With India now witnessing deep penetration of smart technology oriented around the Internet of Things (IoT), it is only natural for industry players to opt for top-notch security solutions. However, this may not always be the case for the small and medium enterprises (SMEs), which have also mushroomed by the dozen (on almost a monthly basis) of late. Keeping SMEs as the focal point, it is worth understanding that Indian cyber-security laws guarantee a degree of protection in case of digital security breaches.
To understand the cyber-security scenario in India from the legal viewpoint, and to obtain clarity on dealing with security breaches via the law, Rahul R of Electronics For You spoke to Biju Nair, who is Executive Director at Software Freedom Law Centre India and a practising lawyer. Biju shed light on aspects ranging from provisions in the Indian cyber laws to things that act as actual deterrents to cyber criminals.
Q. What are the provisions in the Indian cyber laws with respect to IoT security breaches? How are victims of such attacks protected under law?
A. At this juncture, it is worth understanding that in India there are both sectoral regulations as well as broad frameworks classified under the Information Technology (IT) Act. In case an individual falls prey to a data breach, there is Section 43(A) of the Information Technology Act, 2000, that entitles an affected person to approach civil courts for compensation.
Q. In case companies fall prey to an IoT security breach, what immediate steps should victims take from a legal perspective?
A. From the legal perspective, in case of digital security breaches, victims should immediately notify the Computer Emergency Response Team (CERT) that is governed by the IT Act. Even Section 70 (B) mentions CERT as the nodal agency. Victims should keep in mind the fact that offering complete information to CERT about security breach incidents is vital.
Secondly, after an incident happens, the underlying security mechanism should be evaluated and strengthened if required. Even after attacks happen, there must be regular audits to eliminate the possibility of potential attacks in the future.
Additionally, sectoral regulators, viz. RBI, SEBI and IRDA, also need to be notified.
Q. Talking about security attacks, post an attack, can victims make use of the Right To Information (RTI) laws?
A. Foremost, it is worth understanding that all information offered by companies to CERT is confidential. Unless courts seek these details, the information cannot be divulged to the public. Therefore, Right to Information laws are not the right tool.
Seeking assistance from CERT and sectoral regulators would be advisable.
Q. As far as cyber cells are concerned, in the ‘IT hub’ Bangalore, there is a dedicated cyber cell that hardly sees complaints (as per statistics). What do you think could be the reason for this disappointing trend?
A. Primarily, lack of awareness is the key issue. In most cases, victims are ignorant with respect to approachability. Even the IT acts are not communicated effectively to the public.
An illustration here is obtained when we consider a banking scenario; banks should clearly inform customers about the dos and don’ts (with respect to digital security) at periodical stages. This is not adhered to by the heads of most of the financial institutions based in India today.
Periodic awareness and stricter enforcement, along with an easier/simpler reporting mechanism, are the need of the hour. An additional cyber cell is needed.