This article has been written by Nandan Rathi, a fifth-year law student at Hidayatullah National Law University.
Abstract-
In recent years India has made rapid progress in digital technology. This has increased the demand for an adequate standard of regulation governing cyberspace. Updated and improved cyber laws and protections have become the need of the hour because of the major cyber-attacks seen across the world.
In response to the growing call for a comprehensive overhaul of laws covering cyberspace, the government is taking measures and formulating necessary guidelines. These laws have an impact on individuals, businesses, and government offices. Further, there is a need to maintain the balance between innovation and regulation.
Key Words- Cybersecurity, Information Technology, regulations
INTRODUCTION-
After the COVID-19 pandemic, India rapidly expanded its digital infrastructure. This has pushed the demand for new, updated, and revamped regulatory mechanisms to strengthen cybersecurity. As technology advances and usage grows, the risk of being targeted by cyberattacks increases. Many incidents have already taken place, causing tension and concern among businesses, organizations, and individuals across India.
“The IBM Security Data Breach Report 2022 found that for FY 2022, the average data breach in India has recorded a 25% jump compared to 2020. The major form of cybersecurity attacks is unauthorized access to personal data, compromising sensitive information, and leaking it for personal benefit”[1].
For example, in 2021 “Air India suffered a huge cyber-attack. The personal data files of more than 4.5 million customers were leaked, undermining security and raising questions about individual privacy”[2]. In yet another incident “Domino’s India also faced a similar attack. The personal information of 180 million users was stolen straight from the company’s database”[3].
It is well known that technology advances rapidly, while law takes years to form. India lacks a comprehensive framework of cybersecurity laws. The regulations in place are outdated and do not adequately address rapidly evolving technology. The Indian government has started to take concrete measures to counter the menace of cyberattacks.
This article will focus on India’s cybersecurity regulations and relevant legislation: India’s current cybersecurity laws, how they are implemented, how they protect businesses and organizations from attacks, and what changes can be made to existing laws.
Current Cybersecurity Legislation in India-
The Information Technology Act, 2000
The year 2000 was when the Internet slowly started to spread in India. While its usage was becoming crucial, it also brought security threats, and the government had to enact a law to deal with this situation. Thus came the ‘Information Technology Act’ of 2000. It is administered by the “Indian Computer Emergency Response Team (CERT-in). It guides Indian cybersecurity legislation, institutes data protection policies, and governs cybercrime. It also protects e-governance, e-banking, e-commerce, and the private sector, among many others”[4].
The ITA defines “cybersecurity as protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction”[5].
“The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the CERT-In Rules) prescribe that CERT-In will be responsible for responding to cybersecurity incidents and will assist cyber-users in the country”[6].
Information Technology (Amendment) Act 2008
The IT (Amendment) Act 2008 brought important changes, broadening the scope of cybercrime offences and providing for the authentication of electronic signatures. “It also encouraged companies to implement better data security practices, making them liable for data breaches.
The IT Act of 2008 applies to any individual, company, or organization (intermediaries) that uses computer resources, computer networks, or other information technology in India”[7].
The major drawback of the IT Act 2008 is ‘Section 69’, which empowers the “Indian government to expeditiously intercept, monitor, decrypt, block, and remove data and content at its discretion, threatening a person’s privacy. Violation of the IT Act may incur penalties ranging from $1,250 to 3-year imprisonment”[8].
Information Technology Rules, 2011
The government notified the ‘Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules)’ as an important component of the cybersecurity framework.
The major amendments include “provisions for the regulation of intermediaries, updated penalties, and violation fees for cybercrime, cheating, slander, and nonconsensual publishing of private images”[9].
Indian SPDI Rules, 2011 for Reasonable Security Practices
“The rules give individuals the right to correct their information and impose restrictions on disclosure, data transfer, and security measures. They only apply to corporate entities, which aren’t responsible for the authenticity of sensitive personal data (SPD) like sexual orientation, medical records and history, biometric information, and passwords”[10].
National Cyber Security Policy, 2013
“The goal behind the National Cyber Security Policy is to create and develop more dynamic policies to improve the protection of India’s cyber ecosystem. The policy aims to make a workforce of over 500,000 expert IT professionals over the next five years through skill development and training”[11].
National Cyber Security Strategy 2020
To further improve its cybersecurity measures, the Indian government decided to formulate a strategy for securing cyberspace and preventing cyber-attacks. “The plan’s main goal is to serve as the official guidance for stakeholders, policymakers, and corporate leaders to avert cyber incidents, cyber terrorism, and espionage in cyberspace”[12]. Once the policy is implemented, cyber auditors will set up security programs for companies.
