Cybersecurity 2022 Comparisons

Last Updated March 17, 2022

Contributed By ANA Law Group

Law and Practice

Authors



ANA Law Group is a full-service law firm based in Mumbai, with a team of experienced professionals who have industry knowledge and specialisation across a wide spectrum of business areas. It has significant experience in counselling international clients on issues related to data protection and privacy in India, and regularly represents clients from industries such as banking and insurance, online gaming, finance, consumer goods, healthcare, pharmaceuticals, telecommunications and employee screening. The firm also assists international companies with global privacy law involving Indian projects, the drafting and negotiating of contracts with Indian counterparts, and the preparation of data protection and privacy policies for international companies operating in India and their Indian subsidiaries. More specifically, it advises clients on permitted data processing, consent requirements, data collection, retention and disclosure, regulatory requirement compliance, transfers of sensitive personal data within and outside India, on security breaches and drafting security breach policies, on international compliance projects, and on prosecutions and offences.

The Constitution of India guarantees the right to privacy (which includes the right to data security) to all citizens as part of the right to life and personal liberty under Articles 19 and 21, and as part of the freedoms guaranteed by Part III of the Constitution. This was also upheld by the Supreme Court of India (SCI) in 2017 in its landmark judgment of Justice K S Puttaswamy (Retd) and Another v Union of India and Others (2017) 10 SCC 1 (the "Privacy Judgment").

India does not currently have a comprehensive cybersecurity law. Cybersecurity, data breach notification and incident response are governed under the Information Technology Act, 2000 (ITA) and the ITA rules in India. The ITA defines “cybersecurity” as “protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction”.

Under the ITA, the Indian government has established the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity, to carry out the following functions:

  • collection, analysis and dissemination of information on cyber incidents;
  • forecast and alerts of cybersecurity incidents;
  • emergency measures for handling cybersecurity incidents;
  • co-ordination of cyber incidents response activities;
  • issue of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents;
  • such other functions relating to cybersecurity as may be prescribed.

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) prescribe that CERT-In will be responsible for responding to cybersecurity incidents and will assist cyber-users in the country in implementing measures to reduce the risk of cybersecurity incidents. CERT-In also has powers to issue directions to service providers, intermediaries, data centres, body corporates, etc, for enhancing cybersecurity infrastructure in the country.

The CERT-In Rules mandate CERT-In to operate an incident response help desk on a 24-hour basis on all days, including government and other public holidays, to facilitate the reporting of cybersecurity incidents.

Further, it is mandatory for service providers, intermediaries, data centres and body corporates which handle sensitive personal data (SPD) to report all cybersecurity incidents to CERT-In “as early as possible”. CERT-In has also set up sectoral CERTs to implement cybersecurity measures at a sectoral level.

The details regarding the methods and formats for reporting cybersecurity incidents, vulnerability reporting and remediation, incident response procedures and dissemination of information on cybersecurity are published on CERT-In’s website and are updated from time to time.

For critical sectors, the government has set up the National Critical Information Infrastructure Protection Centre (NCIIPC) under the ITA, as the nodal agency, and has framed the NCIIPC Rules and guidelines to protect the nation’s critical information infrastructure (CII) from unauthorised access, modification, use, disclosure and disruption to ensure a safe, secure and resilient information infrastructure for critical sectors in the country.

Other relevant rules framed under the IT Act include the following.

  • The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (Data Privacy Rules), which prescribe reasonable security practices and procedures to be implemented for collection and the processing of personal or sensitive personal data.
  • The Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018, which prescribe security measures for protected systems, as defined under the IT Act. Under the IT Act, the government may notify any computer resource that affects the facility of CII to be a "protected system".
  • The Information Technology (Intermediaries Guidelines) Rules, 2011 (the Intermediaries Guidelines), which require intermediaries to implement reasonable security practices and procedures for securing their computer resources and information contained therein. The intermediaries are also required to report cybersecurity incidents (including information relating to such incidents) to CERT-In.

Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which deals with criminal offences, including those committed in cyberspace, and the Companies Act 2013, which requires companies to implement security systems to ensure that electronic records are secured from unauthorised access.

The ITA prescribes that any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for by CERT-In, or fails to comply with CERT-In’s directions, will be punishable with imprisonment for a term which may extend to one year, or with a fine which may extend to INR100,000, or with both.

The ITA also prescribes deterrence in the form of compensation, penalties and punishments for offences such as damage to a computer system, failure to protect data, computer-related offences, theft of a computer resource or device, SPD leaks, identity theft, cheating by impersonation, violation of privacy, cyberterrorism, online pornography (including child pornography), breach of confidentiality and privacy, and breach of contract.

In addition to the Ministry of Electronics and Information Technology (MeitY) and NCIIPC, the government has established the National Security Council Secretariat as the central co-ordinating body for cybersecurity and internet governance.

The Ministry of Home Affairs has set up the Cyber and Information Security Division (C&IS) to deal with matters relating to cybersecurity, cybercrime, and the National Information Security Policy & Guidelines (NISPG) and its implementation. C&IS comprises a cybercrime wing, a cybersecurity wing, an information security wing, and a monitoring unit.

Further, the Home Ministry has established the Indian Cybercrime Co-ordination Centre (I4C) which is a nodal point in the fight against cybercrime and co-ordinates implementation of mutual legal assistance treaties (MLAT) with other countries.

The government has also set up the National Technical Research Organisation (NTRO) as a technical intelligence agency under the National Security Advisor in the Prime Minister's office. Its primary role is to develop technology capabilities in aviation and remote sensing, data gathering and processing, cybersecurity, strategic hardware and strategic monitoring. NCIIPC comes within NTRO’s ambit.

The ITA mandates the central government to appoint an adjudicating officer to conduct inquiries and adjudicate matters (ie, contravention of any of the provisions of the ITA or of any rule, regulation, direction or order made thereunder, including non-compliance with CERT-In’s directions) with claims for injury or damages valued up to INR5 crores. Claims that exceed this amount must be filed before the competent civil court. Where more than one adjudicating officer is appointed, the ITA mandates the central government to specify the matters and places of jurisdiction of each adjudicating officer.

The inquiry and investigation procedure for the adjudicating officer is provided under the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003. Any decision of the adjudicating officer can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

There are various sector-specific regulators engaged in supervising their relevant intermediaries on the progress of implementation and robustness of cybersecurity frameworks. They regularly conduct cybersecurity and system audits of the intermediaries, which are reported to the relevant regulators.

