Home Blogs ‘India’s cybersecurity laws inadequate for IoT, Big Data, Cloud and AI’

‘India’s cybersecurity laws inadequate for IoT, Big Data, Cloud and AI’

Can India Inc. fully adopt technologies like Cloud, Big Data and Internet of Things in the absence of adequate cybersecurity laws, asks Pavan Duggal, Advocate, Supreme Court of India

A joint study by ASSOCHAM and EY has revealed that mobile frauds in India will increase by 65% in 2017. Moreover, the growing adoption of new and emerging technologies like Cloud, Big Data and Internet of Things (IoT) by India Inc. is also bringing to fore newer challenges from the security perspective. Ransomware is growing at a very fast pace in India. Other threats include increased frequency and dissemination of malicious spyware and malware. And in the absence of a national cybersecurity watchdog agency, cyber criminals today are increasingly trying to find loopholes in the security system of these technologies.

India a fertile jurisdiction for cybercrime

“The fact is that India has neither a dedicated cyber security law, nor adequate frameworks to regulate cyber security breaches and new technologies like Cloud, Big Data and IoT. This has led a lot of cyber criminals to believe that India is a fertile jurisdiction to target,” explains Pavan Duggal, Advocate, Supreme Court of India and President, www.cyberlaws.net. “For India to promote the better adoption and usage of new technologies like Cloud, Big Data and IoT, or even Artificial Intelligence, it is imperative for the legal framework to protect the data resident and provide effective mechanisms for the victims of cybersecurity breaches.”

The Information Technology Act, 2000, designated various acts as cybercrimes. A majority of these crimes are bailable offenses, which basically translates into inadequate deterrence to the offenders who violate the provisions of the law. The 2008 amendments to the Information Technology Act added new sections, detailing various new offenses as cybercrimes. However, given the fact that cybercrime as a phenomenon is constantly changing and reinventing itself, the current cyber legal frameworks are simply not adequate to protect Indian organizations against cybercrimes.

“You need to keep in mind that India does not have a dedicated cyber security law. The Information Technology Act, 2000, is not a cyber security law,” points out Duggal. Which is why, breaches of cyber security continue to go unreported and there is no statutory elaboration of rights, duties, and responsibilities of stakeholders in this regard. “The law does not also have effective provisions to deal with data protection. India needs to come up with dedicated legal frameworks to deal with specific verticals of activities in the digital and mobile ecosystem,” Duggal adds.

Digital India and cybersecurity

Pavan Duggal, Advocate, Supreme Court of India and President, www.cyberlaws.net

Another big challenge pertains to the inadequacy of the current legal frameworks to help and promote the Digital India vision by helping and promoting digital and mobile payments. “The rights, duties, and obligations of digital era intermediaries have clearly not been well-defined. The inadequacy of existing legal frameworks is reflected in the lack of effective remedies to affected persons in the digital ecosystem, especially in the cases that have emerged post-demonetization,” Duggal tells.

The threat of data in the Cloud being lost is also a real cause for worry. Duggal explains that Section 43 and 43A of the Information Technology Act, 2000, have some provisions to deal with such cases of breaches of data on the Cloud, but they are only by way of compensation. He says, “For normal data loss involving third-party data resident on the Cloud, a company can seek damages up to INR 50,000,000. However, if the data of the company is sensitive or personal data is stored on the Cloud, then the company and affected persons can seek unlimited damages by way of compensation against the offenders, provided the identity of offenders is adequately known.”

Role of Big Data Analytics

Now, Big Data Analytics can help companies that possess huge volumes of data to identify patterns of behavior and also the potential mistakes made in the corporate environment, which could have a detrimental impact on protection and preservation of cybersecurity. But, for organizations to use Big Data to help with cybersecurity, Duggal points that it is essential for organizations to have a clear vision and mindset. “They should recognize the value of Big Data Analytics and identify action points in the context of protection and preservation of cybersecurity.”

Then, does it make more sense to work with open-source software and systems than proprietary ones? Duggals shrugs. “We all know that there is no magical formula for absolute security. In fact, the entire concept of security is quite relative in nature. What was secure yesterday is not secure today and what is secure today will not be secure tomorrow. In this context, it is hard to say that open-source projects are more secure than proprietary ones.” So, open-source projects may provide more flexibility to stakeholders, but security is a different ballgame altogether in a country where the majority of stakeholders have no clarity on security issues.