Archive for ◊ October, 2012 ◊

• Saturday, October 20th, 2012

GEETA DALAL

Encryption technology is widely used for many legitimate personal and business purposes. In fact many crucial public services cannot be safely and effectively performed if encryption is not deployed and used. For instance, we cannot safely and securely conduct online banking transactions without effective use of encryption methodology. Thus, Encryption Policy of India is Needed to be formulated as soon as possible.

We have no National Encryption Policy of India and in the absence of any such Policy Encryption related issues cannot be effectively managed in India. There is no doubt that Indian Encryption Policy Must be Formulated as soon as possible. Further, dedicated Encryption Laws and Regulations in India are also required. We also need dedicated Cyber Security Laws of India.

Use of Encryption in India has never been smooth. Intelligence Agencies in general and Central Home Ministry of India in particular are very much concerned about use of Encryption beyond 40 bits. However, what Home Ministry is not realising is that anything below 128 bits of encryption is definitely “Unsafe” and anything below 256 is “Potentially Unsafe”.

The Stakeholders that need “Higher Encryption Level Protection” include Banks, Stock Exchanges, E-Mail Service Providers, Corporate Communications, Sensitive Government Communications, etc. It is “Not Feasible” to ask for Encryption Level below 256 bits.

Obviously, Indian Government has to take care of National Security and Law Enforcement needs as well. This does not mean we should have a “Weak Cyber Security Infrastructure” in India. On the contrary, we must ensure a Strong, Robust and Resilient Cyber Security Infrastructure for India.

At Perry4Law Techno Legal Base (PTLB) we believe that India should invest in establishing good Techno Legal Cyber Security Capabilities on the one hand and Cyber Skills and Intelligence Gathering Skills Development in India on the other hand. We believe that E-Surveillance can never be an “Alternative” for good and effective Cyber Security and Intelligence Gathering Capabilities. E-Surveillance must “Supplement” Intelligence Gathering Skills and “Not Supplant” the same.

This entire problem is happening because we have no Encryption Policy in India that clearly demarcates what level of Encryption can be used and what level cannot be. Further, we have no Legal Framework regarding Encryption usage in India.

We also have no Encryption Laws in India or Encryption Framework and Norms in India that have been “Prescribed” by the Parliament of India. All we have are “Encryption Guidelines” that are incorporated in various “Civil Contracts” with Telecom Companies and other such Companies. At most they are “Departmental Guidelines” but they do not have the “Force of Law”.

They are indirectly made applicable as “Forced Conditions” by the Telecom Companies and other Stakeholders. The “Legality” of this is very much doubtful as “End Users” have no “Autonomy” and “Free Choice” in such cases.

The Cyber Law of India, as applicable through Information Technology Act 2000 (IT Act 2000), has a single provision in this regard. Section 84A of IT Act 2000 says that the Central Government may prescribe the modes or methods of Encryption. Till now the Central Government has not prescribed any “modes or methods” of Encryption usage in India. In fact, the IT Act 2000 is so “Badly Drafted” that many of its provisions are “Unconstitutional” and there is an urgent need to “Repeal” the Cyber Law of India.

It is high time for us to formulate a Techno Legal Encryption Policy for India as soon as possible. The Encryption Policy of India must keep in mind the Commercial, Cyber Security, Cyber Law, National Security, Intelligence Agencies and Law Enforcement requirements.

Further, the Indian Encryption Policy must also keep in mind the Civil Liberties in Cyberspace. Recently, the United Nations has declared that “Access to Internet” is a Human Right. Indian Government must “Balance” the National Security Requirements with Human Rights in Cyberspace as giving “Primacy” to one over another is not feasible.

Perry4Law and PTLB hope that Indian Government would take immediate steps to accommodate these “Suggestions” of ours.

• Saturday, October 20th, 2012

Data Protection Laws In India Are Urgently Needed

Of late India has become super active for formulating norms and rules pertaining to data protection laws in India and data security laws in India. Although this is just the exploration stage yet legal frameworks for data protection and data security may be in pipeline. There is no second opinion that Indian data security laws are urgently needed and we cannot postpone it anymore.

Data Protection and Privacy Protection are very important these days. Data and privacy must be protected with techno legal means so that sensitive information of individuals and organisations is not compromised. Data is very crucial and valuable these days when virtually everything is done in an online environment.

