Part III: Cybersecurity and Privacy

Emergent technologies make access to data far easier, even without the consent of the owner/controller of this data. In this context, the IT Act under Section 2(nb) defines cyber-security to mean "protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction."
On this basis, the broad definition of a "cyber-crime" is fairly clear – i.e., unauthorised access to devices (such as computers) or the data stored therein. In Jaydeep Vrujlal Depani v State of Gujarat, the Gujarat HC held that crimes committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm or loss to the victim, directly or indirectly, using modern telecommunications networks such as the Internet (including chatrooms, emails, notice boards and groups) and mobile phones would constitute cyber-offences.
To ensure that such threats are minimised, the Act adopts a three-part mechanism. First, it sets standards for security procedures and practices involving computers and data (including storage, data transfer etc.). Second, it provides civil and criminal penalties/punishments for breaches under the Act. Third, it provides for security measures during data breaches by setting up relevant nodal authorities.

Information Security Standards: Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 ("SPDI Rules")

Section 43A of the IT Act establishes civil liability for a failure to protect data when a duty to do so exists with a body corporate dealing with sensitive personal data or information. Three conditions are laid out:
(i) The body corporate possesses, handles, or deals with "sensitive personal data or information."
(ii) Such handling is done through a computer resource which the body corporate owns, controls or operates.
(iii) Wrongful loss or gain is caused with relation to such data/computer resource because the body corporate did not implement adequate security practices.
Now of course, certain major questions arise: what is sensitive personal data or information? What would constitute "adequate security practices"? Would the presence of a breach automatically mean that the security procedures implemented were not adequate? The SPDI Rules were implemented to answer these questions.

Sensitive Personal Data or Information ("SPDI"): Definition and Scope

Personal data or information essentially refers to information that relates to a natural person and that, directly or along with other information likely to be accessible to a body corporate (including information in the public domain), can be used to identify the natural person in question (Rule 2(1)(i)). Building on this, SPDI is defined under Rule 3 and may broadly be categorised as financial information, physio-biological (including medical) information and passwords. This also includes information related to the above (such as the security questions used to recover passwords). Since Rule 3 acts as a trigger, as a result of which certain organisations become subject to higher standards of data protection, judicious interpretation becomes important. More importantly, as provided under Section 43A, the standards set out here apply only to body corporates, and not to natural persons.

Provisions

The SPDI Rules outline certain obligations to be followed by body corporates with respect to handling of SPDI.
On Collection
  1. Informed consent: Prior to collecting SPDI, all body corporates should clearly inform the owners of the data (from whom data collection is happening) why such data is being collected and what their privacy policy is (i.e., how they handle the data, how storage and sharing of such data happens, for how long the data will be stored, etc.). This should be explained in a simple, accessible manner (Rule 4). Following this, the body corporate (or its authorised representative) has to obtain the consent of the person from whom such SPDI is collected (Rule 5(1)).
  1. Absolute necessity: Rule 5(2) goes further to state that SPDI can only be collected if: (a) the SPDI is collected for lawful purposes in connection with the functioning of the body corporate, and (b) collection of the SPDI is considered necessary for such purposes. Naturally, questions about the scope of phrases such as "connected to a function or activity of the body corporate" and "considered necessary" are subject to case-by-case analysis.
On Retention and Storage
  1. Retention of SPDI must not exceed the period necessary for lawful use unless otherwise mandated by law (Rule 5(4)). The data collected must only be used for the purpose for which it was collected (Rule 5(5)).
  1. Rule 5(7) entitles data principals to refuse to provide SPDI or withdraw consent at any time. Withdrawal must be in writing, and it enables the body corporate to deny service if the information is essential. This rule creates an opt-out mechanism, though it has not been enforced on a large enough scale.
  1. The Rules also provide data review and correction rights (Rule 5(6)), allowing individuals to verify and amend inaccuracies in data shared. However, the owner of the data is the one who should ensure that data post amendment is accurate.
On Data Sharing
  1. If the data is to be shared, prior consent (in writing/fax/email) of the provider of such information is mandatory. This permission is not necessary if the data is to be shared with government agencies which are given permission under the law to collect SPDI for purposes of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences. However, to exercise this power, government agencies are required to send a notice to the collector of the SPDI outlining what data they need and why (Rule 6).
  1. Rule 7 states that data transfers to other organisations, whether domestic or international, can only be made subject to two conditions: (a) such transfer of data is necessary for performance of the terms of the contract; and (b) the receiving organisation ensures the same level of protection as the body corporate (which is presumably compliant with the SPDI Rules).
On Best Practices (Rule 8)
  1. The SPDI Rules recognise IS/ISO/IEC 27001 – "Information Technology – Security Techniques – Information Security Management System – Requirements" as one of the recognised standards of information security practice. The body corporate must implement and adequately document the technical, managerial and procedural standards through information security policies, as may be necessary.
  1. In case of self-regulating entities that follow procedures other than IS/ISO/IEC 27001, the question of whether their Information Security practices are compliant with Rule 8 shall be subject to due approval from the Central Government.
  1. Further, audits ensuring compliance with reasonable best practices shall be performed once a year or upon significant upgradation of systems/computer resource and process.

This section continues with detailed coverage of punitive measures, criminal offences, and CERT-In provisions...