Delving into the laws pertaining to cyber security in India


December 1, 2022


The 21st century has witnessed an enormous range of cyber-crime activities, including but not limited to cyberbullying, cyberstalking, online job frauds, online sextortion, vishing, smishing, credit card or debit card fraud, impersonation and identity theft. As a result, it has become crucial to introduce cyber security laws covering all aspects of internet, world wide web and cyberspace transactions.

Cybersecurity involves protecting internet-connected systems from cyberthreats such as malware, viruses and other malicious software. Individuals and enterprises use this practice to protect data centres and other computerized systems. Besides preserving a good security posture, cybersecurity can also be used to defend an organization or user from malicious attacks in which their data or systems are accessed, modified, deleted, destroyed, or extorted, as well as to prevent attacks that aim to disrupt the operation of a system or device. Cyber laws deal with all legal issues relating to internet crimes, and they have gained great momentum due to the increasing number of internet users.

As a result of the increasing use of technology in India, cyber security is essential in protecting the interests of people using the internet every day. The Government of India has brought in various laws governing cyber-crime under the Information Technology Act, 2000 read with the rules, the Indian Penal Code, 1860 and the Cybersecurity Framework (NCFS).

This article aims to provide a general overview of the aforementioned laws in order to enable one to determine their scope and impact with regard to dealing with cyber-crimes in India.

Legislations governing Cyber security

Information Technology Act, 2000

The Information Technology Act, 2000 (“IT Act”) is the primary framework for cyber security and provides the whole enquiry process for governing cyber-crimes. The IT Act contains provisions for the protection of electronic records. Moreover, with the amendment to the IT Act introduced in 2008, the legislature brought in the laws that relate to cyber security.

Section 43 (a) to (j) of the IT Act provides for penalty and compensation pertaining to cybercrimes such as damage to computer properties, computer systems, computer data etc. The provision lists out various civil offences which can be committed using a computer and the liability towards payment of damages by way of compensation. The scope of the IT Act is broad enough to cover the consequences if a body corporate fails to protect sensitive personal data. This has increased the body corporate’s responsibility to protect the data with reasonable security practices and procedures.

Sections 65 to 74 deal with criminal offences related to computer source. Chapter XI of the IT Act sets out the offences which fall under criminal offences and provides the punishment for committing such offences. Sections 66 to 66F deal with offences relating to cyberstalking, online job frauds, identity theft, cyber terrorism, violation of privacy and sending offensive messages. The power of the authority to give directions to protect the system is mentioned under sections 68 to 69B and section 70.

The key rules framed under the IT Act within the framework of cybersecurity laws include:

  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under which entities that hold sensitive personal information of individuals are required to maintain specified security standards.
  • The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, which govern the role of intermediaries, including social media intermediaries, in preventing harmful content from being transmitted online, in order to keep users’ data safe.
  • The Information Technology (The Indian Computer Emergency Response Team (“CERT-In”) and Manner of Performing Functions and Duties) Rules, 2013, which govern several aspects of CERT-In’s functioning. As per Rule 12, it is mandatory that a 24-hour incident response helpdesk be available at all times. Cybersecurity incidents can be reported by individuals, organizations, and companies to CERT-In. According to the Rules, certain incidents listed in the Annexure must be reported immediately to CERT-In.
  • The Information Technology (Guidelines for Cyber Cafe) 2011, under which cybercafés are mandated to register with a proper agency and keep records of users’ identities and the websites they visit.
  • The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, which mandate organisations possessing protected systems to implement specific information security measures.

Indian Penal Code, 1860 (“IPC”)

The provisions of the IPC are intended to strengthen deterrence and compliance with the IT Act by providing punishment for the commission of cyber-crimes. For example, email abuse is a cyber-crime that is dealt with under section 500 of the IPC. Similarly, forgery of an electronic document or part of an electronic document with the intent to commit forgery falls within the ambit of section 463 of the IPC. Section 420 can also be interpreted to include cyber fraud as part of the provision. Sections 354D and 345D deal with stalking and cyberstalking, and the punishment for such an offence ranges up to 3 years imprisonment for a first offence and 5 years for a second offence. Section 379 provides the punishment for theft which, pursuant to judicial determination and interpretation, includes cyber theft such as hijacking electronic devices, stolen data and stolen computers, with imprisonment of 3 years or with fine or with both. Criminal intimidation and cyber defamation by way of anonymous communication is an offence under sections 507 and 503 of the IPC, with imprisonment which extends to two years.

Cybersecurity Framework

Apart from the aforementioned legislations, as part of the global certification process, India has been approved with the Cybersecurity Framework (NCFS) by the National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework includes procedures, ethics, and best practices for handling cyber-related risks responsibly. Cybersecurity risk can be managed more efficiently using the NIST CSF coupled with the IS/ISO/IEC 27001 standards. Additionally, NIST’s cybersecurity directive promotes effective communication within and across supply chains through easier collaboration.

As part of the IT Act, the National Cyber Security Policy (2013) was established to protect information infrastructure in cyber space, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities, and minimize damage from cyber incidents, through a combination of institutions, people, processes, technology, and cooperation. The National Critical Information Infrastructure Protection Centre (NCIIPC) has been established for the protection of critical information infrastructure in the country. A further objective is to educate individuals, companies, and government entities about current and potential cyber security threats and to share timely information so that they can take proactive, preventive, and protective measures. The National Cyber Coordination Centre (NCCC) was formed to make sure all entities have timely access to information to enable proactive, preventive, and protective actions.

Enforcement agencies under Cybersecurity rules

The authorities play an important role in the enforcement of cyber security rules, as they can stop cyber-crime from happening or identify the person or organisation behind the crime and punish them accordingly. In accordance with the IT Act, CERT-In coordinates cyber incident response activities and handles cyber incidents. Besides developing the National Critical Information Infrastructure Protection Centre, the Ministry of Communication and Information Technology has developed other infrastructure to combat cybercrime, such as critical installations and critical infrastructure. Individuals and organizations can seek relief under the IT Act when a cybersecurity incident is determined. The cyber-crime investigation cell takes up cases related to any cyber security issue, investigates them and catches the person behind the cybercrime. All appeals in matters related to cybersecurity are heard by the Cyber Appellate Tribunal, which was established under the IT Act. The Cyber Appellate Tribunal has the power to regulate its proceedings, including the place of its sittings.

The RBI has also been attempting to bring in regulation to combat online banking fraud by notifying standards to be followed by all banks for securing their servers against cybercrime and by creating awareness among people about online frauds in the banking sector. On a regular basis, banks notify their customers about online fraud and inform them of the RBI-prescribed procedure for claiming compensation for such online frauds. The RBI has mandated banks to create a separate helpline for speedy disposal of cybercrime. Under SEBI’s ‘Cyber Security & Cyber Resilience Framework’ for Stock Brokers and Depository Participants, stock brokers and depository participants are required to submit periodical reports to stock exchanges/depositories detailing cyberattacks and coercions experienced by these entities, along with actions taken to mitigate these attacks, coercions and vulnerabilities.

Author: Dippyaman Bhattacharya, Associate.

Disclaimer: The content of this article is intended to provide a general guide to the subject matter and that the same shall not be treated as legal advice. For any queries, the author can be reached at