We have no dedicated Data Protection Laws In India. Data of individuals and companies require both constitutional as well as statutory protection. The constitutional analysis of Data Protection In India has still not attracted the attention of either Indian individuals/companies or the Indian government.

The statutory aspects of data protection in India are scattered under various enactments. The Information Technology Act 2000 (IT Act 2000), which is the Cyber Law Of India, also incorporates a few provisions regarding data protection in India. However, till now we have no dedicated statutory and constitutional Data Privacy Laws In India and data protection law in India.

Further, we do not have a dedicated Privacy Law In India as well. Privacy Rights In India are still not recognised although the Supreme Court Of India has interpreted Article 21 Of Indian Constitution as the source of privacy rights in India. Just like data protection, provisions pertaining to privacy laws in India are also scattered in various statutory enactments. Privacy Rights And Laws In India need to be strengthened keeping in mind the Privacy Rights In India In The Information Age.

Another related aspect pertains to Data Security In India. In the absence of proper data protection, privacy rights and Cyber Security In India, data security in India is also not adequate. Further, we do not have a dedicated Cyber Security Law In India as well. Cyber Security Issues In India need more attention of Indian government as Managing India’s Cyber Security Problems is not an easy task.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that data protection requirements are essential part of Civil Liberties Protection In Cyberspace. With the growing use of information and communication technology (ICT), data protection requirement has become very important. It would not be wrong to assume privacy and data protection rights as integral part of Human Rights Protection In Cyberspace.

Perry4Law and PTLB believe that Indian government must formulate different laws for privacy, data protection and data security. The IT Act 2000 has already committed the mistake of incorporating all cyberspace related aspects at a single place. This has resulted in a chaos and we have no effective law for any aspect of cyberspace.

Perry4Law and PTLB suggest that Indian government must formulate separate laws for issues like privacy, data security and data protection.

• Saturday, October 20th, 2012

Indian Data Security Laws Urgently Needed

The need and demand for data protection laws in India and data security laws in India are increasing. This is so because data protection and data security touch almost all the spheres of personal lives and business transactions.

India has remained indifferent towards data protection and data security for long. Now Indian government has shown some inclination towards ensuring a legal framework for data protection and privacy protection in India.

Data is the backbone of any society that primarily relies upon information and communication technology (ICT). Protection of data is both the personal and proprietary requirement of various individuals and institutions. This is the reason why data must be secured through techno legal means.

As on date, we have no dedicated Data Privacy Laws In India and Data Protection Law In India. Even a dedicated Privacy Law Of India is missing. There is an urgent need to formulate Techno Legal Data Security Laws In India, Cyber Security Law In India, Privacy Rights And Laws In India, etc. While formulating such laws, we must keep in mind that Privacy Rights In India In The Information Age are different from the traditional privacy requirements.

Data security is closely related to cyber security expertise. Thus, Cyber Security Issues In India need better and focused attention of Indian government as Managing India’s Cyber Security Problems is a very delicate and tedious task. In these circumstances, Indian Data Protection Laws Are Urgently Needed. We cannot ignore Data Protection Laws In India and privacy rights in India anymore. Similarly, Encryption Laws And Regulation In India must also be formulated as soon as possible.

At the national policy levels as well the Indian government has to do lots of hard work. For instance, the Encryption Policy Of India Is Needed. Similarly, an implementable Cyber Security Policy Of India is also need of the hour.

Indian government has also suggested projects and initiatives like National Cyber Coordination Centre (NCCC) Of India, Central Monitoring System (CMS) Project Of India, National Intelligence Grid (Natgrid) Project Of India, etc that would require dealing with the data and information in a constitutional manner.

Clearly data security laws of India are urgently needed. The sooner they would be formulated the better it would be for the interest of various stakeholders in general and national interest of India in particular.

• Wednesday, October 17th, 2012

LEGAL FRAMEWORK FOR E-GOVERNANCE IN INDIA

Legal enablement of ICT systems in India and legal framework for information society of India are still missing in India. For instance, we have no legal framework for e-courts in India, online dispute resolution in India, mandatory e-governance services in India, etc. Further, we have no dedicated legal framework for cloud computing in India as on date.

