This article has been written by Monisha Mukherjee Gangopadhyay pursuing a Remote freelancing and profile building program from LawSikho.

This article has been edited and published by Shashwat Kaushik.

Introduction

The practice of employees working from a location other than their usual designated central office space is generally termed as remote work. Such de-centralized work ‘online’ could be done from the very home of the employee/employees concerned, at a shared office space or even at any public space other than the usual office space. Before the days of Skype and Zoom calls, a NASA engineer by the name of Jack Nilles laid the foundation for modern remote working when he coined the term “telecommuting” in 1973. Thanks to COVID-19 and some of its outcomes, remote work policies are no longer rare and far in between. There are arguments for and against such a mode of working from a distance, the chief among the disadvantages cited being that it arises from the point of view of data security.

Download Now

Remote work and its pros and cons

Remote work policies have enabled an enhancement of work-life balance and productivity by way of leveraging technological advancements and reducing costs incurred in infrastructure. Despite this, there remains very little scope for passing over the disadvantages of remote work; the most common among them are the cyber security risks of remote work in the form of phishing, shoulder surfing, and webcam hacking, to name only a few. Another drawback to working remotely lies in the communication gap that may arise between the members of a team, which is liable to result in decreased collaboration, isolation, and eventually the loss of productivity. Instances where the employer leaves the onus of managing basic infrastructure like a proper workstation and even an internet connection to the employee himself may result in utter disaster. An ideal remote working policy should ensure that both the employer and the employees benefit from the arrangement. Hence the necessity of having clear-cut guidelines for the eligibility and job type of the concerned employees, as well as the conditions of work.

Not all countries are prone to work remotely

There are differences, however, with regard to preferences for remote work between developed and developing countries. This is mostly due to differences in tradition and culture, leadership styles and productivity from remote work. Thus, the USA encourages remote work, while Asian countries like India and Japan aren’t as bullish on remote work. Productivity reportedly decreased by 20% in Japan in the process of remote working, while it rose by about 77% in the USA and the UK. 

This might be due to communication challenges and a general emphasis on office presence in Japan, as in most Asian cultures. Another strong reason why developed countries in the West have been able to handle remote work far more efficiently is because of the availability of platforms and tools for remote work, which include strong cyber security laws and policies to safeguard personal information, which are essential for remote employment.

Cyber security risks of remote working

Some of the most common cyber security risks that remote workers face are phishing and social engineering attacks, DDOS (distributed denial of service) attacks, personal device risks, shoulder surfing, cloud security misconfiguration, webcam hacking and so on. Social engineering attacks are launched by cyber criminals by using convincing e-mails, messages or phone calls to employees for the purpose of revealing sensitive information. Where remote workers among employees of concern are isolated, employees may not have immediate access to colleagues for the purpose of verifying the legitimacy of communication. Home networks are generally susceptible to cyber-attacks and malware infections. Cybercriminals often seek outdated systems as an entry point into the corporate network. Security teams can monitor and enforce security policies more effectively when the employees concerned are physically present in the office. When employees use personal devices for work, they may not have security measures up to the mark and consequently stand the chance of inadvertently exposing sensitive information, resulting in security threats to the organisation concerned. Cybercriminals with malicious intentions are often seen engaging in spying on screens for the purpose of gaining unauthorised access to sensitive information. This may happen when the employees take the liberty of working in coffee shops, airports, or any other public place. Misconfigurations in cloud services may result in the exposure of sensitive data to unauthorised persons. Thus, remote workers should be properly trained to understand the importance of proper configuration and access controls to avoid cloud security misconfiguration. Webcam hacking may take place if attackers are able to access video streams and disrupt virtual meetings. This may lead to data breaches and even reputational damage.

The way out

Employees often become complacent and ignore the best practices of cyber security. They should be educated on the potential risks of sharing personal information or work-related information on social media. Cyber security measures to avoid cyber crimes should first and foremost consist of cyber security training. Data reveals that less than 45 percent of developing countries receive cyber security training in the face of the threats of working from home. Remote workers should have proper training and be kept updated on the latest cyber threats and best practices required of them to avoid cyber crimes. Organisations must also ensure that remote workers have easy access to cyber security police and that company data is kept centrally in secure cloud-based or onsite storage systems. Strong access control measures like multi-factor authentication and role-based permissions should be implemented. There is undoubtedly a need for data encryption, both at rest and in transit, to protect sensitive information regarding the concerned organisation.

