
Data Protection and Cyber Crimes under the Amended Information Technology Act

Kamlesh Bajaj, CEO, Data Security Council of India

India is the hub of global outsourcing to IT and BPO companies. Combined revenue of the IT and IT Enabled Services (ITES) sector, which includes Business Process Outsourcing (BPO), was USD 52 billion in the year 2007-08. This sector has had phenomenal compounded annual growth of over 30% over the last few years. Even in this year of global financial meltdown, industry revenue has grown by 18-20% over the previous year. Over 2 million professionals are directly employed in this sector, while another 8 to 10 million are employed in catering to their needs in such areas as travel and hospitality. Any disruption in the IT and BPO industry has the potential to affect large employment in the country. For India to maintain its leadership in this field, and to further grow it, certain enablers are necessary; in fact, their need has been felt by the industry for several years. Most notable among them is the requirement to strengthen the data protection legal regime so as to make global data flows to India more trustworthy. NASSCOM had taken this up with the government and contributed to the amendments to the Information Technology Act, 2000 while these were being framed. The IT and ITES industry expectation was to see the amended IT Act address concerns on data protection, and to create a more predictive legal environment for the growth of e-commerce and e-governance that includes electronic signatures, data leakage, cyber crimes among others.

The IT Act, 2000 provides for the following:

• Basic legal framework for E-Commerce to promote trust in electronic environment
• Acceptance of electronic documents as evidence in a court of law
• Acceptance of electronic signatures at par with handwritten signatures
• E-Commerce and E-Governance as major applications through legal sanctity accorded to electronic records and digital signatures
• Acceptance of electronic documents by the government
• Defining of digital signatures based on asymmetric public key cryptography
• Establishment of Certifying Authorities to issue digital signature certificates for authentication of users in e-commerce & e-governance
• Provisions for dealing with offences in the cyberspace in the form of hackers and other criminals trying to gain access into databases and other business sites; cyber criminals will not remain unpunished
• Adjudicating Officers, as fast track civil courts for awarding compensation to victims of cyber attacks
• Establishment of Cyber Appellate Tribunal to try appeals under this Act for speedy adjudication
• Appropriate changes in the Bankers Act and the Indian Evidence Act

Amendments to the IT Act have addressed industry's concerns on data protection issues in that they create an enabling legal environment in India that addresses breaches of confidentiality and integrity of data. The amendments to the IT Act are broadly categorized as follows:

1. New definitions include communication device, cyber café, cyber security, electronic signature, and Indian Computer Emergency Response Team.
   a. Communication device is defined as cell phones, personal digital assistants or combination of both or any other device used to communicate, send or transmit any text, video, audio or image. It is thus a very general term.
   b. Cyber café is defined as any facility from where access to the Internet is offered by any person in the ordinary course of business to the members of the public.
   c. Some of the earlier definitions in the Act that have been redefined include: computer network, information, and intermediary to make them more precise.
   d. Revised definition of intermediary in subsection 2(w) is as follows: intermediary with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes. All service providers are thus clearly identified as intermediaries.
2. Intermediaries: Chapter XII on network service providers has been renamed as "Intermediaries not to be liable in certain cases". Section 79 in this chapter sets out conditions explicitly under which an intermediary will not be liable for any third party information, data, or communication link made available or hosted by him. As long as an intermediary's function is limited to providing access to a communication system over which information is transmitted or temporarily stored or hosted; and the intermediary does not initiate transmission or select or modify the information; and observes due diligence and also observes guidelines prescribed by the central government, he will not be liable for any information. However, if the intermediary conspires or abets or induces an unlawful act; or does not take steps to remove or disable access to a material on being notified by a government agency that it is being used to commit an unlawful act, then he will be held liable. This is certainly much more transparent since exemption from liability for any unlawful content/information using an intermediary's infrastructure is clearly stated; government is mandated to prescribe any guidelines that it may require intermediaries to follow; conditions under which he will be held liable for unlawful acts are also stated.
   a. An intermediary has to comply with the central government guidelines, under section 67C, for preservation and retention of information as may be specified for such duration and in such manner and format. Failure to do so shall be punished with imprisonment of up to three years and a fine. Once again the duties of intermediaries are expected to be clearly known since the government will make the procedure transparent through issuance of guidelines.

