1. Legal framework
1.1 Does the law in your jurisdiction distinguish between ‘cybersecurity’, ‘data protection’ and ‘cybercrime’ (jointly referred to as ‘cyber’)? If so, how are they distinguished or defined?
‘Cybersecurity’, ‘cybercrime’ and ‘data protection’ are all recognised concepts under Indian law. While these concepts are related, they address different situations, as outlined below.
‘Cybersecurity’ is defined under the Information Technology Act, 2000 (‘IT Act ’) as the protection of information, equipment, devices, computer resources, communication devices and any information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. The term ‘cybercrime’ is specifically applicable to any unlawful act in which a computer, device or network is used to commit or facilitate the commission of a crime. The Indian courts have recognised ‘cybercrime’ (Jaydeep Vrujlal Depani v State of Gujarat) to mean an offence that is committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm or loss to the victim, directly or indirectly, using modern telecommunications networks such as the Internet (including chatrooms, emails, notice boards and groups) and mobile phones (Bluetooth/SMS/MMS).
While ‘data protection’ is not expressly defined under Indian law, the IT Act requires compliance with requirements relating to the protection of personal data, including sensitive personal data.
1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?
India does not have a dedicated cyber law. However, the IT Act, read with the rules and regulations framed thereunder, and certain other specific statutes deal with cybersecurity, data protection and cybercrimes.
The IT Act:
· grants statutory recognition and protection to transactions carried out through electronic data interchange and other means of electronic communication;
· aims to safeguard electronic data, information and records; and
· aims to prevent the unauthorised or unlawful use of computer systems.
It also identifies activities such as hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft as punishable offences.
Various rules framed under the IT Act regulate important aspects relating to the cyber sector in India, as follows:
· The Computer Emergency Response Team (CERT-In) was established under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT Rules’) as the administrative agency responsible for collecting, analysing and disseminating information on cyber security incidents, and taking emergency response measures.
· Reasonable security practices and procedures are to be implemented by all companies that process, collect, store or transfer sensitive personal data or information (SPDI), as set out under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’). International Standard ISO/27001 IEC is one of the government-approved standards that can be implemented by companies for the protection of SPDI.
· Specific information security measures are to be implemented by companies that have protected systems, as prescribed under the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (‘Protected System Rules’). Critical infrastructure is an example of a protected system.
· Intermediaries are regulated under the Information Technology (Intermediaries Guidelines) Rules, 2011 (‘Intermediaries Guidelines’), and must implement reasonable security practices and procedures to secure their computer resources and the accompanying information. Intermediaries are also mandated to report cybersecurity incidents to CERT-In.
Other laws that contain cyber-related provisions include:
· the Indian Penal Code, 1860 (IPC), which punishes offences committed in cyberspace (eg, defamation, cheating, criminal intimation and obscenity); and
· the Companies (Management and Administration) Rules, 2014, which require companies to ensure that electronic records and security systems are insulated from unauthorised access and tampering.
In addition, sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India (IRDAI), the Department of Telecommunication and the Securities Exchange Board of India (SEBI) mandate minimum cybersecurity standards to be maintained by regulated entities regulated such as banks, insurance companies, telecoms service providers and listed companies.
For instance, RBI guidelines mandate banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards. Similarly, SEBI requires stock exchanges, depositories and clearing corporations to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.
1.3 Do special cyber statutes or regulations apply to:
(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Yes. Critical infrastructure is classified as a ‘protected system’ under the IT Act and its operation is subject to the Protected System Rules. Sectors that are typically classified as protected systems include telecoms, banking, insurance, transport, finance, power, energy and governance.
Protected system entities must:
· obtain approval for all information security policies from an information steering committee;
· appoint a chief information security officer;
· conduct vulnerability, threat or risk analysis on an annual basis; and
· ensure the timely reporting of cyber security incidents.
Any significant changes in network configuration are subject to approval by the information steering committee.
The cybersecurity provisions applicable to specific sectors are described in questions 1.2 and 4.1.
(b) Certain types of information (personal data, health information, financial information, classified information)?