Sector-Specific Regulators

Banking sector

The Reserve Bank of India (RBI) governs both public and private sector banks. The RBI’s guidelines prescribe that the RBI can inspect the cyber-resilience of any bank at any time. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) cell under the Department of Banking Supervision, to periodically assess the progress made by banks in the implementation of the cybersecurity framework (CSF) and other regulatory instructions and advisories, through on-site examinations and off-site submissions. The RBI has an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum, and has proposed to set up an online portal to investigate and address cybersecurity concerns and complaints.

The RBI also issued Guidelines on Regulation of Payment Aggregators and Payment Gateways, directing payment aggregators to put in place adequate information and data security infrastructure and systems for the prevention and detection of fraud, and has specifically recommended the implementation of data security standards and best practices such as PCI-DSS, PA-DSS, the latest encryption standards and transport channel security. Payment aggregators must establish a mechanism for monitoring, handling and following up on cybersecurity incidents and breaches, and must report incidents to the RBI and CERT-In.

In 2021, RBI issued a statement proposing guidelines to regulate outsourcing in payment systems, primarily to optimise efficiency, lower the costs, and eliminate vulnerabilities and cybersecurity risks.

The RBI regularly conducts audits and enquiries into banks’ security frameworks, and has imposed penalties on banks for non-compliance with the RBI’s cybersecurity framework for banks. For instance, in the past couple of years, the RBI has imposed monetary penalties on several banks, including INR3 crore on SBM Bank (India) Ltd., INR1 crore on the Corporation Bank and INR1 crore on the Union Bank of India, for non-compliance with certain RBI directions, including non-compliance with the cybersecurity framework for banks.

Insurance sector

The Insurance Regulatory and Development Authority (IRDA) is the nodal agency for governance and regulation of the insurance sector in India. The IRDA conducts regular on-site and off-site inspections of insurers to ensure compliance with the legal and regulatory framework. The IRDA also has guidelines on Information and Cyber Security for Insurers (IRDA Cyber Security Policy), requiring vulnerability assessment and penetration testing annually and closing any identified gaps within a month. Some other relevant guidelines issued by IRDA are: IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017; IRDAI (Maintenance of Insurance Records) Regulations, 2015; and the IRDAI (Protection of Policyholders’ Interests) Regulations, 2017, which contain a number of provisions and regulations on data security. Additionally, IRDAI has recently issued guidelines to insurers on structuring cyber insurance for individuals and identifying gaps that need to be filled. As per the guidelines, cyber insurance should provide cover against theft of funds and identity, unauthorised online transactions, email spoofing, etc.

Telecom sector

Telecom operators in India are governed by regulations laid down by the following regulatory bodies:

  • the Telecom Regulatory Authority of India (TRAI);
  • the Department of Telecom (DoT);
  • the TDSAT;
  • the Group on Telecom and IT (GOTIT);
  • the Wireless Planning Commission (WPC); and
  • the Digital Communications Commission (DCC).

Further, the Unified Access Service Licence (UASL) extends information security to the telecom networks as well as to third-party operators. The regulator requires telecom operators to audit their network (internal/external) at least once a year.

TRAI has released its recommendations on cloud services in relation to creation of a regulatory framework for cloud services, and constituting an industry-led body of all cloud service providers (CSP).

Securities

The Securities and Exchange Board of India (SEBI) has issued detailed guidelines to market infrastructure institutions (MIIs) to set up their respective Cyber Security Operation Centres (C-SOC) and to oversee their operations through dedicated security analysts. The cyber-resilience framework also extends to stockbrokers and depository participants.

Health sector

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations 2002 (IMCR) impose patient confidentiality obligations on medical practitioners. The Ministry of Health and Family Welfare introduced draft legislation in 2017, known as the Digital Information Security in Healthcare Act (the "DISH Act"), to regulate the generation, collection, storage, transmission, access and use of all digital health data. The DISH Act also provides for the establishment of a National Digital Health Authority as a statutory body to enforce privacy and security measures for health data, and to regulate the storage and exchange of health records.

The expert committee report and the Data Protection Bill, 2021 (DP Bill) require the central government to appoint a Data Protection Authority (DPA) to ensure compliance with the data protection laws, register data fiduciaries, conduct inquiries and adjudicate privacy complaints, issue codes of practice, monitor cross-border transfers of personal data, advise state authorities and promote awareness of data protection. In the case of significant data fiduciaries, the expert committee report and the DP Bill propose the appointment of a data protection officer (DPO) to address data principals’ grievances.

The Ministry of Health and Family Welfare had approved a Health Data Management Policy (HDM Policy) largely based on the DP Bill to govern data in the National Digital Health Ecosystem. The HDM Policy recognises entities such as data fiduciaries and data processors similar to the DP Bill, and establishes a consent-based data sharing framework.

The ITA provides for the appointment of an adjudicating officer to deal with claims of injury or damages not exceeding INR5 crore. MeitY has appointed the Secretary of the Department of Information Technology of each Indian state or union territory as the adjudicating officer under the ITA.

A written complaint can be made to the adjudicating officer based on the location of the computer system or the computer network, together with a fee based on the damages claimed as compensation. The adjudicating officer thereafter issues a notice to the parties notifying the date and time for further proceedings and, based on the parties’ evidence, decides whether to pass orders (if the respondent pleads guilty) or to carry out an investigation. If the officer is convinced that the scope of the case extends to the offence instead of contravention, and entails punishment greater than a mere financial penalty, the officer will transfer the case to the magistrate having jurisdiction.

The first appeal from the adjudicating officer’s decisions can be filed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and the subsequent appeal before the High Court.

The DP Bill prescribes filing the complaint before the data protection officer, whose decision can be appealed before the adjudicating officer of the DPA, who will have the authority to impose penalties on the data fiduciary. The maximum penalty for violation of the DP Bill’s provisions is INR15 crores or 4% of the data fiduciary’s total global turnover in the preceding financial year, whichever is higher. The DP Bill also prescribes imprisonment of up to three years and/or a penalty of up to INR200,000 against any person who knowingly or intentionally, and without the consent of the data fiduciary, re-identifies personal data which has been de-identified by a data fiduciary/data processor, or re-identifies and processes such personal data. The aforesaid offences under the DP Bill are cognisable (ie, the police have the power to arrest the offender without a court warrant) and non-bailable.

The DP Bill proposes that the central government establish an appellate tribunal to adjudicate on appeals from the orders of the DPA, with the SCI as the final appellate authority for all purposes under the DP Bill.

