Feb 26, 2020

Cyber breaches in India: Is India Inc ready?

‘If one thing can prevent the Internet of Things from transforming the way we live and work, it will be a breakdown in security.’[1]

With the advancements in technology over the last few decades, the manifold surge in the volume of online transactions; and in the Indian context, the Government’s propagation of the ‘Digital India’ initiative, the internet has become a parallel universe.

The present-day dependence on smartphones and internet for social media activities and financial transactions such as online shopping, bill payments, money transfers, travel bookings, etc. marks a significant step towards a global integration of financial technology platforms and simultaneously calls for enhanced levels of data security and cyber protection.

What is a Cyberbreach?

The term ‘cyber breach’ is not defined under any law. It refers to illegal internet-mediated activities that often take place in global electronic networks.[2]

In other words, any offence – civil or criminal, when committed with the involvement of a computer or a computer system, device, network, resource or generally over the internet is a ‘cyber breach’ or ‘cybercrime’.

The Threats

Whether it is the most recent Marriott Hotels’ mega data theft of 500 million users, the Facebook-Cambridge Analytica data scandal of 2018, or Google’s China service attacks in 2009, cybercrimes have affected all industry sectors across the world for quite some time now.

The internet is prone to all forms of cyberbreaches, be it intrusive offences such as hacking or data espionage, or computer related offences such as viruses, malware, cyber-frauds, cyber-thefts (whether of data, property or identity), cyber forgery, etc., or content related such as pornography, hate speeches, etc. While threats such as pornography and cyber terrorism involve an inherent element of criminality and are generally outside the confines of the corporate world, cyber breaches such as hacking, data thefts, electronic frauds, privacy breaches, piracy, etc. are largely relevant to India Inc.

Abuse cases are evolving on a day-to-day basis and as opposed to the traditional transaction-centric frauds, the new-age cybercriminals are focusing more on sophisticated cybercrimes, such as long-term sleeper frauds, account takeovers, developing synthetic identities, etc.

The growing focus on making electronic transactions more seamless and convenient has also led to an enormous increase in vulnerability of electronic transactions.

Regretfully, Indian law has not kept pace with the advancements in technology, mainly because the law-making approach in India is largely reactive than proactive.

Legal Recourse

Attributable mostly to the lack of awareness of cyber threats in India and the low priority accorded to prevention of cybercrimes, Indian cyber laws are not one of the most stringent. While the Information Technology Act 2000 (ITA) is the umbrella legislation dealing with cyber offences, references to other cyber offences can also be found in the Indian Penal Code, 1860, Copyright Act, 1957, Indian Telegraph Act, 1885, Companies Act, 2013, the Competition Act, 2002, etc.

The ITA contains provisions which are aimed at safeguarding electronic data, information or records, and prevention of unauthorized or unlawful use of a computer system. It imposes monetary liability for unauthorized access to a computer system, failure to protect data or information, wrongful disclosure or misuse of personal data, etc.

Under the provisions of the ITA, cyber breaches are adjudicated by an ‘adjudicating officer’ who may hold the person guilty of an offence liable to pay compensation to the person(s) affected by such offence. Appellate remedies are also available.

Cyber offences may also be reported to law enforcement authorities in the same manner as any other offences. One may either approach the specialized cybercrime cells of police stations for reporting cybercrimes or certain additional specialized bodies/forums set-up particularly for recording and investigating cyber breaches.

In the recent past, the Government has also taken significant steps in the direction of augmenting the cybercrime investigation infrastructure in India and creation of specialized reporting mechanisms and laboratories such as the Cybercrime Reporting Portal[3] for registering crimes against women and children online. This is in addition to the existing Indian Computer Emergency Response Team (Cert-In) under the ITA[4].

Recently the Government has also inaugurated the National Cyber Forensic Lab[5] and the Delhi Police has launched a Cyber Prevention, Awareness & Detection Centre.

Are we ready?

1. Cyber laws in India are inadequate and still evolving. To add to that, the lackadaisical enforcement of this otherwise limited set of laws is of little help. Indian law makers have usually followed a reactive approach and new laws are mostly triggered by occurrence of adverse incidents which come to light mostly through judicial interference.

2. The slow progress in implementation of cyberlaws is also attributable to the lack of awareness of privacy rights and the low priority accorded to protection of personal information in India. MNCs are typically cognizant of cyber and data protection issues owing to the experience from other jurisdictions. However, majority of the Indian corporates do not consider these issues with the desired seriousness.

3. Fortunately, there have been some recent developments in the field of data protection, albeit due to judicial intervention – the Personal Data Protection Bill, 2019[6] is a welcome step in this direction.

4. Courts in India have played an instrumental role in the formulation of IT infrastructure in India, be it the recognition of right to privacy as a fundamental right in the recent case of Justice K. S. Puttaswamy (Retd.) v. Union of India[7] or provision of immunity / safe harbor to intermediaries for content posted on their websites pursuant to the Bazee.com case (Avnish Bajaj v. State[8]; Sharat Babu Digumatri v. Government of NCT of Delhi[9]).