Although electronic delivery (e-delivery) of services in India is needed yet in the absence of suitable policies and legal frameworks in this regard, e-delivery of services in India is still a dream.

Electronic governance in India (e-governance in India) is still at its infancy stage. Most of the e-governance projects of India under the national e-governance plan (NEGP) are still in the pipeline despite the deadline being passed long before. This is despite the fact that thousands of crores of public money has already been utilised for e-governance projects of India but without any constructive and practical results.

Meanwhile, the World Bank has once again issued $ 150 million loan to India. It has been issued under the category of e-delivery of public services development policy loan of India. The purpose of the loan is to ensure e-services delivery policy in India that is presently missing.

However, what is more alarming is the fact that in India we have no legal framework for e-governance that can ensure mandatory e-governance services in India. Although the information technology act 2000 carries provisions pertaining to e-governance services in India yet they are “non mandatory” in nature. This has resulted in a poor e-governance services delivery in India. Till now we have no legal framework that mandates that citizens and organisations can claim e-governance as a matter of right.

Further, the scope of NEGP is very wide covering almost all aspects of governance – right from delivery of services and provision of information to business process re-engineering within the different levels of government and its institutions. It is essential that NEGP is implemented, monitored and regulated through a legal framework so that it is no more just a plan but reality.

In fact, while implementing the NEGP, various structural and institutional issues have already arisen which clearly call for a statutory mandate for their resolution. The purpose would be to give statutory mandate to the institutional entities, setting up of a separate fund, defining responsibilities and providing for time frames and oversight mechanisms. Thus, this legislation may, inter alia, contain provisions regarding the following:

(a) Definition of e-governance in the Indian context, its objectives and role,

(b) Coordination and oversight mechanisms, support structures at various levels, their functions and responsibilities,

(c) Role, functions and responsibilities of government organisations at various levels,

(d) Mechanism for financial arrangements including public-private partnership,

(e) Specifying the requirements of a strategic control framework for e-government projects dealing with statutory and sovereign functions of the government,

(f) Responsibility for selection and adoption of standards and inter-operability framework,

(g) Framework for cyber security, privacy protection, data security and data protection etc,

(h) Parliamentary oversight mechanism, and

(i) Mechanism for co-ordination between government organisations at Union and State levels.

Source: ICTPS Blog

• Wednesday, October 17th, 2012

GEETA DALAL

Cloud computing is a commercial project that most of the IT vendors of the world would love to launch in India. This is so because India has a large market for cloud computing business. However, the crucial question is whether India is ready for cloud computing. In short, we have to check whether cloud computing is viable for India especially when techno legal experts of India have answered in the negative.

There are many hurdles for the successful implementation of cloud computing framework in India. The biggest among them is absence of legal framework for cloud computing in India. Further, allied legal frameworks are also missing that makes use of cloud computing in India non feasible and prone to numerous legal challenges.

For instance we have no dedicated privacy laws in India, data security laws in India and data protection laws in India. Further, India is fast becoming an endemic e-surveillance society in the absence of proper laws and constitutional procedural safeguards.

For instance, the central monitoring system project of India (CMS project of India) would have absolute control over telecommunications and Internet communications, and that too without any legal framework and parliamentary oversight. Further, companies like Research in Motion (RIM) have openly declared their support for e-surveillance activities of Indian intelligence agencies by extending cloud computing based e-surveillance model for its Blackberry messenger services.

Further, India is also the only country of the world where phone tapping and e-surveillance is done without a court warrant and beyond the judicial scrutiny. The executive branch of Indian constitution is neither accountable to the parliament of India nor to the judiciary in this regard.

All a police officer or governmental officer has to do is to approach the concerned cloud computing service provider, and it would hand over all your sensitive data and information to him without your knowledge. Further, even if the data is not physically handed over, access to the same can be given to such officer without anybody knowing of such access.

Privacy violations would definitely arise in cases of use of cloud computing in India. The only fact is that you may not be aware that your privacy rights have been violated and your sensitive and personal data is no more a secret.

Indian government must not use software as a service (SAAS) or cloud computing for governmental and public services delivery till suitable procedural safeguards against violation of civil liberties in general and privacy rights in particular are at place. Even industrial players like Infosys and CII have endorsed this viewpoint. Time has come to enact a constitutionally sound legal framework for cloud computing in India.