India has no dedicated data protection law. However, specific provisions of the IT Act, along with the SPDI Rules, protect both personal information and SPDI, as applicable.
‘Personal information’ has been defined to mean information which relates to a natural person and which, either directly or indirectly in combination with any other available information, is capable of identifying such person. SPDI is a sub-category of personal information and includes specified datasets such as:
· financial information such as bank account, credit card, debit card or other payment instrument details;
· physical, physiological and mental health conditions;
· sexual orientation;
· medical records and history; and
· biometric information.
Section 72A and Section 43A of the IT Act and rules framed thereunder deal with the protection of personal data and SPDI respectively. Some of the requirements include:
· obtaining prior consent;
· maintaining reasonable security standards and procedures, as applicable.
1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?
Yes. The IT Act is applicable to any offence committed in India, or outside India if the act that constitutes the offence involves a computer, computer network or computer resource located in India. The application of this provision is not yet fully developed in India. That said, judicial precedents have provided some guidance. In KN Govindacharya v Union of India the court mandated foreign companies that may be classified as intermediaries and that conduct business operations with a nexus to India to appoint local grievance officers.
In another matter (Swami Ramdev v Facebook, Inc), the Delhi High Court considered whether platforms such as Facebook, Google, YouTube, Google Plus and Twitter may be directed to block content on a global basis vide the extra-territorial applicability of the IT Act, or whether the jurisdiction of the Indian courts is limited to blocking content in India. The suit was filed by Baba Ramdev (a religious and business personality in India) against various social media intermediaries, alleging that these platforms were being used to circulate defamatory content about him. The Delhi High Court issued an order directing those intermediaries to take down, remove, block, restrict or disable access to certain defamatory content on a global basis, which had been uploaded from IP addresses within India. For content uploaded from outside India, the court directed the intermediaries to block access and disable URLs and links from being viewed in India, in order to ensure that users in India could no longer access them. Similar takedown orders have been successfully granted against foreign intermediaries in matters pertaining to IP infringement.
1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?
Yes, India has entered into bilateral instruments with several countries to cooperate and implement measures that promote cybersecurity.
As a member of the Shanghai Cooperation Organisation, India is a party to the Agreement on Cooperation in Ensuring International Information Security between the Member States of the Shanghai Cooperation Organisation. Member States routinely collaborate to exchange information relating to cybercrime.
Further, India has formalised memoranda of understanding with countries such as Spain, Brazil, Morocco and the United Arab Emirates in the interest of building cooperation in the area of cybersecurity.
1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?
The IT Act prescribes penalties ranging from fines to imprisonment for various types of malicious cyber activities, including hacking, tampering with computer source code, denial-of-service attacks, phishing, malware attacks, identity fraud, electronic theft, cyberterrorism, privacy violations and the introduction of any computer contaminant or virus. Similar provisions exist under the IT Act and under allied law for cyber threats involving intellectual property. Examples of such offences and associated penalties include the following:
· Section 66 of the IT Act provides for punishment in the form of imprisonment for a term up to three years or a fine of up to INR 500,000 if a person dishonestly or fraudulently commits any offence under Section 43 of the IT Act, including:
> hacking (ie, accessing a computer, computer system or computer network without the permission of the owner, or downloading, copying and extracting any data, or disrupting any system);
> injection of malware into a computer; and
> denial-of-service attacks (ie, denying access to any person authorised to access a computer) and the like.
· Section 66C of the IT Act provides that anyone that fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of up to three years and may also be liable to be punished with fine of up to INR 100,000.
In addition to imprisonment and fines, any computers, computer systems, floppy disks, compact disks or other materials which are used to contravene any provision of the IT Act, rules, orders or regulations framed thereunder may be confiscated.
The provisions of the IPC are often invoked in tandem with the IT Act to prosecute cybercrime cases. The IPC prescribes penalties for offences such as defamation, cheating, criminal intimation and obscenity, when they occur in cyberspace.
2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?
