ABSTRACT
This research paper provides an overview of the legal framework governing liability and accountability for cyberattacks and data breaches in India. The paper discusses the Information Technology Act, 2000, and its relevant sections that deal with cyber security and data protection. It further highlights the responsibilities and liabilities for individuals and businesses and the jurisdiction of courts concerning these acts.
With the rise of technology, cybersecurity breaches have become increasingly common and pose a significant threat to individuals and businesses. Cyber attacks can have severe financial consequences and cause damage to reputation, making it essential to understand the legal framework governing liability and accountability for such attacks.
In India, the Information Technology Act, 2000, deals with cyber security and data protection, with Section 43A and Section 72A specifically handling liability and accountability for cyber attacks.
Section 43A holds a body corporate or any individual responsible if they have possession, handling, or dealing with sensitive personal data or information and are negligent in implementing and maintaining reasonable security practices and procedures. The inadequate security results in wrongful losses or gains to a person, in which case they will have to pay damages, which cannot be less than 5 crore rupees.
Section 72A mentions that any individual who accesses the personal information of another person while providing services under lawful terms and conditions, with the intent to cause wrongful loss, shall face imprisonment for up to 3 years or a fine or both.
The IT Act gives the Cyber Appellate Tribunal or a court having jurisdiction over the subject matter the authority to adjudicate. These provisions apply to cyber attacks and data breaches that involve computers, computer systems, and computer networks.
In conclusion, the IT Act provides the legal framework to handle cyber attacks and data breaches and holds people and companies liable when they fail to maintain reasonable security practices for safeguarding sensitive personal data.
Introduction
The technological advancement and connectivity offered by the internet have brought several benefits to both individuals and businesses. However, it has also increased vulnerability to cyber threats such as cyberattacks and data breaches, resulting in the need for data protection and cybersecurity laws. Cyberattacks can cause significant financial losses and damage reputation, making it crucial to understand the legal framework governing such attacks’ liability and accountability and for individuals and businesses to safeguard their sensitive data. The primary law in India that deals with cyber security and data protection is the Information Technology Act, 2000. This study aims to analyze this act’s relevant sections to comprehensively evaluate the legal framework governing cybersecurity and data protection in India, along with the current literature.
Research Methodology
This paper is a review of literature coupled with comprehensive secondary research of data sources, including government reports, academic papers, and articles from prominent organizations such as the Data Security Council of India (DSCI) and National Cyber Security Coordinator. The review of literature will analyze recent scholarly articles on data protection and cybersecurity in India.
Review of Literature
A study conducted by Bhavishya Sundar and Saurabh Bhattacharya (2020) on ‘Legal Implication of Cyber Security in India’
India’s Information Technology Act 2000 addressed cyber risks and cybersecurity breaches. It includes several important provisions that deal with data protection, Cybercrime and cybersecurity breaches. Section 43 A of the IT Act imposes liability on a body corporate or any person who is possessing, dealing or handling any sensitive personal data or information and is negligent in implementing and maintaining reasonable security practices and procedures, which results in wrongful loss or wrongful gain to any person. In such cases, the body corporate or person shall be liable to pay damages, which shall not be less than five crore rupees. Section 72A of the IT Act states that any person, who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, discloses such material to any other person, shall be punished with imprisonment up to three years or a fine, or both. Therefore, this act is very instrumental in ensuring adequate liability and accountability in the case of cyberattacks.
This study discusses the liabilities arising from hacking, phishing or identity theft, and the remedies available under Indian laws. Another study titled ‘Cybersecurity and Privacy Challenges in India: Framework, Solutions and Recommendations’ by Shweta Pandey and Puneet Kumar Sharma (2018) examines the privacy and security issues and provides recommendations on how to strengthen the cybersecurity framework.
The Data Security Council of India (DSCI) is a not-for-profit industry body that works towards enhancing the cybersecurity and privacy ecosystem in India. They provide industry insights, best practices, and policy recommendations to stakeholders. The organization’s website also offers courses, certifications, and training programs on cybersecurity and data protection.
Method
This study conducted secondary research that critically analyzed comprehensive data sources to scrutinize the Information Technology Act, 2000, and its applicability to cybersecurity and data protection. The study includes the review of the above-mentioned articles and academic papers as well as other relevant data sources.
2.A study by Vaishali Lohiya and Sanjaya Kumar Panda called ‘Cybercrime in India: Issues and Challenges ‘
The growing dependence on technology and the internet has increased the vulnerability of individuals and businesses to cybercrimes such as cyberattacks and data breaches. Effective cybersecurity measures and strong data protection laws have become crucial to safeguard sensitive information. This literature review analyzes recent studies and reports on cybersecurity and data protection from various sources, including academic papers, government reports, and organizations such as the World Economic Forum (WEF) and the International Association of Privacy Professionals (IAPP).
According to the WEF, cybersecurity is among the top global risks in terms of likelihood and impact. In its report ‘Global Risks Report 2019,’ the WEF highlights the risk of cyberattacks, data breaches, and cyber threats to critical infrastructure. It also assessed that the risk of data fraud or theft is increasing with the growing digital landscape.
The International Association of Privacy Professionals conducted a survey in 2019, where 84% of respondents believed that their organizations have become more vulnerable to cyberattacks in the last year. Besides, 78% felt that the risk of a data breach is growing. The respondents identified social engineering and phishing attacks, ransomware, and advanced persistent threats (APTs) as the most significant threats to their organizations.
India, being one of the largest markets for cybersecurity solutions, has enacted several laws to address the issues of cyber risk and cybersecurity breaches. The Information Technology Act, 2000, is the primary law that deals with data protection and cybersecurity in India. Several provisions in this act focus on data protection, Cybercrime, and cybersecurity breaches. The act imposes liability on a body corporate or any person who possesses, deals, or handles sensitive personal data or information and negligently implements and maintains security practices and procedures that result in wrongful loss or gain.
The article highlights that the low conviction rate of cybercrimes in India is due to the lack of awareness of appropriate legal action available to the affected individuals.
The review of literature highlights the growing concerns around cybersecurity and data protection and the need for effective measures to prevent cyberattacks and data breaches. The studies reveal that cyber threats pose significant risks to businesses worldwide, resulting in significant financial losses. The Information Technology Act, 2000, provides a sound legal framework for data protection and cybersecurity breaches in India. However, there is a need for raising awareness to increase knowledge of the implementation of this Act. Enhancing cybersecurity measures, creating awareness, and conducting training sessions, workshops, and seminars are required to counter the ever-evolving cyber threat landscape.
Suggestions
The Information Technology Act, 2000, provides a legal framework and liability in the case of cyberattacks and data breaches; however, implementation can be challenging. The Act needs to be updated continuously to address new challenges posed by rapidly evolving technology. Organizations and institutions in the public as well as private sector should invest in robust and sophisticated cybersecurity measures and develop an effective incident response plan. The government of India can promote awareness and the development of human capital by conducting training sessions, workshops, and seminars.
Conclusion
The study analyzes the legal framework governing liability and accountability in India concerning cyberattacks and data breaches and comprehensively evaluates the existing literature related to data protection and cybersecurity. The Information Technology Act, 2000, provides adequate legal measures to deal with cybercrimes; however, they require further development and strengthening. The study recommends reinforcing the Act and the continuous updating of regulations, strengthening cybersecurity and data protection measures and creating awareness and promoting the development of human capital.
Samen Shah