PRIVACY AND SECURITY POLICIES THAT ENCOURAGE EBUSINESS

A PRESENTATION BY PAVAN DUGGAL, ADVOCATE, SUPREME COURT OF INDIA; PRESIDENT, CYBERLAW ASIA; PRESIDENT, CYBERLAWS.NET
ICC INDIA, 20-9-2006

WIDE CONCEPTS
• PRIVACY AND SECURITY
• Foundation of the Pyramid of eBusiness
• Increasing focus on these twin subjects in the last one decade

DIFFERENT TREATMENT
• Different countries are affording different treatment to these subjects
• Depending upon the historical development of jurisprudence in their respective jurisdictions
• West versus Asia
• India – a classical Asian example

INDIA
• There is no comprehensive legislation on privacy in India
• Left to the judiciary to interpret privacy within the realm of existing legislations
• Right to privacy has been upheld by the Supreme Court of India as an integral part of the fundamental right to life under Article 21 of the Constitution of India – available only against State

INFORMATION TECHNOLOGY ACT, 2000
• Does not deal with Privacy
• Section 72 talks about Privacy - refers to statutorily authorized persons who, after having secured access to any electronic record, book, register, correspondence, information, document or other material, without the consent of the person concerned, disclose such electronic record, book, register, correspondence, information, document or other material to any other person
• Section 72 – has no bearing on violation of an individual’s privacy in cyberspace

INDIAN SCENE
• Information collected is sold for commercial considerations
• Computers are hacked into and personal information of consumers stolen
• Absence of actionable civil wrong

INDIA AND PRIVACY
• Need to develop torts law
• Need for legislation about privacy in electronic medium

SECURITY
• Security is one of the biggest concerns that affects the world today. Not only is security in the actual world a matter of concern but security in the context of the electronic format and the information stored therein has become a matter of immense concern.

INFORMATION SECURITY
• As the world is moving towards the information society, it is natural to expect an increase in the emphasis on security.
• Security of information and networks are both of tremendous significance. Their significance has further been enhanced due to the onset of Cyber Terrorism in a big way.

TURNING POINT
• The September 11th, 2001 attacks on the World Trade Centre symbolize an irreversible turning point in the history of the web.
• The September 11th attacks led to destruction of immensely valuable information and networks, apart from loss of life and property.
• After the September 11th attacks, the concentration of the world’s attention on security has been unprecedented.

LEGAL ISSUES
• Security brings along with it various aspects and issues concerning its legalities. At this juncture it is important to note the legal position of security in India.

INDIAN CYBERLAW
• India enacted its first Cyberlaw, namely the Information Technology Act, 2000, on 17th May 2000, which was implemented on 17th Oct 2000.
• A perusal of the preamble of the IT Act clearly shows that this is not a law dedicated to security.

SECURITY COVERED
• However, since security is absolutely a necessity for E-Commerce transactions, the law covers some aspects leading to security. This is evident as one of the main objectives of the IT Act, 2000:

PREAMBLE
• to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information.
• As such, security is covered in some measures under the IT Act, 2000.

NO DEFINITION OF SECURITY
• The definitional clause of the Indian Cyberlaw does not give a legal definition of security. However, it provides the definition of secure system and security procedure.

SECURE SYSTEM DEFINED
• “secure system” means computer hardware, software, and procedure that-
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended function; and
(d) adhere to generally accepted security procedures;

SECURITY PROCEDURE
• “security procedure” means the security procedure prescribed by the Central Government under the IT Act, 2000.

SECURE ELECTRONIC RECORD
• where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record, from such point of time to the time of verification.

SECURE DIGITAL SIGNATURES
• The Indian Cyberlaw also details secure digital signatures. If by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was-
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
then such a digital signature shall be deemed to be a secure digital signature.

SECURITY PROCEDURE
• Central Government has been empowered to prescribe the security procedure having regard to commercial circumstances prevailing at the time when the procedure was used, including-
(a) the nature of the transaction;
(b) the level of sophistication of the parties with reference to their technological capacity;
(c) the volume of similar transactions engaged in by other parties;
(d) the availability of alternatives offered to, but rejected by any party;
(e) the cost of alternative procedures;
(f) the procedures in general use for similar types of transactions or communications.

DAMAGES
• The Indian cyberlaw makes breach of security an act, which attracts consequences of civil liability.
• If a person without the permission of owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, he is liable to pay statutory damages by way of compensation, not exceeding 10 million rupees to the person so affected. Thus, merely gaining access to any computer, computer system or computer network by breaching or violating the security processes or mechanisms is enough to attract the civil liability.
• In addition, doing any further acts in the computer, computer system or computer network, including downloading, copying or extracting any data, computer database or information from such system or introducing any computer virus into the same would invite liability to pay damages.

HACKING
• In addition, breach of security is also implicitly recognized as a penal offence in the form of hacking.
• Section 66 of the IT Act, 2000, makes hacking a penal offence punishable with three years' imprisonment and INR 200,000/-

PROTECTED SYSTEMS
• The appropriate government, be it the central or state government, has been given the discretion to declare any computer, computer system or computer network as a protected system.

ACCESS TO PROTECTED SYSTEMS
• Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the law, shall be punished with imprisonment of either description for a term which may be extended to ten years and shall be liable to fine.

PRESUMPTIONS
• As per amendments made in the Indian Evidence Act 1872, by the IT Act, 2000, it has been provided that in any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates.

IT RULES
• Some issues of security relating to entities which want to be Certifying Authorities have been specified in the IT (Certifying Authorities) Rules, 2000, and the IT Security Guidelines. These guidelines are pretty exhaustive and detail different aspects of physical and operational security and information management including sensitive information security, system integrity, security measures and many other issues.

CONCLUSIONS
• India, like other countries, has miles to go to strengthen the enabling legal infrastructure to promote the cause of privacy and security.
• Need for adopting a flexible approach
• Need for elaborating the basic principles in primary legislations and leaving the dealing of the nitty-gritty details to the rule making power of the government.

A PRESENTATION BY PAVAN DUGGAL, ADVOCATE, SUPREME COURT OF INDIA; PRESIDENT, CYBERLAW ASIA; PRESIDENT, CYBERLAWS.NET
pduggal@gmail.com