The Information Technology (Amendment) Act 2008, an act to amend the IT Act 2000, received the President's assent on 5th February 2009. Several legal and security experts are analyzing the contents and possible impacts of the amendments.

The objective of this note is to try and study the possible implications and impacts on Indian companies. This note is not a comprehensive analysis of the amendments. However, it covers specific vital points that could impact Indian IT companies.

Data Protection
The IT Act 2000 did not have any specific reference to Data Protection, the closest being a provision to treat data vandalism as an offense. The Government introduced a separate bill called the "Personal Data Protection Act 2006," which is pending in Parliament and is likely to lapse.

The IT(A) Act 2008 has introduced two sections that address data protection aspects.

The sections under consideration are:

  • Section 43A: Compensation for failure to protect data
  • Section 72A: Punishment for disclosure of information in breach of lawful contract

Description of Section 43A
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.

By way of explanation: "Body corporate" means Indian companies.

"Reasonable security practices" means the practices agreed in a mutual contract between the customer and the service provider, OR those required by the applicable law. In the absence of both, it means the practices specified by the Central Government.

Hence it would be important for Indian companies to seriously look at SLAs and agreements which have been signed with clients to understand the data protection implications. The same goes for understanding the applicable laws.

A major modification is that this clause does not mention the compensation limit of Rs. 1 Crore, which was part of section 43 of the IT Act 2000. This implies that there is no upper limit on the damages that can be claimed. This is essentially "unlimited liability" for Indian companies, which could have serious business implications.

Description of Section 72A
Under this section, disclosure without consent exposes a person, including an “intermediary,” to three years imprisonment or a fine up to Rs. Five lacs or both.

This section uses the term “personal information” and not “sensitive personal information” as in section 43A. Hence, it could apply to any information obtained to deliver services and, therefore, broaden the definition of information.

Information Security
Across the amendments there are several references to “service providers” or “intermediaries”, which in some form would apply to all Indian companies.

Example - Section 67C
Preservation and retention of information by intermediaries: "Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe."

Any intermediary who intentionally or knowingly contravenes the provisions shall be punished with imprisonment for a term which may extend to 3 years and shall also be liable to a fine.

The notifications specifying the retention period, manner and format are not yet released. However, since this is a "cognizable" offense, any police inspector can start an investigation against the CEO of a company.

Apart from the two aspects discussed in this note, there are other areas which could also be considered.

  • Sec 69: Power to issue directions for interception or monitoring or decryption of any information through any computer resource.
  • Sec 69B: Power to authorize the monitoring and collection of traffic data or information through any computer resource for cybersecurity, etc.

Cyber risk management and response must be revisited by every enterprise to secure critical assets and meet compliance needs. The IT(A) Act 2008 amendments add a few factors that can have a significant impact on business. Information technology regulations and laws are sure to become more stringent and better defined, and organizations will need to be better prepared to take on today's threats.
To know more about how to secure your organization and stay compliant, do get in touch with us at contact@aujas.com.