Spice Route Legal
Given the expansive range of India’s software infrastructure, India is also prone to the highest number of cybersecurity incidents. In 2021 alone, these incidents ranged from the unauthorised access and dissemination of the personal data of about 4.5 million customers of a top Indian airline company to the leakage of approximately 180 million users’ personal data from a renowned food chain’s database. A recent report by Check Point Research (“CPR”) identifies India as the most impacted country in terms of cyber-attacks – organisations in India witness approximately 213 weekly ransomware attacks, on average. As per the findings of The State of Ransomware 2021 survey by a cybersecurity firm Sophos, about 68% of the affected Indian organisations whose data was hacked in the year 2020-21 resorted to the payment of ransom to recover their data.
Despite the clear urgency and importance of promoting stringent cybersecurity and data protection practices in India, the Indian government has been unable to effectively legislate on the issues of comprehensive data protection, privacy, and cybersecurity law. India’s legal regime continues to follow a fragmented and piecemeal approach towards both cybersecurity and data privacy. The laws governing such issues include but are not limited to –
- The Indian Penal Code, 1860 (“IPC”),
- The Information Technology Act, 2000 (“IT Act”), and
- various sectoral regulations, discussed in detail below.
The Supreme Court of India has, in a recent special leave petition filed in the case of Jagjit Singh v. State of Punjab, held that the offence of hacking and data theft would not only be an offence under the provisions of the IT Act, but would also constitute criminal misappropriation under the IPC. The application of a criminal statute that is over a century and a half old merely muddies the waters – and therefore, this note focuses on the more modern regulations, the IT Act and the various sectoral regulations.
- The Information Technology Act, 2000
- Reasonable Security Practices and Procedures
Under Section 43A of the IT Act, companies are required to implement “reasonable security practices and procedures” to protect information from unauthorised access, damage, use, modification, disclosure, or impairment. In accordance with the said provision, the Indian government issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). These rules are significant as they set out the country’s existing data protection regime.
As per the SPDI Rules, a body corporate is said to have complied with “reasonable security practices and procedures” if it has implemented policies that contain managerial, technical, operational, and physical security control measures that are proportionate to the information assets it seeks to protect. In furtherance of this, such entities are also required to maintain a comprehensive, documented information security practice and policy.
The SPDI Rules identify IS/ISO/IEC 27001 as a specific international standard that body corporates may implement to fulfil the “reasonable security practices” requirement under existing laws. Adoption of this standard is, of course, not mandatory.
Companies that cause wrongful loss to any person, due to their negligence in the implementation of reasonable security practices and procedures, are liable to pay compensation up to INR 5,00,00,000. The compensation award is adjudicated upon by an officer appointed by the Central Government, after the officer has conducted an inquiry into the claim.
If a claim exceeds the prescribed amount above, the dispute is heard by the competent court that has monetary jurisdiction over the claim. Appeals against the orders of an adjudicating officer are heard by the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”), a body that was initially set up to adjudicate disputes within the telecom sector. Appeals against decisions of the TDSAT are heard before the High Courts of the respective states in the country.
Further, the IT Act also penalises body corporates for other cybersecurity-related offences such as unauthorised access to, extraction from, damage to, or disruption or denial of service in respect of computers and computer networks; intentional tampering with source code that is required to be maintained by law; identity theft; and the dishonest receipt of stolen computer resources or communication devices. Each of these offences is separately punishable with imprisonment (which may extend up to 3 years), a fine ranging from INR 100,000 to 500,000 depending on the nature of the offence, or both.
- Computer Emergency Response Team (CERT-In)
The Indian Government requires entities to notify authorities about cybersecurity incidents, including personal data breaches, through the rules governing its Computer Emergency Response Team (“CERT-In”). CERT-In is an agency established under the IT Act, and acts as the nodal authority for cybersecurity-related matters in India. CERT-In’s primary functions include responding to cybersecurity incidents, predicting and preventing cybersecurity incidents, undertaking analysis and forensics of cybersecurity incidents, and issuing emergency measures and advisory guidance to tackle such incidents. The scope of CERT-In’s support varies on a case-by-case basis, and depends on factors such as the type and severity of the incident, the affected entity or individuals, and CERT-In’s available resources at the time the incident occurs.
