The Information Technology Act, 2000: Regulating Digital Technology and Communication System in India

The need for companies that handle sensitive personal data and information belonging to third parties to formulate and implement standard data protection measures has once again been thrown into prominence by the hacking of a major public sector bank: an official of the bank fell prey to a phishing email and clicked on a link that released malware, which then spread across the bank’s servers. The hackers would have got away with $171 million but were caught in time, and the bank was able to recover the entire sum in about 80 hours.

In India, the Information Technology Act, 2000 (the said Act) is the primary law dealing with electronic transactions and, to date, the only law on the subject.

The said Act was amended in 2008 to address issues not covered by the Act of 2000. The salient features of the amendment are as follows:

  • Protection of third party data maintained by companies
  • Redefining terms such as “communication device” to reflect current usage
  • Validating electronic signatures and contracts (electronic records are accepted as evidence in a court of law by the introduction of Section 65B of the Indian Evidence Act; the admissibility of electronic records has also been upheld by amendments to the Indian Penal Code)
  • Making corporations responsible for implementing effective data security practices and liable for breaches
  • Making the owner of a given IP address responsible for content accessed or distributed through it

WHY IS IT IMPORTANT FOR A COMPANY TO PROTECT COMPUTER SOURCE DATA AND THIRD PARTY SENSITIVE DATA?

Protection of computer source data and third-party sensitive data prevents direct financial losses such as lost sales and penal measures enforced by the State against the company, as well as indirect losses caused by a drop in investor confidence or by customers fleeing to competitors. Moreover, the State itself mandates the protection of data by issuing guidelines and framing regulations.

HOW CAN A COMPANY BE HELD RESPONSIBLE IF DATA IS NOT PROTECTED?

When a body corporate possesses, deals with or handles any Sensitive Personal Data and Information (SPDI) in a computer resource and is negligent in maintaining security practices and procedures, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation (Section 43A and Section 72A). It is to be noted that the Act does not specify an upper limit on such compensation.

SENSITIVE PERSONAL DATA AND INFORMATION (SPDI) INCLUDES:

  • Passwords
  • Financial information such as bank account, credit card, debit card or other payment instrument details
  • Physical, physiological and mental health condition
  • Sexual orientation
  • Medical records and history
  • Biometric information
  • Any detail relating to the above clauses as provided to a body corporate for providing a service
  • Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise

COMPANIES CAN ADOPT AND IMPLEMENT INTERNAL POLICIES AND GUIDELINES IN ORDER TO REDUCE LOSS OR BREACH OF DATA:

  • Restriction of access to sensitive areas such as server rooms
  • Perimeter security (office locks, alarms etc.)
  • Periodic audits to ensure that compliance is taking place
  • Secure disposal of records
  • Use of digital signatures for electronic communication
  • Whitelisting (a proactive security technique that allows only a limited set of approved programs to run while blocking all others)
  • Cyber security forensic audits to identify and plug gaps and to strengthen computer systems
  • Appointment of a Grievance Officer to receive complaints about loss of data and to investigate such instances
  • Regular seminars and sessions for employee awareness, to keep staff vigilant and updated on the requirements of data security and protection

The said Act also provides for penal measures for breach and/or violation of the relevant provisions of the said Act as contained in Sections 43, 65, 71, 72, 72A, 73 and 74 of the said Act.

In terms of the provisions of the ITA, 2000, the Director, Manager, Secretary and other officers of a company can also be held responsible for offences committed by the company if it is proved that they had knowledge of the offence or were in charge of the day-to-day administration of the company. This is envisaged in Section 85 of the ITA, 2000, which makes the Director, Manager, Secretary and other officers of a company vicariously liable for the acts of the company.

DO’S AND DON’TS

Certain guidelines, though seemingly simple, can, if implemented, ensure basic protection from theft or breach and minimise risk and liability:

  • Digital signature keys are not to be disclosed internally by the managerial persons handling such keys
  • Legal audit of documents, records and information maintained in electronic form
  • Do not use any unprotected computer; every computer should be safeguarded with antivirus software, firewalls and licensed (original) software
  • Do not leave sensitive information open and disclosed
  • Lock computers with alphanumeric passwords
  • Do not open suspicious links and emails
  • Train employees to identify potential threats such as phishing emails
  • Do not install unauthorised programs on computers used for official purposes
  • Whitelisting (a proactive security technique that allows only a limited set of approved programs to run while blocking all others)
  • Obtain third party data only with the written consent of the provider
  • Make the provider aware of the intended usage of such SPDI
  • Do not transfer or share third party data without the prior consent of the provider
  • Appoint a Grievance Officer to deal with complaints in respect of data loss

LANDMARK JUDGMENTS THAT PAVED THE WAY FOR EASIER IMPLEMENTATION OF THE ACT

SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra – India’s first case of cyber defamation, a Court of Delhi assumed jurisdiction over a matter where a company was being defamed through emails.

Nasscom vs. Ajay Sood & Others – In a landmark judgment the act of “phishing” was brought into the ambit of Indian laws even in the absence of specific legislation.

Shreya Singhal v. Union of India – The Hon’ble Supreme Court struck down Section 66A of the said Act being violative of Articles 14, 19 and 21 of the Constitution of India that guarantee citizens the Fundamental Rights to equality, free speech and life respectively, but not before citizens were targeted for online posts and emails that allegedly defamed politicians.

Privacy is a basic human right, and computer systems contain large amounts of data that may be sensitive. Chapters IX and XI of the Information Technology Act define liabilities for violations of data confidentiality and privacy, including unauthorised access to a computer, computer system, computer network or resource, and unauthorised alteration, deletion, addition, modification, destruction, duplication or transmission of data, computer databases, etc. The data so protected may include financial details, health information, business proposals, intellectual property and other sensitive data. The right to privacy is recognised in the Indian Constitution, but its growth and development is left entirely at the mercy of the judiciary.

Data protection and privacy have been dealt with in the Information Technology Act, 2000 in an exhaustive manner. The IT Act aims to set specific standards for reconciling the right to privacy with the handling of personal data, and is much needed for striking an effective balance between the disclosure and handling of personal data and privacy, especially with advancing technology in the digital medium and with India aiming to ‘go digital’ as a State policy across towns and villages through e-governance, e-courts and ‘e-dependence’.

About Author

Ishani Sen Gupta

Ishani SenGupta is an Associate Partner of S. Jalan & Company, Kolkata. Ms. SenGupta’s practice area includes corporate and commercial documentation and transactional work including real estate practice.

Soumyajit Nath

Soumyajit Nath is a Senior Associate at S. Jalan & Company, New Delhi. His area of practice includes corporate litigation in Delhi High Court and the Supreme Court of India and commercial arbitrations.