The IT Act is enforced by various agencies; and depending on the nature of the offence, the punishments include civil or criminal penalties, or both. Some important considerations in this context are summarised below:
· The CERT-In is the agency responsible for coordinating cyber incident response activities and handling of cybersecurity incidents. CERT-In has the authority to request information and issue directions to service providers, intermediaries, data centres, bodies corporate and any other persons to perform their functions as described under the IT Act and the CERT Rules. Failure to respond to CERT-In’s information requests is punishable with a fine of up to INR 100,000, or imprisonment for up to one year, or both.
· The government has also established certain agencies to perform specified functions, such as the National Critical Information Infrastructure Protection Centre (‘NCIIPC’), which is authorised to assess and prevent threats to vital installations and critical infrastructure in India. In the event of any threat to such infrastructure, the NCIIPC may request information and issue necessary directions. The NCIIPC can take cognisance, on its own initiative, of any vulnerability or threat that is affecting or may affect the critical information infrastructure of the nation, and take suitable measures accordingly. Further, the NCIIPC can also order the encryption, decryption, monitoring and blocking of cyber information to protect critical information infrastructure, as may be necessary.
· Any remedies available under the IT Act – including compensation for parties affected by cybersecurity incidents – may be claimed before adjudicating authorities appointed under the IT Act for this purpose. These adjudicating authorities have the powers of a civil court and can thus request evidence and documents and summon witnesses in connection with an inquiry into any contravention under the IT Act.
· Authorised government officers can also issue interception, decryption or monitoring orders, and ask private companies, service providers, intermediaries and so on to provide access to or block access of information available in any computer resource, in connection with the investigation of any offence or in the interest of national security. Failure to comply with such orders is punishable with criminal enforcement.
· In the event of a cybersecurity breach, the persons in charge of organisations must demonstrate that they had implemented security control measures as documented in their information security programmes and policies. In the event of contravention of the IT Act, any person in charge of supervising the affairs of a company shall be liable to prosecution, unless he or she can prove either a lack of knowledge or that he or she exercised all due diligence to prevent the contravention.
· Extraterritorial applicability: The provisions of the IT Act have extra-territorial application if the offence involves a computer, computer network or computer resource located in India. Please see question 1.4 for more details.
In addition to enforcement proceedings under the IT Act, criminal penalties may separately arise under the IPC. Cybercrime is punishable under the code and is dealt with in the same manner as though the offence had been committed in the real world.
Finally, sector-specific authorities (eg, the RBI) may also levy penalties for non-compliance with their respective cybersecurity standards. For example, the RBI imposed a monetary penalty of INR 1 million on the Union Bank of India for non-compliance with Cyber Security Framework in Banks.
Depending on the nature of the offence and allocation under various statutes, provisions implicating the persons in charge of companies, including directors, will be relevant and must be considered.
2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?
Section 43A of the IT Act provides that where a company possesses or deals with SPDI and is negligent in maintaining reasonable security practices and procedures, which in turn causes wrongful loss or wrongful gain to any person, that company shall be liable to pay damages to the person affected. The affected party (private or otherwise) may initiate a civil action against the negligent company and claim compensatory damages. If the person contravening the IT Act is a company, every person who is in charge of the conduct of its business will be liable to prosecution for the company’s offence. Further, if the contravention took place with the consent or connivance of, or due to the neglect of, any director, manager, secretary or other officer of the company, that person will also be liable for the contravention, unless he or she can prove that the contravention took place without his or her knowledge, or that he or she exercised all due diligence to prevent such contravention.
Further, anyone that, without the permission of the owner of a computer or a computer system or network, does any of the acts mentioned under Section 43 of the IT Act – including accessing or securing access to the computer or computer system or network, downloading or extracting any data from it, contaminating it with a virus or other malware, or causing any damage to it, committing a denial-of-service attacks and so on – will be liable to pay damages by way of compensation to persons so affected. Therefore, persons affected can claim compensatory damages from employees or individuals for hacking and similar illegal activities.
2.3 What defences are available to companies in response to governmental or private enforcement?
Companies can be prosecuted for a variety of offences, and therefore the defence strategy varies. Examples of common defence mechanisms are discussed below.