Unlike other jurisdictions which have adopted a harm-based approach to determine whether a security incident should be reported to the relevant authorities, the IT Act and the rules issued thereunder instead make it mandatory to report certain types of security incidents to CERT-In, within a reasonable period of time. These include –
- the targeted scanning or probing of critical networks or systems;
- a compromise of critical systems or information;
- the unauthorised access of information technology systems or data;
- the defacement of or intrusions into websites, and unauthorised changes to websites;
- malicious code attacks and attacks on servers;
- identity thefts, spoofing, and phishing attacks;
- the denial of service and distributed denial of service attacks;
- attacks on critical infrastructure, supervisory control and data acquisition (SCADA) systems, and wireless networks; and
- attacks on applications like e-governance and e-commerce.
The law prescribes a penalty for non-compliance with the reporting requirement mentioned above. Additionally, if a service provider, intermediary, data centre, company or any person fails to provide the information required by CERT-In, or fails to comply with any direction issued by CERT-In, they shall be liable for imprisonment up to one year, or a fine or both.
CERT-In has started to play a more active role in ensuring that organisations affected by specific cybersecurity incidents comply with the mandatory incident notification requirements. In January 2021, CERT-In issued advisory guidance to organisations on the management of data breaches and security incidents, and recommended best practices to be followed in this regard.
- Protected Systems
The IT Act provides a legal framework for critical information infrastructure in India – which comprises computer resources that have a significant impact on national security, the economy, public health, or safety. Consequently, the government may – (i) classify systems that impact critical information infrastructure as protected systems, (ii) selectively authorise the individuals who may access such protected systems, and (iii) prescribe additional information security practices and procedures for these protected systems.
Currently, protected systems in India are limited to those that relate to government functions. All protected systems must follow the 2015 guidelines published by the National Critical Information Infrastructure Protection Centre (“NCIIPC”), which is the nodal agency for the protection of critical information infrastructure.
Intermediaries such as internet, network, and telecom service providers, web hosting service providers, search engines, payment sites, online marketplaces and other digital players are further required to follow additional cybersecurity obligations under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. For instance, they are required to contractually impose obligations on users to prevent them from using the intermediaries’ services in a manner that affects functionality through the introduction of viruses or any other malicious file, code, or program.
Further, these intermediaries are bound to cooperate with the government and its various governmental agencies on the investigation, detection, and prevention of cybersecurity offences or incidents. Some intermediary obligations in the face of such incidents include (i) the sharing of information under their control or possession, (ii) assisting such agencies, upon a request for information, within 72 hours of communication of the request, and finally, (iii) diligently reporting cybersecurity incidents to CERT-In.
Intermediaries are usually provided with a certain level of protection known as the “safe harbour” principle to avoid any liability that could arise from the misuse of their resources by third party users of their platform. However, upon their failure to comply with the government’s instructions in respect of users’ offences, an intermediary may lose its safe harbour protection.
- Sectoral Regulations
Sectoral regulations on cybersecurity are common in India. Regulations have been issued in respect of the following sectors: (a) financial services, (b) health services, (c) telecommunications, (d) insurance, and (e) securities law. With the exception of the financial services sector, these regulations continue to be fairly “light touch” as far as cybersecurity and data protection are concerned. An overview of the relevant regulations is set out below.
- Financial Services
The Reserve Bank of India (“RBI”) has introduced a comprehensive cybersecurity framework for banks and payment system operators that includes mandatory breach notifications, regular audits and threat assessments, and the implementation of anti-phishing technology. Banks are required to formulate a comprehensive board-approved information security policy and cyber crisis management plan outlining their preparedness indicators for potential cyber-attacks. They must also report all cybersecurity incidents to the RBI within 2-6 hours of discovering the breach. The RBI has been at the forefront of multiple enforcement actions, including by way of imposing fines on banks and on alternative financing institutions for non-compliance in this regard.
- Health Services
The government has prescribed Electronic Health Records Standards under the Clinical Establishment (Regulation and Registration) Act, 2010, based on global information security standards such as ISO/HL 7, ISO/IEC 27002, and ISO/TS 14441:2013. Further, in the year 2020, it also launched the National Digital Health Mission, whose aim is to create an efficient healthcare ecosystem based on the integration of digital health data and infrastructure. This policy initiative mandates the adoption of ISO/TS 17975:2015 for consent management and the International Standard on Fast Healthcare Interoperability Resources (FHIR) – R4 Specification for the electronic exchange of healthcare information.
