It has been several months since the Indian IT Rules 2011 were drafted into law in April 2011. However, despite the initial hue and cry, it’s back to business as usual for most organizations. Given that there is a decided lack of awareness and activity with regards to these rules, we spoke to industry experts to gauge their response and gain their perspective.
While the Indian IT Rules 2011 document has brought in clarity to a fair extent, some stipulations are open to interpretation. In the opinion of Gowree Gokhale, partner at Nishith Desai Associates, “the rules are more of a clarification than a drastic departure from the IT Act itself.” She adds that the rules are fraught with gray areas. Perhaps realizing this shortcoming, the Department of Information Technology (DoIT), Government of India, issued a press note in late August, clarifying some of the contentions.
The government has now made clear that the IT Rules 2011 apply only to companies located in India and companies that collect data directly from customers (and not under contract). Moreover, the note clarifies a major contentious issue regarding the requirement of written consent. Consent given through click-through agreements is now to be considered valid. While the government clarifies these and other contentious points in iterations, on-ground challenges remain.
Requirements, challenges and costs
To begin with, the rules now require organizations to have a comprehensive, documented information security policy in place. ISO 27001 is recommended as one of the acceptable compliance standards. According to the Indian IT Rules 2011, if an entity or association chooses to follow its own standards and security procedures, this has to be duly notified and approved by a government-appointed agency.
However, no such accredited industry standards exist as yet, and ISO 27001 can be expected to become the de facto standard for information security in India. Compulsory compliance with this standard is thus going to be the first cost to businesses under the Indian IT Rules 2011.
According to Rahul Aggarwal, Managing Consultant – Risk and Regulatory with PricewaterhouseCoopers (PwC), the Indian industry already has many controls in place, especially in the BPO sector. However, now that these requirements are legally binding under the Indian IT Rules 2011, businesses will face stringent record retention and documentation obligations.
SearchSecurity.in spoke to several enterprises across sectors (such as BFSI, IT/ITES, Telecom and Media) for this feature story. If there are still many organizations unaware or unconcerned about the IT Rules 2011 notification, it is possibly due to lack of precedent. Says Vakul Sharma, an advocate at the Supreme Court of India: “The rules are here and are now the law of the land. The onus is now on enterprises to incorporate them into their policies. Ignorance of the law cannot be a defense if at some later date they are found to be liable for a breach.”
According to Sharma, implementation of the Indian IT Rules 2011 will be a big challenge for businesses. Since the Indian IT Rules 2011 bring in the possibility of self-certification, an audit mechanism needs to be in place; however, no audit agencies have been identified by the government thus far. Sharma expects this to change in due course.
The real challenge, says PwC’s Aggarwal, is also going to be interpretation. Lacking precedent, organizations could each draw their own interpretation of the stipulations of the Indian IT Rules 2011. He feels that things will stabilize with maturity, as precedents are set over time.
Litigation cover
While section 43A of the Indian IT Rules 2011 covers every body-corporate, the same does not hold true for section 79, under which the intermediary rules fall. While the effort involved in implementing the stipulations might be substantial, Sharma believes that they shouldn’t be looked at as an impediment to the business, since compliance should translate into massive cost savings from the point of view of litigation and risk cover. He says that the Indian IT Rules 2011 guarantee freedom from liability for organizations that can demonstrate due diligence.
Charanjit Singh Sodhi, Airtel’s chief of security plans and policies, says that the IT Amendment Act 2008 under section 43A stipulates that every individual breach of customer data is liable to be fined up to Rs 1 crore (Rs 10 million). The ITAA also stipulates fines up to Rs 5 crore per individual breach for failure to protect customer data due to lack of due diligence. Says Sodhi, “The Indian IT Rules 2011 notifications have now brought clarity to what was once a gray area by clearly defining due diligence, sensitive customer data, etc.”
The Indian IT Rules 2011 notification is expected to bring overall hygiene to the industry, which will go a long way in ensuring data privacy and protection in the country. Aggarwal feels that organizations are at varying maturity levels, and this has a bearing on implementation. He explains that there will be those that will have to make little effort to attain compliance, while others could have a tough time defining controls and setting up frameworks that measure up to international standards.
Vicky Shah, founder of infosec consultancy firm The Eagle Eye, believes that the rules will standardize the information security ecosystem in the country, bringing it on par with global standards. Disclosure, liability and privacy now have well-defined responsibilities attached to them, he says.
The Indian IT Rules 2011 notification also brings in accountability, with the primary beneficiary being the consumer. Over time, it's reasonable to expect a common understanding around the interpretation of these rules in Indian enterprises. Based on the comments garnered from interviewed experts, the general consensus is that the Indian IT Rules 2011 notification is a good thing, as it holds the promise of increased accountability and security in the Indian information security and privacy ecosystem.
This was first published in September 2011