India’s New Cyber Security Legal Regime
By MYBRANDBOOK
Dr. Pavan Duggal
Chairman
International Commission On Cyber Security Law
In today’s ecosystem, cyber security is gaining tremendous significance and is being extensively targeted by both state and non-state actors. In this regard, we need to appreciate that today India does not have any dedicated cyber security law in place. Instead, we rely on the Indian Cyberlaw, the Information Technology Act, 2000, for guidance on cyber security.
Way back in 2008, we came up with a very extensive definition of cyber security under the Information Technology (Amendments) Act, 2008. The said definition defines cyber security to mean protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. This is a futuristic kind of legal definition that has stood the test of time in the last 14 years and continues to guide us.
Under the amendments to the Information Technology Act, 2000, we did come in with some cosmetic provisions pertaining to cyber security. However, the vast gamut of cyber security issues has still not been covered under the Information Technology Act, 2000 and the rules and regulations made thereunder.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 have mandated intermediaries to implement reasonable security practices and procedures, being ISO 27001, while discharging their obligations under the prevailing law. Meanwhile, in 2013, we saw India coming up with the National Cyber Security Policy. The said Policy was a great policy document, except that as a nation, we have not been able to implement it. The National Cyber Security Policy 2013 transformed itself into a paper tiger. As a result, we are all waiting for the National Cyber Security Strategy that is about to be released very shortly by the Government, which should actually guide all stakeholders in the governmental and private ecosystem on their respective roles and duties on cyber security.
On 28th April, 2022, the Government of India introduced a new set of directions. These Directions have been issued under Section 70B of the Information Technology Act, 2000, specifically by the Indian Computer Emergency Response Team (CERT-In). We need to note that in India, the nodal agency on cyber security is the Indian Computer Emergency Response Team (CERT-In), thanks to the specific provisions in this regard under Section 70B of the Indian Information Technology Act, 2000.
Through these Directions, India has sought to identify and address some of the loopholes that exist in the cyber security legal frameworks in the country. These Directions are very significant because they represent a great resolve of the Government to go ahead and work towards strengthening the cyber security of the Indian networks and of Indian Critical Information Infrastructure. Under Section 70B, the Indian Computer Emergency Response Team (CERT-In) has the power to go ahead and issue any number of directions which are essential for protection and preservation of cyber security.
These Directions were published on 28th April, 2022. A period of 60 days has been given to all stakeholders to comply with their parameters.
We need to understand that these Directions are not directory; they are mandatory, and they apply to five distinct categories of legal entities. They apply to service providers, intermediaries, data centers, body corporates and governmental organizations. In a nutshell, these Directions are very comprehensive. They cover cyberspace, Internet of Things (IoT), Artificial Intelligence, Blockchains and a variety of newly emerging paradigms like Machine Learning, 3D and 4D printing, additive manufacturing and drones. The service providers can always be given an order or direction by the Indian Computer Emergency Response Team (CERT-In), and the directions can be given for the purposes of cyber incident response, protective and preventive actions related to cyber incidents.
Once such a direction is given, the service provider/intermediary/data centre/body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. The order / direction may include the format of the information that is required (up to and including near real-time). The next time any legal entity gets a mandate or an order from the Indian Computer Emergency Response Team (CERT-In), it will be duty bound to provide the said information. CERT-In can use the said information, analyze the same and take steps to ensure that other stakeholders are not impacted by similar stuff. The concerned service provider will have to maintain electronic logs of all their ICT systems securely for a rolling period of 180 days.
Further, there are data localization requirements. All logs of ICT systems shall be maintained within the Indian jurisdiction. These will have to be provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.
Log retention and electronic information retention are crucial elements of the said Directions. So covered stakeholders cannot feign ignorance and have no choice but to comply with the said Directions. These Directions will further help the Government to protect Indian governmental and corporate computer systems, computer networks, computer resources as also data resident therein. Imposing criminal liability is a really very interesting legal strategy that has been adopted by these very Directions for the purposes of enforcing them in a stringent manner.
The beauty is that these Directions have also been given extra territorial applicability.
The central key message is that compliance is of crucial mandatory necessity. Non-compliance with these Directions will be tantamount to playing with fire. Not only would the corporates and covered organizations be exposed to criminal prosecution, but the relevant officers in charge of cyber security, or those who are looking after the networks and computer systems of the said organizations, shall also be exposed to criminal liability. These Directions represent a major milestone. Let’s not take them as a normal notification that the Government has given. There is a criminal liability attached, and having documentary proof of compliance will be of crucial necessity for all stakeholders.
India is not reinventing the wheel. Globally, countries are coming up with similar data breach notification laws. They are ultimately aimed in the direction of strengthening the hands of the sovereign nation states in fighting the menace of cyber security breaches and strengthening their cyber security ecosystem. A lot of countries already have either dedicated laws on data breach notification or some of them have put data breach requirements as essential elements and ingredients of their national cyber security laws. India’s foray in data localization is also nothing new. Russia has already come up with data localization under its RuNet law. China has also extensively followed data localization in its cyber security law.
India has only begun to wake up to the immense power and the potential of humungous data that is getting generated by Indians, and therefore generation and retention of data within India becomes of crucial necessity. We are all working in the direction of data economy and Web 3.0, where more and more data is going to fly all across and cyber security breaches will become the new normal. Hence, corporate and other stakeholders are best advised to ensure compliance and save their exposure to criminal liability and legal consequences. Due diligence, caution, care and due compliance with law are the only steps to safeguard the relevant body corporates.
This is an area where all of us have to learn. I am sure that the legal jurisprudence is going to constantly evolve as we go forward in India’s new cyber security legal framework. This may be the first big initiative but definitely not the last. We are going to see far, far more initiatives in this regard in the coming future.