IT Rules, 2021
MeitY notified “the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021”, replacing the IT Rules, 2011.
“The new rules allow ordinary users of digital platforms to seek compensation for their grievances and accountability when their rights are infringed upon, as well as institute additional due diligence on organizations.
The IT Rules, 2021 also distinguish between smaller and more significant social media intermediaries based on user numbers and place a much heavier burden on larger social media intermediaries concerning personal data protection”[13].
KYC (Know Your Customer)
KYC is mandated by the Reserve Bank of India (RBI). “KYC is the tracking and monitoring of customer data security for improved safeguarding against fraud and payment credential theft. It requires banks, insurance companies, and any other digital payment companies that carry out financial transactions to verify and identify all of their customers”[14]. “For failing to adhere to the KYC directions, banks, businesses, and corporations may face a monetary penalty of ₹2 lakh”.
The Digital Personal Data Protection Act of 2023 (DPDP)
“The act borrows its broad definition of personal data from the EU’s General Data Protection Regulation (GDPR) and aims to protect data principals and restrict the activities of data fiduciaries”[15].
The act has various guidelines that individuals, businesses, corporations, and government departments must follow. “The DPDP established the Data Protection Board of India and outlined a new class of data fiduciaries. Significant data fiduciaries are organizations determined to pose increased risk based on a government assessment. Organizations willing to be significant data fiduciaries must comply with additional requirements”[16].
Criminal Laws Changes-
The Bharatiya Nagarik Sanhita (BNS) replaced the Indian Penal Code. Under the BNS, “continued cyber-crimes and economic offenses are referred to as organized crime. The BSA specifies that electronic records will be considered primary records. The BNS prescribes forging false electronic documents as an offense and lays down a punishment of seven years’ imprisonment and a fine”[17].
Additionally, the Companies Act 2013, requires companies to “implement security systems to ensure that electronic records are secured from unauthorized access”.
Further, India has sector-specific regulations in place that govern cybersecurity. In the banking sector, “the Reserve Bank of India Act 2018 deals with cybersecurity guidelines and framework. The act mandates the strict enforcement of guidelines, otherwise heavy penalties would be imposed. The RBI has enacted various cells to facilitate cybersecurity”[18]. The RBI also periodically amends and issues new directions governing cybersecurity.
Major Regulatory Bodies-
Enforcing the cybersecurity regulations can be a challenging task. To ensure that such rules and laws are properly implemented, the government has devised certain regulatory bodies.
Computer Emergency Response Team (CERT-In)
CERT-In became operational in 2004. “CERT-in is the national nodal agency for collecting, analyzing, forecasting, and disseminating non-critical cybersecurity incidents. The CERT-In cybersecurity directive helps by issuing guidelines for Indian organizations as well, giving the best possible practices to prevent threats”[19]. All intermediaries are required to report any cybersecurity incidents to CERT-In.
CERT-In’s Newest 6-Hour Data Breach Reporting Deadline-
This latest amendment addresses “cybersecurity reporting, mandating all Indian companies, service providers, intermediaries, data centres, and businesses to report identified cybersecurity incidents and data breaches within a 6-hour deadline”[20]. This provision has been criticized because businesses have found it extremely difficult to comply with: the short time frame does not allow a detailed report to be prepared. Despite the criticism, failing to adhere to the rules will attract a punishment of up to one year.
National Critical Information Infrastructure Protection Center (NCIIPC)
Under ‘Section 70’ of the Information Technology Act of 2000, the government in 2014 established the National Critical Information Infrastructure Protection Center (NCIIPC).
Located in the National Capital, “the NCIIPC was appointed as the national nodal agency in terms of Critical Information Infrastructure Protection. It comes under the Prime Minister’s Office (PMO)”[21].
India’s cybersecurity responsibilities are bifurcated into two parts: “Non-Critical Infrastructure (NCI),” for which CERT-In is responsible, and “Critical Information Infrastructure (CII),” for which NCIIPC is responsible.
“NCIIPC is responsible for reporting and monitoring critical sectors like energy and power, financial services including banking and insurance, telecommunication, transportation, and strategic public enterprises.
NCIIPC successfully implemented several guidelines for policy guidance, knowledge sharing, and cybersecurity awareness for organizations to conduct pre-emptive measures of the important sectors, especially in power and energy”[22].
