Cyber Security Disclosure Norms In India Needed: CECSRDI

Cyber Security Disclosure Norms In India Needed CECSRDICyber security is a very crucial priority of nations around the world. India is also in the process of streamlining of its cyber security infrastructure but its efforts in this regard are neither coordinated nor sufficient. For instance, we do not have a dedicated cyber security law of India that is need of the hour. Further, there is also a dire need to bring a techno legal framework keeping in mind contemporary cyber security threats and challenges.

Almost 2 years back, Indian Government decided to formulate a legislation that would ensure strict cyber security disclosure norms. As per the then proposed legislation, if a company faced cyber attack or cracking incidence, the company would be required to disclose to its clients the impact of such an incident on the safety of their data and information. The company may also be required to inform government or its agency about such incidence.

At that time there was no chief information security officer (CISO) of India and this position has been recently created by Modi Government by appointing Dr. Gulshan Rai for this post. This may be the first step towards creating a more robust cyber security regime in India. This may also be the base for introducing cyber security breaches disclosure norms in India that can be reported to the CISO or any other designated authority in this regard.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance.

CECSRDI also strongly recommends formulating the cyber security breaches disclosure norms in India by Indian Government as soon as possible. We also suggest that a dedicated cyber security law of India must also be enacted by India as India has launched policy initiatives like Digital India and Internet of Things (PDF) that would require strong cyber laws. CECSRDI believes that cyber security best practices must be formulated by Indian Government that must be followed in true letter and spirit by all stakeholders.

In the absence of a coordinated and holistic policy implementation, Digital India is already heading towards rough waters. There are many shortcomings of Digital India, Aadhaar and IoT policy initiatives of Indian Government and they must be removed as soon as possible. Absence of adequate cyber security is a common problem for Digital India, Aadhaar and IoT projects. It seems the worst performance of Modi Government pertains to cyber security field where Modi Government seems to have lost the track.

Recently Target Corporation faced a cyber breach and this exposed it to litigations in multiple jurisdictions. The moot question is whether target has failed to observe cyber due diligence regarding this particular breach. The cyber law due diligence (PDF) is neglected in India with impunity. Indian Government is also not pro active in taking such neglected obligations very seriously and this has made the entire concept of cyber law due diligence in India a joke only.

No body takes Indian cyber law seriously and e-commerce websites are openly flouting the cyber law of India by not following the cyber law due diligence and cyber security best practices requirements.  In order to effectively enforce cyber security relations obligations, cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies.

Cyber law and cyber security awareness at the schools level must also be ensured. School children in India must be suitably educated about cyber issues. Recently the Central Board of Secondary Education (CBSE) issued directions to curb bullying/cyber bullying and sexual abuses at schools. Without actual implementations these are mere guidelines that are issued every year with little impact. CECSRDI strongly recommends that not only these guidelines/directions must be stringently implemented by CBSE but even cyber law and cyber security awareness must be spread by CBSE among school students. Schools must also be required to notify about any cyber security breaches at their premises.

The task is difficult but not impossible to achieve. CECSRDI wishes all the best to Modi Government in its cyber security initiatives and projects and hopes that Modi government would actually start working in this direction as soon as possible.