India does not have state-specific cybersecurity laws or regulations. However, several state governments have taken initiatives to promote cybersecurity. For example, the Maharashtra state government launched the Cyber Safe Initiative to spread awareness regarding laws on cybercrime, bank frauds, child pornography, online gaming, cyber defamation, false information sites, etc. Further, the Karnataka government had established a Centre of Excellence in Cyber Security to build awareness and facilitate innovation, standardisation and best practices for cybersecurity.

The following non-governmental authorities assist the Indian government in cybersecurity measures:

  • the Data Security Council of India (DSCI) – a not-for-profit industry body under the National Association of Software and Services Companies (NASSCOM) that engages with governments and their agencies, regulators, industry sectors, industry associations and think tanks for policy advocacy, thought leadership, capacity-building and outreach activities;
  • National Cyber Safety and Security Standards (NCSSS) – a self-governing body to protect the CII from cyber-related issues;
  • the Internet and Mobile Association of India (IAMAI) – a not-for-profit industry body that addresses the issues, concerns and challenges of the internet and mobile economy;
  • the Cellular Operators Association of India (COAI) – an industry association of mobile service providers, telecom equipment, internet and broadband service-providers in India, which interacts directly with ministries, policy-makers, regulators, financial institutions and technical bodies;
  • the Internet Service Providers Association of India (ISPAI) – the recognised apex body of Indian ISPs worldwide; and
  • the Computer Society of India (CSI) – a non-governmental organisation of professionals (software developers, scientists, academics, project managers, etc) which contribute to the government's formulation of information technology strategy and planning.

A formal memorandum of understanding (MoU) has been signed between the Central Board of Direct Taxes (CBDT) and SEBI for data exchange between the two organisations, on an automatic and regular basis. SEBI and CBDT will also exchange any information available in their respective databases, for the purpose of carrying out their functions under various laws.

In regard to government assistance, under the Digital India initiative, MeitY had set up the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), operated by CERT-In, to work with internet service providers and companies to provide information and tools to users on botnet and malware threats. Similar proactive measures are deployed by sector-specific regulators from time to time.

Also, MeitY released the National Cyber Security Policy in 2013, which recommended creating a secure cyber-ecosystem, strengthening laws and creating mechanisms for the early warning of security threats, vulnerability management and the response to security threats. The policy intended to encourage all organisations to develop information security policies integrated with their business plans and to implement those policies in accordance with international best practices. This policy is soon expected to be updated.

Finally, in a one-of-its-kind public-private partnership, MeitY launched Cyber Surakshit Bharat, a mission to strengthen the cybersecurity ecosystem in India by spreading awareness about cybercrime and undertaking capacity-building for chief information security officers (CISOs) and staff across all government departments. This initiative was founded by the IT giants Microsoft, Intel, WIPRO, Redhat and Dimension Data, in alliance with CERT-In, the National Informatics Centre (NIC), NASSCOM and the FIDO Alliance, and the consultancy firms Deloitte and EY.

Similar to CERTs worldwide, CERT-In is the national nodal agency for responding to computer security incidents as and when they occur. CERT-In operates on similar principles to other CERTs, such as:

  • collection, analysis and dissemination of information on cyber incidents;
  • forecast and alerts of cybersecurity incidents;
  • emergency measures for handling cybersecurity incidents;
  • co-ordination of cyber incident response activities;
  • issue of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

Further, Indian cybersecurity law follows the UK cybersecurity model. For example, the primary institutional authorities for critical information infrastructure (CII) in both jurisdictions are similar, namely the NCIIPC in India and the National Cyber Security Centre in the UK. India and the UK also have similar emergency response authorities, such as CERT-In and CERT-UK.

Additionally, the UK has a central authority, the National Cyber Security Centre, that co-ordinates between the UK government and its various industry stakeholders in cybersecurity matters. The MeitY is in the process of establishing a similar authority in India, known as the National Cyber Coordination Centre (NCCC), which will be implemented by CERT-In.

However, there are certain fundamental dissimilarities in the cybersecurity regimes of India and the UK. For instance, the UK does not have a comprehensive legal framework in respect of information technology and cybersecurity, whereas India has a comprehensive legislation to govern information technology and cybersecurity (the ITA). Also, in the absence of an all-inclusive cybersecurity framework, the various executive authorities in the UK function under separate laws (the Security Services Act, 1989, or the Civil Contingencies Act, 2004). Conversely, the central authorities for cybersecurity in India are established and operationalised under the ITA, and the various rules thereunder.

In regard to the CII, the guidelines for protection of the national critical information infrastructure provide for security certifications by third-party agencies (government or private agencies) to protect the assets for smooth and error-free operation. The certifications must also deal with enforcing or implementing any international security standards available globally for the protection of critical assets working in the CII by respective organisations. Each CII must list the certifications needed to be implemented for the protection of their assets and the areas.

As the recent attacks on cyber infrastructure indicate increasing targeting of SCADA systems and supporting infrastructure widely used in almost all critical industrial set-ups (oil, gas, nuclear, aviation, etc), there is an increased need to put in place the strategic controls recommended in the guidelines.

The Joint Parliamentary Committee, on 16 December 2021, presented a revised version of the comprehensive data privacy law, the DP Bill, in the Parliament. The draft bill introduces a number of significant changes, including expanding the scope of the law to cover non-personal data as well. The DP Bill also introduced stringent data breach reporting requirements, regulation of hardware manufacturers and enabling a certification mechanism for all digital and IoT devices to mitigate data breaches.

MeitY notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, replacing the Information Technology (Intermediaries Guidelines) Rules, 2011. The new intermediary rules impose an obligation on internet intermediaries to retain users’ information collected upon registration for 180 days, even after any cancellation or withdrawal of such registration. The rules also recognise certain intermediaries as "significant social media intermediaries" if their total registered users cross a certain threshold (subsequently notified as 5 million registered users), and require them to enable the identification of the first originator of any information that is transmitted through such an intermediary. This traceability obligation was challenged before the court on the ground that it violates the fundamental right to privacy.

The RBI introduced Guidelines on Regulation of Payment Aggregators and Payment Gateways, restricting payment aggregators and merchants from storing card and card-related data. In September 2021, the RBI issued a circular mandating that no entity other than card issuers or card networks is allowed to store card data, and that all such data previously stored should be deleted.

