1. Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
India does not have a dedicated cybersecurity law. The Information Technology Act 2000 (the IT Act) read with the rules and regulations framed thereunder deal with cybersecurity and the cybercrimes associated therewith. The IT Act not only provides legal recognition and protection for transactions carried out through electronic data inter- change and other means of electronic communication, but it also contains provisions that are aimed at safeguarding electronic data, information or records, and preventing unauthorised or unlawful use of a computer system. Some of the cybersecurity crimes that are specifically envisaged and punishable under the IT Act are hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft.
In accordance with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (the CERT Rules), the Computer Emergency Response Team (CERT-In) has been established as the nodal agency responsible for the collection, analysis and dissemination of information on cyber incidents and taking emergency measures to contain such incidents.
Other relevant rules framed under the IT Act in context of cyber- security include:
• the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the SPDI Rules), which prescribe reasonable security practices and procedures to be implemented for collection and the processing of personal or sensitive personal data;
• the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018 (the Protected System Rules), which require specific information security measures to be implemented by organisations that have protected systems, as defined under the IT Act. More information on protected systems is provided in ‘Scope and jurisdiction’; and
• the Information Technology (Intermediaries Guidelines) Rules, 2011 (the Intermediaries Guidelines), which require intermediaries to implement reasonable security practices and procedures for securing their computer resources and information contained therein. The intermediaries are also required to report cybersecurity incidents (including information relating to such incidents) to CERT-In.
Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860 (IPC), which punishes offenses, including those committed in cyberspace (such as defamation, cheating, criminal intimation and obscenity), and the Companies (Management and Administration) Rules 2014 (the CAM Rules) framed under the Companies Act 2013, which requires companies to ensure that electronic records and security systems are secure from unauthorised access and tampering.
In addition to the above, there are sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India Act 1999 (IRDA), the Department of Telecommunication (DOT) and the Securities Exchange Board of India (SEBI), which mandate cybersecurity standards to be maintained by their regulated entities, such as banks, insurance companies, telecoms service providers and listed entities.
2. Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Regulated entities operating in sensitive sectors, such as financial services, banking, insurance and telecommunications, have exhibited higher standards of cybersecurity preparedness and awareness, partly because of regulatory intervention as well as voluntary compliance with advanced international standards. Sectors such as e-commerce, IT and IT-enabled services that have seen infusion of foreign direct investment have also proactively deployed robust cybersecurity frame- works and policies to counter the evolving nature of cyber fraud as they have borrowed advanced cybersecurity practices and procedures from their parent entities in the United States, the European Union and other matured jurisdictions.
With the rise of digital payments, cyber-crimes involving payment transactions in the online space have significantly increased and become complex. While the RBI has been active in requiring companies operating payment systems to build secure authentication and trans- action security mechanisms (such as 2FA authentication, EMV chips, PCI DSS compliance and tokenisation), given that these payment companies often offer real-time friction-less payments experiences to their consumers, it leaves less time for banks and other entities operating in the payment ecosystem to identify and respond to cyber threats. In light of the above, there is an increased need to identify and develop cybersecurity standards commensurate with the nature of information assets handled by them, and the possible harm in the event of any cybersecurity attack, to ensure that these emerging risks are mitigated.
3. Has your jurisdiction adopted any international standards related to cybersecurity?
Yes, the SDPI Rules framed under the IT Act require bodies corporate that handle sensitive personal data or information to implement ‘reasonable security practices and procedures’ by maintaining a comprehensive documented information security programme. This programme should include managerial, technical, operational and physical security control measures that are commensurate with the nature of the information being protected. In this context, the SPDI Rules recognise the International Standard ISO/IEC 27001 on Information technology
– Security techniques – Information security management systems
– Requirements as one such approved security standard that can be implemented by a body corporate for protection of personal information. All bodies corporate that comply with this standard are subject to audit checks by an independent government-approved auditor at least once a year or as and when they undertake a significant upgrade of their processes and computer resources.
Sector-specific regulators have also prescribed security standards specifically applicable to regulated entities. For instance, the RBI guide- lines mandate banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards for ensuring adequate protection of critical functions and processes. Similarly, SEBI requires stock exchanges, depositories and clearing corporations to follow standards, such as ISO/IEC 27001, ISO/ IEC 27002 and COBIT 5.
