"Data is more like sunlight than oil .... it is like sunshine, we keep using it, it keeps regenerating," said the Google Chief Financial Officer, Ruth Porat. However, one never knows when this usage and regeneration disguises itself as misappropriation. Data in its crudest form can be used in a manner which is beneficial to the one generating the data, the one who processes it, and anyone who is consuming it. The issue which percolates to the lowest levels is the security of managing and handling the copious volumes of data which are freely available in this digital ecosystem. As long as you are connected to the internet, you run the risk of being accessible to anyone else who is on the internet, and this applies to your data as well.

Cyber space crime has spared none. It has penetrated all major sectors, including banking and finance, commercial facilities, postal services, transportation, e-retail platforms, etc. It is present in the form of phishing and social engineering, malware, spear phishing, ransomware, hacking, software piracy, pornography, cybersquatting, etc.

Some of the major cyber-attacks that have taken place in India in the past are the Union Bank of India heist (2016), the WannaCry ransomware (2017) and the data theft at Zomato (2017). Cyber intelligence firm Cyble, which dredges the Dark Web, has red-flagged hacking episodes at Truecaller, Dunzo, Unacademy, Bharat Earth Movers Limited (BEML), LimeRoad and IndiaBulls[1]. A recent cyber-attack at one of the nuclear power plants of India and on the Prime Minister's social media handle makes one realize the gravity of the situation[2].

Regulatory Landscape

The main legislation governing the cyber space is the Information Technology Act, 2000 ("IT Act"), which defines cybersecurity as protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction. In addition to providing legal recognition and protection for transactions carried out through electronic data and other means of electronic communication, the IT Act and the various rules made thereunder also focus on information security, define the reasonable security practices to be followed by corporates, redefine the role of intermediaries, recognize the role of the Indian Computer Emergency Response Team ("CERT-In"), etc. Additionally, the IT Act also amended the scope of the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934, and for matters connected therewith or incidental thereto[3], which were focused on the regulation of the highly sensitive banking and financial services sector. Incidentally, while there is no comprehensive legislation for the governance of data in the country as on this date, there are sectoral legislations, directions and legal advisories which require specific compliance for the targeted sector.

The IT Act not only extends to the whole of India, but is also applicable to any offence or contravention committed outside India by any person[4]. Additionally, the legal sanctions under the IT Act extend to imprisonment and penalties, and also provide a framework for compensation or damages to be paid to claimants. Further, if a body corporate, possessing, dealing in or handling any personal data or sensitive personal data or information[5] in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate is liable to pay damages by way of compensation to the person so affected[6].

Some Relevant Rules Framed under the IT Act

Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 ("CERT Rules")

As per the CERT Rules, CERT-In has been established as the nodal agency responsible for the collection, analysis and dissemination of information on cyber incidents and for taking emergency measures to contain such incidents. Further, under these Rules, it is mandatory to report the following instances to CERT-In: (i) a targeted intrusion or the compromising of critical networks or systems; (ii) unauthorized access to IT systems or data; (iii) defacement of websites, malicious code attacks, denial of service and distributed denial of service (DDoS) attacks, and attacks on domain name systems and network services; and (iv) attacks on applications such as e-governance and e-commerce. Additionally, it is also possible for individuals and organizations to voluntarily report any other cyber security incidents and vulnerabilities to CERT-In and seek the requisite support and technical assistance to recover from them. Unfortunately, the reporting requirements under the law are inadequate and require revision, for reporting of such other incidents is not mandatory and is only a voluntary ask. This allows entities to do away with the requirement to maintain the requisite transparency.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (“SPDI Rules”)

The SPDI Rules strictly govern the corporate entities that collect and process sensitive personal information in India. The Rules (i) mandate consent for the collection of information; (ii) insist that it be done only for a lawful purpose; (iii) require organizations to have a privacy policy; (iv) set out instructions for data retention; (v) give individuals the right to correct their information; and (vi) impose restrictions on disclosure, data transfer and security measures. Additionally, specific sectors such as banking, insurance, telecom, health, etc., have data privacy provisions under their respective sectoral rules. In the absence of a lengthier or stricter legislation, the extant framework is at least in compliance with the basic principles of data privacy, and provides wider leeway for enterprises to adopt the prevalent standards and best practices of their specific industry[7].


In December 2019, a new iteration of the data privacy and protection legislation was introduced, titled the Personal Data Protection Bill 2019 ("PDP Bill"). Section 24 of the PDP Bill directs data fiduciaries (the PDP Bill's term for data controllers) to implement safeguards for several purposes, including to prevent misuse of, unauthorized access to, and modification, disclosure or destruction of personal data. Further, Section 25 deals with the breach of personal data. The clause states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the envisaged Data Protection Authority.

In the wake of the growing concerns around privacy and cybersecurity, threats (including political opportunities) are being evaluated by the government, and prohibitions pertaining to vulnerable parts of the population (children) and high-risk applications (including e-commerce platforms) have been implemented.


One of the most relevant examples of these times is the overbearing dependence of the corporate world on Zoom, which led to a great number of uninvited people crashing into 'office meetings/ Zoom parties' and disrupting the flow of a particular session. Individuals and corporates[8] increasingly moved away from the platform to [apparently] stricter platforms for work related calls. Even inter-governmental bodies like the European Commission moved away from Zoom for work related calls in the wake of this cyber-threat[9].

Also, because of the seeming incursion of Chinese digital platforms into the ubiquitous web, countries like the United States of America and India quickly moved towards banning Chinese apps[10].


Cyber space infringement is a battle that we fight on an everyday basis. India needs stringent laws and policy in place to combat these issues. The extant legal framework does not sufficiently address the concerns of the sector, and there is a pressing requirement to have a comprehensive legislation in place to address them.

As we choose to stay connected, we are moving towards the proliferation and assimilation of larger data sets interacting with one another (big data, machine learning, Artificial Intelligence, Internet of Things); this opens the entire ecosystem to larger threats from social deviants. It is incumbent on individuals as well as body corporates to preserve the confidentiality and integrity of data, while ensuring that accessibility to that very data is not compromised on any front. As we await the impending legislation, companies in the healthcare and the banking & financial services sector are relying on their own technical and organizational security measures to ensure that the data available with them is not corrupted or subjected to any unwarranted and unauthorized access. The proactive vigilance observed by body corporates and private individuals is also being supported by the insurance industry, where cyber-security insurance has garnered immense popularity and is compensating for the lack of an effective legal regime. It is oft said that the future is a click away; it is important that the click does not lead to any pernicious portal.