The Department of Science and Technology issued guidelines for acquiring and producing geospatial data and geospatial data services including maps. Under these guidelines, there is no restriction, and no requirement of any approval, clearance, license, etc, on the collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of geospatial data and maps within the territory of India, subject to certain restrictions. The guidelines also restrict foreign entities from creating and/or owning, or hosting geospatial data other than the prescribed threshold values.

The Bureau of Indian Standards issued standards for data privacy assurance, the IS 17428. The standard seeks to provide a privacy assurance framework for organisations to establish, implement, maintain and continually improve their data privacy management system.

The SCI passed a significant judgment in October 2021 in the Pegasus spyware matter, recognising the need to assess the impact of the Pegasus spyware on the right to privacy and freedom of speech. The court formed a three-member committee to make recommendations on the enactment or amendment of the existing surveillance laws to ensure an improved right to privacy, cybersecurity and threat assessment measures. The committee has not yet submitted its recommendations.

In March 2021, the Competition Commission of India (CCI), India’s antitrust regulator, initiated an investigation against WhatsApp, Inc. and Facebook, Inc. (now Meta Platforms, Inc.), assessing the impact of WhatsApp’s update requiring users to agree to data sharing with Facebook in order to continue using WhatsApp. The CCI noted that WhatsApp’s unilateral terms violated the users’ voluntary agreement and appeared to be unfair and unreasonable for its users. Facebook, Inc. and WhatsApp, Inc. filed petitions before the Delhi High Court challenging the CCI’s order, but the court dismissed these petitions.

Madras High Court passed an order in August 2021 dismissing a petitioner’s request to have his name redacted from court orders in criminal proceedings wherein he was finally acquitted. Recognising an individual’s right to privacy and anonymity as held in the Privacy Judgment, the court also noted that without a precise framework or objective criteria for redaction of the accused’s name in India’s criminal justice system, it would be more appropriate to await the new data protection law to exercise such right to be forgotten.

MeitY published its National Strategy on Blockchain in December 2021, with strategies and recommendations for creating a trusted digital platform using blockchain. The ministry recommends that data localisation should be enabled for blockchain-based systems in the country and may be achieved by hosting the blockchain infrastructure, data and smart contracts within the country.

The RBI’s working group on digital lending activities issued its report on Digital Lending including Lending through Online Platforms and Mobile Apps in November 2021. The working group noted privacy lapses across digital lending apps, in addition to inadequate transparency, lack of users’ choice to manage or delete their data after a loan has been repaid, non-disclosure of partner banks or non-banking financial companies, and misuse of borrowers’ sensitive data. The working group provided recommendations, such as that data should be stored on servers located in India and should only be collected from the borrower/prospective borrower with prior information on the purpose, usage and implications of such data and with the explicit consent of the borrower in an auditable way. The RBI is yet to take a final view on the proposed regime.

The Parliamentary Standing Committee presented its 233rd report on Atrocities and Crimes against Women and Children identifying virtual private network (VPN) services as a technological challenge and security threat. It recommended development of a co-ordination mechanism with international agencies to ensure that these VPNs are blocked. Currently, there are no statutory or other restrictions prohibiting or regulating the use of VPNs by individuals.

In 2021, India introduced the draft DNA Technology (Use and Application) Regulation Bill, 2019 for consideration by the Parliament. The bill seeks to regulate use of DNA technology for identifying persons for specific purposes such as solving crimes. It also prescribes DNA collection procedures, establishment of DNA data banks, a regulatory board, accreditation mechanisms, etc. However, the bill was not taken up in the Parliament. As the bill allows collection of DNA samples without consent in certain circumstances (such as for offences with imprisonment terms of above seven years), a person's right to privacy will have to be a serious consideration.

The Indian government is working towards updating its National Cybersecurity Strategy in order to improve its position in cyberspace. The updated National Cybersecurity Policy may be issued within this year.

India has continued to witness a tremendous increase in cybercrime and data breach incidents in 2021. Reportedly, some government websites were hacked, leaking COVID-19 lab test results of thousands of Indian citizens. A cyber-attack on an airline data service provider in May 2021 resulted in a data leak pertaining to 4.5 million passengers of the airline. In the same month, personally identifiable information and test results of 190,000 candidates for the 2020 common admission test were leaked and put up for sale. In April 2021, a million credit card records and details of 180 million pizza orders were leaked, including customers’ names, phone numbers, and email addresses. This exponential rise may deepen concerns about potential cybersecurity risks for consumers and businesses, as well as new kinds of data security breaches.

The government will soon be releasing the draft e-commerce policy that proposes to set up an e-commerce regulator with broad powers over e-commerce entities and platforms. The draft policy contains proposals on sharing source codes, algorithms and other data with the government, use of non-personal data of consumers, anti-piracy, cross-border data transfers, etc. This is an important development and it will be interesting to monitor the final policy in view of the provisions under the pending DP Bill, and, thereafter, the policy’s feasibility and enforceability.

Finally, India may see its first comprehensive, general data protection law introduced in this year.

The ITA and the IT rules are applicable for the protection of data, computer systems and infrastructures in India.

The ITA protects data which is defined as “a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer print-outs, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer”.

The ITA protects data and computer systems, including computers, computer resources and computer networks, against unauthorised access, downloading and extraction of data, databases and information, the introduction of computer contaminants or viruses, damage, disruption, denial of access to authorised persons, and the theft, concealment, destruction and alteration of computer source code. The ITA also provides for compensation, penalties and punishment in respect of offences relating to these activities.

The DP Rules prescribe protection of personal information and SPD. The DP Rules define personal information as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person”. Further, the DP Rules recognise the following as SPD:

  • password;
  • financial information, such as bank account, credit card or debit card, or other payment instrument details;
  • physical, physiological and mental health condition;
  • sexual orientation;
  • medical records and history;
  • biometric information;
  • any detail relating to the above as provided to body corporate for providing service; and
  • any of the information received from a body corporate in respect of the above, for processing, stored or processed under lawful contract or otherwise.

The CERT-In Rules require mandatory reporting of all cybersecurity incidents to the CERT-In at the earliest and in a prescribed format. The CERT-In is the central authority for reporting cyber incidents, analysing trends and patterns in intruder activities, determining the scope, priority and threat of a cyber incident and developing preventive strategies against cybersecurity incidents.

