
Information Technology Act, 2000 (ITA) : Cyber Law

This document provides an overview of Cyber Law in India based on the Information Technology Act, 2000. Some key points: 1) The Act provides legal recognition for electronic records and electronic signatures, establishing the validity of electronic documents and transactions. 2) It defines important terms related to digital technology like electronic signature, digital signature, electronic governance. 3) The Act regulates certifying authorities that issue electronic signature certificates and establishes procedures for their issuance, suspension and revocation. 4) It facilitates electronic governance by allowing government departments to accept public services, communications and payments in digital form. 5) The law provides for attribution, acknowledgement and determination of time and place of dispatch and receipt of electronic

Uploaded by

Reshmi Shenoy
Copyright
© Attribution Non-Commercial (BY-NC)

CYBER LAW

Information Technology Act, 2000 (ITA)


(As amended up to 2008)

Cyber Law deals with:-

1. Introduction

2. Electronic Signature

3. Electronic Governance

4. Electronic Records

5. Controller & Certifying Authorities

6. Cyber Regulations Appellate Tribunal

7. Offences & Penalties

1. Introduction: The advent of electronic systems has replaced paper-based methods of
communication and storage of information on paper and files, which have now become obsolete.
Computer systems, networks, databases or software, e-mails, digital signatures, media, optical,
computer memory, microfilms, electronic data, image or sound stored in electronic systems,
electronic records etc., known as electronic commerce, have revolutionized the entire globe. IPC,
Indian Evidence Act, Bankers Books Evidence Act and RBI Act have been amended suitably to
include the above developments. India too passed the ‘Information Technology Act, 2000’,
providing legal recognition for Electronic Commerce and giving a regulatory regime to supervise
the Certifying Authorities issuing Electronic Signature Certificates.

2. UN Commission on International Trade Law (UNCITRAL) adopted Model Law on Electronic
Commerce in 1996. It provides for equal legal treatment of users of electronic and paper based
communications. The ITA is a follow up measure. The Act does not apply to NIs, Power of
Attorneys (PAA 1882), Trusts under Indian Trusts Act 1882, Wills under Indian Succession Act,
1925, any contract for sale or conveyance of immovable property and documents / transactions
notified in Official Gazettes of CG.

DEFINITIONS (Sec 2)
Access (Sec 2(1) a): Gaining entry into, instructing or communicating with the logical,
arithmetical or memory function resources of Computer, Computer System or a Computer
Network.

Sec 2(1) d) Electronic (digital) signature: Adoption of any methodology or procedure by a person
for the purpose of authenticating an electronic record by means of an electronic signature.

Sec 2 (1) f): Asymmetric Crypto System: It is a system of a secure key pair consisting of a private
key for creating an electronic signature and a public key to verify the same.

Sec 2(1) i): Computer: It is an electronic, magnetic, optical or other high speed data processing
device or system which performs logical, arithmetic and memory functions by manipulation of
electronic, magnetic or optical impulses. It includes all input, output, processing, storage,
computer signature or communication facilities which are connected or related to the computer
in a computer system or network.

Sec 2(1) j) Computer Network: It is the interconnection of one or more computers through 1) use
of satellite, microwave, terrestrial line or other communication media and 2) terminals or a
complex connecting 2 or more interconnected computers whether or not the interconnection is
maintained.

Sec 2(1) p) Electronic signature: It means authentication of any electronic record by a subscriber
by means of an electronic method or procedure. It is effected by the use of asymmetric crypto
system and hash function.

Sec 2(1) t) Electronic Record: means data or record, image or sound stored, received, or sent in
an electronic form or computer generated micro film or fiche. Private Key means the key used to
verify an electronic signature and listed in the Electronic Signature Certificate. An Electronic
Signature shall be created and verified by cryptography that concerns itself with transforming
electronic record into unintelligible forms and back again and two keys shall be used, one for
creating a signature and another for verifying the same.

