The Indian Companies Act, 2013 has prescribed additional and stringent obligations upon companies not only to maintain various documents in electronic form but also to ensure their cyber security. In short, techno-legal compliance requirements have been prescribed by the Companies Act, 2013, with penalties for non-compliance.
Section 120 of the Companies Act, 2013 provides that without prejudice to any other provisions of this Act, any document, record, register, minutes, etc.,—
(a) required to be kept by a company; or
(b) allowed to be inspected or copies to be given to any person by a company under this Act, may be kept or inspected or copies given, as the case may be, in electronic form in such form and manner as may be prescribed.
Section 397 of the Act prescribes that notwithstanding anything contained in any other law for the time being in force, any document reproducing or derived from returns and documents filed by a company with the Registrar on paper or in electronic form or stored on any electronic data storage device or computer readable media by the Registrar, and authenticated by the Registrar or any other officer empowered by the Central Government in such manner as may be prescribed, shall be deemed to be a document for the purposes of this Act and the rules made thereunder and shall be admissible in any proceedings thereunder without further proof or production of the original as evidence of any contents of the original or of any fact stated therein of which direct evidence is admissible.
Section 398(1) of the Act prescribes that notwithstanding anything to the contrary contained in this Act, and without prejudice to the provisions contained in section 6 of the Information Technology Act, 2000, the Central Government may make rules so as to require from such date as may be prescribed in the rules that—
(a) such applications, balance sheet, prospectus, return, declaration, memorandum, articles, particulars of charges, or any other particulars or document as may be required to be filed or delivered under this Act or the rules made thereunder, shall be filed in the electronic form and authenticated in such manner as may be prescribed;
(b) such document, notice, any communication or intimation, as may be required to be served or delivered under this Act, in the electronic form and authenticated in such manner as may be prescribed;
(c) such applications, balance sheet, prospectus, return, register, memorandum, articles, particulars of charges, or any other particulars or document and return filed under this Act or rules made thereunder shall be maintained by the Registrar in the electronic form and registered or authenticated, as the case may be, in such manner as may be prescribed;
(d) such inspection of the memorandum, articles, register, index, balance sheet, return or any other particulars or document maintained in the electronic form, as is otherwise available for inspection under this Act or the rules made thereunder, may be made by any person through the electronic form in such manner as may be prescribed;
(e) such fees, charges or other sums payable under this Act or the rules made thereunder shall be paid through the electronic form and in such manner as may be prescribed; and
(f) the Registrar shall register change of registered office, alteration of memorandum or articles, prospectus, issue certificate of incorporation, register such document, issue such certificate, record the notice, receive such communication as may be required to be registered or issued or recorded or received, as the case may be, under this Act or the rules made thereunder or perform duties or discharge functions or exercise powers under this Act or the rules made thereunder or do any act which is by this Act directed to be performed or discharged or exercised or done by the Registrar in the electronic form in such manner as may be prescribed.
Explanation.— For the removal of doubts, it is hereby clarified that the rules made under this section shall not relate to imposition of fines or other pecuniary penalties or demand or payment of fees or contravention of any of the provisions of this Act or punishment therefor.
(2) The Central Government may, by notification, frame a scheme to carry out the provisions of sub-section (1) through the electronic form.
Section 400 of the Act provides that the Central Government may also provide in the rules made under section 398 and section 399 that the electronic form for the purposes specified in these sections shall be exclusive, or in the alternative or in addition to the physical form, therefor.
Section 401 of the Act provides that the Central Government may provide such value added services through the electronic form and levy such fee thereon as may be prescribed.
Section 402 of the Act provides that all the provisions of the Information Technology Act, 2000 relating to the electronic records, including the manner and format in which the electronic records shall be filed, in so far as they are not inconsistent with this Act, shall apply in relation to the records in electronic form specified under section 398.
The Companies (Management and Administration) Rules, 2014 also deal with management and inspection of documents in electronic form. Rule 27 (1) provides that every listed company or a company having not less than one thousand shareholders, debenture holders and other security holders, shall maintain its records, as required to be maintained under the Act or rules made there under, in electronic form.
The Explanation to Rule 27 (1) provides that for the purposes of this sub-rule, it is hereby clarified that in case of existing companies, data shall be converted from physical mode to electronic mode within six months from the date of notification of provisions of section 120 of the Act.
Rule 27 (2) provides that the records in electronic form shall be maintained in such manner as the Board of directors of the company may think fit.
The proviso to Rule 27 (2) provides that:
(a) the records are maintained in the same formats and in accordance with all other requirements as provided in the Act or the rules made there under;
(b) the information as required under the provisions of the Act or the rules made there under should be adequately recorded for future reference;
(c) the records must be capable of being readable, retrievable and reproducible in printed form;
(d) the records are capable of being dated and signed digitally wherever it is required under the provisions of the Act or the rules made there under;
(e) the records, once dated and signed digitally, shall not be capable of being edited or altered;
(f) the records shall be capable of being updated, according to the provisions of the Act or the rules made there under, and the date of updating shall be capable of being recorded on every updating.
The Explanation to Rule 27 (2) provides that for the purpose of this rule, the term “records” means any register, index, agreement, memorandum, minutes or any other document required by the Act or the rules made there under to be kept by a company.
Rule 28 deals with security of records maintained in electronic form. Rule 28(1) provides that the Managing Director, Company Secretary or any other director or officer of the company as the Board may decide shall be responsible for the maintenance and security of electronic records.
Rule 28(2) provides that the person who is responsible for the maintenance and security of electronic records shall-
(a) provide adequate protection against unauthorized access, alteration or tampering of records;
(b) ensure against loss of the records as a result of damage to, or failure of the media on which the records are maintained;
(c) ensure that the signatory of electronic records does not repudiate the signed record as not genuine;
(d) ensure that computer systems, software and hardware are adequately secured and validated to ensure their accuracy, reliability and consistent intended performance;
(e) ensure that the computer systems can discern invalid and altered records;
(f) ensure that records are accurate, accessible, and capable of being reproduced for reference later;
(g) ensure that the records are at all times capable of being retrieved to a readable and printable form;
(h) ensure that records are kept in a non-rewriteable and non-erasable format like pdf. version or some other version which cannot be altered or tampered;
(i) ensure that at least one backup, taken at a periodicity of not exceeding one day, are kept of the updated records kept in electronic form, every backup is authenticated and dated and such backups shall be securely kept at such places as may be decided by the Board;
(j) limit the access to the records to the managing director, company secretary or any other director or officer or persons performing work of the company as may be authorized by the Board in this behalf;
(k) ensure that any reproduction of non-electronic original records in electronic form is complete, authentic, true and legible when retrieved;
(l) arrange and index the records in a way that permits easy location, access and retrieval of any particular record; and
(m) take necessary steps to ensure security, integrity and confidentiality of records.
Rule 29 deals with inspection and making of copies of records maintained in electronic form. It provides that where a company maintains its records in electronic form, any duty imposed by the Act or rules made there under to make those records available for inspection or to provide copies of the whole or a part of those records, shall be construed as a duty to make the records available for inspection in electronic form or to provide copies of those records containing a clear reproduction of the whole or part thereof, as the case may be on payment of not exceeding ten rupees per page.
Rule 30 provides that if any default is made in compliance with any of the provisions of this rule, the company and every officer or such other person who is in default shall be punishable with fine which may extend to five thousand rupees and where the contravention is a continuing one, with a further fine which may extend to five hundred rupees for every day after the first during which such contravention continues.