The ITA, the NCIIPC Rules and the NCIIPC guidelines prescribe protection of India’s CII from unauthorised access, modification, use, disclosure and disruption, so as to ensure a safe, secure and resilient information infrastructure for critical sectors. The NCIIPC, as the nodal agency under the NCIIPC Rules, protects CII and issues advisories aimed at reducing its vulnerability to cyberterrorism, cyberwarfare and other threats.

The National Cyber Security Policy, 2013 aims to create a cybersecurity framework, leading to specific actions and programmes to enhance the security posture of India’s cyberspace. The Cyber Security Policy prescribes various objectives, which include:

  • to create a secure cyber-ecosystem in the country, generate adequate trust and confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy;
  • to create an assurance framework for design of security policies and for promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (product, process, technology and people);
  • to strengthen the regulatory framework for ensuring a secure cyberspace ecosystem;
  • to enhance and create national and sectoral level 24x7 mechanisms for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective, response and recovery actions;
  • to enhance the protection and resilience of the CII by operating NCIIPC, and mandating security practices related to the design, acquisition, development, use and operation of information resources;
  • to enable protection of information while in process, handling, storage and transit so as to safeguard privacy of citizens' data and for reducing economic losses due to cybercrime or data theft; and
  • to enable effective prevention, investigation and prosecution of cybercrime and enhancement of law enforcement capabilities through appropriate legislative intervention.

The government is working towards updating its National Cybersecurity Strategy in order to improve its position in cyberspace.

The Payment and Settlement Systems Act, 2007, requires all information received by the RBI from a payment system or system provider to be kept confidential, except where disclosure is necessary to protect:

  • the integrity, effectiveness and security of the payment system;
  • the interests of banking or monetary policy;
  • the operation of payment systems generally; or
  • the public interest.

The Companies (Management and Administration) Rules, 2014, mandate adequate cybersecurity in respect of an electronic voting system, which is used by members of a company to exercise their right to vote at general meetings.

As India currently does not have a specific DPA, cybersecurity issues are adjudicated by an adjudicating officer appointed under the ITA, having the powers of a civil court.

At present, there is no over-arching cybersecurity agency for India similar to ENISA.

However, in addition to CERT-In and NCIIPC, the government has established the National Security Council Secretariat as the central co-ordinating body for cybersecurity and internet governance.

As part of the government’s Digital India initiative, MeitY has set up Cyber Swachhta Kendra as a botnet cleaning and malware analysis centre.

The Ministry of Home Affairs has set up a Cyber and Information Security Division (C&IS) to deal with matters relating to cybersecurity, cybercrime, and the National Information Security Policy & Guidelines (NISPG) and its implementation. C&IS comprises a cybercrime wing, a cybersecurity wing, an information security wing and a monitoring unit.

Further, the Home Ministry has established the Indian Cybercrime Co-ordination Centre (I4C), which is a nodal point in the fight against cybercrime and co-ordinates implementation of Mutual Legal Assistance Treaties (MLAT) with other countries.

The government has also set up the National Technical Research Organisation (NTRO) as a technical intelligence agency under the National Security Advisor in the Prime Minister's Office. Its primary role is to develop technology capabilities in aviation and remote sensing, data gathering and processing, cybersecurity, strategic hardware and strategic monitoring. The NCIIPC comes within the NTRO’s ambit.

The Ministry of External Affairs has set up a New Emerging and Strategic Technologies Division (NEST) to engage in technology diplomacy and deal with the foreign policy and international legal aspects of new and emerging technologies.

Currently, the Indian laws do not prescribe for data protection authorities. However, the DP Bill prescribes establishment of a DPA for addressing issues related to data privacy and protection. Under the DP Bill, a complaint can be filed before a data protection officer, which can be appealed before an adjudicating officer of the DPA. The DPA will have the authority to impose penalties on any data fiduciary, with a maximum penalty for violation of the DP Bill’s provisions of INR15 crores or 4% of the data fiduciary’s total global turnover in the preceding financial year, whichever is higher.

The RBI is the nodal banking and financial sector regulator in India. The sub-CERT for the banking and finance sector is the Institute for Development and Research in Banking Technology (IDRBT), which is an autonomous centre for development and research in banking technology set up by the RBI. The IDRBT owns the Indian Financial Network (INFINET), which is the communication backbone for the banking and finance sector in India.

The RBI’s regulations and its Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (the "RBI Cyber Security Guidelines") provide detailed guidance on information technology governance for banks in India.

The RBI has also issued guidelines on a cybersecurity framework (CSF) in banks, requiring banks to have an adaptive incident response, management and recovery framework to deal with adverse incidents and disruptions.

The RBI’s Information Technology Framework for the NBFC Sector was issued in 2017, focusing on IT policy, IT governance, information security and cybersecurity.

The Finance Minister has proposed to establish a CERT-Fin, which will act as an umbrella CERT for the finance sector. The RBI will be the lead regulator, until such CERT-Fin is set up.

SEBI has also issued guidelines on Cyber Security and Cyber Resilience for Stock Exchanges, Clearing Corporations and Depositories. Further, the IRDA has issued guidelines on Information and Cyber Security for Insurers, for the cybersecurity protection of information relating to policyholders.

NITI Aayog (the government’s policy think-tank) released a draft framework on Data Empowerment and Protection Architecture (DEPA) in consultation with industry regulators, banks and fintech entities, to set up a mechanism for secure consent-based data sharing in the fintech sector. This would empower individuals with control over their personal data. Individuals will be able to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner. DEPA is also proposed to be introduced for other sectors, such as health and telecom sectors.

In the insurance sector, the IRDA has issued the Guidelines on Information and Cyber Security for Insurers (the "Insurance Cyber Guidelines"), under which insurers must put in place adequate measures to ensure that cybersecurity issues are addressed. Insurers are also required to appoint a chief information security officer (CISO), formulate a cyber crisis management plan and conduct audits.

In the telecommunications sector, the Department of Telecommunications (DoT) has prescribed the licence conditions and cybersecurity obligations imposed on the licensee entity under the unified licence.

There are CERTs established under the Ministry of Power to mitigate cybersecurity threats in power systems, and four sub-CERTs for transmission, thermal, hydro and distribution to co-ordinate with power utilities.

The Information Technology (Intermediaries Guidelines) Rules, 2011, under the ITA, impose an obligation on any intermediary to report cyber incidents to the CERT-In.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "DP Rules") prescribe reasonable security practices that must be supplemented by a documented information security programme and policies. The one security standard expressly named is IS/ISO/IEC 27001 (Information Technology – Security Techniques – Information Security Management System – Requirements); codes of best practice drawn up by industry self-regulatory bodies and approved by the government are also acceptable. The RBI has prescribed baseline cybersecurity and resilience requirements for banks, in line with global security standards.