Intermediaries such as telecommunications companies, internet service providers, network service providers, web hosts, search engines, online payment sites and online marketplaces can rely on a safe harbour defence from content liability. To be eligible to this defence, an intermediary must comply with certain conditions, including the following:
· The intermediary’s role is limited to providing access to information made available by third parties;
· The intermediary does not initiate the transmission of data made available by third parties;
· It does not select the receiver of the transmission;
· It does not select or modify the information contained in the transmission; and
· It has observed due diligence in discharging its duties in compliance with the IT Act and the Intermediaries Guidelines, which require removal or disabling of access to objectionable content upon receiving knowledge, among other things.
The persons in charge of supervising companies must demonstrate that they were unaware of the breach, and that sufficient due diligence measures were exercised to prevent the breach, in order to defend themselves against criminal enforcement proceedings arising from offences described under the IT Act.
3. Landmark matters
3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?
There have been a few judicial pronouncements of significance pertaining to cyber laws in India. One such precedent resulted in revisions to the concept of intermediary liability in India (Avnish Bajaj v State (NCT) of Delhi). In this case the managing director and manager of website Bazee.com faced criminal liability for the sale of obscene content between buyers and sellers accessing their website. The Supreme Court of India disagreed with this decision and held that vicarious liability could not be attached to the directors, as the company itself had not been accused of a crime under the IT Act. The nature of proceedings in this matter led to the inclusion of safe harbour protection under the IT Act for intermediaries operating in India. As a result of these amendments, intermediaries can claim immunity arising from any liability in respect of content hosted on their platform, subject to the implementation of due diligence measures stipulated under the Intermediaries Guidelines.
Another pertinent judicial precedent is Shreya Singhal v Union of India, in which the Supreme Court struck down Section 66A of the IT Act on the grounds that it was inconsistent with freedom of speech and expression. This section provided for punishment by way of arrest of persons who sent offensive or false information through a computer resource for the purpose of causing annoyance or inconvenience, or misleading the addressee. The decision clarified another long-standing issue that affected intermediaries in India, holding that intermediaries are obliged to remove or disable access to any offensive, derogatory or illegal content only upon receipt of a court order or an order issued by a government agency.
In Anvar PV v PK Basheer ((2014) 10 SCC 473, the Supreme Court laid down minimum authentication conditions for the admittance of electronic records as evidence in accordance with the Indian Evidence Act, 1872.
The concept of cyber defamation was recognised in India in SMC Pneumatics (India) Pvt Ltd v Jogesh Kwatra (CS(OS) 1279/2001), in which a corporation’s reputation was allegedly defamed through emails. The Delhi High Court restrained the defendant from sending derogatory, defamatory, obscene, vulgar, humiliating and abusive emails to the plaintiff through any medium, including online. This is one of the early precedents in which the judiciary assumed jurisdiction in respect of activities occurring in the cyberspace.
National Association of Software and Service Companies v Ajay Sood (119 (2005) DLT 596) is another landmark judgment, in which the Delhi High Court declared ‘phishing’ to be an illegal act, and defined it as “a misrepresentation made in the course of trade, leading to confusion, as to the source and origin of the email causing immense harm, not only to the consumer, but even to the person whose name, identity or password is misused”. The court found the act of phishing to constitute passing off that tarnished the reputation of the plaintiff, and awarded an injunction and compensatory damages.
3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?
Pivotal cyber incidents or events: There have been quite a few incidents in India, which have differed in scale and intensity. In 2018 several malicious applications that masqueraded as the popular game Fortnite were released for Android; when downloaded by users, they resulted in malware being placed on their devices that harvested the calls, message logs and contact details of users without their knowledge.
Recently, Justdial – a company that provides local search options for different services – suffered a massive data breach in which user data was exposed. The leaked data included details such as names, email accounts, numbers, addresses and gender.
Other examples of major cybersecurity incidents include the following:
· In July 2016 an employee of Union Bank of India received a phishing email that enabled hackers to gain administrator-level access to the bank’s network, execute fund transfers and defraud the bank of $171 million.
· In 2017 food aggregator Zomato suffered a major data theft in which names, email IDs and hashed passwords of 17 million users were hacked and misappropriated.
· In June 2017 the Petya Ransomware attack affected the container handling functions at a terminal operated by AP Moller-Maersk at Mumbai’s Jawaharlal Nehru Port Trust.
