“The unseen threat is the most fearsome…”
Year 2020, began with the biggest upheaval that the humankind could have witnessed, i.e., the onset of Covid- 19. This unfathomable and unseen threat has had domino effect in our lives. While most of us have been caged (un/luckily) in our homes, the virtual lives have gotten the most of us, making each of the individual stick to their systems for prolonged hours. From ordering food and clothes online to attending meetings, or for even being a part of social events, the society is not only technology driven, but also technologically dependent. Like its said, “living remotely is the new reality.”
India witnessed several attacks of data beaches in past one year of pandemic, some of them being of MobiKwik, Airtel, BigBasket and so on. Considering the amount of reliance, the people currently have on internet, right from work to entertainment, there is a bleak possibility of the decrease in such numbers, especially when India’s digital vaccine delivery and distribution (VDD) infrastructure is the backbone of its national level COVID-19 vaccination plan.
The adversity of second wave along with the ongoing plan of vaccination drive is the most lucrative opportunity for all the cyber-criminals to focus on India- let alone the fact that we are one of the most vulnerable countries as well.
This entire discussion regarding the emerging and ever-increasing threat of Cyberattacks leads us towards one question- What is the role of Cyber Law and how can it help us to cure/prevent such incidents?
In India, even though we do not have a separate legislation that deals with cybersecurity, the rules and regulations drafted under the Information Technology Act, 2000, deals with the aspect of cybersecurity and the cybercrimes. The Act specifically deals with some of the offences like, hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft. The Act also enumerates provisions that aim at safeguarding electronic data, information or records, and preventing unauthorized or unlawful use of a computer system.
As an immediate response to the cyber threat and procuration of any such information related to suspected threats in India, an agency of the Government called the Indian Computer Emergency Response Team was appointed. The agency is responsible for collection, analysis and dissemination of information on cyber incidents and taking emergency measures to contain such incidents.
In order to further protect the data and prevent the instances of breach of such data privacy as punishable, the following rules have been brought into force:
- Information Technology (Intermediaries Guidelines) Rules, 2011 (the Intermediaries Guidelines): The intermediaries, like Amazon, Facebook, are protected under the safe harbour provision (Section 79) of the IT Act. The safe harbour provision rests on the principle of “don’t shoot the messenger”. However, as the law evolved with need of the society, the rules for intermediaries were framed to provide certain pre- requisites for entitlement of such waiver. These rules require an intermediary to implement reasonable security practices and procedures for securing their computer resources and information contained therein. The rules also make it incumbent upon the intermediaries to report instances of cyber threat or theft to the Computer Emergency Response Team, constituted as a nodal agency under Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013.
- Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (“the SPDI Rules”): These rules make it mandatory for an organization or person located in India to seek prior consent before obtaining the SPDI. The Rules also necessitates appointment of Grievance Officer, who shall be the point of contact for the person suffering from such breach or privacy infringement.
- Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018 (“the Protected System Rules”): These rules prescribe the requisite infrastructure, i.e., the “protected system” required for enforcement of security practices and protective measures towards the data defined as “Highly Sensitive”. The rules also constitute the Information Security Steering Committee, where such “protected system” exists. The Committee shall comprise the Higher Management of the Company and be regulated under the chairmanship of CEO/ MD or Secretary of the Organization.
Other than the IT Act, Indian Penal Code also punishes the offences under the Code committed in cyberspace like defamation, obscenity, cheating etc.
Most of these laws have been drafted expansively, covering various forms that these acts of cyber attacks can take. However, their loose implementation and lack of enforcement measures, make them ineffective in various scenarios. Another setback these legislations suffer is the sector- specific and limited applicability.
The pandemic caused due to Covid- 19 has wider implications, like unemployment and long hours of in- house activities which add to such threats in the cyber world. The world- wide pandemic thus also calls for such a world- wide action and implementation of overall cyber security and minimizing of such threats.
