Information Security Laws, Regulations Every Organisation Should Follow
Each organization should strive to keep up with competition in terms of growth, sales, reach and technology. Keeping up with technology as new tools and trends emerge is difficult and expensive, and requires training and hiring skilled professionals to operate it. Still, an organization must adopt new technology when it deems it feasible and more efficient for the business.
Information is the cornerstone of many businesses, and this information and the technology that holds it should be safeguarded and protected by laws, rules and regulations. Your organization's information and technology may be susceptible to cyber attacks from hackers, competing companies and terrorists. Cyber attacks, also referred to as cyber incidents, include viruses, phishing, trojans, DoS, unauthorized access, impersonation, etc. One way to protect your organization is through cyber security measures, which include encryption, anti-virus software, firewalls, login passwords, compliance with applicable regulations and so on.
Security Laws and Regulations
All matters related to information security are governed by the Information Technology Act, 2000, its Rules and subsequent amendments. The following points summarize the current laws in India and the information security laws and regulations your organization should follow:
- India has no specific cybercrime legislation; instead, the IT Act, 2000 and the Indian Penal Code, 1860 (IPC) govern cyber security law and regulation in India. Under the IT Act, 2000, organizations have the option to determine the security standard to be adopted with respect to the collection, storage and use of information. Mandatory security standards are described in various Rules. Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 suggests that organizations can use International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 or any code prescribed by the Government to frame reasonable security practices and procedures. There are prescribed rules for the banking, finance and IT sectors that are constantly updated. For example, banks have prescribed guidelines (stipulated by the RBI) on information security, electronic banking and risk management which require banks to use 128-bit secure layer encryption technology under ISO/IEC 27001 and ISO/IEC 27002.
Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 3 states that sensitive data such as passwords, financial information, physical or mental health condition, sexual orientation, medical history, biometric information or any service cannot be disclosed without the user's consent. The collection, storage, use and disclosure of such information should be made public on a company's website in the form of a privacy policy, under Section 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
A privacy policy should mention the practices and policies, the type of personal or sensitive data collected, the purpose of collecting such information and the reasonable security practices and procedures employed under Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. By disclosing these practices beforehand, a privacy policy protects a company in case any liability arises when a user accesses that company's website. Any transfer of personal information should be made under a lawful contract between all the parties involved. Any information freely available in the public domain or published under the Right to Information Act, 2005 shall not be considered sensitive personal data.
- There do not seem to be any proposals in Parliament or the houses of assembly to change any data security laws. The most recent Act passed by Parliament (yet to be notified) was the Aadhaar Act, 2016 for the targeted delivery of financial and other subsidies, services and benefits. This Act restricts the disclosure of personal or private information to third parties, and any disclosure could result in compensation and/or criminal punishment. The Act does not include privacy and information security provisions outside the scope of Aadhaar. Aadhaar-based and/or Aadhaar-enabled systems are reliable for validating customer information if such systems conform to the statutes and guidelines clearly stipulated in the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Services and Benefits) Act, 2016.
- Financial information – a customer's financial information collected by an organization (such as a bank, insurance company or securities firm) or a financial service provider is protected against disclosure under Rule 6 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Disclosure of such private information will result in a criminal breach. If a hacker disrupts, extracts, modifies, releases or uses such financial information, such persons are liable to be criminally punished and/or fined up to INR 5,00,000 under Section 66 of the Information Technology Act, 2000.
- Insurance – Several insurance schemes have been launched in the past few years to cover organizations, websites, apps, etc. against cyber risks. As the need and demand for insurance against cyber risks rises, cyber security insurance will continue to gain popularity. A good insurance policy will do what it is intended to do, that is, protect your information or compensate you in case any data or information is stolen, destroyed, hacked, etc. The increase in cyber crime has directly led to an increase in the number of policies being issued and used.
- Compliance – Failure to comply with information security laws and regulations will result in compensation for negligence in protecting information or data under Section 43A of the IT Act, 2000. Such compensation shall be determined by the court depending on the extent of damage done and the wrongful gain or loss incurred. Under Section 72A of the IT Act, 2000, if personal information is disclosed by a service provider in the course of servicing a contract and this results in wrongful gain or loss, such an infringement could result in criminal punishment. Criminal punishment could be up to 3 years in jail, a fine of INR 5,00,000, or both.
Governing Body
Under Sections 48 and 49 of the Information Technology Act, 2000, Cyber Appellate Tribunals are appointed as the data protection authority by the Central Government, and the adjudicating officer is appointed as the chairperson of the Tribunal. Currently, each State Government has a secretary to the Ministry of Information Technology, and it is this secretary who will be appointed as the adjudicating officer. An officer will be appointed under the Act to adjudicate claims not exceeding INR 5 Crores.