- Securities Market
Given the crucial part played by digital information in the stock market’s day-to-day dealings, entities in the sector are held to high standards as far as cybersecurity and data protection are concerned. Comprehensive cybersecurity policies are required to be implemented by stock exchanges, depository participants, asset management companies, and mutual fund companies. Such policies need to be modelled on the NCIIPC’s principles. Regulated entities must also set up information technology committees, designate senior officials to oversee compliance with the policies, and implement technical measures to protect their assets and infrastructure.
- Telecom Sector
The Telecom Regulatory Authority of India regulates telephone operators and service providers and prescribes the security and infrastructure requirements that need to be fulfilled as a condition for their continued operation. Licensed telecom service providers have to comply with the ISO/IEC 15408, ISO 27000, 3GPP, and 3GPP2 security standards, among others. The certification for the same can only be issued by authorised agencies in India unless specifically approved by the Department of Telecommunication. Further, organisations must undertake regular audits and implement security management policies and practices. In order to operate, these service providers are also required to contractually impose their information security requirements on all vendors and suppliers that they work with.
- Insurance Sector
The Insurance Regulatory and Development Authority (“IRDAI”) regulates the insurance sector in India. In 2017, it issued guidelines on information security and cybersecurity for insurers, to emphasise the need to maintain the confidentiality and integrity of data in a robust manner. In furtherance of this objective, the IRDAI requires insurers to appoint a chief information security officer, to form an information security committee, to put together a cyber crisis management plan, formulate information and cybersecurity assurance programmes, undertake adequate security safeguards to protect data, and implement adequate processes to identify and mitigate risks, etc.
- Enforcement Trends Across Sectors
In recent years, the TDSAT has actively awarded damages to aggrieved individuals, for cybersecurity lapses within the telecommunications sector. In this regard, most cases have arisen within the financial services space, due to the negligence of financial institutions in implementing reasonable security standards and safeguards. Generally, the damages awarded have not exceeded the actual loss (together with interest).
In the financial sector, the RBI has diligently imposed penalties of up to INR 1,00,00,000 on financial institutions, for their non-compliance with the RBI’s cybersecurity requirements. It is pertinent to note that the imposition of a penalty by the RBI on a banking company precludes the initiation of legal proceedings against the said company before courts of law.
Of late, the CERT-In has also started to play an active role in the enforcement of breach notification obligations, and has called upon organisations that are affected by cybersecurity incidents to furnish information pertaining to the incidents in question.
Additionally, the government launched the National Cyber Crime Reporting Portal in 2020-21, which enables citizens to report cybercrimes online. Such reports are then followed up with an investigation by the appropriate law enforcement agencies.
The fragmented regulatory landscape of cybersecurity in India has resulted in much confusion, with cybercrimes being prosecuted under either ambiguous or archaic statutes. The often confusing tapestry of regulations results in ineffective implementation, and more often than not, entities are unable to derive normative guidance from these regulations due to their ambiguous nature.
A comprehensive and instructive cybersecurity law, aided by specialist regulation on an as-needed basis, is crucial for the development of the cybersecurity regime in India. Otherwise, the courts, enforcement agencies, and regulators will continue to attempt to mould old regulations in unintended ways, and struggle to address many of the constantly evolving cybersecurity issues.
ABOUT THE AUTHORS:
Mathew is the Head of the Technology, Media & Telecommunications practice group at Spice Route Legal, and is recognised as a leading Indian lawyer by several national and international directories. With close to two decades of experience, he advises on a variety of cross-border corporate and commercial transactions, including in relation to investments, fund-formation, technology laws, data privacy, intellectual property, commercial and regulatory compliance, tech law disputes, and risk mitigation strategy.
Aadya is a senior associate with the firm’s Technology, Media and Telecommunications practice group, with a special focus on, and extensive experience in, handling data protection, cybersecurity and privacy mandates. Recognised as a Rising Star by The Legal500 in 2020, Aadya regularly works with domestic and international market leaders in industries, ranging from financial services, and blockchain, to telecommunications, consumer retail, and emerging technologies.
Samyukta is an associate with the firm’s Data Protection, Privacy and Cybersecurity practice, within the broader TMT Practice Group, with a focus on cloud services and cybersecurity mandates. She assists clients with structuring their data protection practices, procedures and policies to demonstrate compliance with applicable laws, and advises them on a range of issues including international data transfers, data breach response and management, and risk mitigation.
 Jagjit Singh v. The State of Punjab, Special Leave Petition Criminal No(s). 3583/2021.