Sec 2(1) za) Originator: He is a person who sends, originates, stores or transmits any electronic
message or causes any electronic message to be sent, generated, stored or transmitted to any
other person but does not include an intermediary.

Sec 2(1) ze) Secure System: It is a computer hardware, software and procedure that 1) are
reasonably secure from unauthorized access or misuse 2) provide a reasonable level of reliability
and correct operation 3) are reasonably suited to performing the intended function and 4)
adhere to generally accepted security procedures.

3. Authentication of Electronic Records (Sec 3) Authentication is a process used to confirm the
identity of a person or to prove the integrity of information. Message authentication involves
determining its source and verifying that it has not been modified / replaced in transit. Subject
to provisions of Sec 3, any subscriber may authenticate an electronic record by affixing his
electronic signature.

Hash Function: It is an algorithm that maps or translates one set of bits into another (generally
smaller) set in such a way that 1) a message yields the same result any time the algorithm is
executed by the same message as input 2) it is computationally infeasible for the message to be
derived / reconstituted from the signature provided by the algorithm. It is computationally
infeasible to find 2 messages that produce the same hash result using the same algorithm.

Electronic Signature Certificate (Sec 35-39) (ESC) (Sec 2 (1) q) is issued by the Certifying
Authority to a subscriber, with an expiry date. There will be fees for issue of ESC. A certifying
authority will archive ESC. ESCs in operational use that become compromised (when private key
and owner of ESC are in doubt) shall be revoked as per the procedure defined. ESC can be
suspended on request from subscriber or in public interest. It can also be revoked on
subscriber’s request, upon subscriber’s death or on winding up or dissolution of the firm, if
material fact is wrong. Some of the important duties of ESC’s owner/subscriber include (i)
generating the key pair, and (ii) securing an electronic signature. Every subscriber shall retain
control of private key.

4. Electronic Governance (EG) (Sec 4-10): EG is recognition by Govt. to accept communication,
storage of information, acceptance of digital signatures in electronic forms and retention of
electronic records and giving it a legal sanctity. The act provides for legal recognitions of
electronic records and electronic signatures in Govt. and its agencies. Govt. may declare that
any computer or computer system or network to be a protected system. The law may provide
for retention of electronic records, publication in electronic gazette.

Sec 4: Where any law provides that information or any other matter shall be in writing, or in
typewriter or printed form, such requirement is deemed to have been satisfied if such matter or
information is a) rendered or made available in an electronic form and b) accessible so as to be
usable for a subsequent reference.

Sec 5: Where any law provides that information or any other matter shall be authenticated by
affirming the signature or any document shall be signed or shall bear the signature of any
person, such requirement shall be deemed to have been satisfied, if such matter or information
is authenticated by means of electronic signature affixed.

Sec 6: Use of electronic records and digital systems in Govt. and its agencies: Where any law
provides for 1) filling up any form, application or any other document with any office, authority,
body or agency owned / controlled by Govt. in a particular manner 2) the issue or grant of any
license, permit, sanction or approval by whatever name called in a particular manner 3) the
receipt or payment of money in a particular manner, such requirement shall be deemed to have been
satisfied if they are done electronically. The Govt. may prescribe 1) the manner and format in
which such electronic record shall be filed, created or issued 2) the manner or method of
payment of any fees, charges for filing, creation or issue of any electronic record under
clause (1).

Sec 7: Retention of electronic records.

Sec 8: Publication of rules, regulations in electronic gazette.


Sec 9: No requirement to insist on acceptance in electronic form.
Sec 10: Power to make rules by CG in respect of electronic signatures.

Attribution, Acknowledgement, Time and Place of Despatch and Receipt of Electronic Record
(Sec 11 – 13)
5. Electronic Records (ER): ER means data, record or data generated, image or sound stored,
received or sent in an electronic form or micro film or computer generated micro fiche. An ER
shall be attributed to the Originator. Sec 11. An electronic record shall be attributed to an
originator if it is sent by a) himself directly b) by another person who had authority on his behalf
to send the message c) by an information system programmed by or on his behalf to operate
automatically.