4. What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
While there is no specific statutory provision that requires information security personnel to keep directors informed of an organisation’s network preparedness, in the event of a cybersecurity breach, the persons in charge of an organisation are required to demonstrate before regulators that they have implemented security control measures as per their documented information security programmes and information security policies. Therefore, it would be necessary for these persons to be aware of and updated about the information security preparedness of their organisation to effectively discharge their responsibilities.
Section 85 of the IT Act also specifically states that in case of any contravention of the provisions stipulated thereunder, any person who is in charge of supervising the affairs of a company will be liable and proceeded against, unless he or she is able to prove that contravention took place without his or her knowledge, or that he or she exercised all due diligence to prevent such contravention. Therefore, personnel can protect themselves from liability by being aware of and deploying adequate cybersecurity measures.
Separately, as per the CAM Rules, the managing director, company secretary, or any other director or officer of the company (as may be decided by the board) is responsible for the maintenance and security of electronic records. This person is required to, inter alia, provide adequate protection against unauthorised access, alteration or tampering of records; ensure that computer systems, software and hardware are secured and validated to ensure their accuracy, reliability and accessibility; and take all necessary steps to ensure the security, integrity and confidentiality of records. Any failure by such personnel in this regard may be construed to be a breach of their duties towards the organisation.
5. How does your jurisdiction define cybersecurity and cybercrime?
Under the IT Act, ‘cybersecurity’ means protecting information, equipment, devices, computers, computer resources, communication devices and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. ‘Cybercrime’ on the other hand has been defined by the National Cyber Crime Reporting Portal (a body set up by the government to facilitate reporting of cybercrime complaints) to ‘mean any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of crime’.
The courts in India have also recognised cybercrime (eg, the Gujarat High Court in the case of Jaydeep Vrujlal Depani v State of Gujarat R/ SCR.A/5708/2018 Order), to mean ‘the offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (networks including but not limited to Chat rooms, emails, notice boards and groups) and mobile phones (Bluetooth/SMS/MMS)’.
While the IT Act does not make any distinction between cybersecurity and data privacy, in our view, these issues are distinct but also deeply interconnected as ensuring privacy of an individual’s data requires adequate cybersecurity processes to be implemented by organisations. Further, cybersecurity and information security frameworks are developed by organisations at a broader level to build resilience against various forms of cyberthreat, including cybercrimes that entail more extensive engagement with regulatory authorities depending on the extent of harm caused, the nature of information handled by the body corporate, sector sensitivities, etc.
6. What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
As mentioned above, as per the SPDI Rules, any body corporate that possesses, deals with or handles any sensitive personal data or information in a computer resource is required to implement prescribed security standards (ISO/IEC 27001 on Information technology – Security techniques – Information security management systems – Requirements).
Sector-specific cybersecurity measures have been made mandatory by regulators for some regulated businesses. For instance, in the banking sector, the RBI requires banks to undertake certain security measures including, inter alia, logical access controls to data, systems, application software, utilities, telecommunication lines, libraries and system software; using the proxy server type of firewall; using secured socket layer (SSL) for server authentication; and encrypting sensitive data, such as passwords, in transit within the enterprise itself. The RBI specifically mandates that connectivity between the gateway of the bank and the computer system of the member bank should be achieved using a leased line network (and not through the internet) with an appropriate data encryption standard and that 128-bit SSL encryption must be used as a minimum level of security.
Additionally, in the telecommunications sector, the licence conditions imposed by the DOT require every licensee to implement the following measures:
• ensure protection of privacy of communication so that unauthorised interception of messages does not take place;
• have an organisational policy on security and security management of its network, including network forensics, network hardening, network penetration tests and risk assessment; and
• induct only those network elements into its telecom network that have been tested as per relevant contemporary Indian or international security standards (eg, the IT and ITES elements) against the ISO/IEC 15408 standards (eg, the ISO 27000 series standards for information security management systems and the 3GPP and 3GPP2 security standards for telecoms and telecoms-related elements).
7. Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
The IT Act and related laws are equally applicable to cyberthreats involving intellectual property and grant similar protection.
8. Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
As per section 70 of the IT Act, the government may notify any computer resource that affects the facility of critical information infrastructure (CII) to be a ‘protected system’. CII means any computer resource of which the incapacitation or destruction can have a debilitating impact on national security, economy, public health or safety. Under the Protected System Rules, specific cybersecurity practices are applicable in the context of a protected system, such as setting up an information security steering committee (Committee) to approve all information security policies relating to the protected systems, designating a chief information security officer and carrying out vulnerability, threat or risk analysis on an annual basis. Significant changes in network configuration would need to be approved by the Committee, and organisations would need to ensure timely communication of cyber incidents to the Committee.
