Cyber Laws For CxO

Be Aware... Be Empowered

April 2010

Editor

 Naavi 

www.naavi.org


 Publisher

 Ujvala Consultants Pvt Ltd 

www.ujvala.com


 Contents

Editorial

Knowledge+

News Snippets

Interviews:

R.Srikumar

R.Ramamurthy

S.Umashankar

Questions and Answers

Disclosure

Digital Society Consortium



Knowledge+

Corporate Policies and Cyber Laws

The Indian economy has a huge stake in the development of the IT sector. Information Technology has already absorbed Communication Technology and developed into a larger segment of industry recognized as the Infocomm industry. India has an opportunity to be one of the leading countries in the world in the Infocomm sector, and hence it is critical that we nurse this industry towards prosperity through various means.

While India has the necessary manpower and skill-sets to be a global leader, the one factor that often threatens the growth of Infocomm is the adverse effect of the emerging Cyber Crime scenario. The National Policies of India since the 80’s have therefore been to encourage the growth of the Infocomm sector by providing the industry with a strong legal foundation.

It was this “Policy” to encourage “E-Commerce” that first led to the drafting of Cyber Laws in our country in the form of ITA 2000. In the last decade it was observed that the risks in Cyber Space were growing more and more menacing, and therefore the National Policies for development of the Infocomm sector further dictated substantial amendments to ITA 2000; the new version of ITA 2000, referred to as ITA 2008, became effective from October 27, 2009.

We may therefore recognize that it is the Policy of using Infocomm as a development tool for India, together with “Security” as a critical necessity for this development, that has given birth to the Cyber Laws in India, now in the form of ITA 2008.


Citizens and Companies are bound by these laws and hence Laws of the Land become the backbone of the corporate policies that drive the day to day activities of a Company. It is in this context that Cyber Laws become the foundation for determining Corporate Policies in any given Company.

 Since ITA 2008 applies to all Companies which use Electronic Documents, Computers and Other similar electronic devices as part of their business infrastructure, the incidence of ITA 2008 runs through every fabric of corporate policy.

 “Clause 49” of the Listing Requirements introduced by SEBI is an initiative to ensure that Shareholders are appropriately assured by the Corporate Managements that their Company is a Law Compliant entity and any liability that may arise due to non compliance has been adequately insured against.

ITA 2008 in combination with Clause 49 has now become a lethal combination that has stirred a hornet’s nest in every Corporate Board Room.

Cautious Company managements are now asking themselves, “Are We Compliant with ITA 2008?” If not, “Are we right in providing Clause 49 certification in our next annual report?” But as is the true spirit of the Indian psyche, some feel “Chalta Hai!” and many comfort themselves that “All Iz Well”.

But any Company committed to high standards of Corporate Governance needs to sit up and take notice.

“Here is a new legislative provision that has come into existence during this financial year…” “We have seen some Corporate CEOs facing criminal charges under the Act for vicarious liabilities…” “We have seen many Banks being asked to pay compensation for frauds committed by somebody else…” “We have seen at least one major IT company losing Rs 20 crores of shareholders’ money attributable to negligence in the security of its information systems…”

If this is the scenario, it is necessary for such responsible companies to review their internal controls specifically from the point of view of ITA 2008 and its compliance requirements. If not, it would be unethical to sign this year’s annual report with an inaccurate Clause 49 certification and expose the CEO and the Directors to a possible charge of deliberately misleading the shareholders.

It is necessary for Companies to recognize that ITA 2008 expects that “If any Cyber Crime occurs with the use of Company assets, it may be attributed to the Company itself besides the person who actually misused the systems.” Once a Crime is attributed to the Company, the Directors and Officials have to prove that they have not been negligent in implementing any provisions expected of them under ITA 2008, or else face the wrath of the law as if they had committed the offence with malicious intent.

Even if criminal charges are avoided, the financial liabilities that fall on the Company and are attributable to the neglect of Company officials could adversely affect the financial position of the Company.

It is therefore necessary for Corporate CxOs to apprise themselves of the ITA 2008 liability risks and undertake appropriate action to counter them.

If a Company undertakes an ITA 2008 Compliance Gap analysis, it would find that there are many areas in which the Company may fall short of the expectations of the law.

For example, under Section 70B, CERT-IN has certain powers to demand information from a Company. Similarly, under Sections 69, 69A and 69B, CERT-IN can give certain directions to Companies. Failure to meet these requests is punishable with imprisonment and fine.

Likewise, there are various responsibilities which ITA 2008 casts on a Company, and the risk associated with non-compliance with each of these responsibilities could result in either civil penalties or criminal punishments.

ITA 2008 Risk Assessment Domains

The diagram above represents different steps in risk assessment and risk mitigation which a Company has to pass through before the Company can be reasonably confident that it has fulfilled the due diligence responsibilities envisaged in the ITA 2008.

The road ahead for Indian Companies, particularly those which are required to comply with Corporate Governance requirements, is to start an ITA 2008 audit to identify the compliance gaps and then proceed to close them on a reasonable schedule.

