Learning Objectives
- Understand the key sections of IT Act 2000
- Introduction to DPDPA 2023 and its implications
- Know CERT-In's role and reporting requirements
- Overview of the regulatory landscape for cybersecurity in India
1. Information Technology Act 2000
Historical Context
The IT Act 2000 was India's first legislation addressing electronic commerce and cybercrime. It provides legal recognition for electronic transactions and defines cybercrimes and penalties. Major amendments in 2008 significantly expanded its scope.
Key Sections Every Security Professional Must Know
| Section | Subject | Key Points |
|---|---|---|
| Section 43 | Penalty for damage to computer systems | Compensation up to ₹5 crore for unauthorized access, data theft, introduction of viruses |
| Section 43A | Compensation for failure to protect data | Bodies corporate liable for negligent data handling |
| Section 66 | Computer-related offences | Criminal prosecution for dishonest/fraudulent acts; up to 3 years imprisonment |
| Section 66C | Identity theft | Using another's electronic signature, password; up to 3 years imprisonment |
| Section 66F | Cyber terrorism | Attacks on critical infrastructure; imprisonment up to life |
| Section 69 | Powers to monitor/decrypt | Government can intercept/decrypt in interest of national security |
| Section 72 | Breach of confidentiality | Penalty for unauthorized disclosure of information |
| Section 79 | Intermediary liability | Safe harbor for intermediaries following due diligence |
💡 Case Law: Shreya Singhal v. Union of India (2015)
The Supreme Court struck down Section 66A (offensive messages) as unconstitutional because it was too vague and violated free speech. However, it upheld Section 69A (blocking of websites), subject to procedural safeguards. This landmark case shaped how cyber laws are interpreted in India.
2. Digital Personal Data Protection Act 2023
India's Data Protection Law
The DPDPA 2023, passed in August 2023, is India's comprehensive data protection law. It establishes rights for individuals (Data Principals) and obligations for organizations processing personal data (Data Fiduciaries).
Key Definitions
- Personal Data: Any data about an individual who is identifiable
- Data Principal: The individual whose data is being processed
- Data Fiduciary: Entity that determines purpose and means of processing
- Data Processor: Entity processing data on behalf of a fiduciary
- Significant Data Fiduciary: Large-scale processors with additional obligations
Core Principles
| Principle | Description |
|---|---|
| Lawful Processing | Data can only be processed with consent or for legitimate purposes specified in law |
| Purpose Limitation | Data collected for specific purposes cannot be used for unrelated purposes |
| Data Minimization | Collect only data that is necessary for the stated purpose |
| Accuracy | Ensure personal data is accurate and kept up to date |
| Storage Limitation | Delete data when it's no longer needed for the purpose |
| Security Safeguards | Implement reasonable security measures to protect data |
Penalties Under DPDPA 2023
| Violation | Maximum Penalty |
|---|---|
| Failure to take security safeguards resulting in breach | ₹250 crore |
| Non-compliance by Significant Data Fiduciary | ₹150 crore |
| Failure to notify Data Protection Board of breach | ₹200 crore |
| Processing children's data in violation of law | ₹200 crore |
| Other violations | ₹50 crore |
⚠️ Important Note
Module 5 of this course covers DPDPA 2023 in comprehensive detail. This lesson provides only an introduction; you'll learn about consent mechanisms, breach notification procedures, cross-border transfers, and compliance frameworks in depth later.
3. CERT-In and Incident Reporting
What is CERT-In?
CERT-In (Indian Computer Emergency Response Team) is the national nodal agency for responding to cybersecurity incidents. Established under Section 70B of the IT Act, it coordinates incident response and issues security advisories.
CERT-In Directions 2022: Critical Requirements
⚠️ 6-Hour Reporting Rule
Organizations must report specified cyber incidents to CERT-In within 6 hours of becoming aware of them. This is one of the strictest reporting timelines globally.
Incidents Requiring Mandatory Reporting
- Targeted scanning/probing of critical systems
- Compromise of critical systems or information
- Unauthorized access to IT systems or data
- Defacement of websites
- Malicious code attacks (ransomware, spyware, etc.)
- Attacks on servers and network devices
- Identity theft and phishing attacks
- Data breaches
- Attacks on critical infrastructure
- Unauthorized access to social media accounts
Log Retention Requirements
Organizations must retain logs for 180 days, and the Directions also impose related record-keeping duties:
- All ICT system logs (including firewalls, IDS/IPS)
- VPN logs with validated user information
- Virtual asset service provider transaction records
- Data centers must maintain accurate customer information
4. Regulatory Landscape Overview
Sector-Specific Regulations
| Sector | Regulator | Key Cybersecurity Requirements |
|---|---|---|
| Banking | RBI | Cyber Security Framework, Master Direction on Digital Payment Security |
| Insurance | IRDAI | Cybersecurity Guidelines, Information Security Framework |
| Securities | SEBI | Cyber Security and Cyber Resilience Framework |
| Telecom | DoT/TRAI | Telecom Security Directives |
| Healthcare | NHA/MoHFW | ABDM Data Security Guidelines |
💡 RBI Cyber Security Framework
RBI requires banks to have: CISO appointment, Board-approved cyber security policy, SOC operations, regular VAPT, incident response capabilities, and cybersecurity insurance. Non-compliance can result in penalties and restrictions on operations.
Summary
- IT Act 2000: Foundation of cyber law in India with civil and criminal provisions
- DPDPA 2023: Comprehensive data protection law with significant penalties
- CERT-In: National incident response agency with mandatory 6-hour reporting
- Sector Regulations: Additional requirements from RBI, SEBI, IRDAI based on industry