Sify-Banner1
Pavan Duggal
Advocate, Supreme Court of India,
Head-Pavan Duggal Associates

Should Companies Have Mandatory Responsibility to Report Cyber Security Breaches?

Large numbers of companies are today increasingly using data and information in the electronic form. Companies and their activities, despite being their respective verticals of business, get distinctly covered under the Information Technology Act, 2000. The Information Technology Act, 2000, is India’s mother legislation dealing with all issues pertaining to digital and electronic aspects and covers all nuances pertaining to use of computers, computer systems, computer networks, computer resources, and communication devices as also data and information in the electronic form.

The law has gone one step further and has defined companies as intermediaries who are dealing, handling, or processing third-party data. The Information Technology Rules, 2011, have further mandated parameters of due diligence for companies in India.

With each passing week, the significance and importance of cyber security is only beginning to get increased. Every week, we keep on getting news of some cyber security breach from different parts of the world.

In India, cyber security breaches are constantly increasing, but most of the time they are not reported. Lack of reporting or underreporting of cyber security breaches in India provides a picture that everything is hunky-dory in India and that India needs to do nothing in terms of cyber security protection and preservation. However, nothing can be farther from the truth. The fact remains that Indian networks are extremely vulnerable and are increasingly attacked by cyber criminals and cyber terrorists across the world. Theses cyber criminals and hackers can either be state or non-state sectors.

The Government of India has initiated the Digital India program which aims to transform India into a knowledge society and economy. The government has announced various initiatives post-demonetization to strengthen digital ecosystem. Recently, the government has also launched a Cyber Suraksha Centre, which aims to protect the cyber security of both government and private networks.

In this context, the bigger issue that comes up is: should there be mandatory duty to report cyber security breaches for all legal entities? Most of the stakeholders still believe that cyber security is governmental responsibility and there is no responsibility of private sector in this aspect. However, in today’s Digital India, large numbers of India’s critical information infrastructure is located on the networks of private stakeholders; therefore, it is imperative that all private stakeholders must have a mandatory duty to report cyber security breaches. Reporting of cyber security breaches becomes a starting point of the process of evolution toward being a cyber-secure nation.

In this context, it is clear that very quickly India will need to start mandating reporting of cyber security breaches for all stakeholders using computers, computer systems, computer networks, computer resources, and communication devices. This becomes more topical as cyber security breaches come through the computer networks and platforms, which may or may not be physically located in India but which may impact computers, computer systems, and computer networks in India. However, till now, the law is silent on the said subject. The Information Technology Act, 2000, does not come up with specific mandatory responsibility to report breaches of cyber security for all stakeholders.

The Parliament needs to legislate a distinct mandatory duty for all stakeholders in this regard. In the interim, the government can, by means of secondary legislation, prescribe interim duties for stakeholders for reporting cyber security breaches, much beyond that are currently being prescribed.

It is imperative that India needs to place utmost importance on cyber security protection. India quickly needs to come up with detailed legal frameworks for regulating cyber security breach activities and other activities impacting the protection and preservation of cyber security of the digital and mobile ecosystem.

At the time when other nations are moving miles ahead, India is moving very slowly. Despite its push toward Digital India, the special importance and significance that India as a nation needs to accord to cyber security is distinctly missing. It is time for relevant actions to be taken to strengthen the Indian nation for protecting and preserving cyber security. Any delay in taking action in this direction could contribute to a situation which may impact the sovereignty, security, integrity, and defence of India. All eyes are now on the government to come up with appropriate cyber legal frameworks in this regard.

Share this:
Stay Updated on Enterprise Network and Carriers Industry.
Receive our Daily Newsletter.