Source: ICTPS Blog

• Friday, October 12th, 2012

Techno Legal Initiatives Of Perry4Law And PTLB

Issues like cyber law, cyber security, cyber forensics, e-courts, etc are essentially techno legal in nature. Being techno legal in nature they require extra efforts on the part of various stakeholders. This requirement is compulsive in nature and is not confined to a single nation.

Techno legal issues pose special challenges before all nations. This is so because these issues are complex combination of both technical and legal issues. At Perry4Law and Perry4Law Techno Legal Base (PTLB) we have been spearheading many world renowned techno legal initiatives.

For instance, Perry4Law and PTLB are managing the exclusive techno legal centre of excellence for cyber forensics in India, centre of excellence on cyber security in India, virtual legal education campus in India and techno legal e-learning centre of PTLB, lifelong techno legal education in India, legal enablement of ICT systems in India, etc.

Similarly, on the education, trainings and skills development front as well Perry4Law and PTLB have been managing many initiatives. For instance, the exclusive techno legal e-learning in India is managed by PTLB whereas highly specialised and domain specific trainings and education are managed by Perry4Law Techno Legal ICT Training Centre (PTLITC).

Perry4Law and PTLB are also managing the exclusive techno legal e-courts consultancy and training centre of India, online dispute resolution services in India, e-discovery services in India, e-commerce services in India, cyber forensics services in India, cyber security services in India, LPO and KPO services in India, etc.

We are also discussing important issues pertaining to international ICT policies and strategies. Similarly, techno legal issues are specifically discussed at PTLB blog. We hope these initiatives would prove useful to all stakeholders.

Source: ICTPS Blog

• Friday, October 12th, 2012

PRAVEEN DALAL, MANAGING PARTNER OF PERRY4LAW, CEO PTLB

Electronic Courts in India are essential part of Legal Enablement of ICT Systems in India. Ensuring Legal Enablement for ICT Systems of India can bring many advantages and benefits. It can bring transparency and accountability along with speedier disposal of cases. In short, establishment of E-Courts in India can bring much needed judicial reforms in India.

Establishment of E-Courts in India is a tedious and complicated process. It requires tremendous Techno Legal Expertise without which Electronic Courts in India cannot be established.

The key advantages of establishment of Electronic Courts in India are achievement of Transparency and Efficiency, reduction in Corruption and Backlog of cases, Cost and Time Saving, Witness Protection, etc. Through E-Filing cases can be filed from any part of India and if we use E-Trials as well we would be allowing greater participation of Witnesses in Court Proceedings.

It must also be understood that there is a difference between a Computerised Court and Electronic Court (E-Court). Although we have many Computerised Courts in India, even in District Courts of Delhi and High Court of Delhi, yet we do not have a single E-Court in India till October 2012.

Till a Computerised Court is capable of Electronic Filing, Electronic Evidence Submission, etc through Internet it cannot be termed as an E-Court. Presently, physical presence at the Court’s premises is required to submit files and documents on Electronic Media like CDs and that negates the whole concept of E-Courts in India.

Lack of Techno Legal Expertise is the main reason for poor performance of E-Courts in India. Further, Governmental and Judicial Will to establish E-Courts in India are also missing. Establishment of E-Courts in India can help in reducing the backlog of cases in India. Although there are no exact figures that can be given in this regard yet I believe that establishment of E-Courts could help in reducing Backlog of cases up to 30%.

It is absolutely required to establish E-Courts in India as soon as possible. The first indication of establishment of E-Courts in India was given in the year 2003. However, till now not even a single E-Court has been established by any State or by Centre. India must establish few E-courts within the next Five years.

However, establishment of E-Courts in India in the next Five years depends upon how “Serious” we are regarding establishment of E-Courts in India. With the present “Speed” and “Commitment” we cannot establish even a single E-Court in India by 2017. However, if we start working in this direction right now, establishment of few “Experimental E-Courts” is possible till 2017. Time has come to seriously work in this regard as Electronic Delivery of Justice in India has failed to materialise so far.

