IT Act 2008 (IT Amendment Act 2008)
India’s Information Technology (Amendment) Act 2008, passed by the Lok Sabha and the Rajya Sabha in December 2008 and enforced since October 2009, extensively amends the Information Technology Act, 2000 (also known as ITA-2000).
The Act is administered by the Indian Computer Emergency Response Team (CERT-In) and applies to offences committed outside India as well as to those committed throughout India itself.
IT Act 2000
The IT Act 2000, which was based on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, was originally enacted to provide legal recognition for e-commerce transactions.
It contained 13 chapters and 94 sections, and addressed digital signatures, the electronic filing of documents with government departments, electronic data storage, electronic fund transfers between financial institutions, and electronic bookkeeping by bankers.
However, the fast pace of technological change meant that by 2008 the Act needed substantial revision.
The 2008 amendment
The 2008 Act comprises 14 chapters and 124 sections, and contains a number of amendments designed to address technological advances since the original Act, including the following:
- The increasing popularity of smartphones is addressed, and the term ‘communication devices’ is defined to mean ‘cell phones, personal digital assistance or combination of both or any other device used to communicate, send or transmit any text, video or image’.
- The validation of electronic signatures and contracts is addressed, and ‘electronic signature’ is substituted for ‘digital signature’ throughout the Act, promoting technological neutrality. The term ‘electronic signature’ is defined to mean ‘authentication of any electronic record by a subscriber by means of [a specified] electronic technique… and includes digital signature’.
- Section 43A mandates that corporations are responsible for implementing and maintaining ‘reasonable security practices and procedures’ to protect ‘sensitive personal data or information’. They are now liable for breaches and must pay compensation to affected parties.
- Owners of a given IP address are now responsible for content accessed or distributed through it.
- New forms of crime not covered by the original Act are addressed and new penal provisions are included. Details of these offences are listed below.
Offences and penalties under the Act
The majority of offences under the IT Act 2008 are punishable by up to three years’ imprisonment and a fine of up to one lakh rupees. Exceptions include offences relating to child pornography and other obscene materials, which are both punishable by up to seven years' imprisonment and a fine of up to ten lakh rupees for repeat offences. Cyber terrorism is punishable by up to life imprisonment.
Under the new Section 77B, offences which carry a punishment of three years’ imprisonment – i.e. most cyber crimes under the Act – will be bailable.
There is substantial controversy surrounding the IT Amendment Act 2008.
Section 66A, which addresses the electronic sending of offensive material, has been widely criticised by freedom of speech campaigners as its ambiguity allows considerable room for interpretation. The term ‘offensive material’ has not been defined, allowing for a number of people to have been arrested – and imprisoned – for political comments made on social media sites. As a result, several public interest litigations (PILs) have been submitted to the Supreme Court, contending that the Act curbs freedom of speech and violates the Constitution.
Section 69 grants powers to government officials to ‘intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource’, to ‘block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource’ and to ‘monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource.’ These broad powers of surveillance and blocking are being contested by civil rights groups and protesters against Internet censorship in India.
Section 77B has been criticised for making most cyber crime offences bailable, and therefore enabling cyber criminals to continue their activities with little interruption as well as giving them the freedom to destroy electronic evidence of their wrongdoing.
According to the latest available figures from the National Criminal Records Bureau, 2,876 cyber crimes were registered and 1,522 arrests were made in India under the IT Act in 2012. Of the registered crimes, nearly 1,900 were for hacking, for which fewer than 750 people were arrested.
To put these figures into perspective, the Internet and Mobile Association of India has projected that the country would have 24.3 crore Internet users by June 2014. Internet penetration in India is still under 15%, but is increasing rapidly. The country’s current population is estimated at 127 crore.
IT Act 2008 and ISO27001
Organisations looking to seek compliance with the IT Act 2008 need to have a robust Information Security Management System (ISMS) in order to manage their information effectively. Information security is a broad approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.
In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.
ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an ISMS and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.
Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.
The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.
Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.
How ISO27001 can help you comply with Indian information security legislation
Written by cyber security expert Alan Calder, this free guide details how to leverage ISO27001 as a single framework for creating a cyber secure enterprise while supporting adherence to the IT (Amendment) Act 2008 and many other information security laws.
Enter your name and email address below to read our free guide on complying with information security legislation in India:
Why IT Governance?
IT Governance is a specialist in the field of information security and IT Governance, and has led more than 400 successful certifications to ISO27001 around the world.
IT Governance has created ISO 27001 packaged solutions to give Indian organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.
Get started today >>