Under the provisions of the IT Act, a nodal body – the National Critical Information Infrastructure Protection Centre (NCIIPC) – has been set up to work in the interest of CII protection. The NCIIPC is authorised to reduce vulnerabilities of CII against cyberterrorism, cyber warfare and other threats. Certain identified CIIs are in sectors such as transport, telecoms, banking, insurance, finance, power, energy and governance.
The cybersecurity provisions relating to specific sectors are described in ‘Legislation’ and ‘Increased Protection’.
9. Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
In a recent judgment of Justice K S Puttaswamy (Retd) and Anr v Union of India and Ors (Writ Petition (Civil) No. 494 of 2012), the Supreme Court of India held the right to privacy to be a fundamental right that is an intrinsic component of the right to life and personal liberty under article 21 of the Constitution of India and therefore a basic right of all individuals. Although there are precedents where the courts have held private communications between individuals to be covered within the purview of ‘right to privacy’, there are also precedents where Indian courts have admitted recordings obtained without consent as valid evidence. Given that this issue is unsettled, permissibility of recordings will need to be determined on a case-by-case basis.
In any case, the SPDI Rules require body corporates to disclose personal data or sensitive personal information subject to prior consent of the data subject. However, this condition can be waived if the disclosure is to government agencies mandated under the IT Act for the purpose of verification of identity, or for the prevention or investigation of any offences, including cybercrimes.
Certain laws, such as the Indian Telegraph Act 1885 (the Telegraph Act) and the IT Act, permit governmental and regulatory authorities to access private communications and personally identifiable data in specific circumstances. The Telegraph Act empowers the government to intercept messages in the interest of public safety, national security or the prevention of crime, subject to certain prescribed safeguards. In that scenario, the telecoms licensee that has been granted a licence by the DOT is mandated to provide necessary facilities to the designated authorities of the central government or the relevant state government for interception of the messages passing through its network.
The IT Act also grants similar authority to the government and its authorised agencies. Any person or officer authorised by the government (central or state) can, inter alia, direct any of its agencies to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information that is generated, transmitted, received or stored in any computer resource, in the event it is satisfied that it is necessary or expedient to do so in the interest of sovereignty and the integrity of India, the defence of India, the security of the state, friendly relations with foreign states, public order or preventing incitement to the commission of any cognisable offence relating to the above, or for the investigation of any offence. In our view, the instances described in the IT Act can be relied on by the government agencies to intercept data for cybersecurity incidents if they relate to contravention or investigation of any crime.
10. What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
Cybercrime activities are specifically dealt with under the IT Act. It prescribes penalties ranging from fines to imprisonment for various types of cyber activities, including hacking, tampering of computer source code, denial-of-service attacks, phishing, malware attacks, iden- tity fraud, electronic theft, cyberterrorism, privacy violations and the introduction of any computer contaminant or virus.
11. How has your jurisdiction addressed information security challenges associated with cloud computing?
There are no separate set of laws or regulations that regulate the provision of cloud computing services in India. However, given that cloud computing services are rendered and received over the internet or through the digital medium, certain provisions of the IT Act, the SPDI Rules and the Intermediaries Guidelines may be relevant to these services.
For instance, the SPDI Rules allow a body corporate to transfer data to any other body corporate or a person in India or in any other country that ensures the same level of data protection that is adhered to by the body corporate. However, the transfer may be allowed only if it is necessary for the performance of a lawful contract between the body corporate and the data subject or where the person has consented to the data transfer. Accordingly, in our view, any entity engaged in the cloud computing business will need to ensure that it maintains the same level of information security standards as that of the data controller (ie, the person collecting the information from the data subject).
Also, depending on the business model, a cloud services provider may fall within the definition of an intermediary under the IT Act (defined as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecoms service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cybercafes). As an intermediary, the cloud service provider will need to comply with due diligence measures to claim safe harbour protection from liability arising from the content stored by it. These due diligence measures include taking all reasonable steps to secure its computer resource and the information contained therein by adopting the security practices prescribed under the SPDI Rules, as mentioned in ‘Legislation’.
12. How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
The IT Act is applicable in India and also applies to any offence committed outside India if the act that constitutes the offence involves a computer, computer network or computer resource in India. Hence, the applicability of this law is agnostic to the presence of foreign organisations in India so long as users in India can access the services provided by the organisations and the operation of the services amounts to the contravention of any provision described thereunder.
13. Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
In addition to the minimum cybersecurity standards mentioned in ‘Legislation’, various regulatory bodies have advised businesses to adopt more robust measures in areas of cybersecurity. For example, the Ministry of Communication and Information Technology released the National Cyber Security Policy in 2013, which recommended creating a secure cyber ecosystem and strengthening laws, and creating mechanisms for the early warning of security threats, vulnerability management and the response to security threats. The policy intended to encourage all organisations to develop information security policies integrated with their business plans and implement the policies in accordance with international best practices. This policy is expected to be updated in 2020.
Under the Digital India initiative, the Ministry of Electronics and Information Technology (MeitY) has set up the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), operated by CERT-In, to work with internet service providers and product or antivirus companies to provide information and tools to users on botnet and malware threats. Similar proactive measures are deployed by sector-specific regulators from time to time.
14. How does the government incentivise organisations to improve their cybersecurity?
In recent years, the government has rolled out some beneficial measures to incentivise both public and private sector organisations to improve cybersecurity standards. One example is the Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products notified by MeitY on 2 July 2018, wherein cybersecurity was named as a strategic sector, and it was further mentioned that government procurement agencies will give preference to domestically manufactured or produced cybersecurity products.
15. Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
In addition to the IT Act and the applicable rules framed thereunder, industry-specific standards have been prescribed by specific regulators. Some examples are given below.
• Financial sector: the RBI has issued various guidelines for ensuring cybersecurity and the handling of cyber fraud within the banking sector. They can be accessed at www.rbi.org.in and include the:
• Cyber Security Framework in Banks, prescribing standards to be followed by banks for securing themselves against cybercrimes;
• Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs), prescribing certain basic cybersecurity controls for primary urban cooperative banks;
• Sharing of Information Technology Resources by Banks – Guidelines, ensuring that privacy, confidentiality, security and business continuity are fully met;
• Information Technology Framework for the NBFC Sector, 2017, focusing on IT policy, IT governance information and cybersecurity; and
• Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, prescribing IT policy and outsourcing guidelines and recommendations.
• Insurance sector: the insurance sector is subject to the Guidelines on Information and Cyber Security for Insurers, issued by the IRDA. Under these guidelines, the insurers are responsible for putting in place adequate measures to ensure that cybersecurity issues are addressed. Insurers are also mandated to appoint a chief information security officer, formulate a cyber crisis management plan and conduct audits.
16. Are there generally recommended best practices and procedures for responding to breaches?
Depending on the nature and the extent of the cybersecurity incident and the sensitivity of the sector, cyber incident response strategies may differ from one business to another. Some common measures that are recommended include:
• deploying a detailed information security policy to be approved by the board;
• conducting regular transaction monitoring;
• conducting information security risk assessments;
• setting up risk mitigation and transition plans;
• updating relevant stakeholders within the organisation on their role in advance; and
• allocating appropriate personnel to engage with regulatory authorities and to deal with clients, service providers, etc.
Many companies also prefer to conduct regular assessment of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector, organisations can also reach out to CERT-In and seek advice on incident recovery, containing the damage and restoring their systems to operation. From time to time, CERT-In also issues advisories on actions recommended for parties that have been affected by cybersecurity incidents.
17. Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
The CERT Rules require individuals and corporate entities affected by certain types of cybersecurity incidents to mandatorily report the incidents to CERT-In. In addition, it is also possible for individuals and organisations to voluntarily report any other cybersecurity incidents and vulnerabilities to CERT-In and seek requisite support and technical assistance to recover from them. Whether timely and voluntary reporting will help mitigate imposition of a penalty for failing to implement reasonable security practices will be a fact-specific assessment.
18. How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The government issues consultation papers to invite feedback and suggestions from the private sector, which aids formulation of policies and laws in respect of cybersecurity. For instance, presently, the government is working with the private sector to develop its 2020 cyber- security policy. In addition, the National Cyber Security Coordinator and the Data Security Council of India have recently launched an online repository on cyber tech called ‘Techsagar’ to facilitate exchange and collaboration on matters of innovation and cybersecurity between businesses and academia. It is intended to provide an overview of India’s cybersecurity preparedness and relevant stakeholders.
19. Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Cybersecurity insurance has gained momentum in India. It is aimed at shielding online users against the damage and loss that may arise as a result of unauthorised disclosure of or access to personal and financial data. Cyber insurance is prevalent in the banking, IT and ITES, retail and manufacturing sectors.
20. Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
CERT-In is the nodal agency recognised under the IT Act for the coordination of cyber incident response activities and the handling of cybersecurity incidents. Further, the government has also established certain authorities and agencies for according protection specifically to the critical infrastructure of India, such as the NCIIPC, which was created to assess and prevent threats to vital installations and critical infra- structure in India. As and when a cybersecurity incident is determined, individuals and organisations can seek remedy from the adjudicating authorities appointed under the IT Act.
Sector-specific regulators have also attempted to enforce compliance with their respective information security standards. For example, the RBI imposed a monetary penalty of 1 million rupees on the Union Bank of India for non-compliance with the directions of the Cyber Security Framework in Banks.
21. Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
Given that CERT-In is the national agency responsible for cybersecurity, it has the authority to call for information and give directions to service providers, intermediaries, data centres, bodies corporate and any other person to perform their functions under the IT Act and the CERT Rules. Failure to respond to CERT-In’s information requests is subject to monetary penalties.
Further, the adjudicating authorities appointed under the IT Act have powers of a civil court to call for evidence and documents, and summon witnesses in connection with an inquiry into any contravention under the IT Act.
As per the provisions of the IT Act, for national security and for investigation of any offence (including cybersecurity offences), authorised government officers can issue orders to intercept, monitor or decrypt any computer resource, ask intermediaries to provide access to any information or to block access to any information stored, received or generated in any computer resource. Additionally, law enforcement agencies can be authorised to monitor and collect traffic data or information generated, received or transmitted in any computer resource, and can confiscate any computer resource in respect of which any contravention of the IT Act has been carried out.
Indian law also provides law enforcement authorities with various other mechanisms to pursue, investigate and prosecute cyber criminals. For instance, the IPC is a comprehensive code intended to cover most substantive aspects of criminal law. Criminal activities punishable under the IPC do extend to the online cyberspace infrastructure and will be dealt with in the same manner.
22. What are the most common enforcement issues and how have regulators and the private sector addressed them?
Regulators in India have relied on provisions of the IT Act and the IPC to prosecute entities found to be non-compliant with mandatory information security requirements; however, from a practical perspective, enforcement agencies often face challenges in prosecuting offshore entities that do not have business presence in India, as well as affixing liability in multilayered business outsourcing structures. The absence of a comprehensive data protection law that allocates cybersecurity responsibilities between all relevant stakeholders is also a concern. Over time, the private sector and the government have felt the need to develop more cybercrime and prosecution expertise among the police personnel responsible for prosecuting offences under the IT Act, and specific local cyber cells have been set up to address this gap.
23. What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?
There is no specific requirement under the IT Act to inform the data subject of a cybersecurity incident. However, under the Intermediaries Guidelines, the intermediary is required to inform CERT-In of cybersecurity breaches as soon as possible. Further, specific types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc) have to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and bodies corporate within a reasonable time of the occurrence or noticing the incident to aid timely action.
In addition, sector-specific regulators have their own reporting requirements. For instance, the RBI requires banks to comply with the Cyber Security Framework in Banks, which, inter alia, requires banks to report cybersecurity incidents to the RBI within two to six hours.
24. What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The IT Act provides for penalties for varied instances of cybersecurity breach, some of which are described here. Section 43 of the IT Act provides that any person accessing a computer or a computer system or network without permission of the owner, downloading copies and extracting any data or causing disruption of any system will be liable to pay damages to the person affected. Section 66 of the IT Act also provides for punishment of imprisonment for a term up to three years or with a fine of up to 500,000 rupees if the person dishonestly or fraudulently commits the offence.
Section 66C of the IT Act provides that a person who, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person will be punished with imprisonment of up to three years and will also be liable for payment of a fine of up to 100,000 rupees.
Additionally, the IT Act provides for imprisonment of up to one year or a fine of up to 100,000 rupees, or both, for any failure by an entity (service provider, intermediary, data centre, body corporate, etc) to provide requisite information requested by CERT-In. Furthermore, sector-specific authorities (such as the RBI) may also levy penalties for non-compliance with their respective cybersecurity standards.
25. What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Any failure by intermediaries to report cybersecurity incidents to CERT-In is punishable under the IT Act by a monetary penalty not exceeding 25,000 rupees. Any failure of a body corporate to report specific cyber breaches mandated under the IT Act is punishable by the same amount. Further, if CERT-In specifically requests for any information from an entity (including the service provider, intermediary or body corporate), then a failure to submit the information is punishable by imprisonment of up to one year or a fine which may extend to 100,000 rupees,or both.