• Thursday, October 11th, 2012

PRAVEEN DALAL, MANAGING PARTNER OF PERRY4LAW, CEO PTLB

Cyber security in India has not received the attention of Indian policy makers. As a result India has witnessed many sophisticated cyber security attacks against its computer systems operating at crucial departments and places from time to time. Even the terrorists are using technology to further their nefarious objectives in India. The problem is that Indian government, like any other government, is not capable of tackling cyber security issues single handedly. It needs private sector support to achieve this task.

According to Praveen Dalal, Managing Partner of the exclusive techno-legal cyber security research and training centre of India (CSRTCI), cyber security in India needs an urgent rejuvenation. He informs that till now Indian government has not thought it fit to consider cyber security as a part of National Policy.

It is obvious that India is finding it difficult to gather necessary cyber security expertise and this is resulting in a weak cyber security. Fortunately, private initiatives like CSRTCI are bridging the much needed gap of cyber security in India. The centre is providing techno-legal solutions for areas like cyber law, cyber security, cyber forensics, cyber terrorism, cyber espionage, critical ICT infrastructure protection, cyber war, etc. It is also providing techno-legal solutions for Indian projects like CCTNS, Natgrid, NCTC, etc.

CSRTCI also maintains a “repository” of software and tools for areas like cyber security, cyber forensics, penetration testing, malware analysis, encryption, steganography, etc. It also maintains a rich techno-legal literature, articles, databases, etc for ready reference.

However, the most important and crucial achievement of the CSRTCI is that it has an “Exclusive Techno-Legal Software Repository” and research literature. It also has expertise for “aggressive defence” and human rights protection in cyberspace. In short, it is a single place destination for the techno-legal cyber security and allied fields.

The government of India and private sector of India must concentrate upon cyber security as soon as possible. Further, there is an emergent need to make proper amendments in the otherwise impotent, weak and ineffective cyber law of India. The increase in cyber crimes in India is also attributable to the “welcoming law” of India incorporated in the information technology act 2000 that instead of deterring the cyber criminals is in fact encouraging them to indulge in cyber crimes.

Source: Cyber Laws In India

• Thursday, October 11th, 2012

PRAVEEN DALAL, MANAGING PARTNER OF PERRY4LAW, CEO PTLB

Finance Ministry of India and Reserve Bank of India (RBI) have been working in the direction of bringing many good Financial and Banking Sector Reforms in India. In this direction RBI has already issued two good policy documents that would streamline use of Information Technology to enhance core banking practices in India.

The first document is a report of its Working Group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as Information Technology Vision Document for 2011-17 (IT Vision 2011-17). The vision document has recommended many good suggestions including requiring that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of Board of Directors.

Further, RBI has shown its willingness to allow big industrial houses to set up banks in India. However, it would not allow them to open the banks unless RBI gets the “Power to Supersede” Boards of banks that are not being run properly. RBI also wants the right to oversee the operations of the promoting company and any affiliates that will have business relationships with the bank. RBI has been suggesting bringing suitable Amendments in the Banking Regulation Act, 1949 (BRA 1949) in this regard.

Reacting immediately the Cabinet approved the long-pending amendment to the BRA 1949. The proposed amendments align voting rights of shareholders in proportion to the equity held and provide more regulatory teeth to the RBI. These powers now include the power to supersede bank boards.

Finance Minister Pranab Mukherjee would bring the proposed amendments in the BRA 1949 in current session of Parliament (March 2011) to carry forward the proposals made by RBI in this regard. Mukherjee said RBI proposes to issue guidelines for new private bank licences by the end of March. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including supersession of bank Boards.

These are the much needed Banking and Financial Sector Reforms that were long pending. By including the contemporary issues of Information and Communication Technology, RBI has also covered a wide area. Hopefully Parliament of India would approve the amendments as soon as possible.

Source: PTLB Blog

• Thursday, October 11th, 2012

B.S. DALAL, SENIOR PARTNER OF PERRY4LAW

Cyber law issues, cyber security and national security are on agenda of Indian government these days. However, till now cyber security in India is not up to the mark and cyber law of India requires an urgent repeal. This is because the entire approach and attitude of Indian government is defective.

Indian government has failed to understand that e-surveillance is not a substitute for cyber security capabilities. Instead of developing cyber security capabilities of India, the Indian government is stressing upon growing use of e-surveillance in India and Internet censorship in India.

