As The World Grapples With Rampant
Overview
The Information Technology (IT) Act, 2000, is the primary legislation dealing with
cybersecurity, data protection and cybercrime.
Information Technology (The Indian Computer Emergency Response Team and Manner of
Performing Functions and Duties) Rules, 2013 (2013 rules), established the Computer
Emergency Response Team (CERT-In) as the administrative agency responsible for
collecting, analysing and disseminating information on cybersecurity incidents, and
taking emergency response measures. These rules also put in place obligations on
intermediaries and service providers to report cybersecurity incidents to the
CERT-In.
Directions on information security practices, procedure, prevention, response and
reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the
CERT-In, add to and modify existing cybersecurity incident reporting obligations
under the 2013 rules.
Information Technology (Reasonable Security Practices and Procedures and Sensitive
Personal Data or Information) Rules, 2011 (SPDI rules) require companies that
process, collect, store or transfer sensitive personal data or information to
implement reasonable security practices and procedures.
The Information Technology (Guidelines for Intermediaries and Digital Media Ethics
Code) Rules, 2021 (IT Rules 2021) require intermediaries to implement reasonable
security practices and procedures to secure their computer resources and
information in order to retain safe harbour protections. Intermediaries are also
mandated to report cybersecurity incidents to the CERT-In.
Information Technology (Information Security Practices and Procedures for Protected
System) Rules, 2018, oblige companies that have protected systems – as defined
under the IT Act – to put in place specific information security measures.
Other laws that contain cybersecurity-related provisions include the Indian Penal
Code 1860, which punishes offences committed in cyberspace (such as defamation,
cheating, criminal intimidation and obscenity), and the Companies (Management and
Administration) Rules 2014, which require companies to ensure that electronic
records and systems are secure from unauthorised access and tampering. There are
also sector-specific rules issued by regulators and agencies, including the Reserve
Bank of India, the Insurance Regulatory and Development Authority of India, the
Department of Telecommunications, the Securities and Exchange Board of India and
the National Health Authority of India, among others, which mandate cybersecurity
standards to be maintained by their regulated entities.
Under the IT Act, the government may notify any computer resource that affects the
facility of critical information infrastructure (CII) as a protected system, and
prescribe cybersecurity obligations for companies handling protected systems.
Designated CII sectors include transport, telecoms, banking and finance, power,
energy and e-governance. Within these sectors, the appropriate authority can notify
certain computer systems as protected systems. Sectoral regulators and agencies,
including the Central Electricity Authority, have also formulated rules and
guidelines on cybersecurity and CII.
Institutional Framework
Security Measures
Sectoral regulators and nodal agencies also prescribe security measures. The
Reserve Bank of India prescribes standards for banks, including setting a mechanism
for dealing with and reporting incidents, cyber crisis management, and arrangements
for continuous surveillance of systems and the protection of customer information.
It also mandates banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards.
The 2013 rules require organisations to report incidents to the CERT-In within a
reasonable time. Incidents include denial of service attacks, phishing and
ransomware incidents, website defacements, and targeted scanning of networks or
websites.
In April 2022, the CERT-In issued a new directive modifying obligations under the
2013 rules, including requirements to report cybersecurity incidents within six
hours, syncing system clocks to the time provided by government servers,
maintaining security logs in India, and storing additional customer information.
The IT Rules 2021 also require intermediaries to notify the CERT-In of security
breaches as part of their due diligence obligations.
Cybercrimes
Traditional criminal offences such as theft, fraud, forgery, defamation and mischief
– all of which are covered under the Indian Penal Code, 1860 – may also amount to
cybercrimes when committed using computer resources. The IT Act addresses modern
offences such as tampering, hacking, publishing obscene information, unauthorised
access to protected systems, breach of confidentiality and privacy, and publishing
false digital signature certificates. Sending threatening or defamatory messages by
email, forgery of electronic records, cyber fraud, email spoofing, web-jacking and
email abuse are also punishable offences.
Future Path