT Act 2000 amended in 2008?
4. Data privacy
5. Definitions
6. What is the punishment for cyber crimes?
7. Who can conduct RAIDS AND INVESTIGATION for Cybercrimes?
8. About the Author
This is a guest article written by Mr. Krapesh Bhatt, an IT security
professional from Surat.

Introduction
Dear All, firstly, I would like to thank Mrunal for providing me with the
opportunity to write and come up with this article, which provides
information on our IT Act.
I am motivated to write this article relating to our Information
Technology Act and its related amendments so as to spread
awareness of the Act.
I have tried to make the IT Act's major sections, which come up in our
daily lives, simpler to understand. India is one of the few countries
in the world which has enacted a law specially to curb cyber crime,
a positive approach in this direction.
The countries which have their own cyber laws are the U.S., U.K.,
Japan, European Union, Australia, Germany, Singapore, Belgium,
Brazil, Canada, Italy, and France. India too has joined the club
and framed laws to curb cyber crime.

Timeline of Events
1. The Ministry of Commerce, Govt. of India, drafted the guidelines
as the Ecommerce Act 1998, since the Ministry of Information
Technology was absent at that time.
2. Later, on coming into existence, this was re-drafted as the Information
Technology Bill 1999.
3. This draft was placed in Parliament in Dec 1999 and passed
in May 2000.
4. After the assent of the President, the bill finally came into effect from
17th Oct 2000. This came to be known as the IT Act 2000.
5. It was amended in 2008.

Why was IT Act 2000 amended in 2008?


1. The main intent of passing the 2000 Act was to provide legal
recognition to transactions carried out by means of electronic
data interchange and other means of electronic communication,
commonly known as electronic commerce, which involved the
use of alternatives to paper-based methods of communication
and storage of information, and to facilitate the filing of
documents with government agencies.
2. But cyber crime was not addressed in this Act. Even after
passing the Act, there was still a need to address the specific cyber
crimes that were taking place along with technological
advancement.
3. With the booming growth of the BPO industry and increasing
dependence on computers and networks, incidents of leaking
of private data from BPOs, banks, the healthcare sector and the
telecommunication industry gave rise to the need for strict
legislation to protect the data privacy of all customers and
corporations.
4. Also, crimes related to privacy breach were rising, but as
there was no legal framework specific to such incidents, the IT
Act 2000 seemed ineffective.
5. With the developing demands, amendments to the IT Act
2000 were made, and the IT Act 2008 (amendment) was finally
passed on 23rd December 2008.

Data privacy
As data privacy is of prime importance to the topic of discussion, I
will discuss Section 43A of the amended Act, which covers all
sectors of the Indian economy. Section 43A was
inserted after Section 43 of the parent Act.
Section 43A of the amended Act states as follows:
43A. Where a body corporate, possessing, dealing or handling any
sensitive personal data or information in a computer resource which it
owns, controls or operates, is negligent in implementing and
maintaining reasonable security practices and procedures and thereby
causes wrongful loss or wrongful gain to any person, such body
corporate shall be liable to pay damages by way of compensation to
the person so affected.

Definitions
Body corporate: Means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional
activities;

Reasonable security practices and procedures: Means security practices and procedures designed to protect such
information from unauthorized access, damage, use, modification,
disclosure or impairment.

Sensitive personal data or information: It means
1. Password;
2. Financial information such as bank account or credit card or
debit card or other payment instrument details;
3. Physical, physiological and mental health condition;
4. Sexual orientation;
5. Medical records and history;
6. Biometric information;
7. Any detail relating to the above clauses as provided to body
corporate for providing service; and
8. Any of the information received under above clauses by body
corporate for processing, stored or processed under lawful
contract or otherwise.

(SOURCE: IT ACT 2008 Amendment, Sec 43A)

What are the responsibilities of a company handling personal data?


Now, we try to understand the procedures and practices needed to
safeguard sensitive personal data from being stolen, modified
without the consent of the owner, misused or sold in underground markets.
Let's make this rule simple to understand with an example:
1. We have a bank, and as we all know, it deals with sensitive
personal data of its customers in its computer networks/servers:
our names, account numbers, passwords, date of birth, sex,
credit/debit card details, etc.
2. Therefore, to make sure the bank complies with the mandate of the IT
Act, it needs to either get certified to ISO 27001 (world-renowned
standard for data protection) or it may develop its own
security manual which describes in full depth its IT
assets, the life cycle of assets, and the physical security
measures (viz. CCTVs, locks, vaults, fire prevention/detection,
temperature controls in server rooms, security guard details and
so on).
3. It should also have a detailed business continuity plan (in case of
any natural/man-made calamity, the organization must have a
detailed backup process so as to continue its business).
4. Other applicable procedures include separation of duties of key
personnel, background checks of employees before employing,
etc.
5. Not only banks, but BPOs/KPOs, hospitals, and various other
businesses which deal with sensitive personal data need to
comply with this Act.

What is the punishment for cyber crimes?


SECTION OF THE ACT | OFFENCE | PENALTY
Section 65 | Tampering with computer source documents. | Imprisonment up to 3 years or a fine of 2 lakh rupees, or both.
Section 66 | Hacking & breach of confidentiality of personal information as per sec. 43 & 43A | Imprisonment up to 3 years or a fine up to 5 lakh rupees or both. (For hacking, fine is 2 lakh rupees, imprisonment is 3 years)
Section 66A | Sending offensive messages through communication service, etc. | Imprisonment of 3 years & fine.
Section 66B | Dishonestly receiving stolen resource or communication device. | Imprisonment of 3 years & fine.
Section 66C & D | Identity theft | Imprisonment up to 3 years & fine up to 1 lakh rupees.
Section 66E | Violation of personal privacy | Imprisonment up to 3 years or fine not exceeding 2 lakh rupees or with both.
Section 66F | Cyber terrorism | Imprisonment for life.
Section 67, 67A & B | Publishing or transmitting obscene material in electronic form / pornography / child pornography | Imprisonment term up to 5/7 years and fine up to 10 lakh rupees.
Section 67C | Failure to preserve and retain information by intermediaries | Imprisonment for 3 years and fine.

Who can conduct RAIDS AND INVESTIGATION for Cybercrimes?

As per the Act, previously, a police officer not below the rank of
DySP could investigate or conduct a raid at a public place without a
warrant, but as per the amendment, an officer of the rank of Police Inspector
can investigate the offences and conduct raids (Section 78, amended).
Also, as per the provisions of the Act, and according to Section
46 (amended), the adjudicating officer shall exercise jurisdiction to
adjudicate matters in which the claim for injury or damage does not
exceed 5 crore. If the claim exceeds 5 crore, then the
matter is looked into by the competent court.