If claims exceed the stipulated amount, all matters will be resolved in Civil Court. The local police are also authorized to investigate offenses under the IT Act, 2000, as stipulated in Sections 72 and 72A of the Act.
Cyber security incidents can be resolved by the nodal agency, the Computer Emergency Response Team (CERT), which is an agency set up by the Ministry of Communication and Information Technology in accordance with the IT Act. This agency has the power to block webpages, detect malicious activities and vulnerabilities, analyze cyber incidents, etc. Under the IT Act, 2000, its Amendments and Rules, no individual or organization is required to report cyber security incidents to CERT, but they have the option to report such incidents. Nor must incidents be reported to the public. The banking, financial, telecom and medical sectors are strictly regulated and can enforce cyber security rules.
Hacks In India
In light of the recent cyber incidents in India, it is essential that we look at our information security laws and regulations more closely. These laws and regulations will create a secure and regulated information security environment in India for businesses, individuals and the country itself.
Let's take a look at some of the recent cyber incidents and how you can protect yourself in the event of such mishaps:
- In May 2017, around 13.5 Crore Aadhaar accounts were compromised by Government Departments, namely the National Rural Employment Guarantee Scheme (NREGS), the Chandranna Bhima Scheme (A.P.) and the National Social Assistance Programme (NSAP). According to the report by Sinha and Kodali, the mobile numbers and bank details of millions of Aadhaar accounts are available online. Fraudulent individuals misused the system by obtaining a cloned SIM and using the OTP for unauthorized transactions. The best recommendation is for companies to follow PCI DSS as the payment security standard, although there is no mandate on any standard to be adopted. There are online tools that help organizations mask Aadhaar numbers through a centralized console and discover Aadhaar numbers exposed online.
- In May 2017, a ransomware attack called WannaCry hit India along with 74 other countries such as the UK, Russia and Thailand; India was among the 3 worst-hit countries. The attack hit computers in hospitals, institutions and the private accounts of individuals by blocking all access to data on the affected system. The attackers encrypted existing data on computer systems and demanded payment in bitcoin to decrypt the information. The payments demanded were between INR 19,000 and 39,000 per system. The way to prevent such attacks is to constantly apply the security patches provided by your operating system vendor and to use effective anti-virus software.
- The IRCTC website was supposedly hacked on the 5th of May, 2016. What really happened was that all users' transaction history was wiped clean from the IRCTC website database by hackers. A committee of cyber experts was set up following the hack to look into the data breach and to set up better cyber laws in India.
- In October 2016, India was hit with its worst debit card hack yet, in which information on over 3.2 million debit cards was compromised, and it took over 6 weeks before it was detected. The breach originated in the Hitachi payments system, and the banks worst affected by the hack were ICICI, HDFC, YES Bank and Axis Bank. Following the hack, the affected banks blocked breached cards and reissued new debit cards to customers. Customers were also directed to use only certified ATMs and to take better security precautions by changing their PIN, internet banking password, etc. every few months.
- Legion is a group of hackers that has a global presence and of late has started targeting citizens and organizations in India. The group claims that its objective is to bring social justice through access to information. In the last few years, Legion has hacked the Twitter accounts of Rahul Gandhi, Barkha Dutt, Vijay Mallya, Lalit Modi, etc. Private data has been made public by the hacking group through partial data dumps. This group has pointed out the flaws in Indian information and data security systems time and time again.
- In December 2016, Yahoo was hit with the biggest and worst data breach in history. Over 1 billion accounts were compromised. The hackers used forged cookies, which store login state, to access user accounts without needing a password. These breaches revealed email information, bank details and passwords, medical records, credit information, and a whole lot of private and personal information. The hackers could also access sites like eBay, Amazon, Walmart, etc. because of password reuse. Many Indian users on Yahoo were affected by the hacks originating in 2013 and leading up to the hacks again in 2016.
Why Laws and Regulations Matter
In light of the recent cyber attacks and hacking in India, it is important that companies, businesses, startups and other organizations adhere to information security laws and regulations in India. Although these laws may sometimes fall behind the rate of change of technology, new cases of hacking and cyber attacks set precedents for future laws and guidelines to be framed. It is essential to keep up to date with official notifications issued by the Central Government.
LegalDesk.com is a legal service provider that provides templates of legal documents such as agreement and contract drafts, terms of use and privacy policies, digitally and in paper format, delivered right to your office or doorstep. Draft your legal documents online with LegalDesk.com.