Ours is a generation ruled by computers and the Internet. The predominant influence
of the Internet over countless lives all over the world has brought the issue of
cyberlaws into focus. With laws being put in place to regulate and police
cyberspace, there’s been a dramatic change in the way we browse, even
perceive, the Internet. The 9/11 attacks in the US made nations redouble their
efforts to keep track of the happenings on the Net. This also means that the
good old days of the Internet are over. Almost everything that has transpired in
the world has had a precedent. But the Internet has no examples to fall back on,
and our dealings with this entity have been fuelled by suspicion and doubt. In
the past, legal battles on this front have been extremely complex. After all,
even the law could not explain the nuances of this Web-based genie. Given this
situation, it was time to come up with some all-encompassing tool to deal with
cases of cybercrime. Against this backdrop, the sheer effort put in by lawmakers
in enacting cyberlaws should be lauded. A panel discussion, the last in the
ten-part DQ-Citrix CIO Series, unraveled the intricacies and varying definitions
of cybercrime and the problems that enterprises face today. On the panel were
Ashish Rout (Bank of Punjab), Akhilesh Tuteja (KPMG), Arindam Bose (LG),
Prasanto K Roy (chief editor, Dataquest and the moderator of the discussion), Dr
Chandan Choudhary (IFS), cyberlaw consultant Pavan Duggal, and Avinash Surma
(Delhi Stock Exchange). Excerpts from the discussion:
Issues that have hastened the enactment of cyberlaws
Avinash Surma (DSE): No new category of security lawsuits, arbitration,
and enforcement proceedings has emerged. Shareholders and activists are using
electronic bulletin boards and chat rooms to keep tabs on the management of
their companies and to learn about the security measures that are being adopted.
Similarly, the plaintiffs councils are using so-called datawarehousing websites
to exchange data regarding security sites.
Ashish Rout (BoP): With no certifying authority and e-commerce
catching up in a big way, there are many questions regarding safety measures
that come to mind. Also, the challenges faced by Net banking while conducting
transactions across the globe are a cause of concern.
Akhilesh Tuteja (KPMG): Though we have an IT act in place, we are all
at sea (state of eternal ambiguity) regarding the exact implications of the
same.
Arindam Bose (LG): We have ventured into the B2B and B2C areas and
have started getting a lot of business on those fronts, so there are a lot of
questions here. Also, we were victims of spamming once. However, the management
decided that we did not want to make it public.
Pavan Duggal: I fully agree that everyone is at sea as far as
cyberlaws are concerned as it is a very vast subject. There are two distinct
trends here. There are companies that are proactive in prevention and others who
believe in crossing the bridge once they get there. The latter is a larger
group. So awareness is very low amongst enterprises.
Awareness levels among enterprises
KPMG: The awareness about cyberlaws is poor. Enterprises still believe
that if they do not conduct business on the Net, they do not need to bother
about cyberlaws. However, the industry is slowly helping create awareness.
Irrespective of whether you are available online, it is mandatory for
enterprises to be aware of the IT Act. Also, the number of people who believe
that they will cross the bridge once they get to it is growing. The management
needs to take the initiative in changing this attitude. Waiting for catastrophe
to happen is in no way the right approach.
BoP: We have a security policy in place and we continuously evaluate,
review and update it. We also train our employees and customers to maintain
their own systems. But there are loopholes despite all efforts. There are other
problems like the difficulty in remembering 16-digit passwords. The document
policy procedure is bound to fail at times.
DSE: The awareness level at the Delhi Stock Exchange is very high. We
realize that something could go wrong at any moment and that keeps us on our
toes. We are part of a global environment and so we maintain a strict vigil.
IFS: Our organization believes in creating awareness first and then
carrying out a detailed audit on the existing security system. What we need to
look at is 99.9% uptime. Once we insist on a high penalty, we can ensure that
everyone adopts the best practices related to security.
Consultant: Though there is backup in most cases, it is not efficient
enough. Also, companies prefer to absorb the loss generated due to spamming and
accept cybercrime as business risk. This is done primarily as organizations
believe that going to the police or reporting the crime would result in negative
publicity, which would hinder their business prospects and potential clients.
Once they announce their vulnerability to these kinds of crimes, they assume
that they lose their credibility in the market. In most companies, the IT policy
is treated as a mere formality.
One thing that companies fail to understand in India is that though it is
termed as cyberlaw, the implications of the IT act go far beyond just
transactions on the internet. It impacts any company and enterprise in the
country, which does work in the electronic format, which deals with the
computer, computer systems or network. Also, many corporations are jittery about
the legality of the information they store. But companies have to adhere to the
law. And given the many emerging technologies, there is enough confusion to deal
with. So, the security policy is a must and the cyberlaw doesn’t actually do
justice to it. We have very few tools of investigation and there is very little
awareness on how one should carry out the investigation. Despite the bill being
passed, we have not done anything effective regarding cybercrime.
Outsourcing and the law
KPMG: It is a good decision to outsource. But the pertinent question here
is the penalty clause included in the service level agreements (SLAs). SLAs do
exist, but are the ones that are in place good enough and can they be
implemented? In this case, the smartness displayed by both parties will see them
through, because in most cases, these agreements are not even read in their
entirety. The IT act in itself is complex and the awareness level being very
low, even the available clauses in the act are not being utilized to the
fullest.
Consultant: SLAs are not covered under the IT act. Neither do we have
any statutory damage clause should there be any violation of the same. Very few
cases actually go to court as the courts are also not very proactive as far as
SLAs are concerned. The time lag involved in following the legal route is a big
deterrent too.
Backups
Audience query: Since we are talking about a paperless society, is it
absolutely essential to maintain backups? Is that a prerequisite of the law?
Consultant: You must maintain a backup for all practical purposes.
Section 9 of the IT act states that you can file any kind of electronic
documentation, application or form with any government agency controlled by any
kind of government, but it is not necessary that what you file electronically
will be accepted by the government. Since this is the transition period, as far
as the IT act is concerned, it would be advisable for you to maintain both paper
and electronic backup.
IFS: Our organization has taken a calculated risk and decided that we
will not maintain backups of any documents. We only copy documents that are
extremely important and these are selecaent to create a law and plug all the
loopholes for you. They have to become proactive. Ultimately it’s the recovery
of these backups that has to be our priority.
Consultant: The law is silent on a lot of issues regarding electronic
backups. So it’s better we preempt the authorities and keep ourselves on the
right side of the law. We should maintain backups as a safety net.
Increasing awareness and better enforcement
KPMG: The corporate sector believes that since enterprises are happy
otherwise, they needn’t really bother too much about cybercrimes, the IT act
etc. But they should realize that the corporate sector would be the biggest
beneficiary of this enactment. Since we also lack the tools of implementation,
there is a lot of hesitation. The corporate sector should take the first step
forward.
Consultant: In the context of the World Trade Center attacks, I strongly
call upon companies to take every effort and use all possible means,
methodologies and technologies that are available to at least have some
semblance of control over what is happening in our country. The best idea for
everyone is to take whatever possible precautions that you can. Only a proactive
approach within your organization will help you save face, because you could be
in an untoward situation tomorrow and that will cost you a huge amount of money
and time to get through, apart from loss of face and trust as well.
DATAQUEST Report