Legal respite

Last but not least, mention should be made of a few case laws in India relating to the issue of cyber security. In Shreya Singhal vs. Union of India, the Hon’ble Supreme Court of India held that the right to privacy is a fundamental right. This sets the legal framework for data protection in India. In the famous AADHAAR case (also known as Puttaswamy vs. Union of India), while the validity of the AADHAAR as an instrument of social welfare was upheld, the right to privacy of the individual was also held as a fundamental right. Hence, the provision for mandatory linking of AADHAAR numbers with bank account numbers and mobile phone SIM numbers was struck down. While recognising the right to privacy as a fundamental right, the honourable court emphasised the necessity of striking a balance between security and privacy concerns. As a result of the AADHAAR verdict, the government of India has been required to bring in stricter safeguards in the form of regulations to maintain the privacy of individuals in the country. 

Regulations in India

In recent years, data security has emerged as a critical issue in India, driven by the rapid growth of digital technologies and the increasing volume of personal and sensitive data being processed and stored online. To address these concerns, the Indian government has enacted several laws and regulations aimed at protecting data privacy and ensuring the secure handling of personal information.

The Information Technology Act, 2000 (IT Act) is a landmark piece of legislation that laid the groundwork for regulating electronic transactions, data protection, and cybersecurity in India. This comprehensive framework has had a profound impact on the digital landscape of the country.

At the core of the IT Act is its focus on data protection. Recognising the importance of safeguarding personal information in the digital age, the Act mandates organisations to obtain explicit consent from individuals before collecting and processing their personal data. This provision empowers individuals with greater control over their personal information and ensures that organisations respect their privacy.

Furthermore, the IT Act establishes a robust legal framework for addressing cybercrimes. It criminalises unauthorised access to computer systems, data breaches, and cyber stalking, among other offenses. This legislative framework provides law enforcement agencies with the necessary tools to investigate and prosecute cybercriminals, thus deterring potential offenders and ensuring a safer cyberspace.

The IT Act also recognises the significance of electronic transactions in today’s interconnected world. It provides a legal framework for conducting electronic contracts, digital signatures, and other forms of electronic communication. This framework instills confidence in electronic transactions, facilitating seamless and secure digital commerce.

Moreover, the IT Act empowers the government to establish regulatory bodies and appoint cyber experts to oversee the implementation of the Act and promote cybersecurity. These measures help ensure that the Act remains relevant and effective in addressing emerging cybersecurity challenges.

Since its enactment, the IT Act has undergone several amendments to keep pace with technological advancements and evolving cyber threats. In 2008, the Act was amended to include provisions related to cyber terrorism and critical information infrastructure protection. More recently, in 2022, the IT Act was amended to enhance data protection safeguards and address concerns related to the processing of personal data by social media platforms and other intermediaries.

The IT Act has played a pivotal role in shaping India’s digital ecosystem, fostering trust in electronic transactions, and safeguarding the privacy rights of individuals. As technology continues to evolve, the IT Act will undoubtedly require further amendments to address emerging challenges and ensure a secure and vibrant cyberspace for all stakeholders.

In addition to the Information Technology Act, 2000, there are a number of other laws in India that deal with data protection. These laws include:

  1. The Right to Information Act, 2005
    This act gives individuals the right to access information held by public authorities. It aims to promote transparency and accountability in government functioning and empower citizens by providing them with access to information that they are entitled to. The act also provides for a mechanism for appealing decisions of public authorities regarding the disclosure of information.
  2. The Privacy Act, 2018
    This act protects the privacy of individuals in relation to the processing of their personal information. It regulates the collection, use, disclosure, and retention of personal information by both government and private entities. The act also provides for the establishment of a Privacy Commissioner to oversee compliance with the act and investigate complaints.
  3. The Personal Data Protection Bill, 2019
    This bill is a comprehensive bill that seeks to regulate the collection, storage, and use of personal data in India. It proposes to establish a Data Protection Authority to oversee compliance with the bill and investigate complaints. The bill also includes provisions for the protection of sensitive personal data, the right to be forgotten, and the right to data portability.

The Digital Personal Data Protection Act 2023 (DPDPA) is a landmark piece of legislation that aims to safeguard the privacy and security of individuals’ personal data in the digital age. Enacted last year, the DPDPA establishes a comprehensive framework for the collection, use, and disclosure of personal data by organisations operating within the country.

