Cyber Security Measures
Importance of Cyber Security
Protection against hacking, malware, data breaches
In the digital age, where businesses, government functions, and personal communications are increasingly dependent on technology, cyber security is vital to protect sensitive data and maintain the integrity of critical systems.
Cyber threats include unauthorized access (hacking), malicious software (malware), ransomware attacks, phishing, denial-of-service (DoS) attacks, and large-scale data breaches. These threats can lead to:
- Financial loss: Theft of money or disruption of financial transactions
- Identity theft: Unauthorized access to Aadhaar, PAN, or bank details
- Reputational damage: For individuals, corporates, and governments
- National security risks: Targeting defense or critical infrastructure
Indian Context
India has witnessed multiple high-profile cyber attacks, including on banks, healthcare systems, and government websites. Cyber security is therefore essential for securing Digital India, financial inclusion, and national sovereignty.
Legal Framework for Cyber Security
IT Act, 2000 and Rules
The Information Technology Act, 2000 is the primary legislation for regulating cyber activities in India. It lays down penalties and remedies for cyber crimes, as well as responsibilities of intermediaries and service providers.
Relevant provisions related to cyber security include:
- Section 43: Penalty for unauthorized access and data theft
- Section 66: Punishment for hacking
- Section 66F: Cyber terrorism
- Section 69: Government powers to intercept, monitor, and decrypt
- Section 70: Declaring protected systems of national importance
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 mandate data protection standards for companies and organizations handling personal data.
National Cyber Security Policy
Introduced in 2013 by the Ministry of Electronics and Information Technology (MeitY), this policy aims to build a secure and resilient cyberspace for citizens, businesses, and the government.
Key objectives:
- Create a secure cyber ecosystem
- Encourage R&D in cyber security
- Promote cyber security awareness and education
- Establish institutional mechanisms and legal frameworks
- Protect critical infrastructure such as power grids, banking systems, and telecom
A revised version of the policy is under development to address emerging threats like AI-based attacks, deepfakes, and cyber warfare.
CERT-In (Indian Computer Emergency Response Team)
Mandate and Functions
CERT-In is the national nodal agency for responding to cyber security incidents in India. It operates under the Ministry of Electronics and Information Technology (MeitY).
Key functions of CERT-In:
- Issue alerts and advisories on cyber threats
- Coordinate responses to major cyber incidents
- Assist in handling vulnerabilities and security breaches
- Conduct audits and assessments of critical information infrastructure
- Promote awareness and training on cyber hygiene
CERT-In Rules 2022
The CERT-In Directions 2022 were issued to strengthen compliance among service providers, intermediaries, and data centres. Major features include:
- Mandatory reporting of cyber incidents within 6 hours
- Preservation of system logs for 180 days
- Mandatory Know Your Customer (KYC) and registration for VPN providers and cloud services
Goal: To ensure accountability and quick response to cyber threats in India’s expanding digital infrastructure.
Conclusion
The combined efforts of legislation, national policy, and regulatory institutions like CERT-In aim to build a secure cyber environment. As cyber threats grow in complexity, so must India’s legal, institutional, and technological readiness.
Data Protection and Privacy
Personal Data Protection Bill / Digital Personal Data Protection Act, 2023
Meaning of Personal Data and Data Principal
The Digital Personal Data Protection (DPDP) Act, 2023 is landmark legislation enacted to safeguard individuals’ personal data and regulate its processing by data fiduciaries.
Personal Data is defined as any data about an individual who is identifiable by or in relation to such data. This includes name, contact details, Aadhaar number, biometric data, location, etc.
Data Principal refers to the individual to whom the personal data relates — the natural person whose data is collected. For instance, an internet user registering on a website is a data principal.
Obligations of Data Fiduciaries
A Data Fiduciary is any entity (company, platform, organization, etc.) that determines the purpose and means of processing personal data. Its key responsibilities under the Act include:
- Notice: Inform the data principal clearly about data collection and its purpose.
- Consent: Obtain informed, specific, and freely given consent for data processing.
- Purpose Limitation: Use the data only for the stated purpose.
- Data Minimization: Collect only data that is necessary.
- Security Safeguards: Implement technical and organizational safeguards against breaches.
- Grievance Redressal: Provide a mechanism for users to file complaints.
Data Protection Board of India
The Act establishes the Data Protection Board of India as the adjudicating body for non-compliance and breach of data protection rules.
Functions of the Board:
- Inquire into data breaches and impose penalties
- Oversee compliance by data fiduciaries
- Direct corrective actions to protect the rights of data principals
Penalties: The DPDP Act prescribes monetary penalties up to ₹250 crore depending on the nature and severity of the offence.
Privacy under Article 21 of the Constitution
Right to privacy as a fundamental right
Article 21 of the Constitution of India guarantees that "No person shall be deprived of his life or personal liberty except according to procedure established by law."
In the historic Justice K.S. Puttaswamy v. Union of India (2017) judgment, a 9-judge bench of the Supreme Court unanimously held that the Right to Privacy is a fundamental right protected under Article 21 and part of the right to life and personal liberty.
Implications:
- State and private actors must ensure data protection and avoid unauthorized surveillance
- Laws regulating personal data must meet the test of legality, necessity, and proportionality
- Strengthened individual autonomy in the digital age
After this judgment, the demand for comprehensive data protection laws gained momentum, ultimately resulting in the DPDP Act, 2023.
Section 72 of IT Act, 2000: Breach of Confidentiality
Protection against unauthorized disclosure by intermediaries or officials
Section 72 of the Information Technology Act, 2000 penalizes any person who, having secured access to personal information or documents during the exercise of powers under the IT Act, discloses such information without consent.
Essential Ingredients:
- Access obtained by virtue of powers under the Act
- Unauthorized disclosure or misuse of information
- Without the consent of the concerned person
Punishment: Imprisonment up to 2 years, or fine up to ₹1 lakh, or both.
Example 1. If a government officer accesses citizen data from a digital database during an investigation and later shares it with an unauthorized third party for profit, it would amount to a breach under Section 72.
Answer:
Since the officer accessed the data through legal powers but misused it without the consent of the data principal, this amounts to unauthorized disclosure punishable under Section 72 of the IT Act.
Conclusion
While Article 21 guarantees privacy, and the DPDP Act regulates data processing comprehensively, provisions like Section 72 address misuse by public officials or system administrators. Together, these legal instruments form a robust privacy protection framework for Indian citizens.