http://www.financialexpress.com/fe_full_story.php?content_id=76698

PAVAN DUGGAL
December 13, 2004

Security is one of the biggest concerns that affects the world today, not only in the actual world but in the context of the electronic format and the information stored therein. There is an increasing emphasis on legal issues concerning information security.

India enacted its first cyber law, namely the Information Technology Act, 2000 which came into force on October 17, 2000. A perusal of the preamble of the same clearly shows that this is not a law dedicated to security. However, one of the main objectives of the IT Act, 2000 is to provide legal recognition for "electronic commerce", which involves the use of alternatives to paper-based methods of communication and storage of information. Security is thus covered in some measure under IT Act, 2000.

The definitional clause of the Indian cyber laws does not define security. However, it defines secure system and security procedure and a secure electronic record. The Indian cyber law also details secure digital signatures.

It makes breach of security an act that attracts consequences of civil liability. If a person without the permission of the owner or any other person in charge of a computer, computer system or computer network, accesses or secures access to the same, he will be liable to pay statutory damages by way of compensation, not exceeding Rs 1 crore. Thus, merely gaining access to such a computer or system by breaching or violating the security processes or mechanisms is enough to attract civil liability.

Breach of security is also implicitly recognised as a penal offence, as hacking is punishable under Section 66 of the IT Act, 2000 with three years imprisonment and a fine of Rs 2 lakh.

The appropriate government has been given the discretion to declare any computer as a protected system.
Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of the law, shall be punished with imprisonment of either description for a term which may extend to ten years and shall be liable to fine.

As per amendments made in the Indian Evidence Act, 1872 by the IT Act, in any proceedings involving a secure electronic record, the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates. Also, in any proceedings involving secure digital signatures, the court shall presume, unless the contrary is proved, that the secure digital signature is affixed by the subscriber with the intention of signing or approving the electronic record.

Some issues of security relating to certifying authorities have been specified in the IT (Certifying Authorities) Rules, 2000 and the IT security guidelines. These guidelines are pretty exhaustive and detail different aspects of physical and operational security and information management including sensitive information security, system integrity and security measures.

In conclusion, I am of the opinion that the legal issues relating to security are likely to develop over a period of time as the law on security of information and networks evolves to keep pace with the developments on the technological front. It is the responsibility of each computer user to ensure that the security of computers, computer systems and computer networks is preserved and not violated. Only in preservation of security of the same lies the path of progress and prosperity.

The author is a Supreme Court advocate and cyber law consultant. He can be reached at pduggal@private and pavanduggal@private