On 11 April 2011, the Central Government in exercise of the powers conferred by clause (ob) of subsection (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000) has defined reasonable security practices and procedures to be followed by those possessing, dealing or handling sensitive personal data or information.

Under this new law, “sensitive personal data or information of a person” means such personal information which consists of information relating to:―
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

Negligence in implementing and maintaining reasonable security practices and procedures may make a person liable to pay damages. It is interesting to note that the Information Technology Act originally capped compensation claims at Rs 1 crore under section 43. This cap has now been removed. Compensation claims upto Rs 5 crore are now handled by Adjudicating Officers while claims above Rs 5 crore are handled by the relevant courts.

Section 72A provides imprisonment upto 3 years and fine upto Rs 5 lakh for disclosure of personal information in breach of a lawful contract.

Any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law will not be regarded as sensitive personal data or information for the purposes of his law.

It is interesting to note that the term “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Opportunity for infosec professionals

This law would make section 43A audits mandatory for almost all sectors of the economy including:

1. Medical sector – doctors, hospitals, pathological labs, scan centers etc. It would also apply to pharmaceutical companies carrying out medical research and tests.

2. Banks, insurance companies and other financial institutions

3. Education institutions

4. BPOs, call centers, LPOs

5. Chartered Accountants

6. Hotels

7. eCommerce companies

8. Retails outlets accepting credit card payments

To equip our students to capitalize on this enormous opportunity we have added a special paper on “security audit and due diligence” in the PG Program in Cyber Security & Incident Response.

For details see:
http://www.asianlaws.org/courses/csir/index.htm

The database is online at:
http://www.cyberlawdb.com/main/

Global Cyber Law Database (GCLD) aims to become the most comprehensive and authoritative source of cyber laws for all countries. GCLD is a public service initiative by Asian School of Cyber Laws.

If you would like to contribute documents / information for inclusion in the Global Cyber Law Database, please email us on info@asianlaws.org

Currently the database contains information relating to the cyber law of the following countries:

Albania
Antigua & Barbuda
Argentina
Armenia
Australia
Austria
Bahamas
Barbados
Brazil
Bulgaria
Canada
China
Council of Europe
Croatia
Cyprus
Czech Republic
Dominican Republic
Estonia
Finland
France
Germany
Hungary
India
Indonesia
International Development
Ireland
Italy
Jamaica
Japan
Lithuania
Macedonia
Malaysia
Malta
Mexico
Moldova
Morroco
Netherlands
Philippines
Portugal
Romania
Russian Federation
Singapore
Slovakia
St Vincent & Grenadines
Sweden
Turkey
Ukraine
United Kingdom
USA

Details of the first workshop in this series are given below:

Topic: 1-day Workshop on Cyber Law

Date: Sat, 15 May 2010

Time: 10 AM to 5 PM

Venue: St Xavier’s College, College Hall, Ground Floor, St Xavier’s College, 5, Mahapalika Marg, Mumbai 400 001

On completion of the workshop each participant shall receive a certificate of participation issued by ASCL and Cyber Appellate Tribunal, Government of India.

The workshop will be inaugurated by Hon’ble Justice Rajesh Tandon, Chairperson, Cyber Appellate Tribunal, New Delhi.

For details call:

Pune – 09225548603
Mumbai – 09225548601

Nine years after the birth of cyber laws in India, the new improved cyber law regime in India has become a reality. The Information Technology Act initially came into force on 17th October 2000. Major changes to this law have now come into force.

Most of these changes relate to cyber crimes. The last decade has seen a spurt in crimes like cyber stalking and voyeurism, cyber pornography, email frauds, phishing and crimes through social networking. All these and more are severely dealt with under the new laws.

Some of the major developments are:

1.    Voyeurism is now specifically covered. Acts like hiding cameras in changing rooms, hotel rooms etc is punishable with jail upto 3 years. This would apply to cases like the infamous Pune spycam incident where a 58-year old man was arrested for installing spy cameras in his house to ‘snoop’ on his young lady tenants.

2.    Publishing sexually explicit acts in the electronic form is punishable with jail upto 3 years.  This would apply to cases like the Delhi MMS scandal where a video of a young couple having sex was spread through cell phones around the country.

3.    Collecting, browsing, downloading etc of child pornography is punishable with jail upto 5 years for the first conviction. For a subsequent conviction, the jail term can extend to 7 years. A fine of upto Rs 10 lakh can also be levied.

4.    The punishment for spreading obscene material by email, websites, sms has been reduced from 5 years jail to 3 years jail. This covers acts like sending ‘dirty’ jokes and pictures by email or sms.

5.    Compensation on cyber crimes like spreading viruses, copying data, unauthorised access, denial of service etc is not restricted to Rs 1 crore anymore. The Adjudicating Officers will have jurisdiction for cases where the claim is upto Rs. 5 crore. Above that the case will need to be filed before the civil courts.

6.     A special liability has been imposed on call centers, BPOs, banks and others who hold or handle sensitive personal data. If they are negligent in “implementing and maintaining reasonable security practices and procedures”, they will be liable to pay compensation. It may be recalled that India’s first major BPO related scam was the multi crore MphasiS-Citibank funds siphoning case in 2005. Under the new law, in such cases, the BPOs and call centers could also be made liable if they have not implemented proper security measures.

7.    Refusing to hand over passwords to an authorized official could land a person in prison for upto 7 years.

8.    The offence of cyber terrorism has been specially included in the law. A cyber terrorist can be punished with life imprisonment.

9.    Sending threatening emails and sms are punishable with jail upto 3 years.

10.    Hacking into a Government computer or website, or even trying to do so in punishable with imprisonment upto 10 years.

11.    Cyber crime cases can now be investigated by Inspector rank police officers. Earlier such offences could not be investigated by an officer below the rank of a deputy superintendent of police.

The following have also come into force on 27 October, 2009:

1. Rules pertaining to section 52 (Salary, Allowances and Other Terms and Conditions of Service of Chairperson and Members),

2. Rules pertaining to section 54 (Procedure for Investigation of Misbehaviour or Incapacity of Chairperson and Members),

3. Rules pertaining to section 69 (Procedure and Safeguards for Interception, Monitoring and Decryption of Information),

4. Rules pertaining to section 69A (Procedure and Safeguards for Blocking for Access of Information by Public),

5. Rules pertaining to section 69B (Procedure and safeguard for Monitoring and Collecting Traffic Data or Information) and

6. Notification under section 70B for appointment of the Indian Computer Emergency Response Team.

Useful links:

IT (Amendment) Act 2008:
http://mit.gov.in/download/it_amendment_act2008.pdf

Information Technology Act, 2000:
http://mit.gov.in/download/itbill2000.pdf

 For other relevant notifications, please visit:
http://mit.gov.in/default.ASPX?id=191

Official announcement – “Information Technology (Amendment) Act, 2008 comes into force”
http://pibmumbai.gov.in/scripts/detail.asp?releaseId=E2009PR1153

The search engine can be accessed for free from:
www.data64.cc

The search engine searches through a database of websites that is compiled and updated by subject experts. This ensures that users get the most relevant information in the fields of:

1. cyber crime
2. cyber crime investigation
3. cyber forensics
4. computer security

Books are available in the following categories:
1. Forensics
2. Linux Security
3. Unix Security
4. Windows Security
5. Wireless Security
6. Firewalls

Additionally you can also subscribe to relevant magazines and buy security related software and electronics.