Wednesday, October 27, 2010

Information Security - What India Needs??

It is quite interesting to note that when it comes to Cyber Laws, the Indian IT Act 2000 (amended by the Information Technology Amendment Bill 2006, passed in the Lok Sabha on Dec 22 and in the Rajya Sabha on Dec 23, 2008, and reinstated as the Indian IT Act 2008) is one of the best Cyber Laws in the world. Incidentally, India was only the 12th nation to have such an act when it was initially put into effect in the year 2000. However, the Act fails to provide any provision regarding the Privacy of Personal Information. Today, when Identity Theft is one of the prime concerns in the digital space, India is lacking badly in ensuring the integrity and protection of information as stored, processed and transmitted using information technology and allied systems.

An Analysis of the Personal Data Protection Law in India by CRID (University of Namur), submitted to the Commission of the European Communities, Directorate General Justice, Freedom and Security, identified the specific lacunae present in this area.

CRID evaluated the Indian regulatory scenario in its 71-page report, covering the following aspects:
  1. Federal Structure
  2. Constitution of India
  3. Judicial System
  4. Administrative Tribunals System
  5. Competence to Legislate on Data Protection
  6. Influence of International Norms
  7. General Legal Protection of Human Rights
  8. Data Protection Legislation
  9. The Right to Privacy in India
  10. Statutory Safeguards of Privacy and Data Protection Interest Outside Data Protection Legislation
  11. The Information Technology Act, 2000
  12. The Amendments to the IT Act 2000
The evaluation of the Indian regulatory / legal environment around Privacy and / or Protection of Data is referenced against Article 25 of Directive 95/46/EC, which regulates the transfer of personal data from Member States of the European Union (EU) to “third countries”, i.e. countries outside the EU (and EEA). According to Art. 25(1), transfer of personal data “may take place only if the third country in question ensures an adequate level of protection”.

Salient observations by CRID are:
  1. Section 3.1.2.1 on page 30 states that there is no such concept as "Personal Data".
  2. Para 2 of the section further elaborates: "The IT Act doesn’t provide for any definition of personal data".
  3. Section 3.1.4.2 b) states that the research found no express provision in the IT Act requiring data to be kept accurate and up-to-date.
  4. The para below that (again referred to as 3.1.4.2) states that the research has not found any provision in the IT Act requiring processed and transferred data to be adequate, relevant and not excessive.
  5. Section 3.1.4.3, under the head Principle of Transparency, establishes that the Information Technology Act, 2000 has no equivalent provision to Articles 10 and 11 of the EU Privacy Directive.
  6. Section 3.1.4.4 establishes that no specific provision requires particular security measures appropriate to the risks presented by the processing of personal data. Moreover, the IT Act lacks a provision ensuring that personal data is processed only on instructions from the controller.
  7. Section 3.1.4.5 establishes that the IT Act does not provide for any of the principles related to access, rectification and opposition by individual data subjects.
  8. Section 3.1.4.6, on the Principle of Restriction on Onward Transfers, establishes that the IT Act does not provide for such a principle.
  9. Throughout, the report highlights the areas where India lacks in addressing Privacy and / or protection of Personal Data. The report concludes: "Given the absence of any general data protection Act, no Data Protection Authority has been established in India."
The points mentioned above certainly make the point that though our Cyber Law is one of the best, it still is not the best. It needs to address the requirements along the lines of the European Data Privacy Directive. Moreover, one area where India lacks is the general and overall lack of understanding of its Cyber Laws by Law Enforcement as well as the Justice & Care Departments. A defined action plan needs to be implemented by the lawmakers to ensure that the intent and coverage of the laws as defined and passed by the apex council percolate down to the required levels in a manner that increases their effectiveness and efficiency.

Thursday, October 7, 2010

CardSystems Solutions Hack 2005 - Legal Suit Targeting Auditor

The topic sounds shocking, but if you read the article "In Legal First, Data-Breach Suit Targets Auditor" you would be surprised to learn of the proceedings that led to the legal suit.

It will be really interesting to note the developments from here on, as the Auditor may contest that the report was good only "as on the date" of the report and that they are not liable for any subsequent breach, since they do not keep an eye on how the organization dealt with the information after the audit was completed.


But does the role of the Auditor end with the submission of the report, specifically when the audited organization had failed a previous audit for storing sensitive data in an unprotected manner, or in a manner not as per the specifications?

Should the Auditor not go back to the records of the previous audit and identify the reasons that might have led to the failure to comply with the requirement?


Isn't the Auditor supposed to maintain the integrity of the audit process and NOT overlook serious issues that had been reported for a period of 5 years preceding the audit?


There are a lot of questions that cast an eye of suspicion on the role of Auditors. Many a time, Auditors tend to turn a blind eye to certain issues that are present due to organizational work culture. They don't tend to highlight those issues because they feel they are not responsible for them.


We had earlier seen a law emanating from the high-profile case of Enron and Arthur Andersen, where both companies disappeared from the market. As if that was not enough of a lesson for Auditors to learn, we often get to know of similar cases, though not of that profile.


Would that mean we will soon see another law stemming out, something that would regulate and govern the audit scenario? Should the Auditors not tighten their belts to ensure that the audits and the audit reports are fair and square, resulting in what they are actually supposed to result in, rather than twisting the results one way or the other?

It is quite interesting that the noble profession of Auditors is fast becoming commercialized, and at this pace, I would not be surprised to see a License Regime enforced for Auditors on the same lines as for Lawyers, and the formation of a regulatory body like an Auditors' Council to govern Auditors.