
Information Technology Act - CA perspective

CA A.Rafeq, FCA, CISA, CIA, CGEIT

Managing Director, Wincer Infotech Limited

Bangalore, 25th Jan. 2012


Agenda

1. Need for Chartered Accountants to embrace IT

2. Overview of IT Act 2000 and IT Act 2008

3. Impact of IT Act on Government, Enterprises and Individuals – some case studies

4. Impact and opportunities for Chartered Accountants – IT Act

1. Need for Chartered Accountants to embrace IT


Technology: key enabler of business change

• Value does not come miraculously from technology.

• Technology only provides a capability.

• Value is only realized when this capability is applied and managed as part of a comprehensive programme of business change.

• As IT has evolved from automation through information to transformation, the extent and complexity of business change has grown dramatically, and now includes:
  – Business strategy
  – Business processes
  – How people work
  – Organizational structure
  – Technology

Industrial revolution to Knowledge revolution

• Industrial revolution to the Knowledge revolution – pervasive IT.

• The role of IT in the evolving knowledge society is comparable to that of the railroad during the Industrial Revolution.

• The amount of private and enterprise data stored on computers is doubling every 12 to 18 months.

• Mobile computing gives users the freedom to roam, with access to data and services at any time and in any place.

• IT is becoming a primary driver of business growth and is expected to make a greater contribution to the success of enterprises.

• Investment in IT is being made because it impacts business performance.

• "Technology continues to be the one key driver of business growth worldwide, with IT spends continuing to see an annual rise for the foreseeable future" – TCS Annual Report 2010-2011.

Future of IT

• A Dutch start-up, Sparked, is using wireless sensors on cattle so that when one is sick or pregnant, it sends a message to the farmer.

• Each cow transmits 200 MB of data per year.

• We can monitor ourselves this way too: using a wireless cardiac monitor, your physician can check for health risks.

• And this is just the beginning of embedded IT.

Information and IT: BI, Big Data and Data Analytics


Cloud computing

Global scenario:

• Cloud services revenue to touch $149 billion in 2014; $55 billion forecasted worldwide revenue from public IT cloud services alone.

• Cloud services cost less than traditional outsourced services, with savings ranging from 20% to 50% depending on the type of service offered.

• Cloud computing is forecast to grow 30% in 2011, more than 5 times the rate of the IT industry as a whole.

• 2.3 million net new jobs created by cloud on a cumulative basis over the period 2010 to 2015.

• The impact of cloud computing will be very high on the nearly $60 billion outsourcing sector, whose mantra is cost savings. This sector has little choice but to include cloud computing as part of its service portfolio.

Cloud computing

Indian scenario:

• India is ahead of the US in cloud adoption. Top cloud users today are Brazil (27%), Germany (27%), India (26%), US (23%).

• The cloud computing market in India is expected to cross USD 1.08 billion by 2015, from USD 110 million in 2010.

• Of the projected $4.5 billion total cloud computing market in India by 2015, private cloud will account for $3.5 billion.

• It will generate about 100,000 additional jobs and save about 50 percent of the cost of IT operations for Indian enterprises.

• India's No. 3 outsourcing firm looks at cloud computing as a "game changer". It is building data centres in India and implementing private clouds in partnership with other IT firms.

• The cloud has the potential to transform business ecosystems that are relatively under-penetrated by IT due to high capital requirements, such as government, healthcare and education.

• Cloud computing allows us to deliver standard end-to-end processes as a service to customers using new operating models – TCS.

Impact of IT for CA in future

• CAs with solid IT skills are needed to design, integrate, and implement advanced software systems, as well as serve as consultants to link hardware/software solutions with sound business plans.

• Technology will continue to challenge and reshape our lifestyles, work patterns, educational experiences, and communication styles and techniques. Technology will rewrite the “rules of business,” leaving those far behind who will not harness it and effectively integrate it.

• Many of the traditional, essential skills of CAs are being replaced by new technologies that are increasing in number and being rapidly developed, often from unexpected sources.


Innovation - key to success

There's plenty of evidence that if you don't find dramatically new ways of doing business, you're not going to be in business.

IT – The road ahead for CAs

• The core competencies of a CA are a unique combination of knowledge and skills in accounting, assurance, information systems, governance, management, risk, controls, regulatory compliance, business processes, human relations, technology and related areas relevant to enterprises of all types, oriented towards providing value and deliverables as required by clients/users.

• Global studies have shown that the traditional core competencies of CAs need to be enhanced with an increased understanding of technology systems, and that there is an urgent need to develop the ability to process and integrate information across the various areas of business practice.

• CA firms have to become IT savvy so as to deploy the optimum level of IT within their firm and also to have the working knowledge of IT required to audit/consult for their clients.

IT – The road ahead for CAs

• Interested in providing IT implementation and consulting services?

• Get a good understanding of technologies, tools, processes, trends… and REGULATIONS.

• CA firms have to consider IT not merely as an office asset to be procured for use by staff as an office automation tool, but as critical infrastructure with a strategic long-term impact on their service delivery capabilities.


Example of GRC risk


IT Governance Principle

• “Information Technology is critical to the success of an enterprise, Information Technology is an issue which cannot be relegated solely to management or IT Specialists, but must instead receive the focussed attention of both”.


The key questions

Corporate Governance

• How do suppliers of finance get managers to return some of the profits to them?

• How do suppliers of finance make sure that managers do not steal the capital they supply or invest it in bad projects?

• How do suppliers of finance control managers?

IT Governance

• How do the board and executive management get their CIO and IT organisation to return some business value to them?

• How do the board and executive management make sure that their CIO and IT organisation do not steal the capital they supply or invest it in bad IT projects?

• How do the board and executive management control their CIO and IT organisation?

2. Overview of IT Act 2000 and IT Act 2008


Objectives of the IT Act 2000

• Provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"

• Facilitate electronic filing of documents with Government agencies and e-payments (e-Governance)

• Amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934

• Establish Certifying Authorities for digital signatures

• Recognize digital signatures

• Impose tough penalties on cyber crimes

• Set up appellate authorities

• Schedule II provides guidelines for the implementation and management of IT security

Extent of application

• Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person (section 1(2), read with section 75). The Act applies to an offence or contravention committed outside India by any person irrespective of his nationality, if the act involves a computer, computer system or computer network located in India.

Act is NOT applicable to…

(a) a negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instruments Act, 1881;

(b) a power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882;

(c) a trust as defined in section 3 of the Indian Trusts Act, 1882;

(d) a will as defined in clause (h) of section 2 of the Indian Succession Act, 1925, including any other testamentary disposition;

(e) any contract for the sale or conveyance of immovable property or any interest in such property;

(f) any such class of documents or transactions as may be notified by the Central Government.

IT Act 2000

• Enacted on 17th May 2000 – India is the 12th nation in the world to adopt cyber laws

• The IT Act is based on the Model Law on Electronic Commerce adopted by UNCITRAL

• The IT Act was amended by the IT (Amendment) Act, 2008

• When the Information Technology Act, 2000 was introduced, it was the first information technology legislation introduced in India!

• The Information Technology (Amendment) Act 2008 (effective from October 27, 2009) could be a game changer!

• ITA Rules, 2011

Objectives of IT Act 2008

• Casts responsibility on body corporates to protect sensitive personal information (Sec. 43A)

• Recognizes and punishes offences by companies and individual (employee) actions (Sec. 43, 66 to 66F, 67…):
  – Sending offensive messages using an electronic medium or using the body corporate's IT for unacceptable purposes
  – Dishonestly receiving a stolen computer resource
  – Unauthorized access to computer resources
  – Identity theft / cheating by personation using a computer
  – Violation of privacy
  – Cyber terrorism / offences using a computer
  – Publishing or transmitting obscene material

• Provides for extensive powers for Police and statutory authorities

What the IT Act 2008 amendment aims for

• A paradigm shift in the data protection and privacy regime in India:
  – Establishing a self-regulation framework
  – Maintenance of reasonable security practices and procedures
  – Articulating "sensitive personal data or information"
  – Adjudication related to data protection and privacy (civil liabilities)
  – Providing criminal prosecution vis-à-vis data protection and privacy

Rules to IT Act 2008

• Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

• Information Technology (Intermediaries guidelines) Rules, 2011

• Information Technology (Electronic Service Delivery) Rules, 2011


Definitions (section 2)

• "computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

• "computer network" means the inter-connection of one or more computers through
  – (i) the use of satellite, microwave, terrestrial line or other communication media; and
  – (ii) terminals or a complex consisting of two or more interconnected computers, whether or not the interconnection is continuously maintained;

Definitions (section 2)

• "electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

• "secure system" means computer hardware, software and procedure that
  (a) are reasonably secure from unauthorized access and misuse;
  (b) provide a reasonable level of reliability and correct operation;
  (c) are reasonably suited to performing the intended functions; and
  (d) adhere to generally accepted security procedures

• "security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000.

• "secure electronic record" – where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification

Definitions

• "Information" includes data, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche

• "Electronic form", with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device

Definition

• "Digital signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3

• "Affixing digital signature" means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of a digital signature

• "Intermediary", with respect to any particular electronic message, means any person who on behalf of another person receives, stores or transmits that message or provides any service with respect to that message

Electronic Governance

• Legal recognition of electronic records (Sec. 4): where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is
  – rendered or made available in an electronic form, and
  – accessible so as to be usable for a subsequent reference

Recognition for E-Governance

• Provides for the following in electronic form (Sec. 6):
  – Filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner
  – The issue or grant of any licence, permit, sanction or approval, by whatever name called, in a particular manner
  – The receipt or payment of money in a particular manner
  – as prescribed by the appropriate Government

A digital signature

• Is created using software.

• Is unique and is dynamically created by the software for each record signed.

• Is used for identifying and authenticating a user for transactions in the digital world, similar to identifying and authenticating users through physical signatures in the physical world.

• The Digital Signature Certificate behind it is issued by a Certifying Authority and is valid for the period for which it is allotted.

• Anyone can confirm whether the digital certificate is valid by checking with the Certifying Authority that issued it.

"Digital signature" replaced by "electronic signature" in IT Act 2008

• A subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique as is:
  – Considered reliable, and
  – Specified in the Second Schedule

• A technique shall be considered reliable if:
  – The signature creation data is unique to and under the control of the authenticator
  – Alterations to the signature, or to the signed record, are detectable
  – E.g. PIN, digitised fingerprint or image, retina scan

Impact of Digital Signature

• "As enterprises increasingly use digital signature technologies to support e-commerce, legal issues such as non-repudiation, online contracts and protection of intellectual property will become more common“

• "Business managers, Auditors and lawyers need to understand some of the underlying technology as they grapple with the legal implications”


Secure digital signature – S.15

• If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was:
  (a) unique to the subscriber affixing it;
  (b) capable of identifying such subscriber;
  (c) created in a manner or using a means under the exclusive control of the subscriber; and
  (d) linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
  then such digital signature shall be deemed to be a secure digital signature.

Public Key Infrastructure

• Allows parties to have free access to the signer's public key

• Assures that the public key corresponds to the signer's private key – trust between parties as if they knew one another

• Parties with no trading partner agreements, operating on open networks, need to have the highest level of trust in one another

Certificate based Key Management

• Operated by a trusted third party – the CA

• Provides trading partners with certificates

• Notarises the relationship between a public key and its owner

(Diagram: the CA issues certificates to User A and User B; each party presents its CA-issued certificate to the other.)

The licensing process

• Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations there- under;

• Approving the Certification Practice Statement(CPS);

• Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.


Audit Process

• Adequacy of security policies and implementation thereof;

• Existence of adequate physical security;

• Evaluation of functionalities in technology as it supports CA operations;

• CA's services administration processes and procedures;

• Compliance to relevant CPS as approved and provided by the Controller;

• Adequacy of contracts/agreements for all outsourced CA operations;

• Adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time.

PKI Hierarchy

(Diagram: the Controller of Certifying Authorities (CCA) at the root; licensed Certifying Authorities (CAs) beneath it; Subscribers holding certificates issued by the CAs; Relying Parties verifying those certificates against each CA's Directory of Certificates and CRLs.)
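A worked illustration of the two ideas above, the S.15 test that altering a record invalidates its signature and the CCA → CA → subscriber hierarchy with a CRL, added here as an example and not taken from the original deck. The CA names, serial numbers and the signed "record" are constructed; textbook RSA over SHA-256 with keys drawn from `random` is used only so the block runs with the Python standard library, and is not what a licensed CA would use in production (no PKCS#1 padding, no secure randomness).

```python
"""Added example: chain of trust CCA -> CA -> subscriber with SHA-256 and
textbook RSA. Constructed names, serials and record; illustration only."""
import hashlib
import json
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (probabilistic, fine for an example)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Returns (public, private) as dicts; e fixed at 65537. `random` is NOT a
    cryptographic RNG; a real CA would use a HSM or at least `secrets`."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def sign(private_key, record: bytes) -> int:
    """Signature = SHA-256(record)^d mod n: the signature is bound to the exact
    bytes of the record, so any alteration changes the hash and breaks it."""
    digest = int.from_bytes(hashlib.sha256(record).digest(), "big")
    return pow(digest, private_key["d"], private_key["n"])


def verify(public_key, record: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(record).digest(), "big")
    return pow(signature, public_key["e"], public_key["n"]) == digest


def canonical(body) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(issuer, issuer_private, subject, subject_public, serial):
    """The issuer notarises the binding between `subject` and its public key."""
    body = {"serial": serial, "issuer": issuer, "subject": subject,
            "n": subject_public["n"], "e": subject_public["e"]}
    return {"body": body, "signature": sign(issuer_private, canonical(body))}


def verify_chain(trust_anchor_public, chain, revoked_serials) -> bool:
    """chain = [subscriber_cert, ca_cert]. Walk from the trust anchor (CCA)
    downwards: each certificate must be signed by the key certified one level
    above it and must not appear in the CRL."""
    issuer_public = trust_anchor_public
    for cert in reversed(chain):
        if cert["body"]["serial"] in revoked_serials:
            return False
        if not verify(issuer_public, canonical(cert["body"]), cert["signature"]):
            return False
        issuer_public = {"n": cert["body"]["n"], "e": cert["body"]["e"]}
    return True


def demo():
    cca_pub, cca_priv = generate_keypair()
    ca_pub, ca_priv = generate_keypair()
    sub_pub, sub_priv = generate_keypair()
    ca_cert = issue_certificate("CCA", cca_priv, "Licensed CA", ca_pub, serial=1)
    sub_cert = issue_certificate("Licensed CA", ca_priv, "Subscriber A", sub_pub, serial=1001)
    chain = [sub_cert, ca_cert]

    record = b"Return FY 2011-12: total income Rs 10,00,000"  # constructed
    signature = sign(sub_priv, record)
    tampered = record.replace(b"10,00,000", b"1,00,000")
    return {
        "signature_valid": verify(sub_pub, record, signature),
        "tampered_record_rejected": not verify(sub_pub, tampered, signature),
        "chain_valid": verify_chain(cca_pub, chain, revoked_serials=set()),
        "revoked_rejected": not verify_chain(cca_pub, chain, revoked_serials={1001}),
        "wrong_anchor_rejected": not verify_chain(ca_pub, chain, revoked_serials=set()),
    }


if __name__ == "__main__":
    print(demo())
```

The relying party never needs the subscriber's private key: it checks the record against the subscriber's public key, and trusts that public key only because the CA's certificate for it verifies under the CCA's key and is not on the CRL. Changing a single digit in the record, or revoking the subscriber's certificate, makes the whole check fail.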

Section 12 – Acknowledgement of Receipt

• If the originator has not specified a particular method, any communication, automated or otherwise, or any conduct indicating receipt suffices.

• If the originator has stipulated that acknowledgement is necessary, then unless the acknowledgement has been received the electronic record shall be deemed never to have been sent.

• Where the acknowledgement is not received within the time specified, or within a reasonable time, the originator may give notice that the electronic record will be treated as though it had never been sent.

Section 13 – Dispatch of Electronic Record

• Unless otherwise agreed, dispatch occurs when the electronic record (ER) enters a computer resource outside the control of the originator.

• If the addressee has designated a computer resource, receipt occurs when the ER enters the designated computer resource; if the ER is sent to a computer resource of the addressee that is not the designated one, receipt occurs when the ER is retrieved by the addressee.

• If no computer resource has been designated, receipt occurs when the ER enters a computer resource of the addressee.

• An ER is deemed dispatched at the place where the originator has its place of business and received at the place where the addressee has its place of business; where there is more than one, the principal place of business, and where there is none, the usual place of residence.

Civil Wrongs under IT Act

Chapter IX of IT Act, Section 43

• Whoever, without permission of the owner of the computer:
  – Secures access (mere unauthorised access, not necessarily through a network)
  – Downloads, copies or extracts any data
  – Introduces or causes to be introduced any virus or contaminant
  – Damages or causes to be damaged any computer resource (destroy, alter, delete, add, modify or rearrange; change the format of a file)
  – Disrupts or causes disruption of any computer resource (preventing normal continuance of the computer)
  is liable to pay damages by way of compensation to the person so affected.

Key Provisions of the IT Act for corporates – Sec. 43A

• The responsibility of a body corporate for protection of stakeholder information arises primarily from Section 43A of the Information Technology Act, 2000 (inserted by the 2008 amendment), which provides as follows:

• "Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected."

TYPES OF CYBER CRIMES

• Cyber terrorism

• Cyber pornography

• Defamation

• Cyber stalking (section 509 IPC)

• Sale of illegal articles – narcotics, weapons, wildlife

• Online gambling

• Intellectual property crimes – software piracy, copyright infringement, trademark violations, theft of computer source code

• Email spoofing

• Forgery

• Phishing

• Credit card frauds

(The slide groups these as crimes against property, crimes against Government and crimes against persons.)

Provision affecting body corporates

Section 85: "Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company, as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly."

3. Impact on Government, Enterprises and Individuals

– some case studies


Impact of IT Act

Overall Impact

• Recognition of Electronic Records

• Electronic filing of records

• Legal recognition for digital signature

Specific Impact

• How digital signatures could be used within the company?

• How digital signatures could be used for business operations with customers and suppliers

• How digital signatures could be used for new business avenues?

• How will it impact the way your company is maintaining its record and conducting business operations?


Security implications – different dimensions

GOVERNMENT:

Regulations and Policies, Lawful interception

ENTERPRISES:

Contractual, Risk management, Compliance, IT Security Strategy

NETIZEN:

Data Privacy, Safe Browsing


Section 43A

• "body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities

• "reasonable security practices and procedures“ means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

• "Sensitive personal data or information“ means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.


Why Cyber Law Compliance is a burning issue

• ITA 2008 has given a security orientation to cyber law in India

• Cyber security is no longer merely a technical issue

• It is a legal prescription under ITA 2008

• Every corporate entity should therefore implement a structured plan of action, through a cyber law compliance programme, to ensure that it is not liable under ITA 2008

Seven basic compliance requirements

• Designate a Cyber Law Compliance officer

• Initiate training of employees on Cyber Law Compliance

• Introduce sanction procedures in HR policy for non-compliance

• Use the authentication procedures suggested in the law

• Maintain data retention as required under Section 67C

• Identify and initiate the safeguard requirements indicated under Sections 69, 69A, 69B and 43A

• Initiate global standards of data privacy on collection, retention, access, deletion etc.

Categories of Cybercrimes

Offences – sections 65 to 74 – categorized as offences against:

Property

• Tampering with computer source documents

• Hacking

Person

• Obscenity

• Cyber trespass

• Breach of confidentiality and privacy

Sovereignty/Government/Authority

• Interception of information affecting sovereignty

• Unauthorized access to protected systems

• Non-compliance with orders of the Controller of Certifying Authorities

• Misrepresentation for obtaining a Digital Signature Certificate

• Use of a Digital Signature Certificate for fraudulent or unlawful purpose

• Publishing a Digital Signature Certificate false in certain particulars

Cyber Terrorism is defined in Section 66F

• Whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people, does any of the following:
  1. Denies access to a computer resource; or
  2. Accesses a computer resource without authority; or
  3. Introduces any computer contaminant,
  and thereby causes death or destruction of property; or

• Knowingly penetrates a restricted computer resource and obtains information affecting the sovereignty and integrity of India, security of the State, friendly relations with foreign states, public order, decency or morality, contempt of court, defamation, or to the advantage of a foreign state or group of persons.

• It is punishable with imprisonment which may extend to imprisonment for life.

Forgery

Andhra Pradesh Tax Case

• To explain the Rs. 22 crore recovered from his house by the vigilance department, the owner of a plastics firm submitted 6,000 vouchers to legitimize the amount. Careful scrutiny of the vouchers and of the contents of his computers revealed that all of them had been created after the raids were conducted.

• All the vouchers were fake computerized vouchers.

Cyber stalking

• Ritu Kohli (first lady to register the cyber stalking case) is a victim of cyber-stalking.

• A friend of her husband gave her phone number and name on a chat site for immoral purposes.

• A computer expert, Kohli was able to trace the culprit. Now, the latter is being tried for "outraging the modesty of a woman", under Section 509 of IPC.


Cyber defamation

• SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra: India’s first case of cyber defamation was reported when a company’s employee (defendant) started sending derogatory, defamatory and obscene e-mails about its Managing Director.

• The e-mails were anonymous and frequent, and were sent to many of their business associates to tarnish the image and goodwill of the plaintiff company.

• The plaintiff was able to identify the defendant with the help of a private computer expert and moved the Delhi High Court.

• The court granted an ad-interim injunction and restrained the employee from sending, publishing and transmitting e-mails, which are defamatory or derogatory to the plaintiffs.


Online gambling: virtual casinos, cases of money laundering

• Cyber lotto case: In Andhra Pradesh, one Kola Mohan created a website and an email address on the Internet ('[email protected]') which showed his own name as the beneficiary of 12.5 million pounds in a Euro lottery.

• After getting confirmation from the email address, a Telugu newspaper published this as news.

• He gathered huge sums from the public as well as from some banks. The fraud came to light only when a cheque for Rs 1.73 million discounted by him with Andhra Bank was dishonoured.

Case Study – BPO Data Theft

• The recently reported case of a bank fraud in Pune, in which some ex-employees of Msource, the BPO arm of MPhasis Ltd, defrauded US customers of Citibank to the tune of Rs 1.5 crore, has raised concerns of many kinds, including the role of "data protection".

• The crime was obviously committed using "unauthorized access" to the "electronic account space" of the customers. It is therefore firmly within the domain of "cyber crimes".

BPO data theft – Case Study (contd.)

• The BPO is liable for the lack of security that enabled the commission of the fraud, as well as vicariously for the ex-employees' involvement. The PINs were obtained during the persons' tenure as employees, and hence the organization is responsible for the crime.

• Some of the persons who assisted others in the commission of the crime, even though they may not have been directly involved as beneficiaries, will also be liable under Section 43 of ITA-2000.

• Under Section 79 and Section 85 of ITA-2000, vicarious responsibility is indicated for both the BPO and the Bank on the grounds of "lack of due diligence".

• At the same time, if the crime is investigated in India under ITA-2000, the fact that the Bank was not using digital signatures for authenticating customer instructions would amount to gross negligence on the part of the Bank.

Case Study – Extortion of Money Through the Internet

• The complainant received a threatening email demanding protection money from an unknown person claiming to be a member of the Halala Gang, Dubai. Police registered a case u/s 384/506/511 IPC.

• The sender of the email used the email IDs [email protected] and [email protected] and signed as Chengez Babar.

• Both email accounts were tracked, details were collected from the ISPs and the locations were identified.

• The cyber cafes from which the emails had been sent were monitored and the accused person was nabbed red-handed.

Email spoofing

• Pranab Mitra, a former executive of Gujarat Ambuja Cement, posed as a woman, Rita Basu, and created a fake e-mail ID through which he contacted one V.R. Ninawe, an Abu Dhabi businessman.

• After a long cyber relationship and emotional messages, Mitra sent an e-mail that "she would commit suicide" if Ninawe ended the relationship. He also gave him "another friend Ruchira Sengupta's" e-mail ID, which was in fact his second bogus address.

• When Ninawe mailed the other ID he was shocked to learn that Mitra had died and that the police were searching for Ninawe. Mitra extorted a few lakh rupees as advocate fees etc. Mitra even sent e-mails as high court and police officials to extort more money. Ninawe finally came down to Mumbai to lodge a police case.

Bankrupt complainant approaches Police

• The complainant realizes he has been cheated and approaches the Police.

• Total amount obtained by the perpetrator = Rs 1.25 crore.

• The IP addresses embedded in all e-mails received by the complainant reveal the origin to be either
  – Ambuja Cement Company, or
  – A residential address at Nerul

• A bank account at Chembur

• Police swing into action and raid the addresses.

• Two laptops recovered at the said place contain most of the e-mail communication made under the various identities such as Ruchira, Advocate Mitra, New York Police, Kolkata Police etc.

• The man assuming all these identities was identified as P M, an employee of Gujarat Ambuja.
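The trace in the case above rests on reading the Received: headers that each mail server stamps on a message. As an added example, not part of the original deck, the block below parses such a chain with the Python standard library. The message, host names and IP addresses are constructed (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and stand for a webmail relay and the complainant's mail exchanger; the function names are my own.

```python
"""Added example: tracing a spoofed e-mail back through its Received: chain.
Constructed message; hosts and IPs are from the documentation ranges."""
import email
import ipaddress
import re
from email import policy

# Constructed sample. Servers prepend Received: lines, so the top line was
# added last (by the complainant's MX) and the bottom line first (by the
# webmail relay the sender connected to).
RAW_MESSAGE = b"""Received: from mail.webmail.example (mail.webmail.example [198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2A1C
\tfor <complainant@recipient.example>; Mon, 23 Jan 2012 10:00:00 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby mail.webmail.example (Postfix) with ESMTPA id 9B3D7E;
\tMon, 23 Jan 2012 09:59:40 +0000
From: "A Friend" <friend@webmail.example>
To: complainant@recipient.example
Subject: please reply
Message-ID: <20120123095940.9B3D7E@mail.webmail.example>

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)",
    re.S)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def received_hops(raw: bytes):
    """Parse every Received: header, newest first (the order they appear in).
    Each hop records the HELO name the client gave, the IP the receiving
    server saw, and the server ('by') that wrote the line."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())        # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                                # malformed: skip, never trust
        source = m.group("paren") or m.group("helo")
        ip = None
        for candidate in IPV4_RE.findall(source):
            try:
                ip = str(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue
        hops.append({"helo": m.group("helo"), "ip": ip, "by": m.group("by")})
    return hops


def connecting_ip(raw: bytes, trusted_mtas):
    """IP of the host that handed the message to the last MTA we trust.
    Walking from the top through lines written by our own servers ends at the
    one connection we can vouch for. Lines below that were written by other
    parties (or by the sender) and can be forged, so an investigator treats
    them as leads, not proof, and confirms them with the ISP."""
    last_ip = None
    for hop in received_hops(raw):
        if hop["by"] not in trusted_mtas:
            break
        last_ip = hop["ip"]
    return last_ip


def from_domain(raw: bytes) -> str:
    """The From: header is supplied by the sender and proves nothing by itself."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].domain


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(hop)
    print("handed to our MX by:", connecting_ip(RAW_MESSAGE, {"mx.recipient.example"}))
    print("claimed sender domain:", from_domain(RAW_MESSAGE))
```

Run on the sample, the chain shows the message reached the complainant's MX from 198.51.100.7 (the webmail relay) and, one hop earlier, that the relay accepted it from 192.0.2.45. Only the first of those is attested by a server the investigator controls; the second is what the provider's records must confirm, which is why the case turned on ISP lookups rather than on the headers alone.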

4. Impact and opportunities for Chartered Accountants


Chartered Accountants

Traditional areas:

• Internal auditing

• Filing of returns

• Compliance

• MIS

New areas:

• Electronic filing of documents

• Web based business

• Web assurance policies

• eEnabling business operations

eCommerce Concepts and impact

• eCommerce refers to the use of technology to enhance the processing of commercial transactions between a company, its customers and its business partners.

• eCommerce has vast potential to change the way business is conducted.

• eCommerce transactions over the Internet include:
  – Formation of contracts
  – Delivery of information and services
  – Delivery of content

• Traditional sources of competitive advantage will be supplanted, power and control will shift from suppliers to customers, global markets will become accessible to all comers and the traditional role of middlemen will be undermined.

eCommerce Issues

1. Web merchants may be bogus

2. Customers may be fictitious

3. Electronic documents on the Web may not be authentic

4. Trading partners may deny they were a party to the transaction

5. Transactions may be intercepted, tampered with or replayed

6. Digital signatures and electronic records may not be recognized as evidence in courts of law

7. Transactions may be hard to substantiate causing problem of accounting recognition.

8. Audit trails may be lacking or easily tampered with


Minimum Security Requirements for eCommerce

NON REPUDIATION, AUTHENTICATION, CONFIDENTIALITY, INTEGRITY

(Diagram: a paper letter – "Ref:", "Sub:", "Sir, This is with reference to your letter vide…", signed "Vikram" – sent in an envelope. In the electronic world, what replaces the letterhead and signature on the original document? What replaces the envelope?)

The Answer

• A cryptographic digital signature replaces the letterhead and signature on the original document – it provides AUTHENTICATION, INTEGRITY and NON REPUDIATION

• Encryption replaces the envelope – it provides CONFIDENTIALITY

Digital Certificates in eCommerce

• Verification of customer, merchant, bank…
  – Non-repudiation
  – Time stamping
  – Authentication
  – Legal evidence

• Secure e-mail
  – Receipt of contracts
  – Receipt of purchase orders
  – Receipt of other important electronic documents

Impact on traditional areas

Key issues impacting CAs

Authenticity: How do we implement a system that ensures that transactions are genuine and authorized?

Reliability: How do we rely on information which has no physical documents behind it?

Accessibility: How do we gain access to and authenticate this information, which is in digital form?

Control Objectives for eCommerce

Business and Control objectives do NOT change e.g.

• Goods sold are as per customer order

• Delivered to correct customer

• Payment is correct and made to correct supplier

• Transactions are correctly recorded, etc

However, monitoring tools and techniques used need to be changed


Sample checklist for evaluation

Section 43A

(a) Are the various components of "sensitive personal data or information" vis-à-vis users/customers defined by the enterprise?

(b) Does the enterprise have a security policy? Is the security policy documented?

Section 67C

Does the enterprise have an electronic record preservation and retention policy?

Section 69B

Has the enterprise adopted/established appropriate policy, procedures and safeguards for monitoring and collecting traffic data or information? Are these documented?

Sample checklist for evaluation

Section 70B

Does the enterprise have an appropriate documented procedure to comply with requests from CERT-In regarding cyber security incidents?

Section 72A

(a) Does the enterprise have an adequate privacy policy?

(b) Does the privacy policy provide an opt-in/opt-out clause?

General

1. Has the enterprise appointed a designated officer/nodal officer/computer-in-charge to comply with the directions of the competent authority/agency under the various provisions of the Act?

2. Are the details of such designated officer/nodal officer readily available online (on your website)?

Key Concepts to Take Away

• Implications of IT Act 2000

– More pervasive as we move on

– Definite role to play

– Are we ready and equipped?

– Do we have the vision and long term focus?

– Certificate Authorities, Digital Signatures will be key enablers of eCommerce

• eCommerce offers exciting Avenues


All challenges are opportunities

IT is one such continuing challenge
