
Cyber Laws: Amity Business School

The document provides an overview of cyber laws and the Information Technology Act 2000 and its subsequent amendment in 2008 in India. It discusses key topics around cyber space, jurisdiction in cyber laws, cyber crimes and offenses defined under the IT Act. It also summarizes the objectives and structure of the IT Act, and provides context around the need for its amendment in 2008 to address certain gaps and omissions in the original legislation.

Uploaded by

Ansh Saxena

Amity Business School

CYBER LAWS


• Cyber Space
• Fundamentals of Cyber Space
• Understanding Cyber Space
• Interface of Technology and Laws Defining Cyber Law
• Jurisdictional Issues in Cyber Space
• Jurisdiction in Cyber Space
• Concept of Jurisdiction
• Internet Jurisdiction
• Indian Context of Jurisdiction
• E-commerce- Legal issues
• Legal Issues in Cyber Contracts
• Cyber Contract and IT Act 2000
• I.P.R. & Cyber Space

Crime is both a social and economic phenomenon. It is as old as human society. Many ancient books right from pre-historic days, and mythological stories, have spoken about crimes committed by individuals, be it against another individual like ordinary theft and burglary or against the nation like spying, treason etc.

Crime in any form adversely affects all the members of the society. In developing economies, cyber crime has increased at rapid strides, due to the rapid diffusion of the Internet and the digitisation of economic activities.

Cyber Crime is not defined in Information Technology Act 2000 nor in the I.T.
Amendment Act 2008 nor in any other legislation in India.

Offence or crime has been dealt with elaborately listing various acts and the
punishments for each, under the Indian Penal Code, 1860 and quite a few other
legislations too.

Cyber crime can be defined simply as a combination of crime and computer.

Any offence or crime in which a computer is used is a cyber crime.

Interestingly even a petty offence like stealing or pick-pocket can be brought within
the broader purview of cyber crime if the basic data or aid to such an offence is a
computer or an information stored in a computer used (or misused) by the fraudster.

The I.T. Act defines a computer, computer network, data, information and all other necessary ingredients that form part of a cyber crime.

In a cyber crime, the computer or the data itself is the target or the object of the offence, or a tool in committing some other offence, providing the necessary inputs for that offence. All such acts of crime come under the broader definition of cyber crime.

Information Technology Act 2000 and the I.T. Amendment Act 2008

The Genesis of IT legislation in India:

The mid-90s saw an impetus in globalization and computerization, with more and more nations computerizing their governance, and e-commerce seeing an enormous growth. Until then, most international trade and transactions were done through documents being transmitted through post and by telex only.

Evidence and records, until then, were predominantly paper evidence and paper records or other forms of hard copies only. With much of international trade being done through electronic communication and with email gaining momentum, an urgent and imminent need was felt for recognizing electronic records, i.e. the data stored in a computer or an external storage attached thereto.

The United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on e-commerce in 1996. The General Assembly of the United Nations passed a resolution in January 1997 inter alia recommending all States in the UN to give favourable consideration to the said Model Law, which provides for recognition of electronic records and according them the same treatment as a paper communication and record.

It is against this background that the Government of India enacted its Information Technology Act 2000, with the objectives as follows, stated in the preface to the Act itself:

“to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce".

It involves the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies.

Further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.”

Objectives of I.T. legislation in India:

The Information Technology Act, 2000, was passed as Act No. 21 of 2000, received the President's assent on 9 June and was made effective from 17 October 2000.

The Act essentially deals with the following issues:

Legal Recognition of Electronic Documents,

Legal Recognition of Digital Signatures

Offenses and Contraventions

Justice Dispensation Systems for cyber crimes.


Amendment Act 2008:

Being the first legislation in the nation on technology, computers, e-commerce and e-communication, the Act was the subject of extensive debates, elaborate reviews and detailed criticisms, with one arm of the industry criticizing some sections of the Act as draconian and another stating that it is too diluted and lenient.

There were some conspicuous omissions too, resulting in investigators relying more and more on the time-tested (one-and-a-half-century-old) Indian Penal Code even in technology-based cases, with the I.T. Act also being referred to in the process but the reliance being more on the IPC than on the ITA.

The need for an amendment – a detailed one – was felt for the I.T. Act almost from the year 2003-04 itself.

Major industry bodies were consulted and advisory groups were formed to go into the perceived lacunae in the I.T. Act, to compare it with similar legislation in other nations and to suggest recommendations.

Such recommendations were analysed and subsequently taken up as a comprehensive Amendment Act and, after considerable administrative procedures, the consolidated amendment called the Information Technology Amendment Act 2008 was placed in the Parliament and passed without much debate, towards the end of 2008 (by which time the Mumbai terrorist attack of 26 November 2008 had taken place).

This Amendment Act received the President's assent on 5 Feb 2009 and was made effective from 27 October 2009.