There is no consensus or commonly applied framework for reasonable security, and the regulators have recommended a sector-wise framework based on various factors, including risk-based elements.

CERT-In’s incident handling follows four phases: identifying cybersecurity risks and incidents, containing the incident and minimising damage, eradicating the cause of the incident, and recovering by restoring normal operations.

Under the ITA, the reasonable security practices and procedures include the security practices that are designed to protect any information from unauthorised access, damage, use, modification, disclosure or impairment, and are specified in a contractual agreement, or any law or as prescribed by the central government.

The DP Rules prescribe the following criteria to comply with the “reasonable security” practices and procedures:

  • entities must implement the security practices and standards; and
  • there must be a comprehensive documented information security programme and policies, containing managerial, technical, operational and physical security control measures, that are commensurate with the information assets being protected and the nature of the business.

Written Information Security Plans or Programmes

The DP Rules prescribe the body corporates to have a comprehensive documented information security programme and security policies containing managerial, technical, operational and physical security measures.

Incident Response Plans

There is no statutory requirement under the cybersecurity laws to maintain an incident response plan. The Protected System Rules require the central and state governments to implement a cyber crisis management plan for rapid identification, information exchange, swift response and remedial actions to recover from malicious cyber-related incidents in the critical sectors.

The RBI requires banks to have a written incident response programme and cybersecurity policy to handle cyberthreats, and a cyber crisis management plan addressing detection, response, recovery and containment. The RBI also requires cyber breach incidents to be reported to it within two to six hours of detection.

The IRDA requires the insurers to have an incident response plan.

Appointment of Chief Information Security Officer or Equivalent

The NCIIPC guidelines recommend that all CIIs have an information security department headed by a CISO.

The RBI’s Cyber Security Guidelines mandate the appointment of a chief information security officer (CISO) and a security steering committee in public and private sector banks; the CISO must report any incident directly to the bank’s head of risk management.

The IRDA also requires the appointment of a CISO for implementing a cybersecurity framework.

The DP Rules provide for the appointment of a grievance officer to redress the information provider’s grievances.

Involvement of Board of Directors or Equivalent

The RBI and IRDA guidelines require involvement of the board of directors to approve cybersecurity policies and cyber crisis management plans, and take overall responsibility for the information security governance framework.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests

The DP Rules do not prescribe conducting internal risk assessments, vulnerability scanning, penetration tests, etc. The RBI mandates banks to have periodical vulnerability assessment and penetration testing exercises for all critical systems. The IRDA also has a cybersecurity policy which recognises the need for testing programmes, vulnerability assessments and penetration tests.

Multi-factor Authentication, Anti-phishing Measures, Ransomware, Threat Intelligence

The RBI has issued guidelines requiring banks to implement two-factor or multi-factor authentication to protect the confidentiality of customer account data and transaction details, and to combat attacks targeted at banks and their customers such as phishing, keylogging (recording the keys struck on a keyboard) and spyware/malware.

Besides this, organisations such as the Data Security Council of India (DSCI) issue periodic advisories on data breaches, recommendations for avoiding them and ways of strengthening security measures. For instance, DSCI issued guidance on a Targeted Phishing Campaign by Malicious Actors, anticipating a large-scale phishing attack against Indian organisations of all sizes, and provided information on mitigation measures.

Insider Threat Programmes

There is no insider threat programme or standards under the current Indian cybersecurity framework.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

The DP Rules do not have any provisions for vendor or service provider due diligence or monitoring. The respective sectoral guidelines of the IRDA, TRAI and RBI on outsourcing and cloud services require companies and banks to carry out due diligence, audits and regular monitoring of vendors and service providers.

Use of Cloud, Outsourcing, Offshoring

The MeitY guidelines for government use of cloud services prescribe that service providers must store the data within India. If the data is located in one or more discrete sites in foreign countries, the conditions for data location have to be set out in an agreement with the service providers.

The telecom regulations prohibit telecom companies from transferring customer account information outside India.

RBI proposes to issue guidelines to operators and participants to ensure that a code of conduct is adhered to in the outsourcing process.

TRAI has recommended creation of a regulatory framework for cloud services, including establishing the first industry-led body of all cloud service providers.

Payment of Ransomware

Currently, there are no regulations restricting the payment of a ransom in a ransomware attack. However, legal experts advise companies against making such payments, as the remittance may trigger implications under the foreign exchange and anti-money laundering laws.

Secure Software Development or Patching

There are no specific regulations in this regard. However, the sectoral guidelines discussed above provide that information security must be considered at every stage of an information asset’s life cycle, for software and hardware alike: planning and design, acquisition and implementation, patching, maintenance and support, and disposal, so as to minimise exposure to vulnerabilities.

Responsible Disclosure of Software Vulnerabilities

There is no mandate. However, it is possible for individuals and organisations to voluntarily report any cybersecurity incident relating to information or vulnerabilities to CERT-In, and seek requisite support and technical assistance to recover from them.

Training

The DP Rules do not prescribe any training requirements. CERT-In directs stakeholders and other entities to conduct training on technical know-how. The RBI and the IRDA also prescribe regular cybersecurity training and security awareness for staff on cybersecurity policies and programmes.

India–US cyber-relationship (signed on 30 August 2016, valid for five years): India and the US have signed a memorandum of understanding (MoU) to co-operate on cybersecurity mechanisms and information sharing.

India–Israel on cybersecurity (signed 15 January 2018): India and Israel have signed an MoU to develop, promote and expand co-operation in the field of human resources development (HRD) through platforms such as training programmes and skills development.

India–UK on cybersecurity (signed 20 May 2016): the CERT-In and CERT-UK have signed an MoU to promote co-operation for exchange of knowledge and experience in detection, resolution and prevention of security-related incidents.

India–Brazil on cybersecurity (signed 25 January 2020): India has signed 15 MoUs with Brazil on 25 January 2020 in respect of various issues, including co-operation in cybersecurity, and addressing information and communication technologies-related issues.

Recently, in January 2021, Japan’s Ministry of Internal Affairs and Communications has signed an MoU with the Ministry of Communications of India regarding information and communications, and more particularly agreed to co-operate in areas including cybersecurity.

India has also signed MoUs with Australia, Bangladesh, Indonesia, Kenya, Portugal, Serbia, the UAE, Vietnam, France, Malaysia, Mauritius, Morocco, Qatar and Singapore on cybersecurity co-operation.

