New Indian Law Creates HUGE Infosec Audit Opportunities

A new Indian law promises to create HUGE opportunities for Information Security professionals.

On 11 April 2011, the Central Government, exercising the powers conferred by clause (ob) of sub-section (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000), notified the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. These rules define the reasonable security practices and procedures to be followed by any body corporate possessing, dealing with or handling sensitive personal data or information.

Under these rules, "sensitive personal data or information" of a person means such personal information which consists of information relating to:
(i) password;
(ii) financial information such as bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any detail relating to the above clauses as provided to a body corporate for providing service; and
(viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.

Under section 43A, a body corporate that is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, is liable to pay damages by way of compensation to the person affected. It is interesting to note that the Information Technology Act originally capped compensation claims under section 43 at Rs 1 crore. That cap has since been removed: compensation claims up to Rs 5 crore are now decided by Adjudicating Officers, while claims above Rs 5 crore go to the competent court.

Section 72A provides for imprisonment of up to three years, or a fine of up to Rs 5 lakh, or both, for disclosing personal information obtained under a lawful contract, without the consent of the person concerned and in breach of that contract, with the intent to cause, or knowing it is likely to cause, wrongful loss or wrongful gain.

Any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, is not regarded as sensitive personal data or information for the purposes of these rules.

It is interesting to note that the term "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Opportunity for infosec professionals

The rules require a body corporate to have its security practices and procedures audited at least once a year, or whenever it undertakes a significant upgrade of its processes or systems, by an independent auditor approved by the Central Government. This would effectively make section 43A audits mandatory for almost all sectors of the economy, including:

  1. Medical sector - doctors, hospitals, pathological labs, scan centers etc. It would also apply to pharmaceutical companies carrying out medical research and tests.
  2. Banks, insurance companies and other financial institutions
  3. Educational institutions
  4. BPOs, call centers, LPOs
  5. Chartered Accountants
  6. Hotels
  7. eCommerce companies
  8. Retail outlets accepting credit card payments