Since ITA 2008 is already effective from October 27, 2009, there is no option for Companies but to admit that they are non-compliant as of 31st March 2010 but have initiated steps to identify the ITA 2008 compliance requirements, and to make such a statement as part of the Directors’ Report in the annual report.

Naavi


Cyber Crimes in a Corporate Environment

Companies face two kinds of Cyber Crimes: one in which the Company or its assets are the target, and the other in which the Company’s assets are used as tools for a Cyber Crime, either by its employees or by others.

Protecting a Company’s assets from being targeted is part of the Information Security function of the Company. When a Company’s assets are adversely impacted by any Cyber Crime, the cause of action for initiating legal proceedings lies primarily with the Company. Even when the Company is not keen on pursuing damages caused by a cyber crime, the Shareholders of the Company would be interested in ensuring that the Company does not end up losing money on account of the Crime. Regulators such as SEBI or RBI should also be interested in ensuring that the Company does not, for its own reasons, ignore taking the legal steps required to recover the losses.

 If a Company is properly insured against losses caused by Cyber Crimes, the Insurance Company would be interested in pursuing the recovery of loss.

 For example, recently WIPRO lost Rs 20 crores due to an employee fraud. According to available reports, the Company went into a compromise and wrote off nearly 50% of the loss. The directors of the company may however have to get this write off endorsed by the shareholders.

A second example is the case of Umashankar Vs ICICI Bank, reported elsewhere in this newsletter, where ICICI Bank decided not to pursue its legal options against the fraudster even though the fraud came to light within 24 hours of the fraud money going out of the control of the Bank. Here also there could be a Public Interest for which RBI or the shareholders of ICICI Bank may question why the Bank pursues a policy of not taking legal action against fraudster-customers who use the Bank’s resources to defraud fellow customers.

 ITA 2008 provides certain security guidelines by prescribing “Reasonable Security Practices” under Section 43A, “Due Diligence” under sections 79 and 85 and contractual obligations under Section 72A.

The second type of Cyber Crime that affects companies is any offence under ITA 2008 committed with the use of the Company’s resources. This could include even personal crimes, such as the sending of obscene messages by an employee to somebody else, which may have nothing to do with the business of the Company. In such cases the need for the Company to exercise “Due Diligence” under Section 85 may come under debate.

Thus in both types of crimes indicated above, there is a need for Companies to exercise “Due Diligence” and the step to achieve due diligence is through an ITA 2008 compliance audit. This therefore is the focus of Corporate Information Security requirements in the year 2010.

In a recent survey released by PWC, an interesting analysis emerged on the security practices followed by Indian Companies. Amongst the companies surveyed, 73% had an overall information security strategy and over 80% were inclined to increase their information security spending in the coming year.

38% of the participants surveyed were practicing half-yearly risk assessments, and over 59% said they do conduct employee awareness programmes.

Symantec also came out with a study which notes that Indian enterprises lost an average of Rs 94.56 lakh in organisation, customer and employee data, and an average of Rs 84.57 lakh in productivity costs in 2009.

However, it is not clear whether the “Information Security” that is being spoken of in the surveys refers to a purely technical information security survey or to a “Techno Legal Information Security Survey”.

Legal Compliance Risk does not come up for assessment in a purely technical information security survey, and hence the possible liability that may arise for a company due to non-compliance with ITA 2008 or similar laws is not thrown up in such surveys.

Since awareness levels on Cyber Laws and their impact on Corporate functioning are still at a nascent stage even in the higher levels of management, it is a reasonable assumption that the levels of Techno Legal Information Security compliance are likely to be very low.

Perhaps Cyber Laws For CxO should itself conduct a survey amongst the Indian Corporates to find out the extent of Awareness, Appreciation and Adoption of Techno Legal Compliance and its likely impact on the Companies.

In India, we do not even have good statistics on Cyber Crime incidents, not only in the Corporate sector but also in the overall scenario. The National Crime Records Bureau (NCRB) does come up with some statistics about Cyber Crime cases registered with the Police, but this does not capture even a fraction of the crimes that are likely to be occurring. Now that ITA 2008 has come into effect, if CERT-IN uses its powers under Section 70B, adequate information can be collected from the corporate sector about Cyber Crime incidents and their financial impact. This information is vital for future planning of Cyber Crime mitigation strategies.

Probably industry associations can also consider a mechanism whereby reliable data can be collected, in a manner which does not hurt the reputation of the reporting organization, and collated for the benefit of all.

It is pertinent to mention here that the trend abroad, as indicated by the HITECH Act passed in the USA last year, is to make it mandatory for organizations to disclose data breach or cyber crime incidents and to penalize non-compliance. India has to take a cue from such legislation, and organizations such as RBI, SEBI and the Company Law Board should collect data on security breach incidents and pass it on to CERT-IN for collation. Alternatively, we need a reliable private sector initiative to emerge which serves a similar objective.

Naavi