The Indian government approved “the Revamped Distribution Sector Scheme in August 2021. The main goal is to improve the operations of DISCOMs (distribution companies) by enhancing the cyberinfrastructure with AI-based solutions”[23].
Cyber Regulations Appellate Tribunal (CRAT)
The Indian Government created CRAT under the Information Technology Act. “It acted as a chief governing body and authority for fact-finding, receiving cyber evidence, and examining witnesses”[24].
Securities and Exchange Board (SEBI) of India
Since 1988, the SEBI (Securities and Exchange Board of India) has been the regulatory body for “securities and commodity markets” in India. SEBI ensures that the needs of market intermediaries and investors are met.
“SEBI has six committee members who are required to oversee guidance for cybersecurity initiatives for the Indian market. SEBI also communicates with other agencies like CERT-In, NCSC (National Cyber Coordination Center), DoT (Department of Telecommunications), and The Ministry of Electronics and Information Technology (MeitY) for cooperation in implementing laws. For non-compliance with SEBI guidelines, a penalty of 20,000 is imposed on companies till they resolve the issue”[25].
Insurance Regulatory and Development Authority (IRDAI)
IRDAI issues information security guidelines for insurers and addresses the importance of maintaining data integrity and confidentiality.
According to a report “68% of Indian insurance organizations were affected by ransomware and resorted to paying ransom to recover their data”[26].
In 2022, “IRDAI introduced an improved cybersecurity framework focused on the insurer’s main security concerns. It aims to encourage insurance firms to establish and maintain a robust risk assessment plan, improve mitigation methods of internal and external threats, prevent ransomware attacks and other types of fraud, and implement robust business continuity”[27].
Telecom Regulatory Authority of India (TRAI) & Department of Telecommunications (DoT)
TRAI is a regulatory body, and DoT is a separate executive department of the Ministry of Communications in India. “TRAI has more regulatory powers; both work together to govern and regulate telephone operators and service providers. Currently, TRAI addresses newer responsibilities governing consumer data because most digital transactions in India are done via cell phones”[28].
The DoT collaborates with the Indian IT ministry for better and smooth implementation of laws.
Major Cyber Security Development Across the World-
Governments around the world are working to enact rules and regulations that boost cybersecurity measures. Countries like the US, the EU, and Singapore have made new laws to tackle rising cyber threats. This changing legal landscape is marked by the rise of Artificial Intelligence, which continues to have a major impact on cybersecurity. These new laws are shaping and transforming the global regulatory environment.
The World Economic Forum’s Global Cybersecurity Outlook report says that “business leaders are increasingly open to cybersecurity measures, a drastic change in a short time. The laws enacted across the world have varied from strengthening the existing laws to issuing guidelines”[29].
The European Union’s NIS2-
The Network and Information Security (NIS) Directive 2 was enacted in early 2023 and had a 21-month implementation period, which ended recently. “It was designed to strengthen cybersecurity resilience and harmonize regulations across the bloc. In particular, the regulations aim to beef up the EU’s cybersecurity capabilities around critical infrastructure such as energy systems, healthcare networks, and transportation services. The directive enhances the cooperation between member states and establishes a new center to oversee the coordinated response to cyberattacks. It compels organizations to report any cybersecurity breach within 24 hours”[30].
The US National Cybersecurity Strategy-
In May 2024, the US government reported that several aspects of the US National Cybersecurity Strategy had been advanced or had gone into force this year. This includes “developing cybersecurity scenario exercises to help critical infrastructure owners prepare for attacks from nation-states and malicious cyber actors and proposing changes in the way the government buys Internet of Things devices to ensure they are secure by design.
The strategy also aims to ensure that the US is at the forefront of developing cybersecurity standards and establishing a State Department Bureau of Cyberspace and Digital Policy to build international partnerships to counter malicious cyber actors”[31].
Singapore’s Operational Technology Cybersecurity Masterplan
This plan was released in August 2024. “It aims to bolster cybersecurity around the technology that underpins a modern economy. The operational technology (OT) includes much of the digital equipment that interfaces with the physical world”[32]. The plan is part of ongoing efforts to enhance cybersecurity measures.
The European Cyber Resilience Act
In 2024, the EU Cyber Resilience Act (CRA) was implemented, mandating bolstered cybersecurity mechanisms for everyday hardware and software products. “From baby monitors to smart-watches, products, and software that contain a digital component are omnipresent in our daily lives”[33]. The “CRA aims to guarantee that cybersecurity protocols are maintained throughout the entire lifecycle of digital products. The CRA mandates that cybersecurity obligations be adhered to at every value chain stage. Further, smart products that comply with the CRA will carry a European standard marking”[34].
