Chapter 5: Cyber law

3
 4

Cyber law in India is incorporated in the Information Technology Act, 2000

(IT Act 2000)
The IT Act 2000 chiefly covers:
a. e-Commerce in India
b. E-Governance in India
c. Cyber contraventions
d. Cyber crimes
Section 65. Tampering with computer source documents.
Whoever knowingly or intentionally conceals, destroy, or alter any computer source code used for a
computer, computer program, computer system or computer network, when the computer source
code is required to be kept or maintained by law for the time being in force, shall be punishable with
imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Explanation - For the purposes of this section, "computer source code" means the listing of
programs, compute commands, design and layout and program analysis of computer resource in any
form.

Section 66. Hacking with Computer System. –

(1) Whoever with the intent of cause or knowing that is likely to cause wrongful loss or damage to
the public or any person destroys or deletes or alters any information residing in a computer
resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine
which may extend up to two lakh rupees, or with both.

Cracking:
It means an illegal access. Access includes the entering of another computer system where it is
connected via public communication networks or to a computer system on the same network, such
as LAN (Local area network) or Internet within an organization.

Fraud on the Internet:

Internet fraud is a common type of crime whose growth has been proportionate to the growth of
Internet itself. It is referred to a form of white collar crime. Generally, the Internet provides
companies and individuals with the opportunity of marketing their produce on the net. It is easy for
people with fraudulent intention to make their messages look real and credible. There are
innumerable scams and frauds most of them relating to investment schemes. The following are
some of them:
Bulletin Boards:
Sharing investor information and often fraud is occurred causing loss of millions who bank on them.
Credit card fraud:
It is another fraud committed with fast growth of E-commerce. Frequent fraud reports involve
undelivered and on-line services; damaged, defective, mispresented or underdelivered
communications, auction sales, pyramid schemes and multi-level marketing and most common of
them are credit card fraud.
E-mail scams:
It is used to spread bogus investment schemes or to spread false information about the company.

Section 67. Publishing of information which is obscene in electronic form. –

Whoever publishes or transmits or causes to be published in the electronic form, any material which
is lascivious or appeal to the prurient interest or if its effect is such as to tend to deprave and corrupt
persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it, shall be punished on first conviction with imprisonment of either
description for a term which may extend to five years and with fine which may extend to one lakh
rupees and in the event of a second or subsequent conviction with imprisonment of either
description for a term which may extend to ten years and also with fine which may extend to two
lakh rupees.

Section 68. Power of the Controller to give directions. –

(1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to
take such measures or cease carrying on such activities as specified in the order if those are
necessary to ensure compliance with the provisions of this Act, rules or any regulations made
thereunder.
(2) Any person who fails to comply with any order under sub-section (1) shall be guilty of an offence
and shall be liable on conviction to imprisonment for a term not exceeding three years or to a fine
not exceeding two lakh rupees or to both.

Section 69. Directions of Controller to a subscriber to extend facilities to decrypt information. –

1. If the Controller is satisfied that it is necessary or expedient so to do in the interest of the
sovereignty or integrity of India, the security of the State, friendly relations with foreign
States or public order or for preventing incitement to the commission of any cognizable
 offence, for reasons to be recorded in writing, by order, direct any agency of the
Government to intercept any information transmitted through any computer resource.
2. The subscriber or any person in-charge of the computer resource shall, when called upon by
any agency which has been directed under sub-section (1), extend all facilities and technical
assistance to decrypt the information.
3. The subscriber or any person who fails to assist the agency referred to in sub-section (2)
shall be punished with an imprisonment for a term which may extend to seven years.

Section 70. Protected system. -

(1) The appropriate Government may, by notification in the Official Gazette, declare that any
computer, computer system or computer network to be a protected system.
(2) The appropriate Government may, by order in writing, authorize the persons who are authorized
to access protected systems notified under sub-section.
(3) Any person who secures access or attempts to secure access to a protected system in
contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.

