REGULATORY COMPLIANCE UNDER THE INFORMATION TECHNOLOGY ACT, 2000 ADV. SAGAR RAHURKAR

Upload: nu-the-open-security-community

Post on 08-May-2015

DESCRIPTION

null Pune June - 2012 Meet

TRANSCRIPT

Page 1: Regulatory Compliance under the Information Technology Act, 2000

REGULATORY COMPLIANCE UNDER THE INFORMATION TECHNOLOGY ACT, 2000

ADV. SAGAR RAHURKAR

Page 2: CASES

Nadeem Kashmiri and HSBC
Karan Bahree and Mphasis
My case - Hyundai

Page 3: ISSUES

Liability of Company (Sec. 85)
Protection of data – Concern for the outsourcing industry
Privacy of data – Individual’s concern

Page 4: SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA

If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person

Liability – Damages by way of compensation

Page 5: ADJUDICATION

For claims up to Rs. 5 Crores – Adjudicating officer
For claims above Rs. 5 Crores – Civil courts (Unlimited liability)

Page 6: WHO IS LIABLE?

Sec. 85: Offences by companies

• The company itself, being a legal person;
• The top management including directors; and
• The managers (persons directly responsible for the data)

If it is proved that –

• they had knowledge of the contravention; or
• they have not used due diligence; or
• that it was caused due to their negligence

Page 7: ISSUES

What is Sensitive Personal Data or Information?
What are Reasonable Security Practices and Procedures?

Page 8: THE SOLUTION

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Enforceable from 11th April, 2011

To be read with Sec. 43A

Page 9: SENSITIVE PERSONAL DATA OR INFORMATION (SPDI)

Password
Health condition
Sexual orientation
Health records
Biometrics
Financial info

Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 10: REASONABLE SECURITY PRACTICES

Implementing a comprehensive documented information security programme and information security policies

Containing –

Managerial, technical, operational and physical security control measures commensurate with the information assets held by the person.

Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 11: REASONABLE SECURITY PRACTICES

The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard OR

If following codes of best practices for data protection other than IS/ISO/IEC, these shall be duly approved and notified by the Central Government OR

An agreement between the parties regarding protection of “Sensitive Personal Information”

Page 12: AUDITING

Necessary to get the codes or procedures certified or audited on a regular basis
Needs to be done by the Government Certified Auditor
Will be known as “Govt. Certified IT Auditor”
Not appointed yet
CERT-IN has empanelled IT Auditors

Page 13: POLICIES/CLAUSES

Page 14: COLLECTION OF INFORMATION

About obtaining consent of the information provider

Consent in writing through letter/fax/email from the provider of the SPDI regarding purpose of usage before collection of such information

Need to specify –

Fact that SPDI is being collected
What type of SPDI is collected?
How long SPDI will be held?

Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 15: COLLECTION OF INFORMATION

Provider should know –

Purpose of collection
Intended recipients
Details of the agency collecting the information and the agency retaining the information

Body Corporate not to retain information longer than required
Option should be given to withdraw the information provided
SPDI shall be used only for the purpose for which it has been collected
Shall appoint a “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month

Page 16: PRIVACY AND DISCLOSURE OF INFORMATION POLICY

Policy about handling of SPDI

Shall be published on website or should be available to view/inspect at any time

Shall provide for –

Type of SPDI collected
Purpose of collection and usage
Clear and easily accessible statements of IT Sec. practices and policies
Statement that the reasonable security practices and procedures as provided under rule 8 have been complied with

Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 17: DISCLOSURE

Disclosure –

Prior permission of provider necessary before disclosure to third party OR
Disclosure clause needs to be specified in the original contract OR
Must be necessary by law

Third party receiving SPDI shall not disclose it further

Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 18: TRANSFER OF INFORMATION

Transfer to be made only if it is necessary for performance of a lawful contract
Disclosure clause should be a part of the Privacy and Disclosure Policy
Transferee to ensure the same level of data protection is adhered to during and after transfer
Details of transferee should be given to provider

Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Page 19: SEC 72(A) (CRIMINAL OFFENCE)

Punishment for Disclosure of information in breach of lawful contract –

Knowingly or intentionally disclosing “Personal Information” in breach of lawful contract

IMP – Follow contract

Punishment – Imprisonment up to 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)

Page 20: GRAMM–LEACH–BLILEY ACT (GLBA, USA)

Focuses on finance

Safeguards Rule – Disclosure of Nonpublic Personal Information

It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.

This plan must include –

Denoting at least one employee to manage the safeguards,
Constructing a thorough risk analysis on each department handling the nonpublic information,
Develop, monitor, and test a program to secure the information, and
Change the safeguards as needed with the changes in how information is collected, stored, and used.

Page 21: THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)

Focus on economic and national security interests of the United States

Emphasis on “risk-based policy for cost-effective security”

Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security

Not mandatory
No penalty for non-compliance

Page 22: DATA PROTECTION DIRECTIVE (EU)

European Union directive regulating the processing of personal data within the EU

Protection of individual’s personal data and its free movement

Coming soon – European Data Protection Regulation

Not mandatory
No penalty for non-compliance

Page 23: PREAMBLE OF THE IT ACT

Purpose behind enacting the IT Act –

To provide legal recognition to e-commerce
To facilitate e-governance
To provide remedy to cyber crimes
To provide legal recognition to digital evidence

• The Preamble doesn’t specify that the Act aims at establishing an IT Security framework in India

Page 24: BENEFITS

Compliance with legislation
No liability on organisation
Increased reliability and security of systems
Systems rationalization
Improved management controls
Improved risk management and contingency planning

Page 27: GET IN TOUCH

PHONE: +919623444448
EMAIL: [email protected]