Crime Branch Advisory
The Nigerian Scam
New Cyber Security Infrastructure unveiled by Information Technology Act 2000 Amendment
[P.S: Comments made here in are the first reactions based on the Bill. Further developments in the form of rules and notifications are awaited.. Naavi ]
The unveiling of the amendments which has transformed ITA 2000, the landmark cyber legislation in India which was first enacted with effect from October 17, 2000, ( the new version of the Act is herein referred to as ITA 2008) has provided a new focus on Information Security in India.
So far, Information Security Experts have been speaking on "Cyber Law Compliance" as a part of "Techno Legal Information Security" and advising Companies to formulate an appropriate plan of action to comply with cyber laws as a part of the IS practice. Now this association of Cyber Law into the Information Security domain has gained additional importance due to some amendments that have been made to ITA 2000.
The amended Act is making a sincere effort to bring in a complete information security infrastructure into the industry.
The first observation that we can make in this regard is a new legal definition that has been given to the term "Cyber Security" under the newly inserted section 2( nb) which states as under.
Section 2 (nb) (Inserted Vide ITAA 2008)
"Cyber Security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored threin from unauthorized access, use, disclosure, disruption, modification or destruction.
The term incorporates both the physical security of devices as well as the information stored there in. It covers "Protection from unauthorised access, use, disclosure, disruption, modification and destruction"
To support the development of the Cyber Security infrastructure, the amendments also focus on
a) Defining penalties for violation
b) Defining appropriate level of compensation
b) Setting up an authority for implementation
Penalties for Violation
In defining the penalties for violation, we may specially note that a new offence has been defined which recognizes the need to specially penalize the "Theft" of computer or other communication devices.
Under the newly added Section 66B, the receiver of a stolen computer resource may be liable for punishment.
The section reads:
Sec 66B: Punishment for dishonestly receiving stolen computer resource or communication device (Inserted Vide ITA 2008)
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.
Under this section, receiving a stolen Computer, or a Mobile or even a CD, or an e-mail containing stolen information may be punishable with 3 years of imprisonment. The offence would be cognizable and compoundable. For being liable, the person should receive the information "Dishonestly" and should be aware that it is "Stolen".
With this section, Police may to book all Mobile theft or laptop theft cases under this section. So far we were trying to convince the Police that any theft of Computer device would be "Diminishing the value of information residing there in" and therefore should be booked under Section 66. Now it may be easy to convince the Police.
Along with the change made to Section 78 and 80 of the ITA 2000 bringing down the level of investigation to the Inspectors from DSPs, the number of Complaints which need to be registered under "Cyber Crimes" will now increase many folds and the Police need to work over time to get trained in the handling of Cyber Crimes.
Additionally, Section 43 read with other changes increase the possibility of compensation from a maximum of RS 1 crore to even beyond RS 5 crores. Though the fast track "Adjudication" is restricted to cases where the compensation is upto RS 5 crores, there is no upper limit on the compensation to be claimed.
The newly added Section 43 (j) tries to expand the cases where compensation can be claimed to cases of a person without the permission of the owner of a computer, computer resource
"steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,"
In this section, "Computer Source code" means "the listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form". This again makes it easy for Police to understand how to treat a complaint from a software company about stolen data.
The penalty for stolen data does not end with the perpetrator of the offence as far as the victim is concerned. The provisions on "Data Protection" extend the liability for lack of Cyber Security to the Companies too.
Under the newly introduced Section 43A,
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
It may be noted that there is no upper limit to the liability under this section.
In understanding the responsibilities under this section, the term "Reasonable Security Practices" becomes vital.
As per the explanation to the section,
"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Additionally, Under Section 72 A, there is a provision for Criminal prosecution for breach of information security. This section states,
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
Note again that this offence is cognizable.
Further under Section 85, the Company as well as its Directors or Officers in charge of business "shall be" held guilty of the offence is committed "by the Company".
Thus the "Vicarious Liability" on the Companies for "Data Protection" has been hardened.
Under Section 67 C, a further responsibility has been cast on "Intermediaries" (Which now includes body corporates" to retain information for a certain time to be specified by the Central Government. The section reads
(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.
(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section
(1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
This is an important provision that will pull up ISPs, MSPs and others who today shirk from the responsibility of preserving information which would serve as evidence in case of Cyber offences. (Duration for which information has to be preserved need to be prescribed in the rules and notifications)
As a part of the need to monitor Cyber Security, under Section 69 B,
(1) The Central Government may, to enhance Cyber Security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.
(2) The Intermediary or any person in-charge of the Computer resource shall when called upon by the agency which has been authorised under sub-section
(1), provide technical assistance and extend all facilities to such agency to enable online access or to secure and provide online access to the computer resource generating , transmitting, receiving or storing such traffic data or information.
(3) The procedure and safeguards for monitoring and collecting traffic data or information, shall be such as may be prescribed.
(4) Any intermediary who intentionally or knowingly contravenes the provisions of sub-section
(2) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.
Explanation: For the purposes of this section,
(i) "Computer Contaminant" shall have the meaning assigned to it in section 43
(ii) "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted and includes communications origin, destination, route, time, date, size, duration or type of underlying service or any other information.
Apart from throwing open registration and investigation of Cyber Crimes to Inspector level, at the national level, a new "Nodal Agency" comes into being for implementation of Cyber Security.
Under Section 70
The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security,-
(a) collection, analysis and dissemination of information on cyber incidents
(b) forecast and alerts of cyber security incidents
(c) emergency measures for handling cyber security incidents
(d) Coordination of cyber incidents response activities
(e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
(f) such other functions relating to cyber security as may be prescribed
Under Section 70 (B)
For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person
Under Section 70 (B)(7)
Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6) , shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
The cumulative effect of the above provisions of ITA 2008 is to create a new Cyber Security Implementation infrastructure in India and is considered a highly positive development in the industry.
The next steps to be watched are of course how the provisions would be actually implemented through appropriate rules and regulations.
Source : Naavi