All these exercises of Indian government have been done without any legal framework supporting these initiatives of Indian government. Phones are tapped in India without constitutionally valid phone tapping laws in India. The central monitoring system project of India (CMS Project of India) is also not supported by any legal framework. Surveillance of Internet traffic in India is also another area that requires a sound legal framework. Various authorities with far reaching powers have been created without any legal backing.

Now the government has proposed setting up of National Cyber Coordination Centre (NCCC) of India. The NCCC would provide actionable alerts to government departments in cases of perceived security threats. It is hoped that this would help in fighting terrorists and other cyber criminals.

The NCCC will scan the whole cyber traffic flowing at the point of entry and exit at India’s international Internet gateways. The web scanning centre will provide actionable alerts for proactive actions to be taken by government departments. All government departments will now talk to the Internet Service Providers (ISPs) through NCCC for real time information and data on threats. Presently, the monitoring of web traffic is done by Centre for Development of Telematics (C-DoT) which has installed its equipment at the premises of ISPs and gateways.

All tweets, messages, emails, status updates and even email drafts will now pass through the new scanning centre. The centre may probe further into any email or social media account if it finds a perceived threat.

India’s National Security Council Secretariat (NCSC) has asked various departments to assess their needs for officials, who will coordinate with the scanning agency. The National Security Council handles the political, nuclear, energy and strategic security concerns of the country.

This can be another agency without a legal framework. Creating agencies without legal framework is counter productive as it violates civil liberties and human rights. The Indian government must keep this in mind while creating NCCC.

Source: ICTPS Blog

• Thursday, October 11th, 2012

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of “second factor verification” at merchant establishments and ATMs shortly.

The requirements are arising out of the two recently released documents by RBI. The first document is a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as information technology vision document for 2011-17 (IT Vision 2011-17). The vision document envisages that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of board of directors. The vision document also requires that while following the above, legal aspects relating to the provisions of the Acts such as Payments and Settlement Act, 2007 and IT Act, 2000 may be strictly adhered to.

This requirement of CIO/CTO is arising because many small banks do not have a designated CTO and also do not have a clear framework on information sharing. RBI is interested in gradual shift to an online system where it can access all the information from the main server of the bank once the RBI’s IT Vision is implemented. Those banks having no CIO/CTOs and a steering committee are now required to have these requirements fulfilled as soon as possible.

The objectives of vision document are to ensure the use of information technology beyond core banking and into newer areas like management of information systems (MIS) and better regulatory reporting.

The vision document has been prepared by a high-level committee chaired by deputy governor K.C. Chakrabarty. The vision document also recognises the growing operational risks arising out of adopting technology in the banking sector like use of Internet banking, which could affect financial stability.

If the vision document is fully implemented, it will ensure that the RBI gets access to the servers of all banks, including foreign banks so that it has access to all the banking transactions. Further, the vision document also emphasises on the need for internal controls, risk mitigation systems, fraud detection/prevention and business continuity plans. These are good banking reforms and they must be implemented by banks in India as soon as possible.

Source: PTLB Blog

• Thursday, October 11th, 2012

MR.B.S.DALAL SENIOR PARTNER OF PERRY4LAW

Cyber crimes against banks are very common. For example, Citigroup recently confirmed a cyber attack upon the bank’s network. It is also well known that a timely and appropriate cyber due diligence could have prevented such attacks and various cyber frauds that are growing in the banking sector of India.

Reserve Bank of India (RBI) has recently directed that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. This has been suggested so that cyber due diligence for banks in India can be ensured.

A few more areas that Indian banks must keep in mind include cyber security due diligence for banks in India, e-discovery for due diligence for banks in India, cyber law compliances, ATM frauds and phishing attacks, etc. However, the big question is: are Indian banks ready for cyber due diligence?

As per RBI’s guidelines and recommendations, Indian banks need to ensure implementation of basic organisational framework and put in place policies and procedures which do not require extensive budgetary support, infrastructural or technology changes, by October 31, 2011.

The rest of the guidelines need to be implemented within a period of one year unless a longer time-frame is indicated in the RBI’s circular. There are also a few provisions which are recommendatory in nature, implementation of which is left to the discretion of banks.