· In 2019 there was a cyber-attack on the Kudankulam Nuclear Power Plant in which a malware infection was identified on its network system containing data pertaining to administrative activities.
Cyber-related innovation and technology development: The Data Security Council of India (DSCI) is a not-for-profit industry body that works to establish best practices, standards and initiatives in the interests of cybersecurity and privacy.
The Ministry of Electronics and Information Technology (Meity) and the DSCI have set up the National Centre of Excellence for the purpose of coordinating data protection and cybersecurity technology development in India. The centre is engaged in identifying critical technology areas and use cases, enabling security research and supporting physical and virtual incubation.
Meity (through the erstwhile Department of Electronics and Information Technology) had framed the National Cyber Security Policy, 2013 to propose measures to safeguard public and private infrastructure from cyberattacks. India is now in the process of devising the National Cyber Security Strategy 2020 (‘NCSS 2020’), which is expected to reflect the emerging demands and concerns in this sector.
Legislative and judicial activity: The major legislative and judicial developments are discussed in questions 1.2 and 3.1.
4. Proactive cyber compliance
4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.
In addition to the reasonable security practices and procedures stipulated under the IT Act (described in question 1.2), industry-specific standards have been established by specific regulators. Industry-wide best practices are also common. Some examples include the following.
Financial sector: The RBI has issued various guidelines to promote cybersecurity, and for the prevention and proper handling of cyber fraud within the banking sector, which include:
· the Cybersecurity Framework in Banks, which sets out standards to be followed by banks to secure themselves against cybercrimes;
· the Basic Cyber Security Framework for Primary (Urban) Cooperative Banks, which prescribes certain basic cybersecurity controls for primary urban cooperative banks;
· the Sharing of Information Technology Resources by Banks Guidelines, which aim to ensure that privacy, confidentiality, security and business continuity requirements are fully met;
· the Information Technology Framework for the Non-Banking Financial Company Sector 2017, which focuses on IT policy, IT governance information and cybersecurity; and
· the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, which prescribes IT policy and outsourcing guidelines and recommendations.
Insurance sector: The insurance sector is subject to the Guidelines on Information and Cyber Security for Insurers, issued by the Insurance Regulatory and Development Authority of India. Under these guidelines, insurers are responsible for implementing adequate measures to ensure that cybersecurity issues are addressed. Insurers are also obliged to appoint a chief information security officer, formulate a cyber crisis management plan and conduct audits.
Industry standards: The CERT-In suggests best practices and system-specific security guidelines for Indian cybersecurity networks from time to time.
Industry best practices: Depending on the nature and extent of the cybersecurity incident, and the sensitivity of the sector, cyber incident response strategies differ from one business to another. Some measures that are common in India include the following:
· deploying a detailed information security policy to be approved by the board;
· conducting regular transaction monitoring;
· conducting information security risk assessments;
· setting up risk mitigation and transition plans;
· updating relevant stakeholders within the organisation on their roles in advance; and
· allocating appropriate personnel to engage with regulatory authorities and/or clients, service providers and so on.
Many companies also conduct regular assessments of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector in which they operate, organisations can also reach out to CERT-In and seek advice on incident recovery, damage limitation and systems recovery.
4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.
Yes, CERT-In issues advisories on actions recommended for parties that have been affected by cybersecurity incidents. Its advisories are specific to cybersecurity incidents that are either discovered by CERT-In or reported to it. For instance, in light of the increased digital activity due to the COVID-19 pandemic, CERT-In has released a list of best practices for industry and users, and has recommended the following measures:
· installing antivirus and malware protection on electronic devices;
· updating digital signatures; and
· checking that all devices and services for remote access receive firmware updates.
In addition to the minimum cybersecurity standards mentioned in question 1.2, various regulatory bodies have advised businesses to adopt more robust cybersecurity measures. For example, in the National Cyber Security Policy 2013, the Meity (the erstwhile Ministry of Communication and Information Technology) recommended creating a secure cyber ecosystem, strengthening laws and setting up better mechanisms for early warning of and response to security threats. This policy encouraged all organisations to develop information security policies that were integrated with their business plans and reflected advanced international best practices.
