
[ISN] Information security: a legal perspective

Subject: [ISN] Information security: a legal perspective
Date: Mon, 13 Dec 2004 03:53:34 -0600 (CST)
http://www.financialexpress.com/fe_full_story.php?content_id=76698

PAVAN DUGGAL 
December 13, 2004  

Security is one of the biggest concerns that affects the world today, 
not only in the actual world but in the context of the electronic 
format and the information stored therein. There is an increasing 
emphasis on legal issues concerning information security. India 
enacted its first cyber law, namely the Information Technology Act, 
2000 which came into force on October 17, 2000. A perusal of the 
preamble of the same clearly shows that this is not a law dedicated to 
security. However, one of the main objectives of the IT Act, 2000 is 
to provide legal recognition for "electronic commerce", which involves 
the use of alternatives to paper-based methods of communication and 
storage of information. Security is thus covered in some measure under 
the IT Act, 2000. 
 
The definitional clause of the Indian cyber laws does not define 
security. However, it defines secure system and security procedure and 
a secure electronic record. The Indian cyber law also details secure 
digital signatures. It makes breach of security an act that attracts 
consequences of civil liability. If a person without the permission of 
the owner or any other person in charge of a computer, computer system 
or computer network, accesses or secures access to the same, he will 
be liable to pay statutory damages by way of compensation, not 
exceeding Rs 1 crore. Thus, merely gaining access to such a computer 
or system by breaching or violating the security processes or 
mechanisms is enough to attract civil liability. Breach of security is 
also implicitly recognised as a penal offence, as hacking is 
punishable under Section 66 of the IT Act, 2000 with three years' 
imprisonment and a fine of Rs 2 lakh. 

The appropriate government has been given the discretion to declare 
any computer as a protected system. Any person who secures access or 
attempts to secure access to a protected system in contravention of 
the provisions of the law, shall be punished with imprisonment of 
either description for a term which may extend to ten years and 
shall be liable to fine. 

As per amendments made in the Indian Evidence Act, 1872 by the IT Act, 
in any proceedings involving a secure electronic record, the court 
shall presume, unless the contrary is proved, that the secure electronic 
record has not been altered since the specific point of time, to which 
the secure status relates. Also, in any proceedings involving secure 
digital signatures the court shall presume unless the contrary is 
proved that the secure digital signature is affixed by the subscriber 
with the intention of signing or approving the electronic record. 

Some issues of security relating to certifying authorities have been 
specified in the IT (Certifying Authorities) Rules, 2000 and the IT 
security guidelines. These guidelines are pretty exhaustive and detail 
different aspects of physical and operational security and information 
management including sensitive information security, system integrity 
and security measures. In conclusion, I am of the opinion that the 
legal issues relating to security are likely to develop over a period 
of time as the law on security of information and networks evolves to 
keep pace with the developments on the technological front. It is the 
responsibility of each computer user to ensure that the security of 
computers, computer systems and computer networks is preserved and not 
violated. Only in preservation of security of the same lies the path 
of progress and prosperity. 


The author is a Supreme Court advocate and cyber law consultant. He 
can be reached at pduggal@nde.vsnl.net.in and pavanduggal@hotmail.com.