Sec 12: If the Originator has not agreed with addressee that acknowledgement has to be given in a
particular format or manner, the same may be given by any communication, automated or
otherwise, by the addressee or through any conduct of the addressee sufficient to indicate to
the originator that the electronic record has been received. If, however, the originator insists on
a particular means of receipt, it should be so sent or the communication will be treated as not
sent at all.

Sec 13: The dispatch of an electronic record occurs when it enters a computer resource outside
the control of Originator. Its receipt occurs when the record enters the designated computer
resource of the addressee; if not, when it is retrieved by him.

Secure Electronic Record (SER) (Sec 14-16) : It is one where any security procedure has been
applied to an electronic record at a specified time (Sec 14). From such point of time to the point
of verification it is called a SER. By application of a security procedure, a digital signature can be
secured. CG will prescribe such procedure (Sec 16). Sec 15 If, by application of a Security
Procedure agreed to by the parties concerned, it can be verified that an electronic signature, at
the time it was affixed, was unique to the subscriber, capable of identifying the subscriber and
created in a manner or using a means under the exclusive control of the subscriber and linked to
the electronic record to which it relates in such a manner that if the record is altered, the
electronic signature would be invalidated, then such a signature is deemed a secure electronic
signature.
Regulation of Certifying Authorities (Sec 17-34)

6. Controller of Certifying Authorities (CCA)(Sec 17): The CG may appoint CCA and other officers
to regulate the Certifying Authorities (CAs). CCA’s functions Sec 18 include: Exercising
supervision over CAs, certifying their Public Keys, laying down standards for them, specifying
form and contents of Electronic Signature Certificates (ESCs) and the Key, and specifying the
manner in which CAs shall conduct their dealings with the subscribers, their duties and so on.
Sec 19 CCA also recognizes foreign CAs, with previous approval of CG.

Powers of CCA: To delegate powers, Investigate contraventions, Give directions, Direct any
agency to intercept information, access to computers and data, act as repository Sec 20 (storage
place) / certifying authority, issue license, and renew license. CCA shall get its operation audited
annually. Granting license (Sec 21) to certifying authorities including to foreign companies,
rejection, revocation and suspension of license (Sec 26).
Sec 20: To ensure the secrecy and security of electronic signatures, CCA shall prescribe the
hardware, software and procedures to secure from intrusion and misuse, observe the standards
prescribed by CG and maintain a computerized database of all public keys so that such database
and the public keys are available to the public.

Sec 21: The license granted under Sec 20 shall be valid for the prescribed period, not
transferable or heritable and subject to the conditions laid down by CG.

Sec 22: The application for license shall be on prescribed form, accompanied by 1) certification
practice statement 2) statement containing procedure for identification of applicant 3) payment
fees stipulated by CG (not exceeding Rs 25,000/-) 4) other documents required, if any.

Sec 25: CCA may, after enquiry, revoke the license if 1) the statements in application are
incorrect or false 2) terms and conditions of license are not complied with 3) Standards required
to be maintained are not met 4) Provisions of the Act, rules and regulations and provisions there
under are not complied with. However, reasonable opportunity would be given to present his
version.

Sec 26: Suspension is resorted to when revocation is not felt necessary. Suspension of license
should not exceed 10 days. Due notification should be published. No Certificates should be
issued by him during this period.

Electronic Signature Certificates (Sec 35-39):


Sec 35: ESC may be issued if CA is satisfied that 1) the applicant holds private key corresponding
to public key to be listed in ESC 2) The private key held is capable of creating the digital
signature 3) The public key to be listed in ESC can be used to verify the electronic signature
affixed by the private key held by the applicant. Reasonable opportunity has to be given to the
applicant before rejecting an application.

