Organisations and their role in regulating Hacking in India

Naina Agarwal[1]

Unauthorized Access, also known as hacking in common parlance, is a type of cybercrime wherein a person knowingly gains access to the data of another system using a data processing device without the consent of the owner.[2] Unfortunately, India is yet to have dedicated data protection legislation[3] and in its absence, it is essential to determine the responsibility of the organizations dealing in sensitive data to prevent such data invasions. The aim of this article is to analyze the Indian regulations in this regard and assess the limitations persisting in the Indian Cyber laws to deal with hacking in comparison to the prevailing global standards. It further attempts to suggest changes in the existing cyber law framework in order to become better equipped in curbing the instances of hacking.

Regulations Governing Hacking in India

In order to define the organization, it is pertinent to look at the definition of “person” under the Indian Penal Code, 1860. According to Section 11 of IPC, the word “person” includes any Company or Association or body of persons, whether incorporated or not.[4] In terms of IT Act, 2000 for the purpose of imposing liability an organization is described as a body corporate which can be sued for its negligence. Since there is no specific legislation on data protection in India, the Information and Technology Act, 2000 covers the major aspect of data protection and deals with all types of cybercrimes. In addition to the aforesaid legislation, the Indian Penal Code, 1860 penalizes various cybercrimes including obscenity, data theft, cheating, cyber frauds.[5]

Under Section 43 of the IT Act, 2000, a civil liability incurs and the person gaining such unauthorized access can be made liable to pay compensation to the person affected by such intrusion[6] whereas, a criminal liability arises under Section 66 of the IT Act, 2000, punishing the offender with imprisonment up to three years and/or fine up to five lakh rupees.[7] Moreover, Section 43A of the act, which was added by way of an amendment in 2009 also imposes a civil liability for negligence on the body corporate which handles or deals with sensitive information.[8] Section 70(3) of the IT Act, 2000 also provides punishment for the person who gains or attempts to gain unauthorized access in contravention of this provision.[9]

At times, the offences given under the IT Act, 2000 may overlap with offences penalized under IPC and this can lead to ambiguity where offences compoundable and bailable under one legislation may be non-compoundable and non-bailable under the other legislation. In Gagan Harsh Sharma v. The State of Maharashtra[10], the employees were prosecuted under Section 408 and Section 420 of IPC, 1860 and at the same time charges were also levelled against them under Section 43 and 66 of the IT Act, 2000 for the theft of data and software after hacking into the employer’s system. The issue before the court was that the offences under IT Act, 2000 were bailable while the offences under IPC were not therefore, the petitioners should not be charged for offences under IPC. The Court upheld petitioner’s contention after relying on the Supreme Court’s judgement in Sharat Babu Digumarti v. Govt. of NCT of Delhi wherein it was held that an individual will not be charged for offences under IPC if he is being charged under the IT Act for the “offences arising out of same action”.[11]

Despite the legal provisions in place, there have been numerous occurrences of hacking in India. For instance, the website of the Supreme Court of India was attacked by the hackers after the Loya death verdict.[12] Websites of various organizations such as Indian Space Research Organization, TRAI, Central Bureau of Investigation, JNU, IRCTC and multiple public as well as private sector banks have also come under attack in relation with unauthorized access and data theft.[13] However, these instances are not limited to India. In 2014, the internet giant Yahoo claimed that its system was hacked and the data of nearly 500 million users was stolen.[14] Prior to that, a similar incident happened with Yahoo in 2013 which affected 3 billion users. The Bangladesh Bank Heist is another notable incident wherein the hackers illegally transferred millions of dollars from Bangladesh Bank and later transferred them to accounts in Philippines and Sri Lanka[15] and most recently, in 2017, systems around the world were infected with “WannaCry” ransomware[16].

Organization’s Liability on Data Breach

To curb the menace of cybercrime, European Union has come up with General Data Protection Regulation which has laid down strict standards for data protection of the consumers in Europe by bestowing responsibility on the companies to maintain compliance.[17] In July 2020, the Court of Justice of the European delivered a landmark judgement in the matter of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems.[18]The court held that companies transferring data to the importing country must ensure that there are “adequate standards of protection” in the importing country as per the Standard Contractual Clauses and the local laws of importing country are not contrary to SCCs. The Court thereby made the data exporters responsible for the protection of data not only in Europe but also abroad.

