Every company CEO in India needs to ask himself this question: "Are we ITA 2008 compliant?" Every Director of a company, and also every IAS officer in charge of an e-governance project, should ask himself the same question.
If he does not know the answer, it is time to explore what the compliance prescription is under ITA 2008, the amended Information Technology Act 2000, which was notified to take effect from October 27, 2009.
For simplicity, let me say ITA 2008 is bigger than SOX, bigger than HIPAA, bigger than the Data Protection Act, if you know what these terms mean.
Why? Because non-compliance with ITA 2008 can bring financial liabilities to your company and may even land the CEO or a Director in jail.
Let's see some of the areas that should make a CEO sit up and take notice.
Any company which receives, stores or transmits data on behalf of another person has an obligation to exercise "Due Diligence", which inter alia includes:
a) Identifying which of the information is "Sensitive Personal Information";
b) Following reasonable security practices to protect it;
c) Understanding the data retention requirements and implementing systems to comply with them;
d) Understanding that the GOI has the powers to block, intercept or ask for data decryption keys, information on data traffic, etc.;
e) Understanding that you will be expected to conduct e-audits of all the documents you maintain in e-form;
f) Adhering to the encryption policies as may be announced, etc.;
g) Ensuring that access to information is not provided to others without the permission of the owner of that information;
h) Ensuring that any security obligations agreed to in a contractual agreement are not breached.
Failure to comply with the above may result in damages payable for which there is no specified upper limit, besides possible imprisonment of up to 7 years.
It is also necessary for companies to understand that even if any of their employees contravene the provisions of the Act, including committing personal offences such as searching for child pornography using the corporate network, there could be vicarious liabilities on the organization and its Directors and Executives.
Prevention of these liabilities requires a Cyber Law Compliance Programme with special focus on ITA 2008. Even if the organization is ISO 27001 certified, it is recommended that it review its security and examine its ITA 2008 compliance.
The clock has already started ticking from October 27, 2009. All company secretaries need to immediately put up a note to their Board that a Board meeting is called to examine the company's risk exposure under ITA 2008 and to recommend necessary action. This is the first step in due diligence under ITA 2008 for a corporate entity.
Hope your company has started the compliance drive. Wish you all the best.
Just in case you need to clarify what more needs to be done, check out www.naavi.org for more information.