The Information Technology (Amendment) Act, 2008 an act to amend the IT Act 2000 received the assent of the President on 5th February 2009. Several legal & security experts are in the process of analyzing the contents and possible impacts of the amendments. The objective of this note is to try and study the possible implications and impacts on Indian companies. This note is not intended to be a comprehensive analysis of the amendments, but only certain key points which could impact Indian Companies
The IT Act 2000 did not have any specific reference to Data Protection, the closet being a provision to treat data vandalism as an offense. The Government introduced a separate bill called “Personal Data Protection Act 2006” which his pending in the Parliament and is likely to lapse. The ITA 2008 has introduced two sections which address Data Protection aspects to an extent, which gives rise to certain key considerations for the sector.
The sections under consideration are:
Section 43A: Compensation for failure to protect data
Section 72A: Punishment for disclosure of information in breach of lawful contract
Section 43A states
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
By way of explanation: "Body corporate means Indian companies"
"Reasonable security practices mean a mutual contract between the customer and service provider OR as per the specified law. In absence of both then as specified by the Central Government
Hence it would be important for Indian companies to seriously look at SLA’s and agreements which have been signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.
A major modification is that this clause doesn’t mention the compensation limit of Rs. 1 Crore which was there as part of section 43 of the ITA 2000. This implies that there is no upper limit for damages that can be claimed. This essentially is “unlimited liability” for Indian companies, which could cause serious business implications.
Under this section disclosure without consent exposes a person including an "intermediary" to three years imprisonment of fine upto Rs. Five lacs or both.
This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence it could apply to any information which is obtained in order to deliver services. Hence in some ways broadens the definition of information.
2. Information Preservation
Across the amendments there are several references to “service providers” or “intermediaries”, which in some form would apply to all Indian companies.
e.g. Section 67C: Preservation and Retention of information by intermediaries.
Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe”. Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with an imprisonment for a term which may extend to 3 years and shall also be liable to fine.
The notifications on time for preservation etc. are not yet released. However since this is a “cognizable” offense any police inspector can start investigations against the CEO of a company.
Apart from the two aspects discussed in this note, there are other areas which could also be considerations for E.g.
Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.
Sec 69B: Power to authorize to monitor and collect traffic data or information through any computer resource for Cyber Security.etc.
In summary, IT Risk management and response needs to be looked at by all companies for various reasons including customer assurance, compliance, customer regulations, protection of information assets etc. The ITA 2008 amendments provide us with few additional factors for considerations which could have significant impact on business. Information technology regulations and laws would only get more stringent and defined; hence it’s imperative for organizations to be aware and prepared.