Some of the notable features of the ITAA are as follows:

• Focussing on data privacy
• Focussing on Information Security
• Defining cyber café
• Making digital signature technology neutral
• Defining reasonable security practices to be followed by corporates
• Redefining the role of intermediaries
• Recognising the role of Indian Computer Emergency Response Team
• Inclusion of some additional cyber crimes like child pornography and cyber terrorism
• Authorizing an Inspector to investigate cyber offences (as against the DSP earlier)

How the Act is structured:

The Act has 13 chapters and 90 sections in total (the last four sections, namely sections 91 to 94 in the ITA 2000, dealt with the amendments to the four Acts, namely the Indian Penal Code 1860, the Indian Evidence Act 1872, the Bankers’ Books Evidence Act 1891 and the Reserve Bank of India Act 1934).

The Act begins with preliminaries and definitions, and from there on the chapters that follow deal with authentication of electronic records, digital signatures, electronic signatures etc.

Elaborate procedures for certifying authorities (for digital certificates as per the IT Act 2000, since replaced by electronic signatures in the ITAA 2008) have been spelt out. The civil offence of data theft and the process of adjudication and appellate procedures have been described. Then the Act goes on to define and describe some of the well-known cyber crimes and lays down the punishments therefor. Then the concept of due diligence, the role of intermediaries and some miscellaneous provisions have been described.

Definitions:

The ITA-2000 defines many important words used in common computer parlance like ‘access’, ‘computer resource’, ‘computer system’, ‘communication device’, ‘data’, ‘information’, ‘security procedure’ etc. The definition of the word ‘computer’ itself assumes significance here.

‘Computer’ means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

‘Computer system’ means a device or a collection of devices with input, output and storage capabilities. Interestingly, the words ‘computer’ and ‘computer system’ have been so widely defined as to mean any electronic device with data processing capability, performing computer functions like logical, arithmetic and memory functions with input, storage and output capabilities. A careful reading of the words will make one understand that high-end programmable gadgets, even a washing machine, or switches and routers used in a network, can all be brought under the definition.

Similarly, the term ‘Communication devices’ inserted in the ITAA-2008 has been given an inclusive definition, taking into its coverage cell phones, personal digital assistants or such other devices used to transmit any text, video etc., like what was later being marketed as iPad or other similar devices on Wi-Fi and cellular models.

Definitions for some words like ‘cyber café’ were also later incorporated in the ITAA 2008, when ‘Indian Computer Emergency Response Team’ was included.

Digital Signature: ‘Electronic signature’ was defined in the ITAA-2008, whereas the earlier ITA-2000 covered the digital signature in detail, defining it, elaborating the procedure to obtain the digital signature certificate and giving it legal validity.

Digital signature was defined in the ITA-2000 as “authentication of electronic record” as per the procedure laid down in Section 3.

Section 3 discussed the use of an asymmetric crypto system and the use of Public Key Infrastructure, hash function etc.

This was later criticized as technology dependent, i.e. relying on the specific technology of the asymmetric crypto system and the hash function, generating a pair of public and private keys, authentication etc.

Section 3 which was originally “Digital Signature” was later renamed as “Digital
Signature and Electronic Signature” in ITAA - 2008 thus introducing technological
neutrality by adoption of electronic signatures as a legally valid mode of executing
signatures.

This includes digital signatures as one of the modes of signatures and is far broader
in ambit covering biometrics and other new forms of creating electronic signatures
not confining the recognition to digital signature process alone.

While M/s. TCS, M/s. Safescript and M/s. MTNL are some of the digital signature certifying authorities in India, IDRBT (Institute for Development of Research in Banking Technology – the research wing of RBI) is the Certifying Authority (CA) for the Indian banking and financial sector, licensed by the Controller of Certifying Authorities, Government of India.

Implementation of the Act:

However, the Central Government has to evolve detailed procedures and increase awareness on the use of such systems among the public by putting in place the necessary tools and stipulating necessary conditions. Besides, the duties of electronic signature certificate issuing authorities for biometric-based authentication mechanisms have to be evolved, and the necessary parameters have to be formulated to make them user-friendly without compromising security.

Section 43 deals with penalties and compensation for damage to computer, computer system etc.

This section is the first major and significant legislative step in India to combat the issue of data theft. The IT industry has for long been clamouring for legislation in India to address the crime of data theft, just like physical theft or larceny of goods and commodities.

This Section addresses the civil offence of theft of data. If any person, without permission of the owner or any other person who is in charge of a computer, accesses or downloads, copies or extracts any data, or introduces any computer contaminant like a virus, or damages or disrupts any computer, or denies access to a computer to an authorised user, or tampers etc., he shall be liable to pay damages to the person so affected.

Earlier, in the ITA-2000, the maximum damages under this head were Rs. 1 crore; this ceiling has since been removed in the ITAA 2008.

The essence of this Section is civil liability. Criminality in the offence of data
theft is being separately dealt with later under Sections 65 and 66.

Writing a virus program or spreading a virus mail, a bot, a Trojan or any other
malware in a computer network or causing a Denial of Service Attack in a
server will all come under this Section and attract civil liability by way of
compensation. Under this Section, words like Computer Virus, Computer
Contaminant, Computer database and Source Code are all described and
defined.

Questions like the employees’ liability in an organisation which is sued for data theft or such offences, the amount of responsibility of the employer or the owner, and the concept of due diligence were all debated in the first few years of ITA-2000 in court litigations like the bazee.com case and other cases.

https://www.mondaq.com/india/it-and-internet/572042/the-bazeecom-saga-unravelled-supreme-court-clarifies-intermediary-liabilities-for-hosting-obscene-content

Section 43-A, dealing with compensation for failure to protect data, was introduced in the ITAA-2008.

As per this Section, where a body corporate is negligent in implementing reasonable security practices and thereby causes wrongful loss or gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

The corporate responsibility for data protection is greatly emphasized by inserting Section 43A, whereby corporates are under an obligation to ensure adoption of reasonable security practices.

Reasonable Security Practices

• Site certification
• Security initiatives Awareness Training
• Conformance to Standards,
• Certification Policies and adherence to policies
• Policies like password policy, Access Control, email Policy etc. Periodic monitoring and review.

Adjudication: Having dealt with civil offences, the Act then goes on to describe civil remedy to such offences in the form of adjudication without having to resort to the procedure of filing a complaint with the police or other investigating agencies. Adjudication powers and procedures have been elaborately laid down in Sections 46 and thereafter. The Central Government may appoint any officer not below the rank of a director to the Government of India or a state Government as the adjudicator. The I.T. Secretary in any state is normally the nominated Adjudicator for all civil offences arising out of data thefts and resultant losses in the particular

Section 65: Tampering with source documents is dealt with under this section.

Concealing, destroying or altering any computer source code when the same is required to be kept or maintained by law is an offence punishable with three years imprisonment or two lakh rupees or with both.

Fabrication of an electronic record or committing forgery by way of interpolations in CD produced as evidence in a court

SECTION 66A: Sending offensive messages through a communication service, causing annoyance etc. through an electronic communication, or sending an email to mislead or deceive the recipient about the origin of such messages (commonly known as IP or email spoofing) are all covered here. Punishment for these acts is imprisonment up to three years or fine.

SECTION 66B: Dishonestly receiving stolen computer resource or communication device, with punishment up to three years or one lakh rupees as fine or both.

SECTION 66C: Electronic signature or other identity theft, like using others’ password or electronic signature etc. Punishment is three years imprisonment or fine of one lakh rupees or both.

SECTION 66D: Cheating by personation using computer resource or a communication device.

SECTION 66E: Privacy violation – publishing or transmitting private area of any person without his or her consent etc. NON BAILABLE OFFENSE

SECTION 66F: Cyber terrorism – intent to threaten the unity, integrity, security or sovereignty of the nation and denying access to any person authorized to access the computer resource, or attempting to penetrate or access a computer resource without authorization. Acts of causing a computer contaminant (like virus or Trojan Horse or other spyware or malware) likely to cause death or injuries to persons or damage to or destruction of property etc. come under this Section. Punishment is life

Section 67-A deals with publishing or transmitting of material containing sexually explicit act in electronic form. Contents of Section 67, when combined with material containing sexually explicit material, attract penalty under this Section.

Child pornography has been exclusively dealt with under Section 67B. Depicting children engaged in sexually explicit act, creating text or digital images or advertising or promoting such material depicting children in obscene or indecent manner etc., or facilitating abusing children online, or inducing children to online relationship with one or more children etc. come under this Section.

Section 69: This is an interesting section in the sense that it empowers the Government or agencies as stipulated in the Section to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource, subject to compliance with the procedure as laid down here.

This power can be exercised if the Central Government or the State Government, as the case may be, is satisfied that it is necessary or expedient in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of any cognizable offence relating to the above, or for investigation of any offence. In any such case too, the necessary procedure, as may be prescribed, is to be followed and the reasons for taking such action are to be recorded in writing, by order, directing any agency of the appropriate Government. The subscriber or intermediary shall extend all facilities and technical assistance when called upon to do so.

ISO 27001:2013 is an Information Security Management standard. Use it to manage and control your information security risks, to protect and preserve the confidentiality, integrity, and availability of information, and to establish your information security management system (ISMS).

https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/iso-27001-compliance-steps.png.webp

ISO IEC 27002 2013 is an information security management standard. It defines a set of recommended information security controls. The official complete name of this standard is ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls. These recommended controls are found in sections 5 to 18:

5. Information Access Management
6. Cryptography Policy Management
7. Physical Security Management
8. Operational Security Management
9. Network Security Management
10. System Security Management
11. Supplier Relationship Management
12. Security Incident Management
13. Security Continuity Management
14. Security Compliance Management