RBI is becoming more and more serious regarding defaults committed by Indian banks. In the past, RBI imposed penalty upon 19 banks for non compliance of prescribed standards. Similarly, RBI has also directed that any strictures passed against directors of a bank by any financial sector regulators must be reported to it. Non compliance of the recommendations of RBI working group may attract both penalty and strictures.

Banks are required to follow cyber due diligence and cyber security due diligence requirements in their own interests. The sooner it is done the better it would be for all the stakeholders.

Source: ICTPS Blog

• Thursday, October 11th, 2012

Information Technology (Intermediaries Guidelines) Rules 2011 Of India

Information Technology (Intermediaries Guidelines) Rules 2011 of India have been prescribed to take care of the Internet intermediary legal framework of India. This is a crucial area that requires a sound techno legal regime.

However, these rules are also prone to misuse by both governmental and non governmental players. This is the reason why a motion for annulment of these intermediary guidelines was moved in the Rajya Sabha as well but was defeated ultimately.

Internet intermediary law in India is incorporated in the Information Technology Act 2000 (IT Act 2000) and the Rules made there under. Internet intermediaries’ liability in India is now well established and foreign companies and websites must duly comply with the same to avoid civil, criminal, administrative and financial penalties. In short, these foreign companies and their Indian subsidiaries must ensure that they comply with the cyber law due diligence in India.

The Gazette Notification numbered G.S.R. 314(E), dated 11-04-2011, formulated the Information Technology (Intermediaries Guidelines) Rules, 2011 of India. These rules provide the rights and responsibilities of internet intermediaries in India. If the Internet intermediaries follow these rules and exercise proper cyber due diligence, they are entitled to a “safe harbour protection”. Otherwise, they are liable for various acts or omission occurring at their respective platforms once the matter has been brought to their notice.

The legal actions against foreign websites can be taken in India. Further, cyber litigations against such foreign websites would increase in India in the near future. It is of utmost importance for these foreign companies and websites to follow Indian laws in true letter and spirit.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are providing the legal position regarding Internet intermediary liability in India under the IT Act 2000 in general and Information Technology (Intermediaries Guidelines) Rules, 2011 of India in particular. The salient features of the same are as follows:

(1) The Information Technology (Intermediaries Guidelines) Rules, 2011 of India have been formulated by the Central Government in exercise of its powers conferred by clause (zg) of subsection (2) of section 87 read with sub-section (2) of section 79 of the Information Technology Act, 2000 (21 of 2000).

(2) Definitions — (1) In these rules, unless the context otherwise requires,–

(a) “Act” means the Information Technology Act, 2000 (21 of 2000);

(b) “Communication link” means a connection between a hyperlink or graphical element (button, drawing, image) and one or more such items in the same or different electronic document wherein upon clicking on a hyperlinked item, the user is automatically transferred to the other end of the hyperlink which could be another document website or graphical element.

(c) “Computer resource” means computer resources as defined in clause (k) of sub-section (1) of section 2 of the Act;

(d) “Cyber security incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation;

(e) “Data” means data as defined in clause (o) of sub-section (1) of section 2 of the Act;

(f) “Electronic Signature” means electronic signature as defined in clause (ta) of sub-section (1) of section 2 of the Act;

(g) “Indian Computer Emergency Response Team” means the Indian Computer Emergency Response Team appointed under sub section (1) section 70 (B) of the Act;

(h) “Information” means information as defined in clause (v) of sub-section (1) of section 2 of the Act;

(i) “Intermediary” means an intermediary as defined in clause (w) of sub-section (1) of section 2 of the Act;

(j) “User” means any person who access or avail any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.

(2) All other words and expressions used and not defined in these rules but defined in the Act shall have the meanings respectively assigned to them in the Act.

(3) Due diligence to be observed by intermediary — The intermediary shall observe following due diligence while discharging his duties, namely: —

(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary’s computer resource by any person.

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that —

(a) Belongs to another person and to which the user does not have any right to;

(b) Is grossly harmful, harassing, blasphemous defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever;

(c) Harm minors in any way;

(d) Infringes any patent, trademark, copyright or other proprietary rights;

(e) Violates any law for the time being in force;

(f) Deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;

(g) Impersonate another person;

(h) Contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;

(i) Threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):

Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2): —

(a) Temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;

(b) Removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six (36) hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.