Section 71. Penalty for misrepresentation. -

Whoever makes any misrepresentation, to, or suppresses any material fact from, the Controller or
the Certifying Authority for obtaining any license or Digital Signature Certificate, as the case may be,
shall be punished with imprisonment for a term which may extend to two years, or with fine which
may extend to one lakh rupees, or with both.

Section 72. Breach of confidentiality and privacy. -

Save as otherwise provided in this Act or any other law for the time being in force, if any person
who, in pursuance of any of the powers conferred under this Act, rules or regulations made
thereunder, has secured access to any electronic record, book, register, correspondence,
information, document or other material without the consent of the person concerned discloses
such electronic record, book, register, correspondence, information, document or other material to
any other person shall be punished with imprisonment for a term which may extend to two years, or
with fine which may extend to one lakh rupees, or with both.

Section 73. Penalty for publishing Digital Signature Certificate false in certain particulars. –
(1) No person shall publish a Digital Signature Certificate or otherwise make it available to any other
person with the knowledge that-
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended, unless such publication is for the purposes of
verifying a digital signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished with
imprisonment for a term which may extend to two years, or with fine which may extend to one lakh
rupees, or with both.

Section 74. Publication for fraudulent purpose. –

Whoever knowingly creates, publishes, or otherwise makes available a Digital Signature Certificate
for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may
extend to two years, or with fine which may extend to one lakh rupees, or with both.

Section 75. Act to apply for offence or contravention committed outside India. –
(1) Subject to the provision of sub-section (2), the provisions of this Act shall apply also to any
offence or contravention committed outside India by any person irrespective of his nationality.
(2) For the purposes of sub-section (1), this act shall apply to an offence or contravention committed
outside India by any person if the act or conduct constituting located in India.

Section 76. Confiscation. –

Any computer, computer system, floppies, compact disks, tape drives or nay other accessories
related thereto, in respect of the if which any provision of this Act, rule, orders or regulations made
thereunder has been or is being contravened, shall be liable to confiscation:
Provided that where it is established to the satisfaction of the court adjudicating the confiscation
that the person in whose possession, power or control of any such computer, computer system,
floppies, compact disks, tape drives or any other accessories relating thereto is found is not
responsible for the contravention of the provisions of this Act, rules, orders or regulations made
thereunder, the court may, instead of making an order for confiscation of such computer, computer
system, floppies, compact disks, tape drives or any other accessories related thereto, make such
other order authorized by this Act against the person contravening of the provisions of this Act,
rules, orders or regulations made thereunder as it may think fit.

Section 77. Penalties and confiscation not to interfere with other punishments. –
No penalty imposed or confiscation made under this Act shall prevent the imposition of any other
punishment to which the person affected thereby is liable under any other law for the time being in
force.

Section 78. Power to investigate offence. -

Notwithstanding anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), a police
officer not below the rank of Deputy Superintendent of Police shall investigate any offence under
this Act.

Section 79. Network service providers not to be liable in certain cases. –

For the removal of doubts, it is hereby declared that no person providing any service as a network
service provider shall be liable under this Act, rules or regulations made thereunder for any third
party information or data made available by him if he proves that the offence or contravention was
committed without his knowledge or that he had exercised all due diligence to prevent the
commission of such offence for contravention.
Explanation- For the purposes of this section, -
(a) "network service provider" means an intermediary;
(b) "third party information" means any information dealt with by a network service provider in his
capacity as an intermediary;

Security Guidelines
This document provides guidelines for the implementation and management of Information
Technology security. Due to the inherent dynamism of the security requirements, this document
does not provide an exact template for the organizations to follow. However, appropriate suitable
samples of security process are provided for guidelines. It is the responsibility of the organizations to
develop internal processes that meet the guidelines set forth in this document.