In addition, sector-specific regulators have their own reporting requirements. For instance, failure to report within the timelines prescribed for banks under the Cyber Security Framework in Banks may result in the imposition of penalties by the RBI.
26. How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
There is no specific private remedy available; however, the IT Act makes statutory remedies available to persons affected. Section 43A of the IT Act expressly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security practices and procedures that in turn cause wrongful loss or wrongful gain to any person, the body corporate shall be liable to pay damages to the person affected. Therefore, the affected party may initiate a civil action against the negligent body corporate, making it liable to pay damages.
Further, a civil action may also be brought against any person who, without permission of the owner of a computer or a computer system or network, does any of the acts mentioned under section 43 of the IT Act, including but not limited to accessing or securing access to the computer or computer system or network, downloading or extracting any data from it, contaminating it with a virus or other malware, or causing any damage to it.
THREAT DETECTION AND REPORTING
Policies and Procedures:
27. What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
See ‘Legislation’, ‘Scope and jurisdiction’ and ‘Increased protection’.
28. Describe any rules requiring organisations to keep records of cyberthreats or attacks.
Generally, no specific record-keeping requirements have been prescribed for cyber threats or attacks; however, maintaining records may become necessary to adhere to security standards. For instance, CERT-In issued the CERT-In Security Guidelines CISG-2009-01, which describe a ‘log’ as a record of actions and events that take place on a computer system. The guidelines recommend that organisations have appropriate auditing policies in place that efficiently collect the information logs relating to events, including critical events occurring in the network and systems. No specific timeline for record-keeping has been prescribed.
Sector-specific regulators have prescribed storage requirements for regulated entities. For instance, the IRDA issued the Guidelines on Information and Cyber Security for Insurers, which require all registered insurance companies to retain security logs of different systems and devices to be maintained for a minimum period of six months. The guidelines also mandate implementation of an incident management system that should include security incident reporting and recording.
Lastly, in accordance with the Cyber Security and Cyber Resilience framework for Stock Brokers and Depository Participants issued by SEBI, stockbrokers and depository participants are required to ensure that records of user access to critical systems are logged for audit and review purposes, and the logs should be maintained and stored in a secure location for a period not less than two years.
29. Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Reporting under the IT Act:
The CERT Rules permit cybersecurity incidents to be reported by any person to CERT-In. However, specified types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc) need to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and bodies corporate within a reasonable time of the incident occurring or being noticed to aid timely action.
The Intermediaries Guidelines require the intermediaries, as part of their due diligence obligations, to notify CERT-In of security breaches. CERT-In publishes the formats for reporting cybersecurity incidents on its website from time to time, which requires mentioning the time of occurrence of the incident, the type of incident, information regarding the affected systems or network, the symptoms observed, the relevant technical systems deployed, the actions taken, among others.
Reporting in other sectors:
In addition to the reporting requirements under the IT Act, separate reporting requirements exist in respect of cybersecurity incidents in other regulated sectors. For instance, the Cyber Security Framework in Banks issued by the RBI requires banks to inform the RBI of any cyber- security incident within two to six hours of the breach. Similarly, as per the Guidelines on Information and Cyber Security for Insurers issued by the IRDA, insurers are required to report cybersecurity incidents that critically affect business operations and a large number of customers within 48 hours of having knowledge of the cybersecurity incident.
30. What is the timeline for reporting to the authorities?
See ‘Regulation’ and ‘Policies and procedure’.
31. Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
See ‘Regulation’. There is no obligation to report cybersecurity threats or breaches to the general public or affected parties.
UPDATE AND TRENDS
Update and Trends
32. What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
There is a renewed focus on cybersecurity practices in India, both from the government and the private sector. Many of the gaps existing in the current law (in terms of liability, penalty, reporting, disclosures, etc) are likely to be addressed in the new Personal Data Protection Bill 2019, which is expected to be passed in Parliament next year. We expect the private sector to intensify its engagement with the government in this area in view of the Digital India initiative, the increased volume of financial transactions online and the high level of reporting of cybersecurity attacks in India. The government is expected to develop a focused approach towards cybersecurity preparedness and awareness, including introducing its cybersecurity policy in 2020.
The authors wish to thank Shagun Badhwar and Sana Khan for their assistance in the preparation of this chapter.
Rohan Bagai, Partner
Aprajita Rana, Partner