In India as well, the need to protect privacy of an individual was felt when Supreme Court delivered the landmark judgement in Justice K.S. Puttaswamy(Retd.) v. Union of India and Ors.[19] In Swami Ramdev v. Facebook Inc.[20], the Delhi High Court passed an order whereby the defendants were held responsible and further, were directed to remove defamatory content against the petitioner from all the digital platforms available in India and outside India. In K.N. Govindacharya v. Union of India[21], the Court mandated foreign companies conducting businesses in India to appoint grievance officers by exercising the extra-territorial jurisdiction provided under the IT Act, 2000.

A company can be held liable for its negligent conduct u/s 43A of the IT Act, 2000. On the other hand conditional immunity is provided to intermediaries u/s 79(1) subject to conditions laid down u/s 79(2) and 79(3). In Shreya Singhal v. Union of India,[22] the Supreme Court iterated that an intermediary is responsible for taking down the content after it has come to its knowledge that such content is unlawful. This becomes a problem as intermediary is not required to act on its own discretion where removal of unlawful content is concerned.[23]

On the lines of EU’s GDPR, India introduced the Personal Data Protection Bill, 2019 which is yet to come in force. Under the Bill certain obligations have been imposed upon the “data fiduciaries". These data fiduciaries include the state actors as well as private entities. Thereby, it makes the companies liable for protection of personal data. Additionally, it also asks them to comply with technical standards such as fair and reasonable collection of data and notice requirement for collection of data. The data fiduciaries also have to ensure safety and adopt measures of transparency in lawful processing of data.[24] Moreover, certain regulation standards can also be laid down by industry specific regulators like RBI and SEBI stipulating additional safeguards to be observed by organizations such as banks and companies to prevent breach of data.[25]

Changes Required in Indian Approach

There are several changes required in India’s approach to make organisations more accountable. As per the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, reasonable security practices are to be observed by companies engaged in processing of sensitive personal data and information. Similarly under the Intermediaries Guidelines, 2011, intermediaries are also required to observe reasonable security practices. For instance, before disclosing data to a third party, the consent of person providing SPDI is required in addition to collection and processing of data. Regulatory authorities like RBI and IRDAI prescribe certain technical safety standards to be followed by the entities in the industry so as to foster a secure environment, well-equipped against possible acts of hacking. Therefore, role of Regulatory Authorities is crucial in order to strengthen the existing cyber framework. Shift of responsibility from individuals to large scale companies also establishes a system of accountability and transparency.

Companies can, in fact, adopt better industry practices to avert data breaches. They can develop a strategy for compliance with the existing legal norms by providing an operational structure. Regular review of compliance and privacy impact assessment must be done to identify any potential risks. The identified risks must be dealt with on priority basis to eradicate the threat effectively. Before collecting the data, companies must ensure that consent of SPDI provider is obtained and data is used for the purposes for which such consent was obtained. In addition to this, organisations can protect themselves against cyberattacks through cyber insurance.[26] If protected, companies will also be safeguarded against losses that may incur due to such breach. This, however, does not imply that companies do not need a strong cybersecurity defence. Cyber insurance can only mitigate the risk to a certain extent but companies must adhere to all possible compliances.

Section 84A of the IT Act, 2000 allows the Central Government to provide Encryption Standards but India does not have any law on encryption as of now even though regulatory authorities can recommend minimum encryption standards for securing transactions.[27] Like GDPR in European Union, India also needs to lay down specific guidelines for Encryption Standards and safeguards for protection of data.