Further, India has signed mutual legal assistance treaties (MLAT) with nearly 35 countries for cross-border co-operation in respect of access to data in different countries.

The DP Rules require all body corporates to implement reasonable security practices and standards, as well as to document their security programmes and policies.

Similarly, the RBI requires banks to classify data based on business complexity and risk levels, and the sensitivity criteria of a bank. The IRDA cybersecurity policy also provides that systems must be classified under different categories based on their criticality and severity.

There is no specific security requirement provision in respect of material business data and material non-public information.

The National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency for protection of the Critical Information Infrastructure (CII), networks and systems in the country. The NCIIPC guidelines recommend that cybersecurity breach incidents must be reported to the NCIIPC. The NCIIPC regularly advises on reducing vulnerabilities of the CII, and against cyberterrorism, cyberwarfare and other threats.

The NCIIPC guidelines prescribe development of audit and certification agencies for protection of the CII. The NCIIPC also exchanges cyber incidents and other information relating to attacks and vulnerabilities with CERT-In and concerned organisations in cybersecurity in India.

There are no specific provisions relating to security requirements to prevent denial of service (DoS) attacks under the ITA or the DP Rules. The NCIIPC guidelines and the sectoral cybersecurity guidelines prescribe preventive and corrective measures to address DoS and similar attacks on systems. Further, the NCIIPC regularly advises on vulnerabilities based on the latest DoS attack incidents, and these advisories can be accessed on its website.

There are no specific security provisions for other data or systems under the current cybersecurity regime.

The CERT-In Rules define a cyber-incident as “any real or suspected adverse event that is likely to cause or causes an offence or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability, of electronic information, systems, services or networks resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource, changes to data or information without authorisation; or threatens public safety, undermines public confidence, have a negative impact on the national economy, or diminishes the security posture of the nation”.

The CERT-In Rules also define cybersecurity incident as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, and information without authorisation”.

A cybersecurity breach is also defined under the CERT-In Rules as “unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource”.

The CERT-In Rules require the following types of cybersecurity incident to be reported:

  • targeted scanning/probing of critical networks/system;
  • compromise of critical systems/information;
  • unauthorised access of IT systems/data;
  • defacement of a website or intrusion into a website and unauthorised changes, such as inserting malicious code, links to external websites, etc;
  • malicious code attacks, such as the spreading of viruses, worms, Trojans, botnets and spyware;
  • attacks on servers, such as databases, email and DNS and network devices, such as routers;
  • identity theft, spoofing and phishing attacks;
  • denial of service (DoS) and distributed denial of service (DDoS) attacks;
  • attacks on critical infrastructure, SCADA systems and wireless networks; and
  • attacks on applications, such as e-governance, e-commerce.

The data to be provided while incident reporting includes the sector details, location of the system, date and time of the occurrence, criticality, affected system/network, symptoms observed, and the relevant technical information such as type of incident, number of hosts affected, security systems deployed and actions to mitigate the damage.

The DP Bill also defines personal data breaches and requires data fiduciaries to report to the DPA any personal data breach that may cause harm to the data principal.

The ITA covers computer systems, computer networks, computer resources, data and databases.

Currently, there are no specific cybersecurity guidelines for medical devices, and the DP Rules and the NCIIPC guidelines apply. These include classifying data based on criticality, preparing a documented cybersecurity programme and appointing a CISO.

There is no specific cybersecurity framework for industrial control systems; the security requirements under the DP Rules and the CERT-In Rules apply to them.

There is no specific statutory provision that applies to security requirements for the internet of things (IoT). The data privacy principles under the DP Rules are applicable. However, MeitY’s draft IoT Policy, 2015 (yet to be approved), proposes to appoint a nodal organisation for formalising privacy and security standards, and create a national expert committee for developing and adopting IoT standards in the country.

Further, TechSagar – India’s cyber-tech repository, supported by the National Cyber Security Co-ordinator and managed by DSCI – is a platform for discovering India’s cyber-tech capabilities. It lists the business and research capabilities of various entities from the IT industry, start-ups, academia and R&D institutes. Currently, about 180–190 IoT capability definitions are listed on the TechSagar platform. TechSagar records 700+ companies, 125+ academic institutions, 20+ R&D centres and approximately 250 researchers active in the IoT space in India.

Also, NASSCOM, MeitY and ERNET have designed an IoT Centre of Excellence (CoE) to help Indian IoT start-ups to create market-leading products. This CoE is India’s largest deep-tech innovation ecosystem.

No information has been provided.

Incidents specified under the CERT-In Rules must be mandatorily reported to CERT-In. Data breaches in certain specific sectors such as finance, insurance and securities must be reported to the respective regulators. Cybersecurity incidents must be reported to the CISO.

There is no statutory requirement to report a cybersecurity incident to other companies or organisations. Contractually, a body corporate may require the vendor or service provider to promptly report any incident to the company.

There are no "risk of harm" thresholds or standards under the current privacy regime. The DP Bill prohibits processing of such information that could cause harm or significant harm to the data principals.

The relevant laws in India that govern network monitoring and cybersecurity defensive measures are:

  • the ITA;
  • the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (the Interception Rules);
  • the DP Rules;
  • the CERT-In Rules;
  • the NCIIPC Rules; and
  • the Sectoral Cyber Security Framework Policies.

The ITA provides a legal framework to address hacking and security breaches of IT infrastructure and prescribes penalties for negligently handling SPD. Furthermore, to the extent that the data intercepted and monitored by a body corporate includes the SPD of its customers or employees, the body corporate must comply with the DP Rules.

The Interception Rules prescribe that no person shall carry out any interception, monitoring or decryption of any information generated, transmitted, received or stored in any computer resource, unless authorised by India’s central or state governments. There is a lack of clarity on whether a company’s interception and monitoring of its internal servers will conflict with the above restriction.

In addition, India does not have any specific laws relating to employee monitoring and thus companies can monitor their networks and servers.

The Privacy Judgment and the expert committee report both indicate that the monitoring of employee communications and employee surveillance must be handled carefully, and recommend maintaining a balance between an employee’s privacy and the employer’s legitimate need to safeguard the company’s interests, until the new privacy law is in force.

The sectoral cybersecurity policies for banks, insurance companies, telecom companies and CII permit body corporates, including banks, to monitor the secure status of each system and network, mobile and home-working procedures, and critical systems. These may include third-party providers.

