IT (Amendment) Act 2008 and its effect on the Indian enterprise

By Dhwani Pandya, Principal Correspondent 29 Oct 2009 | SearchSecurity.in

Enterprise IT tips and expert advice Digg This!     StumbleUpon     Del.icio.us

The Information Technology (Amendment) 2008 Act has been debated since it was passed by the Indian Parliament in December 2008, about a month after the terrorist attacks in Mumbai. Certain sections like Section 69 which provides authority to the Indian government for interception, monitoring, decryption and blocking electronic data traffic have come under major criticism. "The Act has provided Indian government with the power of surveillance, monitoring and blocking data traffic. The new powers under the amendment act tend to give Indian government a texture and color of being a surveillance state," says Pavan Duggal, a cyber law consultant and advocate at the Supreme Court of India.

Vivek Kathpalia, the partner at Nishith Desai Associates observes that though the earlier IT Act provided the government with statutory powers to intercept information, it did not provide the power to monitor and decrypt digital information. Now it has the ability to monitor and seek decryption of communication over computer networks (such as email and IP telephony). The new IT Act empowers the Indian government to intercept, monitor and decrypt computer systems, resources and communication devices. This means that the government will be able to conduct surveillance on corporate networks and email systems.

According to Duggal, the new IT Act does not include sufficient checks and balances to prevent misuse of information. This raises corporate espionage and information leakage concerns.

While Kathpalia believes that the new IT Act provides good requirements from a national security perspective, information access misuse by unscrupulous parties may prove to be dangerous for enterprises (as well as individuals). "The government needs to keep an eye on how the Act is implemented. The rules framed under this Act should be very clear. Individuals and corporate bodies should be approached only if the matter relates to national security requirements. The Indian government should also ensure that the information gathered by them is kept confidential," says Kathpalia.

The Indian Computer Emergency Response Team (CERT-In) will act as a national agency to address cyber security incidents. CERT-In will have powers to monitor, collect, analyze, and block information. Kathpalia feels that very strict rules are required to govern the functioning of this agency.

At the moment, there is much ambiguity about the available safeguards for an enterprise if it is subjected to interception and monitoring under the new IT act. On this front, Kathpalia clarifies that the IT act prescribes procedures and safeguards under for interception, decryption or monitoring. The IT Act also mentions that the government's appointed agency (which has not been identified at present – possible agencies include those such as the Police Departments' cyber cells and the Central Bureau of Investigation) should record reasons in writing and issue an order. "If a company suspects foul play after receiving the order, it can always challenge the order by approaching the court. In cases of insufficient reasons provided by the authority, it can also get a stay order from the court," says Kathpalia. If the agency finds incriminating evidence during investigation, it will require a magistrate's order to take possession of the computer assets under question.

The new IT Act mentions that if an enterprise is negligent in implementing a reasonable information security procedure, then it's liable to pay damages to the affected party.

Data privacy issues

Earlier, there was no clarity over data security and privacy issues in India, since this issue was not governed by any Act. Much ambiguity existed when it came to the obligations of an enterprise which handles sensitive personal data (like credit card or medical information). With the new IT Act, the government necessitates that corporate bodies protect all personal data and information they possess, deal or handle in a computer resource under section 43 (A), informs Kathpalia.

The new IT Act mentions that if an enterprise is negligent in implementing a reasonable information security procedure, then it's liable to pay damages to the affected party. It also tries to explain reasonable security practices and procedures. According to the Act, reasonable security means procedures and practices designed to protect sensitive information from unauthorized access, modification and disclosure. The Act tries to explain the nature of sensitive data, informs Kathpalia.

However, Duggal feels that the new IT Act does not provide adequate legal mechanisms for data protection and privacy. "Data protection and privacy cannot be given adequate coverage under a single section. Hence we need to have dedicated data protection laws like other nations," Duggal suggests. On this front, Kathpalia feels that enterprises will need more guidance on sensitive data and reasonable security practices within the organization.

The new IT act lacks coverage of areas like social networking, user generated content, spyware and malware. "Emerging cybercrimes and mobile crimes have not been appropriately addressed. The definition of sensitive and personal data has been left to the government," says Duggal.

Yet another bone of contention in the new IT Act is the reduction in punishment tenures for cybercrime. Although the new IT Act rates cyber terrorism as a heinous offence punishable with life imprisonment, it is a cybercrime friendly legislation, claims Duggal. The IT Act has reduced its quantum of punishment and almost all cyber crimes are now bailable. "An offense such as online obscenity earlier received an imprisonment for five years. Now it has been reduced to a year," observes Duggal.

To sum it up, the new Indian IT Act tries to capture several aspects dealing with personal data privacy, Blackhat hacking and cyber terrorism. However, a strong and regulated implementation mechanism is required to mitigate possibilities of the Act's misuse.

Tags: Business compliance management,  Enterprise risk management strategies,  Risk Management Strategies,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Business compliance management Information rights management helps L&T protect its knowhow Voice data security risks on the rise, say experts Firewall audit tools aid compliance Interest in data leakage protection, event log management rises Improving regulatory compliance management through log analysis, SIEM Applying the ISO 27005 risk management standard Fraud risk management is key to avoid Wipro-like incidents Security awareness is the key... cultivate employee loyalty Jim Reavis on cloud computing security and regulatory compliance The TCS Website hack: Don't let your company join the list Enterprise risk management strategies Clientless SSL VPN vulnerability and Web browser protection Information rights management helps L&T protect its knowhow Cloud Security Alliance releases top cloud computing security threats Voice data security risks on the rise, say experts Firewall audit tools aid compliance Interest in data leakage protection, event log management rises Improving regulatory compliance management through log analysis, SIEM Applying the ISO 27005 risk management standard Zeus Trojan continues reign infecting 74,000 PCs in global botnet Fraud risk management is key to avoid Wipro-like incidents Risk Management Strategies 11 application security tweaks for a secure SDLC Improving regulatory compliance management through log analysis, SIEM Applying the ISO 27005 risk management standard Zeus Trojan continues reign infecting 74,000 PCs in global botnet RAM-scraping attacks are a rising -- but preventable -- threat Jim Reavis on cloud computing security and regulatory compliance The TCS Website hack: Don't let your company join the list SIEM systems streamline compliance processes, offer security benefits Microsoft extends SDL program, adds Agile development template Data classification as an insurance to protect information

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary knowledge process outsourcing (KPO)  (SearchSecurityIN.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary