The Sun's report in the UK on the leakage of information on 1000 credit card numbers from an Indian BPO, coming just when news of 40 million credit card details leaked in the USA had broken, appears to be an effort to move the discussion away from the status of data security in the USA vis-à-vis India.
Under such circumstances we quite often hear complaints that the absence of a specific Data Protection Act in India is a matter of concern for BPO service buyers from abroad. It is strange that many top IT professionals and persons from the legal profession also seem to endorse the view that "If there is no Act by the name Data Protection Act, then there is no protection for data in India".
Let us see if this view has any basis.
If we look properly at ITA-2000 it appears that, whether by design or otherwise, ITA-2000 does address the major issues which a new law on data protection would be expected to address.
For example, ITA-2000 not only recognizes any attack on data as an offence attracting both criminal and civil penalties, but also addresses the technical facilitation of data protection and provides a good system of grievance redressal.
Specifically, ITA-2000 addresses data protection from the following perspectives.
  
a) A criminal offence is recognized when data is accessed without authorization.

b) Civil liability is recognized when data is accessed without authorization or assistance is provided for such access.

c) Accountability and protection during storage or transit are facilitated in a legally approved manner.

d) The definition of data extends to all forms of digital documents including databases, audio and video files, digital data stored on credit cards etc.

e) The grievance redressal mechanism includes "Fast Track Courts".
The reasons why such a view can be inferred from ITA-2000 are as follows:
Recognition of Criminal Offence:
According to ITA-2000, whoever affects any information residing in a computer resource injuriously by any means is liable to be punished with imprisonment up to three years, or with a fine which may extend up to two lakh rupees, or with both. (This section can be invoked even when the action is without intention to cause loss to any person, provided he had knowledge that his action could cause such loss.)
"Affecting injuriously" can cover loss of confidentiality as well as alteration, deletion etc.
Recognition of Civil Liability:
If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system or computer network, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act or the rules or regulations made thereunder, he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.
Thus Indian law recognizes civil liability up to Rs 1 crore for the mere "access of data without permission" or for any form of "assistance" in this regard, which may perhaps include inadequate custody of a password, user terminal or access token that is then used by another to commit the offence.
We cannot expect anything better from an exclusive Data Protection Act, except perhaps an increase in the limit on liability or the period of imprisonment.
Accountability and Protection of Data during Storage or Transit:
ITA-2000 recognizes "Digital Signatures", which include a "hashing mechanism to protect data integrity" and "public key encryption to ensure authentication". If every piece of data transmitted is digitally signed, there is non-repudiable accountability.
If encryption is used with the originator's public key, data confidentiality is protected from everybody else. If it is encrypted with the recipient's public key, data confidentiality is ensured against everyone other than the intended recipient.
Additionally, innovative use of "hashing" and use of an "enterprise level data storage private key" can ensure that data in storage is protected and made available on a "need to know basis" as mandated by EU data protection principles.
Data protection in storage and transmission is part of the implementation issue, which in turn is part of the compliance audit system.
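As an added illustration (example code written for this page, not taken from the article or from ITA-2000), the arrangement described above in Go: the record's SHA-256 hash is signed with the originator's private key for integrity and non-repudiable accountability, and the record is encrypted to the recipient's public key for confidentiality. The RSA keys, the constructed sample record and the Envelope type are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what goes on the wire: the record encrypted to the recipient's
// public key plus the originator's signature over the record's SHA-256 hash.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// SampleRecord is a constructed stand-in for a BPO data transfer (not real data).
var SampleRecord = []byte("ref=0001; holder=constructed sample; status=ok")

// SignAndEncrypt hashes the record, signs the hash with the originator's private
// key (non-repudiable accountability) and encrypts the record to the recipient's
// public key (confidentiality against everyone but the intended recipient).
func SignAndEncrypt(record []byte, origPriv *rsa.PrivateKey, recipPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(record)
	sig, err := rsa.SignPSS(rand.Reader, origPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// RSA-OAEP only fits short payloads (190 bytes with a 2048-bit key and SHA-256);
	// production systems wrap a random symmetric session key instead.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, record, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// DecryptAndVerify recovers the record with the recipient's private key and checks
// the originator's signature; any change to the record changes its hash and fails.
func DecryptAndVerify(env *Envelope, recipPriv *rsa.PrivateKey, origPub *rsa.PublicKey) ([]byte, error) {
	record, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(record)
	if err := rsa.VerifyPSS(origPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, err
	}
	return record, nil
}
```

A third party holding only the recipient's public key can neither read the record nor forge the originator's signature, which is the separation of confidentiality and accountability the section describes.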
Definition of Data
According to ITA-2000,

    "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
    "Computer Database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

It may be noted that the above definition includes even printouts, punched cards etc.
Thus the definition of data is wide and covers all the requirements of the IT industry.
Grievance Redressal
The civil liabilities under ITA-2000 are subject to adjudication through an adjudicating officer appointed under the Act.
Such adjudicating officers are already available in all States of India: the IT Secretary of each State, who is IT savvy, serves as the adjudicating officer.
The adjudicator is not bound by the Civil Procedure Code, can resort to an online dispute resolution mechanism and is expected to resolve conflicts normally within 4 months through an enquiry process, extendable by another two months if required. His decisions will however be equivalent to those of a civil court and appealable to the High Court (in the absence of the appellate tribunal, which is yet to be commissioned).
According to the Act, it is mandatory to settle civil disputes through the adjudicator, and hence even if one of the parties would like to delay proceedings through judicial intervention, it is not possible at any stage below the High Court.
In summary, we can state that there are enough provisions in ITA-2000 to make the demand for a separate data protection act redundant.
Perhaps some "Due Diligence Guidelines" will emerge in due course. The CyLawCom process advocated by Cyber Law College is already addressing this issue in its recommendations.
Where Action is Required:
It is however accepted that there has been a feeling in the industry and international markets that the absence of data protection laws is a huge drag on the reliability of Indian BPOs.
Also, some provisions of ITA-2000 discussed above have not been recognized by the parties concerned, and hence there is no recognition that, just as ITA-2000 is sometimes called a "Digital Signature Law", there is no harm in calling it a "Data Protection Law" also.
For example, one area where such ignorance prevails is the role of adjudicators. It is possible that many of the adjudicators may not know their powers and responsibilities. Many corporate legal advisors may be equally in the dark about the benefits of adjudication and fail to recommend this process for dispute resolution. Perhaps some Courts also might not have realized their lack of jurisdiction in matters coming under Chapter IX of ITA-2000.
Need for a Security BPO for BPOs
If, despite a robust data protection law, India still has to face criticism from the ignorant international community, one of the main reasons is the lack of proper education regarding the provisions of ITA-2000. Additionally there are other issues, such as the employee fraud factor, which cannot be tackled except with a multifaceted approach to information security in BPOs.
These problems need to be addressed on a war footing by all stakeholders such as the IT industry, the Ministry of Communications and Information Technology and Nasscom.
The IT industry in India has unfortunately not exhibited a long term vision and has not been able to harness the long term business potential of some of the spin-offs from ITA-2000. It is high time that the top companies in the industry realize that, instead of crying that there is no Data Protection Law in India, they can contribute to the strengthening of the data protection environment in India by participating in some of the projects pioneered by Naavi.org such as the Cyber Evidence Archival Center, Arbitration.in, CyLawCom.org etc., so that the international community may feel confident about the Indian cyber security system.
The Ministry of Communications and Information Technology (MCIT) should also realize that, instead of trying to re-invent the wheel and making wholesale changes to ITA-2000, it should invest in educating the industry on the existing laws and also participate in existing projects such as Cyber Evidence Archival, Arbitration.in and CyLawCom, if necessary through the enormous funds it has allocated for e-Governance projects. This will help in the full realization of the potential of these projects and also project India to world leadership in information security.
Nasscom also has a significant role in creating awareness of the data protection aspects enshrined in ITA-2000. It can also help bring together industry participation towards implementation of the CyLawCom audit standards across the BPO industry and improving the grievance redressal system with the introduction of the online dispute resolution mechanisms proposed by arbitration.in.
Let us hope that at least in the second half of 2005, when MCIT is addressing the issue of reviewing ITA-2000 and Nasscom is addressing the post-Mphasis fraud security issues, some of the points raised herein will get the attention due to them.
If the Indian BPO industry is to realize its ambitions despite the security issues and the international pressure against outsourcing, many of the suggestions made herein need to be addressed through a BPO for BPOs in which MCIT and Nasscom will have joint stakes with the IT industry.
Naavi.org makes an open offer to MCIT and Nasscom to share its vision of the BPO for BPOs so that a security blanket can be drawn over the Indian BPOs that would ensure security for the information that the industry is expected to handle.
  
(Comments welcome)
  Naavi
  June 24,2005