   b. Finally, under section 69B, an intermediary, when called upon by a designated government agency, has to provide technical assistance and extend all facilities to such an agency to enable online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information. Failure to do so shall make an intermediary liable for punishment with imprisonment of up to three years and a fine.
   c. Under section 70A on critical infrastructure protection, service providers, intermediaries, companies and others will have to provide information to the agency (Indian Computer Emergency Response Team) as may be required by it in discharge of its functions, in accordance with procedures that shall be prescribed by this nodal agency.
3. Data protection, new clause 43A: The existing Act provides for penalty for damage to computers, computer systems under the title "Penalty and Adjudication" in section 43 that is widely interpreted as a clause to provide data protection in the country. Unauthorized access to a computer, computer system or computer network is punishable with a compensation of up to one crore rupees. This section has been improved to include stealing of computer source code for which compensation can be claimed. (Computer source has been defined.) Data protection has now been made more explicit through insertion of a new clause 43A that provides for compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company, during the time it was under processing with the company, for failure to protect such data whether because of negligence in implementing or maintaining reasonable security practices. Further, reasonable security practices and procedures will constitute those practices and procedures that protect such information from unauthorized access, damage, use, modification, disclosure or impairment as may be specified in an agreement between the parties or as may be specified in any law in force. In the absence of such an agreement or any law, the central government will prescribe security practices and procedures in consultation with professional bodies or associations.
   a. This explanation gives scope for recognition of security professional bodies such as Data Security Council of India (DSCI), which is an industry initiative promoted by NASSCOM. The best practices and standards for security that DSCI may prescribe to the IT and BPO companies may be accepted by the government. Regulation of companies for compliance with such standards and practices can fall within the ambit of DSCI.
   b. Sensitive personal information may be prescribed by the central government in consultation with professional bodies or associations. In the context of outsourcing to India, this can be defined to be in line with compliance requirements of the EU Data Protection Directive and US laws such as HIPAA or GLBA.
4. Penalty for breach of confidentiality and privacy: Under section 72 it is presently restricted to those who gain access to an electronic record or document under the powers conferred under this Act. A new section 72A has been added that provides for punishment for disclosure of information in breach of a lawful contract. Any person including an intermediary who has access to any material containing personal information about another person, as part of a lawful contract, and discloses it without the consent of the subject person will constitute a breach and attract punishment with imprisonment of up to three years, and/or a fine of five lakh rupees. This is a strong deterrent, and also will bring those responsible for breaching data confidentiality, under lawful contracts, to justice. Along with section 43A, section 72A strengthens the data protection regime in the country. It will go a long way in promoting trust in transborder data flows to India.
5. Cyber crimes: Existing sections 66 and 67 on hacking and obscene material have been updated by dividing them into more crime-specific subsections, thereby making cyber crimes punishable. Section 69 has also been rewritten to include cyber terrorism through new clauses 69A and 69B. Moreover, requirement of a DSP to investigate cyber crimes has been relaxed; an inspector is now competent to investigate crimes under this Act. Traffic data, logs and information will be required to be maintained by intermediaries for cyber security, under sections 67C, 69B and 70A; as per procedures and safeguards that will be prescribed by the central government. This will ensure availability of cyber forensic data, which is essential for investigation and prosecution of cyber crimes.
   a. Section 66: "hacking" as a term has been removed. This section has been aligned with section 43 on compensation against damage. In addition to the compensation u/s 43, a person who dishonestly or fraudulently gains access to a computer system and damages it or diminishes its value or causes disruption, will also be punished with imprisonment of up to three years and/or a fine of five lakh rupees.
   b. Subsection 66A: provides for punishment for sending offensive messages, including attachments, through communications service: up to three years' imprisonment, and/or a fine.
   c. Subsection 66B: provides for punishment for dishonestly receiving stolen computer resource or communication device: up to three years' imprisonment, and/or a fine of one lakh rupees.
   d. Subsection 66C: provides for punishment for identity theft: up to three years' imprisonment, and/or a fine of one lakh rupees.
   e. Subsection 66D: provides for punishment for cheating by personation: up to three years' imprisonment, and/or a fine of one lakh rupees.
   f. Subsection 66E: provides for punishment for violation of privacy: up to three years' imprisonment, and/or a fine of two lakh rupees (for intentionally capturing, publishing or transmitting the image of a private area of any person without his or her consent).

