Security of information and of networks is of tremendous significance. That significance has been further enhanced by the onset of Cyber Terrorism in a big way.
The September 11th 2001 attacks on the World Trade Centre symbolized an irreversible turning point in the history of the web. The September 11th attacks led to the destruction of immensely valuable information and networks, apart from loss of life and property. As such, after the September 11th attacks, the concentration of the world’s attention on security has become unprecedented.
Information Security brings along with it various aspects and issues concerning its legalities. At this juncture it is important to note the legal position of Information Security in India.
India enacted its first Cyberlaw, namely the Information Technology Act, 2000, on 17th May 2000, which was implemented on 17th Oct 2000. A perusal of the preamble of the IT Act clearly shows that this is not a law dedicated to Information Security. However, since Information Security is an absolute necessity for E-Commerce transactions, the law covers some aspects relating to the same. This is evident, as one of the main objectives of the IT Act 2000 is to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information.
As such, Information Security is covered in some measure under the IT Act 2000. It is important to note that the definitional clause of the Indian Cyberlaw does not give a legal definition of security. However, it provides the definitions of secure system and security procedure. Thus, "secure system" means computer hardware, software, and procedure that:
- are reasonably secure from unauthorized access and misuse
- provide a reasonable level of reliability and correct operation
- are reasonably suited to performing the intended function
- adhere to generally accepted security procedures
Similarly, "security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000. The law defines a secure electronic record. It states that where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.
The Indian Cyberlaw also details secure digital signatures. If by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
- unique to the subscriber affixing it
- capable of identifying such subscriber
- created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated

then such digital signature shall be deemed to be a secure digital signature.
The Central Government has been empowered to prescribe the security procedure having regard to commercial circumstances prevailing at the time when the procedure was used, including:
- the nature of the transaction
- the level of sophistication of the parties with reference to their technological capacity
- the volume of similar transactions engaged in by other parties
- the availability of alternatives offered to but rejected by any party
- the cost of alternative procedures
- the procedures in general use for similar types of transactions or communications.
The Indian Cyberlaw makes breach of security an act which attracts consequences of civil liability. If a person, without the permission of the owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, he is liable to pay statutory damages by way of compensation, not exceeding 10 million Indian rupees (one Crore rupees), to the person so affected.
Thus, merely gaining access to any computer, computer system or computer network by breaching or violating the security processes or mechanisms is enough to attract the civil liability.

In addition, doing any further acts in the computer, computer system or computer network, including downloading, copying or extracting any data, computer database or information from such system or introducing any computer virus into the same or damaging, disrupting or causing to be damaged or disruption of the same or denying the access to any authorized person of the same and providing any assistance to any person for doing any of the acts mentioned above, would also attract the civil liability of damages by way of compensation not exceeding ten million Indian rupees (one Crore rupees).
In addition, breach of Information Security is also implicitly recognized as a penal offence in the form of hacking. It is pertinent to note that section 66 of the IT Act, 2000 makes hacking a penal offence punishable with three years imprisonment and two lakh rupees fine. The way in which section 66 has been drafted obviously shows that the breach of Information Security is an integral and paramount feature of the same.
The appropriate government, be it the Central or State Government, has been given the discretion to declare any computer, computer system or computer network as a protected system. Further, any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the law shall be punished with imprisonment of either description for a term which may extend to ten years and shall be liable to fine.
For the purpose of investigating the offences detailed under the IT Act, 2000, police officers not below the rank of Deputy Superintendent of Police have been duly authorized. These officers have also been given the power of entry, search and arrest without warrant in public places.
Further, as per amendments made in the Indian Evidence Act, 1872 by the IT Act, 2000, it has been provided that in any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates. The law also states that in any proceedings involving a secure digital signature, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record.
Finally some issues of Information Security relating to entities which want to be Certifying Authorities have been specified in the Information Technology (Certifying Authorities) Rules 2000 and the Information Technology Security Guidelines. These guidelines are pretty exhaustive and detail different aspects of physical and operational security and information management including sensitive information security, system integrity, security measures and many other issues.
Thus while Information Security has been elaborately dealt with by the IT Act and Rules, there are a number of issues which have been left to the subjective discretion of legal entities.
In conclusion, I am of the opinion that the legal issues relating to Information Security are likely to develop much further over a period of time, more so in the context of the scenario that has emerged post the September 11th attacks. The law on security of information and networks has to evolve much further to keep pace with the developments on the technological front. Together, it is the responsibility of each netizen and computer user to ensure that the security of their computers, computer systems and computer networks is preserved and not violated. Only in preservation of Information Security of the same lies the path of progress and prosperity.
The author, Pavan Duggal can be contacted at
pduggal@nde.vsnl.net.in,
pavanduggal@hotmail.com
He is a Supreme Court Advocate, Cyberlaw Consultant, President – Cyberlaw.net, Member MAC, ICANN. You can also log into the site http://www.cyberlaws.net
More information about the author is available at:
http://www.google.com/search?sourceid=navclient&q=pavan+duggal
http://s.teoma.com/search?q=pavan+duggal&qcat=1&qsrc=0&Search.x=11&Search.y=15
http://www.cyberlaws.net/cyberindia/pavanlinks.htm
Updated on: 30 Mar, 2006