Sec 36: CA, while issuing ESC, shall certify that 1) he has complied with the provisions of the Act
2) He has published this for public and the subscriber has accepted the ESC 3) Subscriber holds
the private key corresponding to the public key listed in ESC 4) Subscriber’s private key and
public key constitute a functioning key pair 5) Information contained in ESC is accurate 6) It has
no knowledge of any material fact which if included in ESC would adversely affect the reliability
of representations in above clauses.

Sec 37: An ESC can be suspended by CA on receipt of request to that effect from 1) subscriber
listed in ESC or any person duly authorized by him and it is in public interest to do so. An ESC will
not be suspended for more than 15 days without notice to the subscriber. CA notifies the
subscriber of the suspension.

Sec 38: A CA may revoke an ESC 1) when a subscriber or his authorized person requests for it 2)
On death of subscriber 3) Where the firm or company who is the subscriber is dissolved or
wound up. He may also revoke it if it is found that 1) A material fact mentioned in ESC is false 2)
One requirement for ESC is not met 3) Private key of subscriber is compromised and may affect
ESC’s reliability 4) Subscriber is dead or dissolved or wound up as applicable. Any suspension or
revocation shall be published in repository.

Duties of Subscribers (Sec 40-42)

Sec 40: Subscriber shall generate the key pair following the procedure, once he decides to accept
an ESC.

Sec 41: By publishing or authorizing the publication of an ESC to a person or in a repository, a
subscriber is deemed to have accepted it. By this he means that he holds the private key
corresponding to the public key, all representations made to the CA and the contents of ESC are
true and he knows the contents of ESC.

Sec 42: Subscriber shall exercise reasonable care to retain control of private key. If this is
compromised, he shall immediately inform CA in the prescribed manner and shall remain
responsible for the consequences until he has done so.

Penalties & Adjudication Sec 43 – 47

Penalty for damage to Computer / Computer System etc.


Damage as given below, by accessing the Computer System, Network, removable storage
medium etc., without obtaining permission of owner or in-charge of the System (Sec 43)
Compensation payable to the owner is up to Rs 1 cr.
1) Accesses or secures access to computer system
2) Downloads, copies any data, database or information
3) Introduces any computer contaminant* / virus$
   * set of instructions designed to modify/destroy/record/transmit data or programs residing
   within computer system/Network
   $ computer instruction/information/data/program that destroys/damages/degrades or adversely
   affects performance of computer system/Network
4) Damages* or causes to damage the computers, data/database, other programs in the
system/Network
   * destroy, alter, delete, add, modify, or rearrange computer resources
5) Disrupts or causes disruption of any computer system/Network
6) Denies or causes denial of access to any person authorized to access any computer system/
Network
7) Provides assistance to any person to facilitate access to computer system/Network
8) Charges services availed by a person to the account of another person by tampering with or
manipulating any computer system/Network

Penalty for failure to furnish information/ return etc. (Sec 44)

If any person who is required under the Act or its rules/regulations to a) furnish any document,
return or report to CCA fails to furnish the same, he shall be liable to pay a penalty of Rs 1.5 lacs
b) file any return or furnish any book or other documents within the specified time fails to do so,
he is liable to pay Rs 5,000/- per day as penalty c) maintain books of accounts/records fails to do
so, he is liable for a penalty not exceeding Rs 10,000/- per day.

Residual penalty Sec 45: Up to Rs 25,000/- is payable for any violation of regulations under the
Act, for which no penalty is specified.

Power to adjudicate Sec 46: CG may appoint any officer with background of IT, legal or judicial
experience to adjudicate whether any contravention of regulations was committed. If it was
committed, he should seek explanation from the person concerned and thereafter impose
penalty, if any. He shall exercise the powers of a civil court, which are also conferred on CAT.
Sec 47 says the Adjudicating Officer shall have due regard to the following factors, viz., a)
amount of gain or unfair advantage made on account of default b) the loss suffered by any
person because of the default and c) the repetitive nature of the default.

