Cyber Security in India

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

As per Section 43 of the Information Technology Act, 2000 (IT Act), if any person accesses or secures access to a computer, computer system, computer network or resource without the permission of the owner or the person in charge of such computer, he will be liable to pay damages by way of compensation to the affected person. Further, section 66 of the IT Act states that any person who commits any ‘computer related offence’ as provided under section 43 will also be punishable by imprisonment for up to three years, or a fine of up to Rs. 5,00,000, or both. Accordingly, access to third party data stored on a computer, computer network, resource or system is unlawful and punishable under the IT Act.

It may also be relevant to discuss the manner in which personal information is dealt with under the IT Act. The IT Act defines “personal information” to mean “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) further categorise personal information into a category known as “sensitive personal data or information” (SPDI). SPDI has been defined to mean personal information relating to passwords, financial information, physical or mental health condition, sexual orientation, medical records or biometric information.

As per the IT Act and Privacy Rules, bodies corporate may collect, store, process, dispose of, transfer and use personal information as long as they have notified the person whose data is being collected (Data Subject) of the fact that the data is being collected, the purpose and use of such data, and the intended recipients of the data. In the case of personal information amounting to SPDI, the threshold further increases, and the express written or electronic consent of the Data Subject is required prior to collecting, using, processing, transferring, storing or disposing of SPDI. Bodies corporate handling personal information are also required to maintain reasonable security practices and procedures. Any access or storage of third party personal information without complying with the requirements under the Privacy Rules would be a violation of section 43A of the IT Act. As per section 43A, where a body corporate possessing, dealing with or handling any SPDI in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate would be liable to pay damages by way of compensation to the person so affected. The compensation that may be payable is not capped under the IT Act. Furthermore, non-compliance with the Privacy Rules would generally attract the residuary penalty under the IT Act, as per Section 45. Section 45 states that any contravention of the rules or regulations under the IT Act will be penalised with a fine of up to Rs. 25,000.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

While no specific legal mechanism exists with regard to data breaches, civil courts in India have the power to order discovery by making necessary or reasonable orders for the production, discovery, inspection or impounding of documents or other material which may constitute evidence. Therefore, where the perpetrator is known, an aggrieved individual may approach a civil court and invoke this power to identify the nature, extent and intentions of a data breach.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

No, there is no general restriction on the use that may be made of information or documentation obtained in this regard through a legal process.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

As a general rule, court proceedings are open to the public. Only in rare cases do courts exercise their inherent powers to conduct proceedings in private, for example in proceedings involving matrimonial disputes or rape. Indian courts have so far never exercised this discretion with regard to incidents of data breach. However, it would be possible for an aggrieved party to request the court to conduct proceedings in private and restrict publication of the consequent orders or judgment.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

Yes, under Indian law the restriction of res judicata would only apply where a suit or issue has been previously heard and finally decided by a competent court. As such, withdrawing, abandoning or staying legal proceedings prior to final determination would not prevent a party from commencing proceedings in another jurisdiction.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes, under Indian law an entity collecting a Data Subject’s “Personal Information” or SPDI (Data Collector) is required to comply with reasonable security practices and procedures. This requires the implementation of security practices, standards and policies that are commensurate with the nature of the information being protected. As part of this requirement, a Data Collector is required to take measures to prevent unauthorised disclosure or transfer of such information. For the purpose of the above requirements, “Personal Information” includes any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Yes, Indian law restricts and regulates the transfer of Personal Information and SPDI to any recipient, including a recipient situated in a foreign jurisdiction. Transfer of Personal Information or SPDI to a recipient in India or any foreign jurisdiction is permitted provided:

  • The recipient ensures the same level of data protection that is adhered to by the Data Collector under Indian law; and
  • The transfer:
    • is necessary for the performance of a lawful contract between the Data Collector and the Data Subject; or
    • has been expressly consented to by the Data Subject.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

No.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

Yes, under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, all data centers, service providers, intermediaries and companies are required to report certain “cyber security incidents”, including unauthorised access to data and IT systems, to the Indian Computer Emergency Response Team (CERT-In). Such reports are required to be made within a reasonable time, so as to leave scope for appropriate action by the authorities. The format and procedure for reporting cyber security incidents have been provided by CERT-In on its official website (http://www.cert-in.org.in/).

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

No.