5. The financial sector is the most affected by challenges of forgery, payments frauds, money laundering, etc., and the RBI has been a proactive regulator in focusing on tightening the security norms for tackling these. Measures introduced by the RBI with respect to cyber security in electronic payment transactions such as 2FA authentication, EMV chips, PCI DSS compliance, SMS alerts, tokenization, reporting mechanisms, etc. are intended to help in securing the payments ecosystem since cybercrimes in India are pre-dominantly financial in nature.

Solutions / Ideas

Legislative Support

1. What India needs is a comprehensive cybersecurity legislation protecting against cyber threats, which needs to be supplemented by adequate cyber security infrastructural support from the Government and legal awareness programs from time to time.

2. Support from judiciary in form of necessary interventions from time to time has been the bright spot which, one hopes, will continue to be the guiding light.

3. With the constant evolution in technology, countermeasures and safeguards implemented cannot afford to be static – they too need to constantly evolve.

4. Since the internet knows no bounds, extra-territorial application of cyber laws is no longer a moot point. At the international level, India has not adopted the Convention on Cybercrime (Budapest Convention) for the sole reason that it did not participate in the drafting of the Convention. The Convention is the first international treaty on crimes committed via the Internet and its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.[10]

Recommendations for India Inc.

1. Corporates need to put in place efficient and robust countermeasures to prevent cyber breaches. To begin with, an information security policy is a must, along with updated firewall, anti-virus, anti-malware, spam-filters and other such technologies. Mere existence of such policies / technologies is not enough – their adoption and usage need to be ingrained in the day-to-day functioning of an organization.

2. For companies which are sensitive to financial frauds and forgery, robust anti-fraud policies can be implemented with imperative safeguards such as internal approval processes, constant transaction monitoring and reporting mechanisms. Data thefts, breaches or hacking attacks should also be reported to regulators to allow for corrective enforcement action.

3. Depending on the nature of business and the sensitivity of data involved, mechanisms such as periodic security audits, incident reporting, response management and continuous monitoring of technological platforms will be required.

4. For businesses which are data-driven such as KPOs and BPOs or hold sensitive personal information of individuals such as banks, financial institutions, etc., these measures are of paramount importance.

5. Organizations which share data held by them with other third parties need to ensure that effective controls and safeguards for data protection are implemented by such third parties which ensure that data security is not compromised.

Way Forward

The existence of a limitless inter-connected cyber world makes cybercrimes inevitable because it is a law of nature – where there is light, there will be darkness. The only way forward is to deal with the darkness as the benefits of the cyber world outweigh the pitfalls by far.

Multiple stakeholders including regulators, internet service providers, intermediaries, users or processors of information including body corporates, the data subjects and users of the internet themselves should all be collectively invested in their efforts to reduce cybercrimes or at least to mitigate risks or control the fallouts arising from cyberbreaches.

Apart from awareness and cooperation between all stakeholders, adoption of best security practices, continuous monitoring and reporting, a constantly evolving legislative and judicial framework is a necessity as nothing remains stagnant on the internet.

Jatinder Singh Saluja, Senior Associate

[1] Usage of ‘Internet of Things’ in the Oxford Online Dictionary – accessible at https://www.lexico.com/en/definition/internet_of_things (last visited on February 23, 2020).
[2] “An International Perspective on Fighting Cybercrime” by Chang, Weiping; Chung, Wingyan; Chen, Hsinchun; Chou, Shihchieh (2003). Accessible at https://link.springer.com/chapter/10.1007%2F3-540-44853-5_34 (last visited on February 23, 2020).
[3] The portal, launched by the Ministry of Home Affairs under the ‘Cyber Crime Prevention against Women & Children’ scheme and the ‘Indian Cyber Crime Coordination Centre (I4C)’ scheme, is accessible at www.cybercrime.gov.in (last visited on February 23, 2020).
[4]  Cert-In is the nodal agency for the collection, analysis and dissemination of information on cyber incidents and taking emergency measures. Security incidents can be reported to the CERT-In using the website www.cert-in.org.in last visited on (February 23, 2020).
[5] The National Cyber Forensic Lab is a part of the Indian Cyber Crime Coordination Centre initiative.
[6] The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha on December 11, 2019.
[7] Justice K. S. Puttaswamy (Retd.) v. Union of India, Writ Petition (Civil) No. 494/2012, along with other clubbed matters.
[8] Avnish Bajaj v. State, 150 (2008) DLT 769.
[9] Sharat Babu Digumatri v. Government of NCT of Delhi, Criminal Appeal No. 1222 of 2016.
[10] Summary of the Convention on Cybercrime, Budapest, accessible at https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185 (last visited on February 23, 2020).





These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.