[ISN] Information security: a legal perspective
InfoSec News
isn at c4i.org
Mon Dec 13 04:53:34 EST 2004
http://www.financialexpress.com/fe_full_story.php?content_id=76698
PAVAN DUGGAL
December 13, 2004
Security is one of the biggest concerns that affects the world today,
not only in the actual world but in the context of the electronic
format and the information stored therein. There is an increasing
emphasis on legal issues concerning information security. India
enacted its first cyber law, namely the Information Technology Act,
2000 which came into force on October 17, 2000. A perusal of the
preamble of the same clearly shows that this is not a law dedicated to
security. However, one of the main objectives of the IT Act, 2000 is
to provide legal recognition for "electronic commerce", which involves
the use of alternatives to paper-based methods of communication and
storage of information. Security is thus covered in some measure under
the IT Act, 2000.
The definitional clause of the Indian cyber laws does not define
security. However, it defines secure system and security procedure and
a secure electronic record. The Indian cyber law also details secure
digital signatures. It makes breach of security an act that attracts
consequences of civil liability. If a person without the permission of
the owner or any other person in charge of a computer, computer system
or computer network, accesses or secures access to the same, he will
be liable to pay statutory damages by way of compensation, not
exceeding Rs 1 crore. Thus, merely gaining access to such a computer
or system by breaching or violating the security processes or
mechanisms is enough to attract civil liability. Breach of security is
also implicitly recognised as a penal offence, as hacking is
punishable under Section 66 of the IT Act, 2000 with three years'
imprisonment and a fine of Rs 2 lakh.
The appropriate government has been given the discretion to declare
any computer as a protected system. Any person who secures access or
attempts to secure access to a protected system in contravention of
the provisions of the law, shall be punished with imprisonment of
either description for a term which may extend to ten years and
shall be liable to fine.
As per amendments made in the Indian Evidence Act, 1872 by the IT Act,
in any proceedings involving a secure electronic record, the court
shall presume, unless the contrary is proved, that the secure electronic
record has not been altered since the specific point of time, to which
the secure status relates. Also, in any proceedings involving secure
digital signatures the court shall presume unless the contrary is
proved that the secure digital signature is affixed by the subscriber
with the intention of signing or approving the electronic record.
Some issues of security relating to certifying authorities have been
specified in the IT (Certifying Authorities) Rules, 2000 and the IT
security guidelines. These guidelines are pretty exhaustive and detail
different aspects of physical and operational security and information
management including sensitive information security, system integrity
and security measures. In conclusion, I am of the opinion that the
legal issues relating to security are likely to develop over a period
of time as the law on security of information and networks evolves to
keep pace with the developments on the technological front. It is the
responsibility of each computer user to ensure that the security of
computers, computer systems and computer networks is preserved and not
violated. Only in preservation of security of the same lies the path
of progress and prosperity.
The author is a Supreme Court advocate and cyber law consultant. He
can be reached at pduggal at nde.vsnl.net.in and pavanduggal at hotmail.com.