Conclusion

The weakness of the Indian Cyberlaw framework is a major reason behind the inadequacy of authorities to curb hacking. Numerous efforts have been made in order to secure sensitive personal data and information. However, lack of enforcement and exploitation of loopholes by hackers in the absence of accountability by companies continue to haunt India’s struggle against hacking. With laws on data protection still being in a nascent stage, organisations must assume responsibility and play a definitive role in preventing data breaches in India.
[1] Naina Agarwal is a final year law student at University School of Law and Legal Studies, GGS Indraprastha University. She has a keen interest in Telecommunications, Media and Technology Law. For any discussion related to the article, she can be contacted via mail naina127a@gmail.com
[2] Seth P. Chazin, Unauthorized Computer Access (Otherwise Known as Hacking), Bay Area Attorney, (Oct. 17, 2019, 1:57 AM), https://www.bayarea-attorney.com/unauthorized-computer-access-otherwise-known-as-hacking
[3] Aprajita Rana, Cybersecurity Comparative Guide, Mondaq (Jan 23, 2021, 7:45 PM), https://www.mondaq.com/india/technology/963026/cybersecurity-comparative-guide.
[4] Indian Penal Code 1860 § 11.
[5] Vinod Joseph and Deeya Ray, Cyber Crimes Under The IPC And IT Act - An Uneasy Co-Existence, Mondaq (Jan 23, 2021, 7:45 PM), https://www.mondaq.com/india/it-and-internet/891738/cyber-crimes-under-the-ipc-and-it-act--an-uneasy-co-existence?login=true
[6] Information and Technology Act 2000 § 43.
[7] Information and Technology Act 2000 § 66.
[8] Information and Technology Act 2000 § 43-A.
[9] Information and Technology Act 2000 § 70(3).
[10] 2019 CriLJ 1398
[11] AIR 2017 SC150.
[12] Samanwaya Rautray, Supreme Court website hacked within minutes after Loya death verdict, The Economic Times, (Nov. 06, 2019, 3:23 PM), https://economictimes.indiatimes.com/news/politics-and-nation/supreme-court-website-hacked-within-minutes-after-loya-death-verdict/articleshow/63838925.cms?from=mdr
[13] Ivan Mehta, 6 Indian Websites That Have Recently Been Taken Down By Hackers, Huffington Post, (Nov. 06, 2019, 3:23 PM), https://www.huffingtonpost.in/2016/03/02/the-hack-is-digital-india_n_9371044.html
[14] Nicole Perlroth, All 3 Billion Yahoo Accounts Were Affected by 2013 Attack, The New York Times, (Nov. 06, 2019, 3:23 PM), https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
[15] Mamun Rashid, The Bangladesh Bank heist and beyond, Dhaka Tribune, (Nov. 06, 2019, 5:46 PM) https://www.dhakatribune.com/opinion/op-ed/2019/02/03/the-bangladesh-bank-heist-and-beyond
[16] Dustin Volz, U.S. blames North Korea for 'WannaCry' cyber-attack, Reuters, (Nov. 06, 2019, 3:23 PM), https://in.reuters.com/article/usa-cyber-northkorea/u-s-blames-north-korea-for-wannacry-cyber-attack-idINKBN1ED01G
[17] Michael Nadeau, General Data Protection Regulation (GDPR): What you need to know to stay compliant, CSO (Jan 23, 2021, 7:45 PM), https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
[18] (Case C-311/18) (Schrems II)
[19] (2017) 10 SCC 1
[20] (2019) 263 DLT 689
[21] W.P. (C) 3672/2012
[22] (2013) 12 S.C.C. 73
[23] Malvika Kapila Kalra, Intermediary Liability under the Information Technology Act: Time for an Amendment?, Bar and bench (Jan. 23, 2021, 7:54 PM) https://www.barandbench.com/columns/intermediary-liability-under-the-information-technology-act-time-for-an-amendment
[24] Rashi Dhir and Divya Sharma, Obligations On Businesses Vis-À-Vis The Personal Data Protection Bill, 2019, Mondaq (Jan. 23, 2021, 7:54 PM), https://www.mondaq.com/india/Privacy/893238/Obligations-On-Businesses-Vis-Vis-The-Personal-Data-Protection-Bill-2019
[25] Supra, note 2.
[26] CISCO, What is Cyber Insurance, (Jan 29, 2020, 1:56 AM), https://www.cisco.com/c/en/us/solutions/security/cyber-insurance/what-is-cyber-insurance.html#~why-cyber-insurance
[27] SFLC, FAQ-Legal Position on Encryption in India, (Jan 29, 2020, 1:56 AM), https://sflc.in/faq-legal-position-encryption-india#:~:text=No%2C%20India%20does%20not%20have,be%20used%20in%20securing%20transactions.

CONTACT

Any queries can be addressed via mail at cictl@mnlumumbai.edu.in  (Kindly mention “Query – Blog) at the mail.

Maharashtra National Law University Mumbai Post Box No: 8401 Powai, Mumbai – 400 076 Tel: 022-25703187, 022-25703188 Email: nlumumbai@mnlumumbai.edu.in

Leave a Comment

Your email address will not be published. Required fields are marked *