1. Introduction
  2. Timeline of Events
  3. Why was IT Act 2000 amended in 2008?
  4. Data privacy
  5. Definitions
  6. What is the punishment for cyber crimes?
  7. Who can conduct RAIDS AND INVESTIGATION for Cybercrimes?
  8. About the Author

This is a guest article written by Mr.Krapesh Bhatt, an IT Security professional from Surat.

Introduction

Dear All, Firstly, I would like to thank Mrunal for providing me with the opportunity to write and come up with the article which provides information on our IT ACT.

  • I am motivated to write this article relating to Our Information Technology Act and its related amendments so as to spread the awareness of the Act.
  • I have tried to make the IT Act’s major sections which come in our daily lives simpler to understand. As India is one of few countries in the world which enacted the law specially to curb cyber crime – a positive approach in this direction.
  • The countries which have their own cyber laws are U.S, U.K, Japan, European Union, Australia, Germany, Singapore, Belgium, Brazil, Canada, Italy, and France. India has too joined the club and framed laws to curb cyber crime.

Timeline of Events

  1. The ministry of commerce, Govt. of India drafted the guidelines as “Ecommerce Act 1998”, since the ministry of Information Technology was absent at that time.
  2. Later on coming to existence, this was re-drafted as “Information Technology bill 1999”
  3. This draft was placed in the parliament in Dec 1999 and passed in May 2000.
  4. After the Assent of president, the bill finally came to effect from 17th Oct 2000. This came to be known as “IT ACT 2000”
  5. It was amended in 2008.

Why was IT Act 2000 amended in 2008?

  1. The main intent to pass the 2000’s Act was to provide legal recognitions to transactions carried out by means of electronic data interchange and other means of electronic communications, commonly known as electronic commerce, which involved the use of alternatives to paper based methods of communication and storage of information and to facilitate the filing of documents of government agencies.
  2. But Cyber crime was not looked upon in this act. Even after passing the Act, there was still need to address the specific cyber crimes that were taking place along with the technological advancement.
  3. Since the Booming growth of BPO industry and increasing dependence on computers and networks, the incidents of leaking of private data from the BPO’s, Banks, Healthcare sectors, telecommunication industry gave rise to provide for a strict legislation to protect the data privacy of all the customers and corporations.
  4.  Also, the crimes related to privacy breach were rising but as there was no legal framework, specific to the incidents, the IT ACT 2000 seemed ineffective.
  5. With the developing demands, the amendments in the IT ACT 2000 were made and IT ACT 2008(amendment) was passed finally on 23rd December 2008.

Data privacy

As Data privacy remains prime importance to the topic of discussion, I will discuss the section related to Section 43A of the amended Act which covers all the sectors of Indian economy. Section 43A was inserted After Section 43 of the parent Act.
As per the stated Act, in Section 43A of the amended act, stats as follows:

“43A. Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

Definitions

Body Corporate Means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
reasonable security practices and procedures Means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment.
sensitive personal data or information It means

  1. Password;
  2. Financial information such as Bank account or credit card or debit card or other payment instrument details;
  3. Physical, physiological and mental health condition;
  4. Sexual orientation;
  5. Medical records and history;
  6. Biometric information;
  7. any detail relating to the above clauses as provided to body corporate for providing service; and
  8. Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.

 (SOURCE: IT ACT 2008 Amendment, Sec 43A)

What are the responsibilities of a company handling personal data?

Now, we try to understand the procedures and practices needed to safeguard the sensitive personal data from being stolen, modified without consent of owner, misused or sold in underground markets.
let’s make it simple to understand this rule. Say for eg.

  1. We have a bank, and as we all know, it deals with sensitive personal data of its customers in its computer networks/servers. Our names, account numbers, passwords, Date of birth, Sex, credit/Debit card details, etc.
  2. Therefore, to make sure the bank complies with Mandate of IT ACT, it needs to either get certify with ISO 27001 (world renowned standard for data protection) or it may develop its own security manual which describes full indepth details of its IT assets, the Life cycle of assets, the physical security measures(viz. CCTVs, Locks, vaults, fire prevention/detection, temperature controls in server rooms, security guard details and so on).
  3. It should also have a detailed Business Continuity plan (In case of any natural/manmade calamity the organization must have a detailed backup process so as to continue its business),
  4. Other applicable procedures of separation of duties of key personals, background checks of employees before employing, etc.
  5. Not only Banks, but the BPOs/KPOs, hospitals, and various other businesses which deals with sensitive personal data, need to comply with this act.

What is the punishment for cyber crimes?

SECTION OF THE ACT OFFENCE PENALTY
Section 65 Tampering with computer source documents. Imprisonment up to 3 years or a fine of 2 lakh rupees, or both.
Section 66 Hacking & Breach of confidentiality of personal information as per sec.43 & 43A Imprisonment up to 3 years or a fine up to 5 lakh rupees or both.
(For Hacking, fine is 2 lakh rupees, imprisonment is 3 years)
Section 66A Sending offensive messages through communication service, etc. Imprisonment of 3 years & fine.
Section 66B Dishonestly receiving stolen resource or communication device. Imprisonment of 3 years & fine.
Section 66C & D Identity theft Imprisonment up to 3 years & fine up to 1 lakh rupees.
Section 66E Violation of personal Privacy Imprisonment up to 3 years or fine not exceeding 2 lakh rupees or with both.
Section 66F Cyber terrorism Imprisonment for life.
Section 67, 67A & B Publishing or transmitting obscene material in electronic form./pornography/child pornography Imprisonment term up to 5/7 years and fine up to 10 lakh rupees.
Section 67C Failure to preserve and retain information by intermediaries Imprisonment for 3 years and fine.

Who can conduct RAIDS AND INVESTIGATION for Cybercrimes?

  • As per the act, previously, a police officer not less than a rank of DySP can investigate or conduct a raid at a public place without a warrant, but as per the amendment, the rank of Police Inspector can investigate the offences and conduct raids. (Section 78-amended)
  • Also, As per the provisions in the act, and according to section 46(amended), adjudicating officer shall exercise jurisdiction to adjudicate matters in which claim for injury or damage does not exceed 5 crore. If this claim exceeds above 5 crore, then the matter is looked upon by the competent court.

NOTE:

This article is made to provide firsthand information to the readers regarding Information technology act, and spread awareness for IT ACT among masses. In case more detailed information is needed, then it is recommended to refer the gazette published by the ministry of information technology.
Website: http://www.mit.gov.in/

ABOUT THE AUTHOR OF ARTICLE:

This article is prepared by EVOLUTION INFO SECURE SERVICES; we are Cyber Security Company which offers techno-legal consulting in the line of IT ACT. More information about the company can be found at our website: www.evolutioninfosecure.in
you can contact us at

  1. email: contact@evolutioninfosecure.in
  2. twitter: @EVOLUTIONSEC

Readers can post their feedback, comments, compliments, suggestions, doubts on the email address given. I will be more than happy to respond to them, as I firmly believe that knowledge increases by sharing rather than keeping stagnant in minds.