Friday, April 19, 2024

Awareness And Enforcement Of Cyber-Security Laws Will Take Our ‘Digital India’ Places

With India now witnessing deep penetration of smart technology driven by the Internet of Things (IoT), it is only natural for industry players to opt for top-notch security solutions. However, this may not always be the case with small and medium enterprises (SMEs), which have mushroomed by the dozen (on almost a monthly basis) of late. Keeping SMEs as the focal point, it is worth understanding that Indian cyber-security laws guarantee a degree of protection in case of digital security breaches.

To clearly understand the cyber-security scenario in India from the legal viewpoint, and to obtain clarity on dealing with security breaches via the law, Rahul R of Electronics For You spoke to Biju Nair, Executive Director at Software Freedom Law Centre India and a practising lawyer. Biju shed light on aspects ranging from provisions in the Indian cyber laws to the things that act as actual deterrents to cyber criminals.


Q. What are the provisions in the Indian cyber laws with respect to IoT security breaches? How are victims of such attacks protected under law? 

Biju Nair, Executive Director at Software Freedom Law Centre India

A. At this juncture, it is worth understanding that in India there are both sectoral regulations as well as broad frameworks classified under the Information Technology (IT) Act. In case an individual falls prey to a data breach, there is Section 43(A) of the Information Technology Act, 2000, which entitles an affected person to approach civil courts for compensation.

Q. In case companies fall prey to an IoT security breach, what immediate steps should victims take from a legal perspective?

A. From the legal perspective, in case of digital security breaches, victims should immediately notify the Computer Emergency Response Team (CERT) that is governed by the IT Act. Even Section 70 (B) mentions CERT as the nodal agency. Victims should keep in mind the fact that offering complete information to CERT about security breach incidents is vital.

Secondly, after an incident happens, the underlying security mechanism should be evaluated and strengthened if required. Even after attacks happen, there must be regular audits to eliminate the possibility of potential attacks in the future.

Additionally, sectoral regulators, viz. RBI, SEBI and IRDA, also need to be notified.

Q. Talking about security attacks, post an attack, can victims make use of the Right To Information (RTI) laws?

A. Foremost, it is worth understanding that all information offered by companies to CERT is confidential. Unless courts seek these details, the information cannot be divulged to the public. Therefore, the Right to Information laws are not the right tool.

Seeking assistance from CERT and sectoral regulators would be advisable.

Q. As far as cyber cells are concerned, in the ‘IT hub’ Bangalore, there is a dedicated cyber cell that hardly sees complaints (as per statistics). What do you think could be the reason for this disappointing trend?

A. Primarily, lack of awareness is the key issue. In most cases, victims are ignorant with respect to approachability. Even the IT acts are not communicated effectively to the public.

An illustration here is obtained when we consider a banking scenario; banks should clearly inform customers about the dos and don’ts (with respect to digital security) at periodical stages. This is not adhered to by the heads of most of the financial institutions based in India today.

Periodic awareness and stricter enforcement, along with an easier/simpler reporting mechanism, are the need of the hour. An additional cyber cell is needed.

Q. Now since you are vociferous in your appeal for strict enforcement of digital security laws, what are your recommendations from a technical viewpoint that lawmakers should take note of?

A. I would say that encryption should strongly be enforced at all levels. This should be followed by regular security audits.

Establishment of a custom point of contact (PoC) is also imperative in today’s technical age. Most of the companies today (irrespective of scale) do not possess a technically competent PoC. This should be enforced by the government. In case of improper PoCs, even CERT shies away from contacting victims in case of security breaches.

Further, there is an urgent need for data protection laws and privacy laws to be in force; otherwise users would lose trust in the digital economy.

Q. Any other fundamental cyber security aspects which you think that the policy makers are missing out on now?

A. There are two aspects: awareness and specific enforcement. When you take the Aadhaar database, the data over there is the most important; the data available is vital for any business. The Aadhaar database also seemingly looks like a target for cyber-criminals from other nations.

Any government wants data; this could lead to a situation wherein a customer data leak takes place, even on the lines of the ‘Big Brother Snooping Down’. I think that despite Digital India being an excellent initiative, there should be multiple layers of underlying security. There must be forums where Digital India initiatives such as e-payment gateways are tested for vulnerabilities. I think that the government of India should also reward developers and testers for coming out with bugs in the Digital India offerings.