Implementation of an information security program

Successful implementation of a meaningful information security program rests with the support of
the top management. Until and unless the senior managers of the organization understand and
concur with the objectives of the information security program its ultimate success is in question.
The information security program should be broken down into specific stages as follows:
a. Adoption of a security policy
b. Security risk analysis
c. Development and implementation of a information classification system
d. Development and implementation of the security standards manual
e. Implementation of the management security self-assessment process
f. Ongoing security program maintenance and enforcement and
g. Training

The principal task of the security implementation is to define the responsibilities of persons within
the organization. The implementation should be based on the general principle that the person who
is generating the information is also responsible for its security. However, in order to enable him to
carry out his responsibilities in this regard, proper tools and environment need to be established.

When different pieces of information at one level are integratedto form higher value information,
the responsibility for its security need also should go up in the hierarchy to the integrator and should
require higher level of authority for its access.
It should be clear with respect to each information as to who is its owner, its custodian, and its
users. It is the duty of the owner to assign the right classification to the information so that the
required level of security can be enforced. The custodian of the information is responsible for the
proper implementation of security guidelines and making the information available to the users on a
need to know basis.

Information classification:
Information assets must be classified according to their sensitivity and their importance to the
organization. Since it is unrealistic to expect managers and employees to maintain absolute control
over all information within the boundaries of the organization, it is necessary to advise them on
which types of information are considered more sensitive, and how the organization would like the
sensitive information handled and protected. Classification, declassification, labeling, storage access,
destruction and reproduction of classified data and the administrative overhead created by this
process must be considered. Failure to maintain a balance between the value of the information
classified and the administrative burden placed by the classification system on the organization will
result in long-term difficulties in achieving success.

Confidential is that classification of information of which

unauthorized disclosure / use could result in serious damage
to the organization. Example: strategic planning documents.
Restricted is that classification of information of which unauthorized disclosure / use would not be
in the best interest of the organization and / or its customers. Example: design details, reconstitute
and reconfigure. These applications must be tested as part of the business continuity / disaster
recovery plan.

Fire Protection
1. Combustible materials shall not be stored within 100 meters of the operational site.
2. Automatic fire detection, fire suppression systems and audible alarms are prescribed by Fire
Brigade or any other agency of the Central or State Government shall be installed at the
operational site.
3. Fire extinguishers shall be installed at the operational site and their locations clearly marked
with appropriate signs.
4. Periodic testing, inspection and maintenance of the fire equipment and fire suppression
systems shall be carried out.
5. Procedures for the safe evacuation of personnel in an emergency shall be visibly pasted /
displayed at prominent places at the operational site. Periodic training and fire drills shall be
conducted.
6. There shall be no eating, drinking or smoking in the operational site. The work areas shall be
kept clean at all times.

Environmental Protection
1. Water detectors shall be installed under the raised floors throughout the operational site
and shall be connected to audible alarms.
2. The temperature and humidity condition in the operational site shall be monitored and
controlled periodically.
3. Personnel at operational site shall be trained to monitor and control the various equipment
and devices installed at the operational site for the purpose of fire protection and
environment protection.
4. Periodic inspection, testing and maintenance of the equipment and systems shall be
scheduled.

Physical access:
1. Responsibilities round the clock, seven days a week, three hundred sixty five days a year for
physical security of the systems used for operation and also actual physical layout at the site
of operation shall be defined and assigned to named individuals.
2. Biometric physical access security of the systems shall be installed to control and audit
access to the operational site.
3. Physical access to the operational site at all times shall be controlled and restricted to
authorized personnel only. Personnel authorized for limited physical access shall not be
allowed to gain unauthorized access to restricted area within operational site.
4. Dual control over the inventory and issue of access cards / keys during normal business
hours to the Data Centre shall be in place. An up-to-date list of personnel who possess the
cards / keys shall be regularly maintained and archived for a period of three years.
 5. Loss of access cards / keys must be immediately reported to the security supervisor of the
operational site who shall take appropriate action to prevent unauthorized access.
6. All individuals, other than operations staff shall sign in and sign out of the operational site
and shall be accompanied by operations staff.
7. Emergency exits shall be tested periodically to ensure that the access security systems are
operational.
8. All openings of the Data Centre should be monitored round the clock by surveillance video
cameras.

-----------------------------------------0000000-------------------------------------