Security Policies and Cyber Laws
Security Policy
A security policy is a formal set of rules that defines how an organization protects its information and IT assets. The primary goals of a security policy are to ensure the Confidentiality, Integrity, and Availability (CIA) of data.
Policies can be categorized as organizational, system-specific, or issue-specific.
Cyber Law
Cyber law refers to the legislation that governs the use of computers, the internet, and digital communications. It encompasses areas such as cybercrime, electronic transactions, data protection, and intellectual property (IP) rights.
The Information Technology (IT) Act, 2000
The Information Technology Act, 2000 is the primary legislation in India that deals with cybercrime and electronic commerce. It serves as the foundational legal framework that governs digital activities in the country.
Based on the UNCITRAL Model Law on Electronic Commerce, the Act was designed to regulate digital transactions and safeguard the sectors of e-governance, e-banking, and e-commerce.
The Act consists of 94 sections, which are divided into 13 chapters and 2 schedules.
It sets out the penalties and sanctions enacted by the Parliament of India to safeguard e-governance, e-banking, and e-commerce.
1. Timeline and Scope
The bill was signed into law on May 9, 2000, and officially came into effect on October 17, 2000.
The Act applies to all individuals using computers, networks, and the internet in India, regardless of their nationality or location. It also covers offenses committed outside India if they involve computer systems or citizens within India.
2. Objectives of the IT Act, 2000
The main objectives of the Act are:
To grant legal recognition to electronic records and digital signatures.
To promote the efficient delivery of government services electronically (e-governance) and facilitate the electronic filing of documents with government agencies.
To provide a legal framework that boosts digital transactions between firms and individuals, thereby promoting e-commerce.
To define and impose penalties for cybercrimes such as data theft, hacking, and identity theft, in order to create a secure cyber landscape.
To establish procedures and authorities for the enforcement of the Act's provisions.
To promote innovation and entrepreneurship in the Indian IT sector.
3. Key Features and Importance
The Act provided legal recognition/validity to electronic records and signatures, making them equivalent to their physical counterparts.
It also led to the creation of key regulatory bodies:
Controller of Certifying Authorities (CCA): A government body responsible for issuing and managing digital signature certificates.
Cyber Appellate Tribunal: A specialized tribunal to hear appeals against orders from the Act's adjudicating officers.
Cybersecurity and Data Protection
The Act is closely associated with CERT-In (Indian Computer Emergency Response Team), the national nodal agency for responding to cybersecurity incidents. It also introduced foundational data protection principles, mandating that companies obtain user consent before collecting personal information and granting individuals the right to seek compensation for data misuse.
Intermediary Liability
It defined the roles and responsibilities of intermediaries (such as internet service providers and online platforms) and established conditions under which they could be exempt from liability for third-party content.
4. Provisions for Electronic Governance
A major focus of the IT Act was to enable and promote e-governance, which involves using electronic means to manage government processes.
Section 4: Grants legal recognition to electronic records, making them as valid as paper documents.
Section 5: Provides legal recognition for digital signatures, treating them as equivalent to handwritten signatures.
Section 6: Encourages government agencies to use electronic records and digital signatures for filing documents, issuing licenses, and processing payments.
Section 7: Authorizes the retention of legally required documents in electronic form.
5. Section 43 of the IT Act, 2000
Section 43 of Chapter IX of the IT Act, 2000, specifies various actions for which a penalty is imposed if they are performed without permission from the owner or person in charge of the computer system. If any of these actions are done with dishonest or fraudulent intent, they are punishable under Section 66 of the Act.
The prohibited actions outlined in Section 43 include:
Accessing information from the system.
Downloading or copying data without proper authorisation.
Introducing a virus or other malicious software into the system.
Causing damage to a computer network or database.
Preventing an authorised user from accessing the system.
Assisting others in breaching the provisions of the law.
Charging someone for services they have not utilised.
Altering or removing information to reduce its value or cause harm.
Stealing or tampering with the source code that makes a computer program work.
6. Key Offences and Penalties
The Act outlines various offenses and the corresponding penalties for them.
Section | Offence | Penalty |
---|---|---|
Section 65 | Tampering with documents stored within a computer system. | Imprisonment up to 3 years, or a fine of Rs. 2 lakhs, or both. |
Section 66 | Committing any act mentioned in Section 43 (e.g., unauthorized access, downloading data, introducing viruses) with fraudulent intent. | Imprisonment up to 3 years, or a fine up to Rs. 5 lakhs, or both. |
Section 66B | Dishonestly receiving a stolen computer resource or communication device. | Imprisonment up to 3 years, or a fine up to Rs. 1 lakh, or both. |
Section 66C | Identity theft. | Imprisonment up to 3 years, or a fine of Rs. 1 lakh, or both. |
Section 66D | Cheating by personation using a computer resource. | Imprisonment up to 3 years, or a fine of Rs. 1 lakh, or both. |
Section 66E | Violation of privacy. | Imprisonment up to 3 years, or a fine of Rs. 2 lakhs, or both. |
Section 66F | Cyber terrorism. | Life imprisonment. |
Section 67 | Publishing or sharing obscene material in electronic form. | Imprisonment up to 5 years and a fine of Rs. 10 lakhs. |
Section 67A | Publishing or sharing material containing sexually explicit acts in electronic form. | On first conviction, imprisonment up to 5 years and a fine of Rs. 10 lakhs. On subsequent convictions, imprisonment up to 7 years and a fine of Rs. 10 lakhs. |
Section 67B | Depicting children in sexually explicit form and sharing such material electronically. | Imprisonment up to 7 years and a fine of Rs. 10 lakhs. |
Section 67C (Preservation and Retention of Information by Intermediaries): Intermediaries (ISPs, social media platforms, etc.) must preserve and retain specific information for a certain duration as prescribed by the Central Government. Failure to comply is punishable with imprisonment for up to three years and a fine.
Section 69 (Interception, Monitoring, and Decryption Powers): This section grants Governments the power to order the interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource.
Section 69A (Power to Block Public Access): Empowers the Central Government to block public access to any information online. This is the primary legal provision used by the government to ban websites and applications.
Section 69B (Power to Monitor and Collect Traffic Data): Allows the Central Government to authorize any agency to monitor and collect traffic data or information from any computer resource for the purpose of enhancing cybersecurity and identifying, analyzing, and preventing cyber threats.
Section 66A of the IT Act, 2000
Section 66A was introduced into the Information Technology Act, 2000 through the 2008 amendment to address cybercrimes related to the internet and emerging technologies. It imposed penalties for sending offensive messages through communication services and electronic means.
As per the now-repealed section, a person could face punishment for the following actions:
Sending information that is highly offensive or has a menacing character.
Using a computer or communication device to send false information with the intent to cause annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will.
Sending an electronic mail or message with the intention of causing annoyance, inconvenience, or to deceive or mislead the recipient.
Controversy and Repeal
The section became highly controversial due to its vague language.
The lack of a clear definition of what constituted an "offensive" message led to the unnecessary punishment of several individuals. What counted as offensive included any message or information that could incite hatred or compromise the integrity and security of the nation.
In 2015, a bill was initiated to amend the section to safeguard citizens' fundamental rights. Ultimately, the Supreme Court of India struck down Section 66A in its entirety.
The court declared it unconstitutional as it was violative of Article 19, which guarantees the freedom of speech and expression.