OSE-043
Information Technology Security
Indira Gandhi National Open University
School of Vocational Education and Training
ignou: The People's University
Block 3
INFORMATION TECHNOLOGY ACT
UNIT 1 Introduction to Information Technology Amendment Act 2008
UNIT 2 Legal Implications of Personal Security
UNIT 3 Common Cyber Crimes and Government Laws and Rules in Information Security 32
Programme Expert/Design Committee of Advanced Certificate in Information Security (ACISE)
Prof. K.R. Srivathsan, Pro Vice-Chancellor, IGNOU
Mr. Anup Girdhar, CEO, Sedulity Solutions & Technologies, New Delhi
Mr. B.J. Srinath, Sr. Director & Scientist 'G', CERT-In, Department of Information Technology, Ministry of Communication and Information Technology, Govt. of India
Prof. A.K. Saini, Professor, University School of Management Studies, Guru Gobind Singh Indraprastha University, Delhi
Mr. C.S. Rao, Technical Director, Cyber Security Division, National Informatics Centre, Ministry of Communication and Information Technology
Mr. A.S.A. Krishnan, Director, Department of Information Technology, Cyber-Laws and E-Security Group, Ministry of Communication and Information Technology, Govt. of India
Block Preparation
Unit Writer: Adv. Vaishali Kant, B.A.LL.B, LLM, National Law School of India University, Bangalore (Units 1, 2 & 3)
Block Editors: Mr. S. Balasubramony, Dy. Superintendent of Police, CBI, Cyber Crime Investigation Cell, Delhi; Ms. Urshla Kant, Assistant Professor, School of Vocational Education & Training, IGNOU
Proof Reading: Ms. Urshla Kant, Assistant Professor, School of Vocational Education & Training, IGNOU
Production
Mr. B. Natrajan, Dy. Registrar (Pub.), MPDD, IGNOU, New Delhi
Mr. Jitender Sethi, Asstt. Registrar (Pub.), MPDD, IGNOU, New Delhi
Mr. Hemant Parida, Proof Reader, MPDD, IGNOU, New Delhi
July, 2011
© Indira Gandhi National Open University, 2011
ISBN: 978-81-266-5528-1
All rights reserved. No part of this work may be reproduced in any form, by mimeograph or any
other means, without permission in writing from the Indira Gandhi National Open University.
Further information about the School of Vocational Education and Training and the Indira Gandhi
National Open University courses may be obtained from the University's office at Maidan Garhi,
New Delhi-110068, or the website of IGNOU www.ignou.ac.in
Printed and published on behalf of the Indira Gandhi National Open University, New Delhi, by
the Registrar, MPDD.
Laser typeset by Mctronics Printographics, 27/3 Ward No. 1, Opp. Mother Dairy, Mehrauli,
New Delhi-30
Printed at A-One Offset Printers, 5/34, Kirti Nagar Indl. Area, New Delhi-110015
BLOCK INTRODUCTION
The Information Technology Act is very important in this digital age. Digital technology
and new communication systems have made dramatic changes in our lives. The business
community as well as individuals are increasingly using computers to create, transmit
and store information in electronic form instead of traditional paper documents.
The Information Technology Act, 2000 came into force on 17th October 2000 and is the
first cyber law in India. It is mainly based on the UNCITRAL Model Law on Electronic
Commerce. The IT Act has been designed to give a boost to electronic commerce,
e-transactions and similar activities associated with commerce and trade, and also to
facilitate electronic governance by means of reliable electronic records. Due to the rapid
change in technology, there is a need for suitable amendments to the existing law in our
country to facilitate e-commerce. This block comprises three units and is designed in
the following way.
Unit One introduces India's Information Technology Amendment Act 2008, which
resolves many practical difficulties faced in the implementation of the Act. It
strengthens the data protection regime and makes cyberspace more trustworthy, since
cyber criminals, whether engaging in data and identity theft, financial frauds or posing
a threat to national security through acts of cyber terrorism, will be brought to justice.
The IT Amendment Act 2008 brings significant changes to the extant cyber laws in
India, inter alia introducing legal recognition of electronic signatures, data protection
obligations and mechanisms, and provisions to combat emerging cyber security threats
such as cyber terrorism, identity theft, spamming, video voyeurism, pornography on the
internet and other crimes.
Unit Two introduces you to privacy, which involves proper control and protection of
personal information and the ability to determine if and how that information should
be obtained and used, and to what extent. Until specific legislation on data security
and privacy is enacted in India, a legal controversy that arises in this sphere has to be
resolved, to a large extent, through the Information Technology (Amendment) Act,
2008. Contractual liabilities and the exercise of best security practices may be quite
helpful in ensuring data protection and privacy.
Unit Three describes the effort towards answering some of the fundamental queries
about cyber crimes related to information security. The IT Act deals with both 'cyber
contraventions' and 'cyber offences'. It identifies criminal conduct vis-a-vis a computer
network, computer system or computer, and introduces the power to prosecute those that
deliberately and without authorization misuse computer systems. The Government has
also framed rules to provide data security and privacy.
ACKNOWLEDGEMENT
The material we have used is purely for educational purposes. Every effort has
been made to trace the copyright holders of material reproduced in this book.
Should any infringement have occurred, the publishers and editors apologize and
will be pleased to make the necessary corrections in future editions of this book.
UNIT 1 INTRODUCTION TO INFORMATION TECHNOLOGY AMENDMENT ACT 2008
Structure
1.0 Introduction
1.1 Objectives
1.2 Need of IT Amendment Act, 2008
1.3 Evolution of IT Amendment Act
1.4 Amendments to IT Act
1.5 UID
1.6 Let Us Sum Up
1.7 Check Your Progress: The Key
1.8 Suggested Readings
1.0 INTRODUCTION
The amendments to the Information Technology Act, 2000 were passed by the Lok Sabha
in December 2008. They introduced various positive developments and are an attempt by
the Government to create a dynamic policy that is technology neutral.
1.1 OBJECTIVES
After studying this unit, you should be able to:
• understand UID.
The original Act was developed to promote the IT industry, regulate e-commerce,
facilitate e-governance and prevent cybercrime. The Act also sought to provide legal
recognition to transactions carried out by means of electronic data interchange or other
means of electronic communication, commonly referred to as e-commerce; to facilitate
electronic filing of documents with government agencies; to amend the IPC, the Evidence
Act, the Bankers' Books Evidence Act and the Reserve Bank of India Act in order to bring
electronic documentation within the purview of the respective enactments; to bring cyber
criminals within the purview of the law and to punish them; to bring in the regime of
digital signatures; and to foster security practices within India that would serve the
country in a global context.
At the same time, the Act has attracted a lot of criticism: 1) it is still inadequate in
providing sufficient data protection provisions; 2) it does not offer much in terms of
protection of intellectual property on the net; 3) it does not prohibit spam and
unsolicited e-mails that flood one's inbox; 4) it is silent on issues relating to
cross-border taxation arising out of international trade; 5) a single section, section 79,
devoted to network service providers is highly inadequate.
The Amendment was made to address issues that the original Act failed to cover and to
accommodate further developments in IT and related security concerns since the original
law was passed.
The Amendment has been criticized for decreasing the penalties for some
cybercrimes and for lacking sufficient safeguards to protect the civil rights of
individuals. Section 69, for example, authorizes the Indian government to intercept,
monitor, decrypt and block data at its discretion. According to Pavan Duggal, a
cyber law consultant and advocate at the Supreme Court of India, "The Act has
provided Indian government with the power of surveillance, monitoring and
blocking data traffic. The new powers under the amendment act tend to give Indian
government a texture and color of being a surveillance state".
The Information Technology Amendment Bill 2008 was passed by the Lok Sabha
and the Rajya Sabha in the last week of December 2008 and received the President's
assent on 5th February 2009. The Bill aims to make sweeping changes in the existing
Indian cyber law framework, including inserting new express provisions to bring
more cyber offences within the purview of the Information Technology Act, 2000.
Signatures adopted by the United Nations Commission on International Trade Law
(UNCITRAL).
Keeping in view the above, Government had introduced the Information Technology
(Amendment) Bill, 2006 in the Lok Sabha on 15th December 2006. Both Houses
of Parliament passed the Bill on 23rd December 2008. Subsequently the Information
Technology (Amendment) Act, 2008 received the assent of President on 5th
February 2009 and was notified in the Gazette of India.
b) Cyber cafe is defined as "any facility from where access to the Internet is
offered by any person in the ordinary course of business to the members of the
public".
c) Some of the earlier definitions in the Act that have been redefined include
'computer network', 'information' and 'intermediary', to make them more precise.
a) An intermediary has to comply with the central government guidelines, under
section 67C, for preservation and retention of information as may be specified, for
such duration and in such manner and format. Failure to do so shall be punished with
imprisonment of up to three years and a fine.
3) Data protection, new section 43A: The existing Act provides for penalty for damage
to computers and computer systems under the title 'Penalty and Adjudication' in
section 43, which is widely interpreted as a clause providing data protection in the
country. Unauthorized access to a computer, computer system or computer network is
punishable with compensation of up to one crore rupees. This section has been improved
to include stealing of computer source code, for which compensation can be claimed
(computer source code has been defined). Data protection has now been made more
explicit through the insertion of a new section 43A, which provides for compensation to
an aggrieved person whose personal data, including sensitive personal data, is
compromised by a company while it was under processing with the company, for failure
to protect such data because of negligence in implementing or maintaining reasonable
security practices. Further, 'reasonable security practices and procedures' are those
practices and procedures that protect such information from unauthorized access,
damage, use, modification, disclosure or impairment, as may be specified in an
agreement between the parties or as may be specified in any law in force. In the
absence of such an agreement or any law, the central government will prescribe
security practices and procedures in consultation with professional bodies or
associations.
4) Penalty for breach of confidentiality and privacy: Under section 72 this is
presently restricted to those who gain access to an electronic record or document
under the powers conferred by this Act. A new section 72A has been added that
provides for punishment for disclosure of information in breach of a lawful contract.
Any person, including an intermediary, who has access to any material containing
personal information about another person as part of a lawful contract and discloses
it without the consent of the subject person, with the intent to cause or knowing that
it is likely to cause wrongful loss or wrongful gain, commits a breach and attracts
punishment with imprisonment of up to three years and/or a fine of up to five lakh
rupees. This is a strong deterrent, and will also bring those responsible for breaching
data confidentiality under lawful contracts to justice. Along with section 43A, section
72A strengthens the data protection regime in the country. It will go a long way in
promoting trust in trans-border data flows to India.
a) Section 66: 'hacking' as a term has been removed. This section has been aligned
with section 43 on compensation against damage. In addition to the compensation
under section 43, a person who dishonestly or fraudulently gains access to a computer
system and damages it, diminishes its value or causes disruption will also be punished
with imprisonment of up to three years and/or a fine of up to five lakh rupees.
h) Section 67: it has been revised to include the transmission of obscene material in
electronic form in addition to its publishing. Punishment for publishing or
transmitting obscene material in electronic form has, however, been reduced from five
to three years of imprisonment, while the fine has been increased from one to five lakh
rupees. For a second offence, imprisonment has been reduced from ten to five years,
and the fine increased from two to ten lakh rupees.
i) Section 67A: provides for punishment for publishing or transmitting material
containing a sexually explicit act in electronic form: imprisonment of up to five years
and a fine of up to ten lakh rupees; for a second offence, imprisonment of up to seven
years and a fine of up to ten lakh rupees.
l) Section 69: the earlier provision has been revised while two new sections have
been added, namely 69A and 69B. Powers under section 69 were earlier vested with
the Controller of Certifying Authorities for directing any agency of the government
to intercept any information transmitted through a computer resource. The revised
section empowers the central government or a state government to direct any agency
of the government to intercept, monitor or decrypt, or cause to be intercepted,
monitored or decrypted, any information generated, transmitted, received or stored in
any computer resource under conditions of threat to national security or friendly
relations with foreign states. The procedure and safeguards for such interception or
monitoring shall be prescribed by the government. This will make the application of
section 69 more transparent, unlike the previous version of the section, under which
the government was not mandated to prescribe such procedures. An intermediary not
complying with such directions shall be punished with imprisonment of up to seven
years and a fine.
m) Section 69A: This is a new provision that empowers the central government to
issue directions for blocking public access to any information through any computer
resource (blocking of websites). The conditions under which this may be done are
similar to those under section 69, and the procedures and safeguards subject to which
such blocking may be carried out shall be prescribed by the central government. It
may be noted that blocking can only be ordered by the central government, unlike
interception and monitoring, which can be ordered by the central or a state
government. An intermediary not complying with such directions shall be punished
with imprisonment of up to seven years and a fine.
n) Section 69B: This is yet another provision that empowers the central government
to authorize the monitoring and collection of traffic data or information through any
computer resource for cyber security. Any government agency can be authorized to
monitor and collect traffic data or information generated, transmitted, received or
stored in any computer resource. An intermediary not complying with such directions,
for enabling online access or to secure and provide online access to the computer
resource generating, transmitting, receiving or storing such traffic data or
information, shall be punished with imprisonment of up to three years and a fine.
o) Section 77: Compensation, penalties or confiscation awarded under the IT Act do
not preclude awards of compensation or imposition of penalty or punishment under
any other law. However, section 77A provides for compounding of offences, except
those punishable with life imprisonment or imprisonment for a term exceeding three
years under this Act.
8) Electronic Signature: The Act has been made technology neutral. Earlier only
digital signatures based on asymmetric cryptography were recognized for signing
electronic documents/records. Section 3 on digital signatures has been supplemented
by a new section 3A on electronic signatures. Now the central government is empowered
to recognize other types of electronic signature based on new, mature technologies
under sections 15 and 16.
9) Electronic Contract Formation: Section 10A has been added, providing for the
validity of contracts formed through electronic means.
10) Audit of Electronic Records: Section 7A has been added, providing for audit of
documents maintained in electronic form.
11) Encryption: Section 84A has been added, enabling the central government to
prescribe the modes or methods of encryption for secure use of the electronic medium
and for the promotion of e-governance and e-commerce.
b) Compare your answer with the one given at the end of this Unit.
2) Explain the evolutionary process of the IT Amendment Act, 2008.
1.5 UID
The Unique Identification Authority of India (UIDAI) is an agency of the Government
of India responsible for implementing the envisioned Aadhaar, a Multipurpose National
Identity Card or Unique Identification (UID) project in India. It was established in
February 2009, and will own and operate the Unique Identification Number database.
The authority aims at providing a unique number to all Indian residents, but not smart
cards. It would maintain a database of residents containing basic biometric data.
The agency is headed by a chairman, who holds cabinet rank. The UIDAI is part of
the Planning Commission of India. Nandan Nilekani, a former co-chairman of Infosys
Technologies, was appointed as the first Chairman of the authority in June 2009. Ram
Sewak Sharma, an IAS officer of the Jharkhand cadre, has been appointed as Director
General and Mission Director of the Authority. He is known for his work on
e-Governance projects for Jharkhand State; as its IT Secretary he received a number of
awards for the best Information Technology trends among states in India. The UID
number is a 12-digit number.
Launch
It is believed that unique national IDs will help address rigged state elections and
the widespread embezzlement that affects subsidies and poverty alleviation programmes
such as NREGA. Addressing illegal immigration into India and terrorist threats is
another goal of the programme.
Most reports suggest that the plan is for each Indian citizen to have a unique
identification number with associated identifying biometric data and photographs by
2011. However, other reports claim that obtaining a unique number would be voluntary,
but those that opt to stay out of the system "will find it very inconvenient: they will
not have access to facilities that require you to cite your ID number".
Government-issued IDs are fragmented by purpose and region in India, which results in
widespread bribery, denial of public services and loss of income, especially afflicting
poor citizens. As the unique identity database comes into existence, the various
identity databases (voter ID, passports, ration cards, licences, fishing permits, border
area ID cards) that already exist in India are planned to be linked to it. The Authority
is liaising with various national, state and local government entities to begin this
process. The Union Labour Ministry has offered its verified Employees' Provident Fund
(EPFO) database of 42 million citizens as the first database to be integrated into the
unique ID system.
Other UID projects implemented on a smaller scale in India can also facilitate in
the development of the national project. An example is a project developed by
Wolf Frameworks Cloud Computing vendor and Social Education and Development
Society (SEDS) for profiling and generating Unique Identification for more than
40,000 members in the Anantapur district of Andhra Pradesh.
The UID will link a person's passport number, driving licence, PAN card, bank
accounts, address, voter ID, etc., and all this information will be checked against a
database. So, for example, if someone has different addresses on their PAN card and
driving licence, they are liable to be caught. Those who opt out of this programme will
face much inconvenience in doing business, operating bank accounts and dealing with
other offices that require a UID.
UIDAI has headquarters in Delhi and a technology centre in Bangalore. It also has
8 regional offices in Chandigarh, Delhi, Lucknow, Ranchi, Guwahati, Mumbai,
Hyderabad and Bangalore.
One estimate of the cost to completely roll out national IDs to all Indian residents
above the age of 18 has been placed at Rs 150,000 crore (US$33.45 billion). A different
estimate puts it at US$6 billion. A sum of Rs 100 crore (US$22.3 million) was approved
in the 2009-2010 union budget to fund the agency for its first year of existence. UID
received a huge boost when Dr Pranab Mukherjee, Minister of Finance, allocated Rs 1900
crore to the Unique Identification Authority of India (UIDAI) for 2010-11.
Initial estimates project that the initiative will create 1000 new jobs in the country,
and business opportunities worth Rs 6,500 crore (US$1.45 billion) in the first phase of
implementation.
Risks
In December 2010, UIDAI published the report on its proof of concept trial, designed
to test, among other things, whether biometrics are reliable enough to guarantee that
every entry in the CIDR (Central Identities Data Repository) is unique. UIDAI's figures
published in the report suggest that they are not: the biometrics are not reliable
enough, and Aadhaar will drown in a sea of false positives.
great that tests tell you nothing; they cannot be used to predict how well biometric
technology will perform in the real world, and they cannot support a valid argument to
invest in biometrics. All three academics advise governments the world over. One of
them, Antonio Possolo, is head of the statistical engineering division at the US
National Institute of Standards and Technology (NIST), an organisation that has advised
UIDAI in the past. On this occasion, UIDAI has not followed NIST's advice that tests
like its proof of concept trial are pointless.
With its academic support withdrawn, the outlook for the global mass-consumer
biometrics industry has darkened; it is throwing in the towel. At the same time,
governments elsewhere are abandoning ship. NSTIC, the US National Strategy for Trusted
Identities in Cyberspace, makes no mention of using biometrics. Neither does IdA, the
UK plan for digital delivery of identity assurance. And the Netherlands has suspended
its plan to develop a centralised population register including everyone's biometrics.
India may find itself the last adherent of this receding faith.
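The "sea of false positives" point above is arithmetic as much as sensor quality: a one-to-many de-duplication check compares every new record against every existing one, so even a tiny per-comparison false match rate is multiplied by an enormous number of comparisons. The following Python block is an added example, not part of the IGNOU text and not code from any UIDAI report or system. It estimates the false-match load of such a check and, going beyond the passage, turns the same formula around to give the largest repository a chosen error budget can tolerate. The population size, the false match rate and the independence of comparisons are hypothetical assumptions chosen for illustration (stated again in the comments); none of them is a figure from the report.

```python
"""
Added example (not from the IGNOU block or any UIDAI material): sizing the
false-positive load of a 1:N biometric de-duplication check.

Model and assumptions (all hypothetical, for illustration only):
- Every new enrolment is compared against every record already in the
  repository, so de-duplicating n records costs C(n, 2) pair comparisons.
- Each comparison independently reports a false match with probability
  `fmr`, the system-level false match rate after fusing all modalities.
  Real matchers are correlated across subjects, so this is a floor on the
  trouble, not a prediction.
"""
from math import comb, expm1, log1p


def pairwise_comparisons(n: int) -> int:
    """Distinct record pairs compared when n records are de-duplicated."""
    return comb(n, 2)


def expected_false_matches(n: int, fmr: float) -> float:
    """Expected number of false matches across the whole repository."""
    return pairwise_comparisons(n) * fmr


def prob_any_false_match(n: int, fmr: float) -> float:
    """Probability that at least one of the C(n, 2) comparisons is a false match.

    Computed as 1 - (1 - fmr)^C(n,2) via log1p/expm1 so that tiny fmr values
    do not lose precision in floating point.
    """
    return -expm1(pairwise_comparisons(n) * log1p(-fmr))


def enrolment_false_match_prob(existing: int, fmr: float) -> float:
    """Chance that one new enrolment falsely matches any of `existing` records.

    This is the per-transaction number an operations team sees: every such
    event needs manual adjudication before the applicant can be rejected
    or enrolled.
    """
    return -expm1(existing * log1p(-fmr))


def max_population_for_budget(fmr: float, budget: float) -> int:
    """Largest n whose expected false matches C(n,2)*fmr do not exceed `budget`."""
    if fmr <= 0:
        raise ValueError("fmr must be positive")
    # Solve n(n-1)/2 * fmr <= budget approximately, then adjust exactly.
    n = int((2 * budget / fmr) ** 0.5) + 1
    while n > 1 and expected_false_matches(n, fmr) > budget:
        n -= 1
    while expected_false_matches(n + 1, fmr) <= budget:
        n += 1
    return n


if __name__ == "__main__":
    # Hypothetical figures: a 1.2 billion-resident repository and an
    # optimistic fused false match rate of one in ten million per comparison.
    population = 1_200_000_000
    fmr = 1e-7
    print(f"pair comparisons      : {pairwise_comparisons(population):.3e}")
    print(f"expected false matches: {expected_false_matches(population, fmr):.3e}")
    print("P(new enrolment falsely matches someone) = "
          f"{enrolment_false_match_prob(population, fmr):.3f}")
    # How large a repository could a budget of 1,000 false matches tolerate?
    print(f"population for <= 1000 false matches: "
          f"{max_population_for_budget(fmr, 1000)}")
```

The design point is that the quantity to worry about is not the per-comparison rate but its product with C(n, 2), which grows with the square of the population; a proof of concept on a few tens of thousands of people exercises a vanishingly small slice of that comparison space, which is why the critics quoted above say such trials cannot predict real-world performance.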
Criticism
There are many potential privacy fallouts of this project, not the least of which is
triggered by the Government's official plan to link the databases together.
The Supreme Court has held the right to privacy to be implicit in article 21 of the
Indian Constitution in R. Rajagopal v. State of Tamil Nadu. Moreover, India has enacted
a number of laws that provide some protection for privacy. For example, the Hindu
Marriage Act, the Copyright Act, the Juvenile Justice (Care and Protection of Children)
Act, 2000 and the Code of Criminal Procedure all place restrictions on the release of
personal information. Privacy is a key concern with respect to the Multipurpose
National Identity Card (MNIC) scheme, as all of an individual's personal information
will be stored in one database, where the possibility of corruption and exploitation of
data is far greater than when the information is dispersed.
Risks that arise from this centralization include possible errors in the collection of
information, recording of inaccurate data, corruption of data from anonymous sources,
and unauthorized access to or disclosure of personal information. Other countries with
national identification systems have confronted numerous problems with similar risks,
such as trading and selling of information, and India, which has no generally
established data protection law such as the U.S. Federal Privacy Act or the European
Data Protection Directive, is ill-equipped to deal with such problems. The centralized
nature of data collection inherent in the MNIC proposal only heightens the risk of
misuse of personal information and therefore potentially violates privacy rights. In
consideration of the risks involved in the creation of a centralized database of
personal information, it is imperative that such a programme not be established without
proper mechanisms to ensure the security of each individual's privacy rights.
Unfortunately, India's proposed MNIC programme at present lacks any provision for
judicial review. Without credible and independent oversight, there is a risk of 'mission
creep' for MNICs; the government may add features and additional data to the MNIC
database bureaucratically and reflexively, without re-evaluating the effects on privacy
in each instance.
1.6 LET US SUM UP
India's Information Technology Act, 2000 is comprehensive legislation but contains
many lacunae. The passage of the IT Amendment Act 2008 resolves many practical
difficulties faced in the implementation of the Act. It strengthens the data protection
regime and makes cyberspace more trustworthy, since cyber criminals, whether engaging
in data and identity theft, financial frauds or posing a threat to national security
through acts of cyber terrorism, will be brought to justice. The IT Amendment Act 2008
brings significant changes to the extant cyber laws in India, inter alia introducing
legal recognition of electronic signatures, data protection obligations and mechanisms,
and provisions to combat emerging cyber security threats such as cyber terrorism,
identity theft, spamming, video voyeurism, pornography on the internet and other
crimes. Some lacunae may still surface with the passage of time. Hence, constant
amendment of the legal statutory framework will always be essential. With the growing
dynamics of technology in India, the legal matrix needs to be strengthened at every
milestone to fill the lacunae that remain in information technology laws. To cope with
the multifarious challenges that technological advancement may bring, be they issues
of cyber security, privacy or cybercrime, India will call for a more efficacious and
stricter regime of cyber laws.
1.7 CHECK YOUR PROGRESS: THE KEY
1) The Amendment was created to address issues that the original IT Act failed to
cover and to accommodate further developments in IT and related security concerns
since the original law was passed.
3) For easy reference, a brief overview of the significant changes brought about by
the IT Amendment Act, 2008 is given below:
Section                 Change
2(ua)                   Defines "Indian Computer Emergency Response Team"
2(v)                    "Message" included in the definition of "Information"
7                       No change
8, 9                    No change
10                      No significant change
20                      Section omitted
21                      No significant change
37, 38, 39              No change
40                      No change
40A                     New section; specifies the duties of the subscriber of an Electronic Signature Certificate
41, 42                  No change
47                      No significant change
57, 58, 59, 60          No change
62                      No change
63                      No change
64                      No significant change
65                      No change
66B                     Receiving a stolen computer resource
(section not legible)   Punishment: on first conviction, imprisonment for a term which may extend to five years and a fine which may extend to ten lakh rupees
69                      Scope extended from decryption to interception and monitoring also. Power lies with the authorized government agency of the Central Government.
(section not legible)   ... for Critical Information Infrastructure protection
71, 72                  No change
73, 74, 75, 76          No change
77                      No significant change
81A                     No change
82                      No significant change
83, 84                  No change
85, 86                  No change
88, 89                  No change
90                      No significant change
91-94                   Omitted
1.8 SUGGESTED READINGS
• http://www.cis-india.org
• http://www.cyberlaws.net
• http://www.mit.gov.in
UNIT 2 LEGAL IMPLICATIONS OF PERSONAL SECURITY
Structure
2.0 Introduction
2.1 Objectives
2.2 Need of Data Protection and Privacy
2.2.1 Preventing Data Misuse
2.2.2 Rapidly Changing Technology
2.2.3 Globalization
2.2.4 Complex Regulatory Environments at the Local, National and Global Levels
2.2.5 Accountability
2.2.6 Client's Confidence
2.3 Indian Laws related to Data Protection and Privacy
2.3.1 Indian Constitution
2.3.2 Information Technology Act, 2000
2.3.3 IT (Amendment) Act, 2008
2.4 Suggestions to tackle the Issue of Data Protection and Privacy
2.5 Let Us Sum Up
2.6 Check Your Progress: The Key
2.7 Suggested Readings
2.0 INTRODUCTION
No doubt, India is one of the best outsourcing destinations due to its significant
skills, cost and other advantages. The phenomenal growth and expansion of the IT and
BPO sectors, which continuously provide cost-efficient services across the world, has
given India global success. But outsourcing services involve working in an environment
requiring compliance with the laws of the multiple countries from which the personal
data originates. The problem may continue for service providers due to the lack of data
privacy laws in India, and at the same time they may not be able to deal effectively
with all the laws present across the world. This means that there is a great need to
put a uniform framework for data protection in place. It would help not only in
outsourcing services but also in all kinds of services where data is involved or
stored. Presently, there is no way to give anyone assurance about data security and
privacy. This may cause heavy losses and disruption in the IT and outsourcing industry
and lead to the loss of foreign investment as well. Therefore, this unit focuses on the
data protection and privacy issues which need to be tackled. There is an urgent need to
strengthen the data protection environment.
2.1 OBJECTIVES
After studying this unit, you should be able to:
2.2 NEED OF DATA PROTECTION AND PRIVACY
Much of the increased attention to privacy is attributed to the technological advances that have moved society from the industrial age to the information age and on toward the interactive age. The evolution of the information superhighway, the infrastructure of the virtual place called 'cyberspace', is of great significance. This era of cloud computing has enhanced the ability to collect, accumulate, assimilate and disseminate large amounts of personal information.
Generally, three social concerns drive the issue of privacy: individuals' fears about how personal information is used or shared, how it is protected, and who is accountable. The growing focus on privacy is mainly driven by two forces:
The following are the reasons for demanding that the best data security practices be followed in the Indian outsourcing industry:
2.2.3 Globalization
Today businesses are compelled to interact beyond the traditional market borders. Increasing competition has made the outsourcing industry expand globally. Success demands removing the walls around the business, broadening access and opening operations all over the world. Again, the expansion of the business depends largely on the data security and privacy measures practised by the outsourcing company.
2.2.5 Accountability
A service provider acts as a third party: it performs back-office work on behalf of the client or customer and carries out processing when instructed to do so by the latter. This outsourced processing involves access to information, and processing of it, by the service provider as if it were carried out directly by the client. Therefore the processing performed by the service provider must comply with the applicable privacy principles. When personal information is to be transferred to the service provider, the data collector (i.e. the client) should obtain the consent of the individual, or exercise due diligence and take reasonable steps to ensure that the service provider will protect the information consistently with these principles. However, this does not remove the accountability of the service provider.
Unlike some other countries, India does not have a specific law on privacy. As such, it has been left to the judiciary to interpret privacy within the realm of existing legislation.
In a well-known case, the Supreme Court held that Article 21 of the Constitution includes the 'right to privacy' as part of the 'right to protection of life and personal liberty'. It was observed that the concept of liberty in Article 21 is comprehensive enough to include privacy, that a person's house, where he lives with his family, is his castle, and that nothing is more deleterious to a man's physical happiness and health than a calculated interference with his privacy.
In another case, the Supreme Court observed that privacy primarily concerns the individual; it therefore relates to and overlaps with the concept of liberty. Any right to privacy must encompass and protect the personal intimacies of the home, the family, marriage, motherhood, procreation and child rearing. The right to privacy under Article 21 of the Constitution is not an absolute right: if there is a conflict between the fundamental rights of two parties, the right which advances public morality prevails. Hence, in the light of the above judgments of the Supreme Court, we can point out that
3 72. Penalty for breach of confidentiality and privacy: Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
restricted manner. It refers only to those persons who have access to information in pursuance of a power given under the IT Act, 2000 or the rules or regulations made thereunder. It has no bearing on the violation of an individual's privacy in cyberspace generally. Section 72 is therefore limited to information obtained by virtue of a 'power granted under the IT Act'. In practice it applies mainly to the Certifying Authorities, which obtain information from subscribers.
2.3.3 IT (Amendment) Act, 2008
In the light of the latest technological developments, and with the objective of reviewing the IT Act, 2000, the Minister for Communications and Information Technology set up an Expert Committee in 2005 under the chairmanship of Shri Brijesh Kumar, Secretary, Department of Information Technology, with representatives from the IT industry such as Shri Kiran Karnik, President, Nasscom. The Expert Committee completed its deliberations and submitted its report to Thiru Dayanidhi Maran, the then Minister for Communications and Information Technology.
d) For a country like India, which is trying to enhance the positive use of the Internet and working towards reducing the digital divide, it needs to be ensured that new users are not scared away by publicity about computer-related offences. At the same time, it must be ensured that offenders do not go unpunished. This balancing spirit has been incorporated in the proposed amendments to the relevant sections.
e) The section relating to obscenity in electronic form has been revised to bring it in line with the Indian Penal Code (IPC) and other laws, but the fine has been increased because of the ease of such operations in electronic form. A new section has been added to address child pornography, with higher punishment.
The IT (Amendment) Act, 2008 has strengthened the data protection regime in the country, which is expected to enhance the trustworthiness of Indian IT/BPO service providers. It inter alia includes provisions addressing the protection of critical information infrastructure; privacy of information held in computer systems and networks; breach of confidentiality and privacy; audit of electronic records; enabling public-private partnership in e-Governance; conclusion of contracts through electronic means; dishonestly receiving stolen computers or communication devices; spam; identity theft; cheating by personation; violation of privacy; cyber terrorism; and child pornography. The provisions also empower the Government to prescribe guidelines for making service providers and intermediaries accountable and responsible towards consumers and subscribers.
The Information Technology (Amendment) Act, 2008 provides for the privacy of information held in computer systems and networks, for customer and client confidence. Sections 43, 43A, 72 and 72A of the Act address breach of confidentiality and privacy. In particular, the implementation of sections 43A and 72A will make a mark on data security. Section 43A (footnote 5) fixes responsibility on body corporates and companies to adequately protect the sensitive personal data or information they own, possess, control or operate by implementing and maintaining 'reasonable security procedures and practices'. The need to protect an individual's data is reflected in the new restrictions imposed on the collection, storage and handling of that data. Under section 43A a person can also claim compensation if his data has been compromised by the company while it was being processed.
5 '43A. Compensation for failure to protect data: Where a body corporate, possessing, dealing or
handling any sensitive personal data or information in a computer resource which it owns, controls
or operates, is negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate
shall be liable to pay damages by way of compensation to the person so affected.
i) "body corporate" means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities;
ii) "reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorized access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as may
be specified in. any law for the time being in force and in the absence of such agreement or
any law, such reasonable security practices and procedures, as may be prescribed by the
Central Government in consultation with such professional bodies or associations as it may
deem fit;
iii) "sensitive personal data or information" means such personal information as may be prescribed
by the Central Government in consultation with such professional bodies or associations as
it may deem fit.'
- as specified in any law for the time being in force; or
- to be specified by the Central Government in consultation with such professional bodies or associations as it may deem fit.
However, at the time of writing no law specified reasonable security practices, nor had the Central Government defined the security practices to be implemented in order to secure vital data. (The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, discussed in Unit 3, have since prescribed them.) In the absence of such defined security practices and procedures, it is open to the parties to enter into agreements and lay down their own methods of protecting sensitive information. This has led to many issues, such as:
c) In order to procure more and more business, are outsourcing companies being made to enter into agreements that impose too many obligations on them?
d) What are reasonable security practices for one industry may not be applicable to another. One set of security practices will not fit the entire nation.
Depending upon the industry, compliance with business requirements such as ISO 27001, the DPA, Basel II, HIPAA etc. may be enforced by means of agreements between the parties, and failure of any party to maintain such a contractual obligation can lead to legal consequences by virtue of this section. It is to be noted that there is no upper limit on the compensation that can be claimed by the affected party in such circumstances.
Section 72A (footnote 6) further strengthens the data protection regime in our country. It deals with punishment for breach of a lawful contract and prevents any intermediary or service provider who has secured material or information from a user from passing it on to other persons without the user's consent. The purview of section 72A is wider than that of section 72: it extends to the disclosure of a person's personal information (without consent) while providing services under a lawful contract, and not merely to the disclosure of information obtained by virtue of 'powers granted under the IT Act'. Section 72A also covers intermediaries, who are punishable for disclosure of information in breach of a lawful contract. The term 'intermediary' has been defined to mean, with respect to any particular electronic record, a person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, network service providers, Internet service providers, web-hosting service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes. The section provides for imprisonment of up to three years, or a fine which may extend to five lakh rupees, or both, for disclosure of information in breach of a lawful contract. It provides a better functioning system
6 72A. Punishment for disclosure of information in breach of lawful contract: Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.
for the outsourcing industry, enabling it to develop data security systems under strict vigilance against internal and external threats and to ensure better e-governance.
While the provisions of the amendment Act may not be as stringent as the data protection laws of other jurisdictions in protecting the rights of individuals and clients in relation to their personal data, the amendment Act has attempted to make organizations handling sensitive and personal information liable for any misuse of such data, and has set the ball rolling in addressing the lacuna in the country's data protection laws. The provisions are, however, not adequate to meet the needs of corporate India.
b) Compare your answer with the one given at the end of this Unit.
2) Provide the details of Indian laws relating to data protection and privacy.
4) There is an urgent need to develop or codify the law of tort in India. This would enable individual clients from different territorial jurisdictions to move the courts in our country for monetary damages for violation of their privacy.
6) Any company, public office or service provider in India must give clear notice that it is collecting information, what kind of information is being collected and for what purpose.
10) Contractual clauses should explicitly provide for data protection and security.
11) Appointment of Data Security Officers to independently ensure that data is processed properly and securely.
12) Training and awareness on data security and privacy for the employees of outsourcing companies, public offices and other organizations.
13) Adoption of alternative dispute resolution mechanisms to resolve any disputes that arise with regard to data protection and privacy.
b) Compare your answer with the one given at the end of this Unit.
1) Give your own suggestions to tackle the issue of data protection and privacy.
DSCI for certification, which will provide further assurance that the requirements for maintaining data security and privacy are followed and can be trusted. In addition, grievance redressal should be encouraged through alternative dispute resolution mechanisms such as mediation and conciliation for the quick settlement of related disputes. Hence, contractual liability and the exercise of best security practices may be quite helpful in ensuring data protection and privacy.
At the end of the day, let us hope that the evolving cyber law will win the battle for data security and privacy, so that India remains a trustworthy and secure destination for providing data protection and security.
compliance with data protection requirements similar to those of the country where the client is located and/or where the data originated, by following the best security and privacy practices and standards. But the problem is that the Indian outsourcing industry is not able to deal with these laws in an efficient manner, perhaps because there is no uniform framework for data protection in our country.
Accountability: A service provider acts as a third party: it performs back-office work on behalf of the client or customer and carries out processing when instructed to do so by the latter. This outsourced processing involves access to information, and processing of it, by the service provider as if it were carried out directly by the client. Therefore the processing performed by the service provider must comply with the applicable privacy principles. When personal information is to be transferred to the service provider, the data collector (i.e. the client) should obtain the consent of the individual, or exercise due diligence and take reasonable steps to ensure that the service provider will protect the information consistently with these principles. However, this does not remove the accountability of the service provider.
Client's confidence: Of course, the need for data protection and privacy arises primarily to earn the client's confidence, which is the ultimate motive of every business.
1) Give your own suggestions for providing data protection and privacy virtually.
• Frank Bott, Allison Coleman, Jack Eaton, Diane Rowland, "Professional issues
in Software Engineering", Third Edition, published by CRC Press, 2001.
UNIT 3 COMMON CYBER CRIMES
AND GOVERNMENT LAWS
AND RULES IN INFORMATION
SECURITY
Structure
3.0 Introduction
3.1 Objectives
3.2 Nature of Cyber Crimes
3.3 Reasons behind Cyber Crimes
3.4 Kinds of Cyber Crime
3.5 Prevention of Cyber Crime
3.6 Government Rules
3.7 Let Us Sum Up
3.8 Check Your Progress: The Key
3.9 Suggested Readings
3.0 INTRODUCTION
The Information Technology Act, 2000 has been substantially amended by the Information Technology (Amendment) Act, 2008, whereby numerous cyber crimes relating to information security have been added to the law. In fact, the IT Act has a penal character: it defines various offences and punishments in order to reduce cyber crime. As we know, the internet is a global network of millions of computers connected with one another. It permits instant communication through e-mail or online chat, and the buying or selling of goods through auction websites, etc. Moreover, data and information are volatile: they can easily be erased, modified, transmitted and concealed by electronic techniques. In this digital world the flow of information is so easy and quick that the probability of misuse of personal information is very high, and there are no geographical constraints as such. With the growing role of information technology in our lives, the injury and losses caused by cyber crimes are of significant magnitude.
3.1 OBJECTIVES
After studying this unit, you should be able to:
The term 'cyber crime' is a misnomer. The term has not been defined in any statute or Act passed or enacted by the Indian Parliament. The concept of cyber
crime is not radically different from the concept of conventional crime. Both involve conduct, whether act or omission, which causes a breach of the rules of law and is counterbalanced by the sanction of the state. The word 'cyber' is synonymous with computer, computer system or computer network. Thus, cyber crime may be defined as any illegal act that involves a computer, computer system or computer network.
Cyber crimes are technology-based crimes; the computer or the internet itself can be used as a weapon or means to commit them quite freely. They are organized and white-collar crimes such as cyber fraud, hacking, data theft, phishing and identity theft. Cyber crimes are committed with the help of technology, and cyber criminals have a deep understanding of it; in fact they are often technocrats who understand the intricacies of information technology. Cyber crime respects no boundaries or territorial barriers.
Such crimes differ from traditional crimes in their use of a digital platform. The demarcation lies in the involvement of the medium: the sine qua non of cyber crime is the involvement, at some stage, of the virtual cyber medium. Because of this peculiar nature, cyber crime investigation is technical, and it is quite difficult to collect direct evidence. Cyber crime is the latest and perhaps the most complicated problem in the cyber world. 'Cyber crime may be said to be those species, of which the genus is conventional crime, and where either the computer is an object or subject of the conduct constituting crime.' 'Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime.'
A generalized definition of cyber crime may be 'unlawful acts wherein the computer is either a tool or a target or both'. The computer may be used as a tool in the following kinds of activity: financial crimes, sale of illegal articles, pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation and cyber stalking. The computer may be the target of unlawful acts in the following cases: unauthorized access to computers, computer systems or computer networks, theft of information held in electronic form, e-mail bombing, data diddling, salami attacks, logic bombs, Trojan attacks, internet time theft, web jacking, theft of computer systems and physical damage to computer systems.
The important elements of cyber crime are: 1) there must be intent to secure access to any programme or data held in any computer, computer system or computer network; and 2) the person must know, at the time he commits the actus reus, that the access he intends to secure is unauthorized.
1) Capacity to store data in a comparatively small space: a computer can store a great deal of data in a very small space. This makes it much easier to remove or extract information, through either a physical or a virtual medium.
key loggers that steal access codes, advanced voice recorders, retina imagers that can fool biometric systems, and similar tools can be used to get past many a security system.
b) Compare your answer with the one given at the end of this Unit.
3.4 KINDS OF CYBER CRIME
Cyber crime ranges across a spectrum of activities. At one end are crimes that involve fundamental breaches of personal or corporate privacy, such as assaults on the integrity of information held in digital repositories and the use of illegally obtained digital information to blackmail a firm or individual. Also at this end of the spectrum is the growing crime of identity theft. Midway along the spectrum lie transaction-based crimes such as fraud, trafficking in child pornography, digital piracy, money laundering and counterfeiting. These have specific victims, but the criminal hides in the relative anonymity provided by the internet. The following crimes can be committed against the following groups:
Against Individuals
i) Computer vandalism
ii) Cyber-stalking
iii) Netrespass
Against Organizations
iii) Trafficking
vii) Forgery
The above mentioned offences are discussed in brief as follows:
8) Transmitting viruses/worms: This topic has been adequately dealt with above.
9) Intellectual property crimes/distribution of pirated software: Intellectual property consists of a bundle of rights. Any unlawful act by which the owner is deprived completely or partially of his rights is an offence. The common
The Hyderabad court, in a landmark judgment, convicted three people and sentenced them to six months' imprisonment and a fine of 50,000 each for the unauthorized copying and sale of pirated software.
Another definition may be attempted to cover within its ambit every act of cyber terrorism.
4) endangering the sovereignty and integrity of the nation; and a cyber terrorist is a person who uses a computer system as a means or an end to achieve the above objectives. Every act done in pursuance thereof is an act of cyber terrorism.
12) Fraud and cheating: Online fraud and cheating is one of the most lucrative businesses growing in cyberspace today. It may assume different forms; some of the cases of online fraud and cheating that have come to light pertain to credit card crimes, contractual crimes, job offers, etc. Intangible assets represented in data format, such as money on deposit or hours of work, are the most common targets of computer-related fraud.
Check Your Progress 2
b) Compare your answer with the one given at the end of this Unit.
2) Avoid sending photographs online, particularly to strangers and chat friends, as there have been incidents of misuse of photographs.
3) Always use the latest, up-to-date anti-virus software to guard against virus attacks.
4) Always keep backup copies so that you do not suffer data loss in case of virus infection.
5) Never send your credit card number to a site that is not secured, to guard against fraud.
6) Keep a watch on the sites your children are accessing, to prevent any kind of harassment or depravation of children.
7) Use a security programme that gives you control over cookies, which send information back to the site; leaving cookies unguarded can prove harmful.
8) Website owners should watch traffic and check for any irregularity on the site. Host-based intrusion detection on the servers can do this.
10) Web servers running public sites must be physically separate from, and protected from, the internal corporate network.
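As an added illustration of item 8 (watching traffic for irregularities on a site), the following Python script was written for this unit and is not code from the original text or from any product. It runs three simple host-based checks over web-server access-log lines in the common 'combined' format: a burst of requests from one client, a high proportion of 4xx/5xx responses from one client (typical of scanning), and request paths that look like probing. The thresholds, the suspicious-path patterns and the sample log lines are all assumptions made for illustration.

```python
"""Flag irregular traffic in web-server access logs (added example).

Assumes Apache/nginx "combined" log format. SAMPLE_LOG below is constructed
for the example; the thresholds and SUSPICIOUS_PATH patterns are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Paths that suggest probing rather than browsing (assumed, illustrative list).
SUSPICIOUS_PATH = re.compile(
    r"(\.\./|/etc/passwd|union\s+select|<script|%27|'|/wp-login\.php|/\.git/)",
    re.IGNORECASE,
)

# Constructed sample: two ordinary requests, two probes, then a 30-request burst.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2012:10:15:01 +0530] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2012:10:15:09 +0530] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2012:10:16:00 +0530] "GET /login.php?user=admin%27%20OR%201=1-- HTTP/1.1" 200 512 "-" "curl/7.22"',
    '198.51.100.7 - - [10/Mar/2012:10:16:01 +0530] "GET /../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.22"',
] + [
    # 30 requests in 30 seconds from one client, three quarters of them to missing pages
    f'192.0.2.99 - - [10/Mar/2012:10:20:{i % 60:02d} +0530] "GET /page{i}.html HTTP/1.1" {404 if i % 4 else 200} 0 "-" "scanner/1.0"'
    for i in range(30)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, rate_limit=20, window_seconds=60, error_ratio=0.5):
    """Return {client_ip: sorted list of findings} for clients that trip a check.

    'rate'       : more than rate_limit requests inside any window_seconds window
    'errors'     : at least 5 requests and more than error_ratio of them 4xx/5xx
    'suspicious' : at least one request path matching SUSPICIOUS_PATH
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = defaultdict(set)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        # Sliding window over timestamps to detect bursts.
        start = 0
        for end in range(len(recs)):
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > rate_limit:
                findings[ip].add("rate")
                break
        errors = sum(1 for r in recs if r["status"] >= 400)
        if len(recs) >= 5 and errors / len(recs) > error_ratio:
            findings[ip].add("errors")
        if any(SUSPICIOUS_PATH.search(r["path"]) for r in recs):
            findings[ip].add("suspicious")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, flags in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(flags)}")
```

On the constructed sample the script reports 198.51.100.7 for suspicious paths and 192.0.2.99 for both the burst and the error ratio, while the ordinary client 203.0.113.5 is not reported. In practice the same checks would be run over the live access log, with thresholds tuned to the site's normal traffic, and the findings fed to whatever host-based intrusion detection the site already uses.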
3.6 GOVERNMENT RULES
Recently, the Central Government made rules in exercise of the powers conferred by section 87(2)(ca), read with section 6A(2), of the Information Technology Act, 2000. These rules are called the Information Technology (Electronic Service Delivery) Rules, 2011. They are designed to support and elaborate the provisions of the IT Act.
To bring about information security, the rules provide for the proper delivery of public services electronically by the appropriate Government or its agency. The appropriate Government may specify the form and manner of electronic service delivery and determine the manner of encrypting sensitive electronic records requiring confidentiality while they are electronically signed. All authorities that issue any licence, permit, certificate, sanction or approval electronically shall create, archive and maintain a repository of electronically signed electronic records. The appropriate Government specifies the security procedures in respect of the electronic data, information, applications and repository of digitally signed electronic records. It may direct every service provider and authorised agent to keep an updated and accurate account of the transactions, receipts and vouchers, and may specify the formats for maintaining accounts of transactions and receipt of payment in respect of the electronic services delivered; such records shall be produced for inspection and audit before an agency or person nominated by the appropriate Government.
The appropriate Government may also cause an audit to be conducted of the affairs of the service providers and authorised agents in the State. Such an audit may cover the security, confidentiality and privacy of information, the functionality and performance of any software application used in electronic service delivery, and the accuracy of the accounts kept by the service providers and authorised agents.
In the same manner, the Central Government has made rules with regard to the protection of sensitive personal data or information: the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. For the first time, a definition of 'personal information' has been incorporated, in rule 2(1)(i): 'personal information' means any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. Rule 3 defines sensitive personal data or information of a person as such personal information which consists of information relating to: (i) password; (ii) financial information such as bank account, credit card, debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to a body corporate for providing a service; and (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise; provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.
Further, a body corporate, or any person who on its behalf collects, receives, possesses, stores, deals in or handles information of a provider of information, shall provide a privacy policy for handling or dealing in personal information, including sensitive personal data or information, and ensure that it is available for viewing by the providers of information who have provided such
information under lawful contract. Such policy shall be published on the website of the body corporate or of any person on its behalf and shall provide for:
ii) the type of personal or sensitive personal data or information collected under rule 3;
iii) the purpose of collection and usage of such information;
Moreover, the body corporate or any person on its behalf shall obtain consent in writing, by letter, fax or e-mail, from the provider of the sensitive personal data or information regarding the purpose of usage before collecting such information. The body corporate or any person on its behalf shall not collect sensitive personal data or information unless:
While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned has knowledge of:
A body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which it may lawfully be used, or is otherwise required under any other law for the time being in force. The information collected shall be used only for the purpose for which it was collected. The body corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they have provided, and shall ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient is corrected or amended as feasible; provided that a body corporate shall not be responsible for the authenticity of the personal information or sensitive personal data or information supplied by the provider of information to the body corporate or to any other person acting on its behalf.
The body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, give the provider of the information the option not to provide the data or information sought to be collected. The provider of information shall also, at any time while availing of the services or otherwise, have the option to withdraw consent given earlier to the body corporate. Such withdrawal of consent shall be sent in writing to the body corporate. In the case of a provider of information not providing or later
/
withdrawing his consent, the body corporate shall have the option not to provide Common Cyber Crimes and
goods or services for which the said information was sought. Government Laws and Rules
in Information Security
-
A body corporate or any person on its behalf shall keep the information secure.
A body corporate shall address any discrepancies and grievances of the provider of the information with respect to the processing of information in a time-bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of the provider of information expeditiously, and in any case within one month from the date of receipt of the grievance.
A body corporate or any person on its behalf may transfer sensitive personal data or information, including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection as is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate (or any person on its behalf) and the provider of information, or where such person has consented to the data transfer.
The body corporate, or a person on its behalf, who has implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified shall be deemed to have complied with reasonable security practices and procedures, provided that such standard or codes of best practices have been certified or audited on a regular basis by an independent auditor duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year, or as and when the body corporate or a person on its behalf undertakes a significant upgradation of its process and computer resource.
3.7 LET US SUM UP
This unit is an effort towards answering some of the fundamental queries about cyber crimes related to information security. The IT Act deals with both 'cyber contraventions' and 'cyber offences'. It identifies criminal conduct vis-a-vis a computer network, computer system or computer, and introduces the power to prosecute those who deliberately and without authorization misuse computer systems. The Government has framed rules under the Act to provide for data security and privacy.
1) Cyber crime is the latest and perhaps the most complicated problem in the cyber world. "Cyber crime may be said to be those species, of which, genus is the conventional crime, and where either the computer is an object or subject of the conduct constituting crime". "Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime".
2) Such crimes are quite different from traditional crimes because of the use of a digital platform. The demarcation lies in the involvement of the medium in cases of cyber crime: the sine qua non for cyber crime is that there should be an involvement, at any stage, of the virtual cyber medium. Due to their peculiar nature, cyber crime investigation is technical, and it is quite difficult to collect direct evidence.
1) Against Individuals:
ii) Cyber-stalking.
iv) Defamation.
i) Computer vandalism.
iii) Netrespass.
vi) Internet time-thefts.
Against Organization:
iii) Trafficking.
vii) Forgery.
• www.naavi.org
• www.cyberlawsindia.net
• www.cybercellmumbai.com
MPDD-IGNOU/P.O. 1T1 July 2011
ISBN: 978-81-266-5528-1