Laws governing IT Security Companies in India

In recent times, cybercrime has been causing unanticipated damage to industries, nations, governments and individuals on a global level. Cyber threats are not limited to data breaches; they are also predominantly active in areas such as identity theft and monetary loss or financial theft, among others. The world of cybersecurity is growing day by day and catering to the needs of businesses, but the world of cybercrime is simultaneously growing, evolving and targeting businesses in every new way possible. Hackers work efficiently and attack companies at their weakest and most vulnerable moments. This draws attention to the need not only to fortify cybersecurity systems but also to scrutinize existing cyber laws and bring in robust ones.

The Legislative Framework of Cyber Security Laws in India

Information Technology (IT) Act, 2000: Cyber law in India principally comprises the Information Technology Act, 2000 and the regulations framed under this Act. The Act is the parent statute, charged with covering all the relevant aspects of cybersecurity, be it the various forms of cyber violations, the punishments involved, compliances etc. It is explicitly applicable to companies that do business in India, which includes all corporations registered in India, companies that outsource work in India, and companies that maintain servers within the nation’s borders. The Act deals with all activities concerning online trade and electronic documents. If an international corporation merely has a customer base in India, and this is the only relationship the company has with India, then it is not governed by the IT Act. However, if the body corporate runs a service in India, or sells any products as well as maintains servers there, then it is held to the IT Act. Nonetheless, the IT Act alone is not exhaustive in dealing with cyber law issues; a large body of judgments and certain other legislation have together developed the cyber law regime in India to a great extent. The IT Act not only grants legal recognition and protection to transactions carried out through electronic media and other means of e-communication, but also aims at safeguarding electronic data and preventing unauthorised or illegitimate use of a computer system.

Some Important Provisions in the IT Act are:
• Section 43: This section applies to individuals or bodies corporate who disrupt computer systems, destroy the information residing in a system, steal data etc., without permission from the authorized owner. The authorized owner is fully entitled to compensation for the entire loss and damage suffered in such situations. In the case of Dr. Rishi Dixit and Others v. Preventive Life Care Pvt. Ltd. 2019 SCC OnLine TDSAT 172, the Respondent company alleged that the Appellants deceitfully and covertly stole certain confidential procedures, a customer database, research papers, and some additional vital information from the Respondent's computer network, without permission. The tribunal found the Appellants to be in contravention of Section 43 (b) of the ITA 2000, r/w (i) and (j), and ordered them to pay compensation of Rs 15 lakh together with interest of 8%.
• Section 66: This section applies where a person is found to have deceitfully or fraudulently performed any act mentioned in Section 43. The maximum punishment in such cases is three years of imprisonment or a fine of up to Rs. 5 lakhs, or both. In the case of Kumar v/s Whiteley [1991] 93 CAR 25, the accused gained unlawful access to the Joint Academic Network and not only fraudulently deleted and added certain files but also changed the passwords with the intention of denying access to the legally authorized users. Ultimately, due to the huge loss incurred through the act of the accused, N G Arun Kumar, the court sentenced him to one year's imprisonment along with a fine of Rs 5,000 u/s 66 of the IT Act (along with section 420 IPC, cheating).
• Section 66B: This section deals with persons who deceitfully obtain stolen devices or computers. The penalty imposed for such acts is imprisonment of up to 3 years or a fine of up to Rs. one lakh, or both.
• Section 66C: This section imposes penalties for identity theft, where a person pretends to be an authorized person by fraudulently signing digital documents with sham digital signatures, or where anyone hacks passwords etc. The IT Act punishes such persons with imprisonment for a maximum of three years or with a fine of Rs. one lakh, or both.

Miscellaneous rules and regulations formulated under the IT Act, 2000 are as follows:
• CERT Rules: The Computer Emergency Response Team was founded under the IT (The Indian CERT and Manner of Performing Functions and Duties) Rules, 2013. It is responsible for gathering, scrutinizing and circulating knowledge and guidance on cybersecurity, and for taking appropriate measures during exigencies.
• SPDI Rules: SPDI is an acronym for Sensitive Personal Data or Information, and these rules were set out under the IT (Reasonable Security Practices and Procedures & Sensitive Personal Data or Information) Rules, 2011. These regulations are to be obeyed by corporations that manage, gather, preserve or pass on classified information.
• Protected System Rules: Bodies corporate that have protected systems must carry out certain data security measures, as specified under the IT (Information Security Practices & Procedures for Protected System) Rules, 2018.
• Intermediaries Rules: Intermediaries are now regulated under the IT (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021. The 2011 Rules of Intermediaries Guidelines stand replaced by these new rules, notified by the government in exercise of its power under section 87 of the IT Act, 2000. All intermediaries, whether social intermediaries or of any other category, must set up a grievance redressal mechanism and implement sufficient security practices and processes to safeguard their computer resources and the associated data. Intermediaries are also required to report cybersecurity incidents to CERT-In.

  1. Indian Penal Code (IPC), 1860: In India, the IPC 1860 also punishes certain offences committed over the web, e.g., defamation, cheating, criminal intimidation and indecency. Here, however, the focus is on the legal provisions and remedies of the IPC that bodies corporate in the IT sector specifically can avail themselves of:
    • Section 378, IPC: This section penalizes acts of theft of movable property. It also relates to the theft of any data stored electronically, because Section 22, IPC asserts that the expression “movable property” is intended to comprise corporeal property of every type, excluding land and things fastened to the earth. So, if information is kept on a CD or pen drive etc. and that device is stolen, the act falls within the definition of ‘Theft’, but if data is transferred electronically, i.e., in incorporeal form, it would not precisely establish theft under the IPC. The maximum sentence for such acts is imprisonment of up to three years or a fine, or both. But these penal provisions of the IPC cannot be charged when the provisions of the IT Act, 2000 are already attracted, since the IT Act has an overriding effect. In the case of Gagan Harsh Sharma v. The State of Maharashtra 2018 SCC OnLine Bom 17705, an employee stole certain data from the system and hacked the computers in such a way that all the employees gained access to the confidential information. The employer filed a case under the sections related to theft under the IPC and under the IT Act as well. The court held that, of the two pieces of legislation, the IT Act has an overriding effect in the present case of cybercrime.
    • Section 419, IPC: This section stipulates a maximum of three years' imprisonment for ‘cheating by personation’, which can be accompanied by a fine as well, depending upon the severity of the offence committed.
    • Section 465, IPC: This is usually the penal provision for the offence of forgery; in cyberspace, however, attacks such as email spoofing and fake documents are dealt with and penalized under this section with imprisonment of up to two years or a fine, or both. In the case of Anil Kumar Srivastava v. Addl Director, MHFW 2005 All LJ 2318, the petitioner faked the signature of the AD in a digital document and afterwards filed a case making wrong accusations about the same person. The Court held that the petitioner was liable u/s 465 as well as 471 of the IPC.
  2. Companies (Management and Administration) Rules 2014 (the CAM Rules): These rules lay down stringent guidelines setting out the cybersecurity requirements and responsibilities of the company’s directors and key leaders. They require companies to make sure that their digital e-records and security systems are protected from unlawful access and tampering.
  3. IT Laws and Regulations associated with Intellectual Property Rights (IPR): The IT industry has an extremely profound correlation with IPR legislation. The IT sector essentially comprises software, web design, and data operations. New software is developed by hard-working engineers who put in great effort with the aim of using it for innovations and inventions. Under the IPR regime, such work is mostly protected under three major laws, i.e., Patent Law, Copyright Law and Trademark Law. For example, consider protecting a computer programme or software developed by an IT company. Section 13 states that copyright subsists in a literary work, and u/s 2(o) of the Copyright Act, 1957, a literary work includes a computer programme as well. Therefore, copyright also subsists in a computer programme or software program.

Apart from the above, there are sector-specific standards issued by regulators, for instance the Reserve Bank of India, the Insurance Regulatory and Development Authority of India Act 1999 (IRDA), the Department of Telecommunication (DOT) and the Securities Exchange Board of India (SEBI), which oversee whether cybersecurity standards are being appropriately maintained by their entities, such as banks, insurance corporations, telecom service providers and listed entities.

As human reliance on technology intensifies, cyber laws in India and across the globe need steady upgrading and rectification. Technology has always been a double-edged sword and can be used for good or for bad. The Covid pandemic has also pushed most employees into remote working, thus increasing the need for more security. Steganography, Trojan Horse and Scavenging are all technologies which per se are not crimes, but when they fall into the wrong hands and are exploited or misused with illegitimate intent, they come under the ambit of cybercrime and constitute a punishable offence. Hence, rulers and lawmakers should make a persistent effort to ensure that technology grows in a healthy manner and is used for legal and ethical business growth and not for committing crimes.
Authored By: Adv. Anant Sharma & Neha Sharma