Under the Digital India initiative, Meity has established the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), an organisation that partners with internet service providers and anti-virus companies in order to provide information and tools to users to build network capability against botnet and malware threats.
4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?
As per the Companies (Management and Administration) Rules, the managing director, company secretary and other directors and officers of a company are responsible for the maintenance and security of electronic records. Such persons are required, among other things, to:
· protect records against unauthorised access, alteration or tampering;
· ensure that computer systems, software and hardware are secured and validated to ensure their accuracy, reliability and accessibility; and
· take all necessary steps to safeguard the security, integrity and confidentiality of records.
Any failure by such personnel in this regard may be construed as a breach of their duties towards the organisation.
In the event of a cybersecurity breach, the persons in charge of an organisation must demonstrate before the regulators that they have implemented security control measures as per their documented information security programmes and information security policies. To effectively discharge their responsibilities, they must be aware of and updated on the information security preparedness of their organisation.
Further, as specified in question 2.2, Section 85 of the IT Act specifically states that in case of any contravention of the IT Act, anyone who is in charge of supervising a company shall be guilty of the contravention and shall be liable to prosecution, unless he or she can prove that the contravention took place without his or her knowledge, or that he or she exercised all due diligence to prevent such contravention. Therefore, officers and directors can protect themselves from liability by being proactive and deploying adequate cybersecurity measures in their organisations. It is advisable to maintain records of such measures.
4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?
Yes. As per the Cyber Security and Cyber Resilience Framework for Stock Brokers and Depository Participants issued by the SEBI, stockbrokers and depository participants must ensure that records of user access to critical systems are logged for audit and review purposes, and that logs are maintained and stored in a secure location for at least two years. SEBI also requires stock exchanges, depositories and clearing corporations to adhere to standards such as ISO/IEC 27001, ISO/ IEC 27002 and COBIT 5.
4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?
Yes. The CERT Rules require corporate entities affected by certain types of cybersecurity incidents to report the occurrence of incidents to CERT-In. Individuals and organisations may voluntarily report any cybersecurity incidents and vulnerabilities to CERT-In and seek the necessary technical support to recover from any loss caused by such incidents.
Under the Intermediaries Guidelines, an intermediary must inform CERT-In of cybersecurity breaches as soon as possible, in compliance with its due diligence obligations. CERT-In publishes the format for reporting cybersecurity incidents on its website from time to time. Among other things, the following information must be included:
· the time at which the incident occurred;
· the type of incident;
· details of the affected systems or network;
· the symptoms observed;
· the relevant technical systems deployed; and
· the actions taken in response.
Specific types of cybersecurity incidents (eg, target scanning or probing of critical networks or systems; unauthorised access of an IT system or data; malicious code attacks; identity theft; spoofing; phishing) must be mandatorily reported to CERT-In by service providers, intermediaries, data centres and bodies corporate within a reasonable time of their occurrence or discovery, to aid timely action.
In addition, sector-specific regulators include their own reporting requirements. For instance, under the Guidelines on Information and Cyber Security for Insurers issued by the IRDAI, insurers must report cybersecurity incidents that critically affect business operations and a large number of customers within 48 hours of learning of the cybersecurity incident. The RBI requires banks to comply with the Cybersecurity Framework in Banks, which requires banks to report cybersecurity incidents to the RBI within two to six hours, among other things.
There is no specific requirement to inform industry stakeholders, although this can be done voluntarily.
5. Cyber-incident response
5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?
Yes. Please see questions 4.5 and 5.2 for the notification requirements for cybersecurity incidents.
A ‘cybersecurity incident’ is defined under the CERT Rules as “any real or suspected adverse event in relation to cyber security that violates an explicit or implied security policy resulting in unauthorized access, denial of service/ disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization”.
While the notification requirement is not specific to the information type per se, the list of security incidents for which reporting is mandatory – such as target scanning or probing of critical networks or systems; unauthorised access of an IT system and data; malicious code attacks; identity theft; spoofing and phishing – gives an indication of this (ie, SPDI and critical infrastructure information).
5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?
There is no obligation to report cyber incidents (threats or breaches) to the general public. Under the Intermediaries Guidelines, intermediaries must inform the CERT-In of cybersecurity breaches as soon as possible. Further, as specified in question 5.1, specific types of cybersecurity incidents must be reported to CERT-In by service providers, intermediaries, data centres and companies within a reasonable time of their occurrence or discovery, to aid timely action. There seem to be no exceptions/safe harbours that permit intermediaries to avoid notifying CERT-In of a cybersecurity breach.
In addition, sector-specific regulators have their own reporting requirements, as discussed in questions 1.2 and 4.5.
CERT-In and the Reserve Bank of India have both prescribed formats and templates for reporting cyber-security incidents. CERT-In publishes the formats for reporting cybersecurity incidents on its website from time to time, as described in question 4.5.
The IT Act does not oblige an organisation that has suffered a cyber incident to provide services or specific information to affected individuals. That said, under Section 43A of the IT Act, a company that possesses, deals with or handles any SPDI in a computer resource which it owns, controls or operates, and which is negligent in implementing and maintaining reasonable security practices and procedures, thus causing wrongful loss or wrongful gain to any person, shall be liable to pay damages by way of compensation to the person so affected.
5.3 What steps are companies legally required to take in response to cyber incidents?
Please see question 4.3.
5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?
Please see question 4.3.
5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?
In the recent past, cyber-incident insurance has become increasingly popular in India. This trend is especially prevalent in more vulnerable sectors such as banking, IT and IT enabled services, retail and manufacturing, given the nature of the information collected, processed and stored by such industries.
6. Trends and predictions
6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
There is a renewed focus on robust cyber practices in India, from both the government and the private sector. The Digital India initiative has resulted in increased volumes of online financial transactions and a high level of reporting of cybersecurity attacks. We expect that the private sector will intensify its engagement with the government to bring in more technical and cross-border expertise to build resilience in this sector. The government is also expected to implement enhanced cybersecurity preparedness and awareness, including through the NCSS 2020.
Some of the gaps in the current law (eg, in terms of liability, penalties, reporting and disclosures) will be addressed to some extent in the new Personal Data Protection Bill 2019. India is yet to table a dedicated cybersecurity law, although news reports suggest that the government is soon expected to draft specialised legislation in this regard.
7. Tips and traps
7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?
One key challenge facing companies is the need to adopt the correct approach to cybersecurity issues. Traditionally, the steps they take in this regard are reactive, rather than proactive. Companies should assess their critical business activities holistically and implement pre-planned cybersecurity measures, instead of waiting for a cyber-incident and thereafter endeavouring to detect and patch vulnerabilities. This takes up considerable time, expense and expertise, which should be given appropriate allocation in policies and budgets.
Another challenge results from the absence of dedicated cyber legislation. While the IT Act and the SPDI Rules have prescribed safeguards and practices for companies that possess, deal with and handle SPDI in a computer system, this law does not address issues pertaining to cybersecurity and does not reflect the latest security practices and technologies. The problems faced by information security professionals are often left unanswered under this law, and companies are forced to rely on internal or cross-border best practices to prepare themselves to pre-empt cyber threats. The advent of new technologies such as artificial intelligence, 5G, the Internet of Things and cloud computing have intensified this inadequacy.
Finally, while India was one of the first few countries to establish a futuristic National Cyber Security Policy 2013, this is now fairly dated, as technologies, platforms, threats and services have evolved significantly since then. Cyber intrusions and attacks have increased in scope and sophistication, targeting SPDI, business data and critical infrastructure, and causing an adverse impact on the national economy and national security. It is imperative that issues arising from increased digital adoption –such as data protection, encryption protection, law enforcement in cyberspace and inadequate international cooperation on cybercrime – be addressed in the NCSS 2020. The private sector should engage in stakeholder consultation with the government in order to share cyber threats across different industries and support the utility of encryption technology in addressing cyber risks.
Sumit Ghoshal, Partner
Aprajita Rana, Partner
Shagun Badhwar, Senior Associate
Sana Khan, Associate