(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information.

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7) When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force:

Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

The cyber laws due diligence requirements for companies in India are strenuous in nature and Internet intermediaries in India need to take care of the same to avoid legal troubles.

Source: ICTPS Blog

• Thursday, October 11th, 2012

Cyber Security Issues And Challenges In India

Cyber security is a complex area that requires dedicated and domain specific expertise. Cyber security is also a continuous process as an organisation has to update its cyber security infrastructure on a daily basis.

Cyber Security in India is one area that has to be given top priority by Indian government. The Cyber Security reflections in India prove this point. There are many policy related issues that Indian government must urgently take care of.

For instance, Cyber Warfare Against India and its Defenses, Critical Infrastructure Protection in India, Cyber Terrorism Against India and its Defences and Solutions, Cyber Espionage Against India And Its Challenges, Solutions And Defences, etc must be urgently considered by Indian government.

A special focus upon Cyber Security for Power Energy and Utilities in India must be given. Power Grids Cyber Security in India and its Challenges has emerged as a special area of concern and India is clearly not in a position to defend its power infrastructure.

There are numerous Cyber Security Challenges in India that are still unredressed. Further, India’s Cyber Security Challenges are unique to Indian conditions and they require local treatment and solutions. Cyber Security Issues in India require a dedicated effort on the part of Indian stakeholders. Even the Cyber Security Firms, Companies and Consultants in India Must be Pro Active.

Cyber Security in India and its challenges and Problems require urgent attention of Indian government. We have already wasted enough time in this regard and it is high time for India to do some actual groundwork as conducting of conferences and seminars would not bring any favourable change towards establishment of cyber security capabilities of India.

Source: Virtual Cyber security Campus Of PTLB

• Thursday, October 11th, 2012

Legal Requirements To Start An E-Commerce Website In India

Before a person or institution wishes to establish an e-commerce business in India, he/she/it must know the essential legal formalities for starting e-commerce business in India. The legal environment for establishment of e-commerce in India is complex in nature and it should not be taken lightly.

We have been receiving lots of queries regarding successful and legal opening of e-commerce business in India. We have already explained the legal formalities required for starting e-commerce business in India. In this article we would discuss the legal requirements for starting an e-commerce website in India.

To start with, we would like to say that we have no dedicated e-commerce laws and regulations in India and they are still evolving. The Information Technology Act 2000 (IT Act 2000) governs the online issues of e-commerce in India.

IT Act 2000 is the sole cyber law of India. The cyber law of India mandates that the e-commerce entrepreneurs and owners must ensure cyber law due diligence in India. The cyber law due diligence for companies in India has already become very stringent and many foreign and Indian companies and websites have been prosecuted in India for non exercise of cyber due diligence.

E-commerce entrepreneurs and owners in India must understand that legal issues of e-commerce in India are different for different categories of e-commerce. For instance, electronic trading of medical drugs in India requires more stringent e-commerce and legal compliances as compared to other e-commerce activities. Digital communication channels for drugs and healthcare products in India are scrutinised more aggressively than other e-commerce activities. In fact, regulatory and legislative measures to check online pharmacies trading in banned drugs in India are already in pipeline.

The legal requirements for undertaking e-commerce in India also involve compliance with other laws like contract law, Indian penal code, etc. Further, online shopping in India also involves compliance with the banking and financial norms applicable in India. For instance, take the example of PayPal in this regard. If PayPal has to allow online payments receipt and disbursements for its existing or proposed e-commerce activities, it has to take a license from Reserve Bank of India (RBI) in this regard. Further, cyber due diligence for PayPal and other online payment transferors in India is also required to be observed.

Perry4Law and Perry4Law Techno Legal Base (PTLB) recommend that all e-commerce entrepreneurs and owners must do a proper techno legal due diligence before opening an e-commerce website. The Internet intermediary liability in India may be frequently invoked against e-commerce websites in India. The Information Technology (Intermediary Guidelines) Rules 2011 prescribe stringent liabilities for e-commerce websites in India. Further, e-commerce websites in India must ensure privacy protection, data protection, data security, cyber security, confidentiality maintenance, etc as well.

Source: E-Commerce Laws And Regulations In India
