Cyber law specialist Pavan Duggal shares tips for CSOs to do proactive compliance with the law and avoid potential legal exposure
What’s new in ‘enterprise security’ today and how are businesses tackling rising security challenges?
The first emerging trend is the realization by companies that they are intermediaries under the Indian Cyberlaw and that they have to do documented due diligence which is mandated under the law while discharging their obligations under the Information Technology Act, 2000.
Another major trend is the realization amongst the enterprise security domain that in case there is a breach of enterprise security on a company’s network, the same could expose the company to civil and criminal legal consequences. The civil consequences include the company being exposed to being sued for damages by way of compensation up to Rupees Five Crores per contravention.
In addition, there is criminal exposure of imprisonment ranging from three years to life imprisonment and also a fine ranging from Rupees One Lakh to Rupees Ten Lakh. However, despite the realization, there is a sense of complacency in as much as the entities still believe in the Indian Jugaad School of Management. However, companies have to quickly realize that they may not be able to do jugaad to save themselves from potential legal exposure.
How have the IT Act 2000 & the Companies Act 2013 changed the rules of the game for chief security officers?
The IT Act, 2000 and the Indian Companies Act, 2013 now mandate that all intermediaries who are handling, dealing with or processing sensitive personal data must implement and maintain reasonable security practices and procedures. Failure to do so exposes the company to criminal liability, apart from exposure to unlimited damages by way of compensation, by making the company responsible for security intrusions happening on its network. The focus of the law is to increasingly encourage companies to do proactive compliance with the law.
What’s new when it comes to legal mandates for information security and risk management pros?
New things are on the horizon as mandated under the IT Rules, 2011 for information security and risk management professionals. Amongst these, two sets of rules become extremely relevant. These include the Information Technology (Intermediaries Guidelines) Rules, 2011 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Now these rules are mandatory in nature and compliance with the same is mandated. Non-compliance exposes the legal entities to civil and criminal consequences.
What’s your advice for CSOs to have smooth sailing with regard to implementation of best practices, keeping in mind regulations, compliance, etc.?
The CSO must insist that their companies comply with the Information Technology Act, 2000 and the rules and regulations made thereunder. If the said companies are dealing with, handling or processing SPI, then separate compliances stipulated under the law must be done. In this unpredictable world, it is hard to predict when your network could be attacked. Given the special status of the Information Technology Act, 2000 as a special legislation, the provisions of the Information Technology Act, 2000 prevail over anything inconsistent therewith contained in any other law for the time being in force.
The total number of complaints to CERT-IN till September 2014 was 96,383. In nine months, 15k sites were reportedly hacked in the country; a majority of the cases have been filed under the IT Act. What’s the message for the CSO from this?
The message from these figures is that cyber security has to be taken far more seriously. There is a mandatory obligation of due diligence by law on CSOs. CSOs must quickly understand the newly complex emerging ecosystem of unsecure cyberspace. Hence, they should focus on the statutory exemption from liability given to them under the IT Act, 2000. They can enjoy the said statutory exemption from liability, provided they comply with the provisions of the Information Technology Act, 2000 and the rules and regulations made thereunder.