The Need for Balancing Innovation and Regulation-
For any country to grow and develop, it requires innovation, development, and the use of advanced technology. This technology is a double-edged sword. While its importance cannot be questioned, it also threatens the safety and security of entities. Therefore, balance must be maintained to ensure that innovation and regulation go hand in hand.
It is the duty of the government to ensure that the rules it enacts are proportionate measures. If the government enacts rules that are too stringent, companies will be unable to comply with them. This will create further problems and should be avoided. On the other hand, lenient rules will mean that companies are not protected adequately, and the resulting loss of data protection will undermine the privacy of many customers.
India has taken various steps to regulate cybersecurity through initiatives and advisories. Guidelines have been issued to intermediaries and platforms that are potentially affected by cyberattacks. Users are also urged to maintain compliance.
Further, to overcome cyber threats, businesses, companies, and corporations will have to invest in software or other technologies to mitigate cyberattacks. This will increase the costs and regulatory burden. The government can give incentives to small players who will benefit from it.
Lastly, while the government pushes for the safety and welfare of the people against cyberattacks, it also recognizes the need for development and for promoting innovation. Therefore, India’s regulatory framework should balance innovation and regulation through regular assessment and feedback.
[1] IBM India News Room. (2022). IBM Report: Consumers Pay the Price as Data Breach Costs Reach All-Time High. [online] Available at: https://in.newsroom.ibm.com/IBM-Report-Cost-of-Data-Breach-2022.
[2] Page, C. (2021). Air India Data Breach: Hackers Access Personal Details Of 4.5 Million Customers. Forbes. [online] 23 May. Available at: https://www.forbes.com/sites/carlypage/2021/05/23/air-india-data-breach-hackers-access-personal-details-of-45-million-customers/.
[3] Srivatsan, K. (2021). Domino’s Pizza data breach: Company says financial information safe as data of 180 million users compromised. [online] Hindustan Times. Available at: https://www.hindustantimes.com/india-news/dominos-pizza-data-breach-company-says-financial-information-safe-as-data-of-180-million-users-compromised-101621855567340.html.
[4] Ravi, V. (2023). What is the Indian Computer Emergency Response Team (CERT-In)? [online] Vajiram & Ravi. Available at: https://vajiramandravi.com/upsc-daily-current-affairs/prelims-pointers/cert-in/
[5] Section 2 (nb) of Information Technology Act, 2000
[6] Majumdar, A. (2022). Cyber Security: India Revamps Rules On Mandatory Incident Reporting And Allied Compliances. [online] Natlawreview.com. Available at: https://natlawreview.com/article/cyber-security-india-revamps-rules-mandatory-incident-reporting-and-allied
[7] Hanna, K. (n.d.). What is the Information Technology Amendment Act 2008 (IT Act 2008)? [online] WhatIs.com. Available at: https://www.techtarget.com/whatis/definition/Information-Technology-Amendment-Act-2008-IT-Act-2008
[8] Ibid
[9] prateeka (2021). Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. [online] Legalserviceindia.com. Available at: https://www.legalserviceindia.com/legal/legal/article-13965-information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.html
[10] SS Rana (2017). Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 – Privacy – India. [online] www.mondaq.com. Available at: https://www.mondaq.com/india/data-protection/626190/information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.
[11] George, A. (2013). National Cyber Security Policy 2013 – In a nutshell. [online] ClearIAS. Available at: https://www.clearias.com/national-cyber-security-policy-2013/.
[12] IASbaba. (2022). India’s National Cyber Security Strategy. [online] Available at: https://iasbaba.com/2022/04/indias-national-cyber-security-strategy/.
[13] Goyal, T. (2022). Explained | The amendments to the IT Rules, 2021. The Hindu. [online] 31 Oct. Available at: https://www.thehindu.com/sci-tech/technology/explained-the-amendments-to-the-it-rules-2021/article66079214.ece.
[14] Ali, A. (2024). What is KYC and How to do KYC Verification? [online] cleartax. Available at: https://cleartax.in/s/what-is-kyc.
[15] Dhanvi Kadian (2024). Cyber Laws in India: Understanding Online Security and Data Privacy. [online] legalshiksha. Available at: https://www.legalshiksha.com/post/cyber-crime-and-cyber-laws-in-india-process-for-filing-cyber-crime-complaint-in-india
[16] CS Isha Deshwal (2024). Digital Personal Data Protection Act, 2023: Key Features and Implications for Data Privacy in India. [online] LexComply Blog. Available at: https://lexcomply.com/blog/digital-personal-data-protection-act-2023-key-features-and-implications-for-data-privacy-in-india/
[17] Narayan, A. and Gupta, P. (2019). The Legal 500. [online] Country Comparative Guides | The Legal 500. Available at: https://www.legal500.com/guides/chapter/india-data-protection-cybersecurity/
[18] LawBhoomi (2024). Cybersecurity Regulations for Financial Institutions in India. [online] LawBhoomi. Available at: https://lawbhoomi.com/cybersecurity-regulations-for-financial-institutions-in-india/
[19] ananda.krishna (2021). All About CERT-IN Certification. [online] Astra Security. Available at: https://www.getastra.com/blog/knowledge-base/cert-in-certification/
[20] Koragal, K. and Sharma, P. (2024). How to comply with CERT-In’s new six-hour time frame to report cyber incidents – Trilegal. [online] Trilegal. Available at: https://trilegal.com/news-insights/how-to-comply-with-cert-ins-new-six-hour-time-frame-to-report-cyber-incidents/
[21] NCIIPC (2024). National Critical Information Infrastructure Protection Centre, Government of India. [online] Nciipc.gov.in. Available at: https://www.nciipc.gov.in/CIISECEX2024.html
[22] Sadoian, L. (2024). NCIIPC Explained: Safeguarding India’s Critical Infrastructure | UpGuard. [online] Upguard.com. Available at: https://www.upguard.com/blog/nciipc-explained.
[23] Pib.gov.in. (2021). Cabinet approves Revamped Distribution Sector Scheme: A Reforms based and Results linked Scheme. [online] Available at: https://pib.gov.in/Pressreleaseshare.aspx?PRID=1731474
[24] Cybertalkindia.com. (2017). Composition, Power and Functions of Cyber Appellate Tribunal – CYBERTALKINDIA®. [online] Available at: https://www.cybertalkindia.com/composition-power-and-functions-of-cyber-appellate-tribunal/
[25] Mehra, S. and Ahuja, A. (2024). Cybersecurity and Cyber Resilience Framework by SEBI: A Step Towards Digital Safety. [online] Bar and Bench – Indian Legal news. Available at: https://www.barandbench.com/law-firms/view-point/cybersecurity-cyber-resilience-framework-sebi-digital-safety
[26] Adam, S. (2021). The State of Ransomware 2021. [online] Sophos News. Available at: https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/.
[27] Anuj Bahukhandi and Singh, P. (2023). IRDAI publishes Information and Cybersecurity Guidelines 2023. [online] Lexology. Available at: https://www.lexology.com/library/detail.aspx?g=632dc701-ee07-492c-8c7b-fb54167d486a [Accessed 29 Oct. 2024].
[28] CPR. (2022). Telecom Regulatory Authority of India: Briefing Note – CPR. [online] Available at: https://cprindia.org/telecom-regulatory-authority-of-india-briefing-note/
[29] World Economic Forum (2024). Global Cybersecurity Outlook 2024. [online] World Economic Forum. Available at: https://www.weforum.org/publications/global-cybersecurity-outlook-2024/.
[30] ENISA (2024). NIS Directive. [online] ENISA. Available at: https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new.
[31] Waltzman, H., Lilley, S. and Hickey, A. (2024). White House Releases National Cybersecurity Strategy Implementation Plan, Version 2 | Insights | Mayer Brown. [online] www.mayerbrown.com. Available at: https://www.mayerbrown.com/en/insights/publications/2024/05/white-house-releases-national-cybersecurity-strategy-implementation-plan-version-2.
[32] CSA Singapore (2024). Singapore’s Operational Technology Cybersecurity Masterplan 2024. [online] CSA Singapore. Available at: https://www.csa.gov.sg/Tips-Resource/publications/2024/operational-technology-cybersecurity-masterplan-2024
[33] digital-strategy.ec.europa.eu. (2024). EU Cyber Resilience Act | Shaping Europe’s digital future. [online] Available at: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act.
[34] Consilium. (2024). Cyber resilience act: Council adopts new law on security requirements for digital products. [online] Available at: https://www.consilium.europa.eu/en/press/press-releases/2024/10/10/cyber-resilience-act-council-adopts-new-law-on-security-requirements-for-digital-products/.