The Unified Access Service Licence (UASL) obliges telecom companies to monitor all intrusions, attacks and fraudulent activity on their technical facilities and to report them to the DoT.

The intersection of cybersecurity and privacy is an important point of discussion, more so due to increasing unauthorised data access through cyber-attacks, third-party data sharing and data compromises.

Both the existing privacy rules and the cybersecurity rules include data breach notification requirements, and these requirements sit directly at the intersection of security and privacy.

Data protection requires protecting against unauthorised data access, regardless of how it occurs, while simultaneously securing sharing of data.

The DP Rules mandate compliance with reasonable security practices and procedures by documenting an information security programme and information security policies, and by adhering to security standards such as ISO 27001 or to government-approved codes of best practice.

Despite the statutory mandate, various cybersecurity breaches have led to the exposure of personal data and SPD (as discussed in 8.4 Significant Private Litigation).

A larger concern that remains is about people who are impacted with such cyber-attacks. In the absence of any statutory provision to notify the impacted persons and assess their loss, the reporting mechanism does not provide any direct benefits or remedies to the impacted persons. 

Hopefully, the DP Bill containing stringent provisions will bring some respite to the situation. 

There is no statutory provision mandating the sharing of cybersecurity information with the government, although cybersecurity incidents must be reported to CERT-In as described above.

Indian laws do not restrict or mandate any individual/body corporate to share voluntarily any information regarding cyberthreats with government agencies.

Please refer to 8.4 Significant Private Litigation.

Please refer to 1.2 Regulators.

There are no applicable legal standards. Instances of cybersecurity breach are adjudicated on a case-by-case basis.

There were no significant reported private litigations involving cybersecurity allegations or data security incidents/breaches in India in the past year.

The SCI passed a significant judgment in October 2021 in the Pegasus spyware matter, recognising the need to assess the impact of the Pegasus spyware on the right to privacy and freedom of speech. The court formed a three-member committee to make recommendations on enacting or amending the existing surveillance laws so as to better protect the right to privacy and to improve cybersecurity and threat assessment measures. The committee has not yet submitted its recommendations.

The Madras High Court passed an order in August 2021 dismissing a petitioner's request to have his name redacted from court orders in criminal proceedings in which he was ultimately acquitted. While recognising an individual's right to privacy and anonymity as held in the Privacy Judgment, the court noted that, in the absence of a precise framework or objective criteria for redacting an accused's name in India's criminal justice system, it would be more appropriate to await the new data protection law before such a right to be forgotten is exercised.

In a landmark case involving the collection of citizens' personal data for COVID-19 tracking purposes by the government of Kerala (a southern Indian state) and its transfer to a US-based data analysis company, the Kerala High Court restrained the government from sharing citizens' sensitive personal data unless the data was anonymised. The court also recognised the importance of obtaining the data subject's informed consent before collecting their personal data, and of safeguards to ensure the confidentiality of the data collected.

India witnessed a tremendous increase in cybercrime and data breach incidents in 2021. Reportedly, some government websites were hacked, leaking the COVID-19 lab test results of thousands of Indian citizens. A cyber-attack on an airline data service provider in May 2021 resulted in the leak of 4.5 million passengers' data. In the same month, the personally identifiable information and test results of 190,000 candidates for the 2020 common admission test were leaked and put up for sale. In April, details of 180 million pizza orders were leaked, including customers' names, phone numbers and email addresses.

The Indian trading platform Upstox openly acknowledged a breach of know-your-customer (KYC) data. KYC data is gathered by financial services companies to confirm the identity of their customers and to prevent fraud and money laundering, but in the hands of attackers it can be used to commit identity theft. Upstox told customers it would reset their passwords and take other precautions after it received emails warning that contact data and KYC details held in a third-party data warehouse may have been compromised.

The personally identifiable information of 500,000 Indian police personnel was put up for sale on a database-sharing forum. An intelligence firm traced the data back to a police examination conducted in 2019.

Details of close to 35 million Juspay customer accounts, including masked card data and card fingerprints, were taken from a server using an old access key that had not been rotated.

Other than under the Companies Act, India does not have any laws enabling class action lawsuits. Under the Companies Act, shareholders or depositors can collectively approach the National Company Law Tribunal for redress where, for example, a company’s affairs are not managed in its best interests.

There is no prescribed procedure for conducting cybersecurity due diligence in corporate transactions. Acquirers normally request the target company's cybersecurity policy and framework, its annual audit reports on cybersecurity measures, and details of any past breaches and of the reporting made in respect of them.

There is no specific legal provision requiring mandatory disclosure of cybersecurity risk profile or experience.

The surge in e-commerce and digital payments seen in 2021 is expected to continue across the country. This exponential rise may deepen concerns about cybersecurity risks for consumers and businesses, and may give rise to new kinds of data security breaches. Additionally, with remote working becoming the norm, such risks are likely to persist until stakeholders, users and the government act together to address them.

The RBI, in coordination with CERT-In, has issued more than ten advisories to supervised entities on various cyberthreats and the best practices to be adopted. Additionally, a series of video conferences was conducted on cybersecurity preparedness and on broad cyber/IT threats to sensitise the supervised entities.

India is set to enact the DP Bill. Deliberations over the key issues of data localisation and government access to data shared on social media platforms are ongoing, and the possibility of further amendments to the DP Bill cannot be ruled out, which may delay the finalisation of the new comprehensive law.

Awareness of and focus on data privacy and cybersecurity are already increasing. The government and other organisations have been developing policies and frameworks for the use of machine learning and artificial intelligence (AI) in cybersecurity solutions, anomaly detection and response, and for IoT infrastructure for automation and efficiency, specifically for the CII. Government and corporations will have to further secure the cloud-based model and the data stored in the cloud. Concepts such as blockchain to prevent data theft may also be in demand.

On the other hand, India is facing a shortage of cybersecurity skills in the workplace. Certain authorities, such as CERT-In and the RBI, have been proactively conducting skill-development activities and encouraging greater awareness in order to deal with the increase in cyber incidents.

Some regulatory developments are anticipated. The National Cyber Security Strategy 2020 is a long-awaited government policy initiative and, once notified, is expected to bring in stronger security standards and priority allocation.

ANA Law Group

303 Madhava Premises
Bandra Kurla Complex
Bandra East
Mumbai - 400 051
India

+91 22 6112 8484

+91 22 6112 8485

mailbox@anaassociates.com
www.anaassociates.com