3) Cyber Regulations Appellate Tribunal (CAT) (Sec 48-64) : CAT is appointed by CG and shall
consist of the Chairperson with qualifications of a judge and holds office for 5 years and
considers appeals to Cyber Regulations Appellate Tribunal (CAT). Any person aggrieved by an
order made by an Adjudicating Officer may prefer any appeal to the CAT. On receipt of appeal,
CAT may, after giving the parties to the appeal, an opportunity of being heard, pass such orders
thereon as it may think fit, confirming, modifying or setting aside the order appealed against.
CAT is not bound by the procedure laid down by Code of Civil Procedure and has vast powers
that generally a court has including reviewing decisions and aggrieved parties may file an appeal
to High Court (Sec 62). Sec 63: Compounding should not exceed maximum penalty under the
Act. Sec 64: Penalty can be recovered as land revenue or ESC kept suspended till recovery.

Offences & Penalties (Sec 65-78) : Penalties will be levied to those who commit offences such
as:
• Tampering with computer source document: Imprisonment up to 3 years or Rs 2 lacs fine or
both Sec 65.
• Hacking computer system Sec 66: Same as above.
• Sec 66F: cyber terrorism: Imprisonment up to life.
• Publishing of information which is obscene in electronic form Sec 67: Imprisonment up to 5
years and fine of Rs 1 lac and in case of repetition, prison up to 10 years and fine of Rs 2 lacs.
• Sec 67A: Publishing/transmitting material containing sexually explicit act: 7 years + fine up to Rs
10 lacs
• Failure to comply with orders of Controller Sec 68: Prison up to 3 years or fine up to Rs 2 lacs or
both. Refusal to assist: Prison up to 7 years. Access to a secured system Sec 70: Declares critical
Information Infrastructure in Official Gazette 10 years.
• Sec 70B: Indian Computer Emergency Response Team to serve as national agency for incident
response: It performs the following functions in the areas of cyber security.
1) Collection, analysis, dissemination of information on cyber incidents.
2) Forecast and alerts on cyber security incidents.
3) Emergency measures for handling cyber security incidents.
4) Coordination of cyber incidents response activities.
5) Issue guidelines, advisories, vulnerability notes and white papers relating to information
security practices procedures, prevention, response and reporting of cyber incidents.
6) Such other functions relating to cyber security as may be prescribed.

• Misrepresentation & breach of confidentiality/privacy Sec 71: Prison 2 years or fine Rs 1 lac or
both
• Sec 72A: Punishment for disclosure of information in breach of lawful contract 3 years or Rs 5
lacs or both
• Publishing their Electronic Signature Certificate (ESC) with false particulars: Prison 2 years or fine
Rs 1 lac or both
• Publication for fraudulent purpose Sec 74 & Residual penalties Sec 76 & 77: 2 years or fine Rs 1
lac or both & as may be decided. Offences with 3 years Prison will be bailable.
• Sec 78: All the cyber cases will be investigated by Inspectors of Police or above.
However, Sec 79 the Network Provider is not liable for any third party information, data, or
communication link made available or hosted by him and hence not to be penalized.
New Amendments:
Sec 67C: Preservation and retention of information by intermediaries: Specified information if
not retained prison 3 years + FINE.
Sec 69: Power to issue instructions to intercept, monitor or decrypt any information thro’
computer resource 7 years + fine
Sec 69A: Power to issue instructions for blocking for public access of any information thro’ any
computer resource 7 years + fine
Sec 69B: Power to monitor and collect traffic data or information thro’ any computer resource
for cyber security 3 years + fine
• Sec 79A: CG to notify Examiner of Electronic Evidence
• Sec 80: Power of police and other officers to enter, search premises etc
• Sec 84: Protection to CCA, members of CAT for action taken in good faith
• Sec 87: Power of CG to make rules
• Sec 88: Constitution of Cyber Regulations Advisory committee
• Sec 89: Power of Controller to make regulations
• Sec 90: Power of State Govt to make rules to carry out provisions of this act
***