   g. Subsection 66F: provides for punishment for cyber terrorism: up to life imprisonment. Cyber terrorism is defined as causing denial of service, illegal access, introducing a virus in any of the critical information infrastructure of the country defined u/s 70 with the intent to threaten the unity, integrity, security or sovereignty of India or strike terror in the people or any section of the people; or gaining illegal access to data or database that is restricted for reasons of the security of state or friendly relations with foreign states.
   h. Section 67: it has been revised to include the transmission of obscene material in electronic form in addition to its publishing. Punishment for publishing or transmitting obscene material in electronic form has, however, been reduced from five to three years, while the fine has been increased from one to five lakh rupees. For second offence, imprisonment has been reduced from ten to five years, and fine increased from two to ten lakh rupees.
   i. Section 67A: provides for punishment for publishing or transmitting of material containing sexually explicit act in electronic form: imprisonment of up to five years and a fine of ten lakh rupees; for second offence, imprisonment of up to seven years and a fine of ten lakh rupees.
   j. Section 67B: provides for punishment for publishing or transmitting of material depicting children in sexually explicit act in electronic form: imprisonment of up to five years and a fine of ten lakh rupees; for second offence, imprisonment of up to seven years and a fine of ten lakh rupees.
   k. Section 67C: provides for preservation and retention of information by intermediaries as may be specified for such duration and in such manner and format as the central government may prescribe. Failure to comply shall be punishable by imprisonment of up to three years and a fine.
   l. Section 69: the earlier provision has been revised while two new subsections have been added, namely 69A and 69B. Powers under section 69 were earlier vested with the Controller of Certifying Authorities for directing any agency of the government to intercept any information transmitted through a computer resource. The revised section empowers the central government or a state government to direct any agency of the government to intercept, monitor or decrypt; or cause to be intercepted, monitored or decrypted; any information generated, transmitted, received or stored in any computer resource under conditions of threat to national security or friendly relations with foreign states. The procedure and safeguards for such interception or monitoring shall be prescribed by the government. This will make the application of section 69 more transparent, unlike the same section in the previous version, since such procedures were not mandated for the government to prescribe. An intermediary not complying with such directions shall be punished with an imprisonment of up to seven years and a fine.

   m. Subsection 69A: This is a new provision that empowers the central government to issue directions for blocking of websites (blocking for public access of any information through any computer resource). Conditions under which this may be done are similar to those under section 69A, and procedures and safeguards subject to which such blocking for access by the public may be carried out, shall be prescribed by the central government. It may be noted that blocking can only be ordered by the central government, unlike interception and monitoring that can be ordered by the central or a state government. An intermediary not complying with such directions shall be punished with an imprisonment of up to seven years and a fine.
   n. Subsection 69B: This is yet another provision that empowers the central government to authorize to monitor and collect traffic data or information through any computer resource for cyber security. Any government agency can be authorized to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. An intermediary not complying with such directions for enabling online access or to secure and provide online access to the computer resource generating, transmitting, receiving or storing such traffic data or information; shall be punished with an imprisonment of up to three years and a fine.
   o. Section 77: Compensation, penalties or confiscation awarded under the IT Act do not preclude awards of compensation or imposition of penalty or punishment under any other law. However, subsection 77A does provide for compounding of offences except for the award of punishment for life imprisonment or for a term exceeding three years under this Act.
6. Critical information infrastructure protection: Earlier section 70 on protected systems has been revised to include any computer as part of critical information infrastructure (with a clear definition) through an appropriate notification, and two new subsections 70A and 70B have been added to designate a national nodal agency in respect of critical information infrastructure, called Indian Computer Emergency Response Team. This agency will be responsible for all measures including R&D relating to protection of critical information infrastructure. It will discharge wide ranging functions related to cyber security incidents, responding to them, and perform all functions relating to cyber security. Service providers, intermediaries, companies and others will have to provide information to the agency as may be required by it in discharge of its functions, in accordance with procedures that shall be prescribed by this nodal agency.
7. Examiner of Electronic Evidence: Cyber forensic evidence is critical to trial of cyber criminals. The felt need of an Examiner of Electronic Evidence has been satisfied through section 79A under which the central government may specify any department, body or agency of the central government as an Examiner of Electronic Evidence, for the purposes of providing expert opinion on electronic form evidence before any court.

8. Electronic Signature: The Act has been made technology neutral. Earlier only digital signatures based on asymmetric cryptography were recognized as electronic signatures to sign electronic documents/records. Section 3 on digital signatures has been replaced by electronic signatures. Now the central government is empowered to issue any other types of signatures based on new, mature technologies under section 15 and 16.
9. Electronic contract formation: Section 10A has been added that provides for validity of contracts formed through electronic means.
10. Audit of electronic records: Section 7A has been added that provides for audit of documents maintained in electronic form.
11. Encryption: Section 84C has been added that enables the central government to prescribe the modes or methods of encryption for secure use of the electronic medium and for promotion of e-governance and e-commerce.

The amended IT Act is a step in the right direction. It strengthens the data protection regime, and makes cyberspace more trustworthy since cyber criminals, whether engaging in data and identity theft, financial frauds or posing threat to national security through acts of cyber terrorism, will be brought to justice.