Key provisions of the DPDPA:

  1. Consent and transparency:
    • Organisations must obtain explicit consent from individuals before collecting, using, or disclosing their personal data.
    • Individuals have the right to be informed about the purposes of data processing and the entities involved.
  2. Data minimisation:
    • Organisations can only collect and process personal data that is necessary for specified, legitimate purposes.
    • Excessive data collection is prohibited.
  3. Purpose limitation:
    • Personal data can only be used for the purposes for which it was originally collected.
    • Unauthorised use or disclosure of personal data is strictly prohibited.
  4. Data security:
    • Organisations must implement appropriate security measures to protect personal data from unauthorised access, use, or disclosure.
    • Failure to protect personal data may result in penalties.
  5. Data subject rights:
    • Individuals have the right to access, rectify, erase, and restrict the processing of their personal data.
    • Organisations must provide mechanisms for individuals to exercise these rights easily.
  6. Data portability:
    • Individuals have the right to obtain a copy of their personal data in a structured, commonly used, and machine-readable format.
    • Organisations must facilitate the transfer of personal data to other service providers upon request.
  7. Data protection officers:
    • Organisations that process personal data on a large scale must appoint a Data Protection Officer (DPO) to oversee compliance with the DPDPA.
    • The DPO is responsible for ensuring that the organisation’s data processing activities are in line with the law.
  8. Cross-border data transfers:
    • Organisations must comply with specific requirements when transferring personal data outside the country.
    • Data transfers to countries with inadequate data protection laws may be restricted or prohibited.
  9. Enforcement and penalties:
    • The DPDPA establishes a Data Protection Authority to enforce compliance and investigate violations.
    • Organisations that breach the law may face significant fines and other penalties.

The DPDPA reflects the growing global recognition of the importance of personal data protection in the digital era. It empowers individuals with greater control over their personal data and holds organisations accountable for their data handling practices. By implementing comprehensive data protection measures, the DPDPA aims to foster trust in the digital economy and protect the fundamental rights of individuals in the digital age.

These laws, along with the Information Technology Act, 2000, provide a comprehensive framework for data protection in India. They aim to protect the privacy of individuals, ensure transparency and accountability in the processing of personal information, and empower individuals with rights and remedies in relation to their personal data.

In addition to these laws, there are several other regulations and guidelines issued by various government agencies that address specific aspects of data security. For example, the Reserve Bank of India (RBI) has issued guidelines for banks and financial institutions on data protection and cybersecurity. Similarly, the Telecom Regulatory Authority of India (TRAI) has issued regulations for telecom service providers on the protection of customer data.

These laws and regulations collectively form the legal framework for data security in India. They aim to protect the privacy of individuals, prevent the unauthorised use of personal information, and ensure the secure handling of data by organisations. However, it is important to note that data security is an ongoing process, and there is always room for improvement. As technology continues to evolve, new challenges and threats to data security will emerge, requiring policymakers and regulators to adapt and strengthen the existing legal framework to address these emerging concerns effectively.

The Information Technology Act of 2000 has been amended several times over the years to keep up with the evolving landscape of electronic data. The most recent amendment was made in 2018, which introduced several new provisions related to data protection. These provisions include:

  • The requirement for data controllers to obtain the consent of individuals before collecting their personal information.
  • The right to access their personal information and to request its correction or deletion.
  • The obligation of data controllers to take reasonable steps to protect personal information from unauthorised access, use, or disclosure.
  • The creation of a new offence of unauthorised access to personal information.

Future of remote work in developing countries in the landscape of partial cybersecurity

Therefore, the future of remote work in developing countries like India is full of challenges, in spite of the great potential that it holds. It may be expected that remote work in this country will grow with the advancement of digital technology, particularly with the advent of faster internet and cloud-based solutions. Digitisation and remote work policies, besides offering the scope of a far enhanced work-life balance, are also highly cost-effective due to the reduction of commuting costs as well as office space and infrastructure accruing thereon. To reap the harvest of such a technological storm worldwide, India needs to wake up to the major challenges of remote work, namely, cyber security and the digital divide. The government of this country must take initiatives to implement robust measures, along with adequate training for the users of remote platforms so that awareness is created. This would, it is expected, go to sufficient lengths to reduce cyber-related crimes. At an initial stage, intervention by the government in terms of the development of infrastructure and training is required to erase or, at least, minimise the digital divide that might be created due to unequal access to the internet and technology. Government regulations, including the evolution of legal frameworks and policies through intrinsic and extensive studies and research, are needed to adapt to the inevitably changing work landscape of the digital world.

Conclusion

To conclude, the COVID-19 pandemic has inflicted severe pain in the labour market, and there is an ever-growing emphasis on the availability of the internet to enable workers to perform remotely wherever feasible. The concept of remote work varies widely, though, depending on a country’s income level and the type of economy. Highly crucial to the success of a remote work policy is the availability of infrastructure in the form of the internet. Thus, while in developed countries one in every five jobs can be done from home, in low-income countries it is only one in 26. Just as there is no rose plant without thorns, so is the case of remote work – a remote work policy has to be backed up with a set of sound cyber security policies. The state of cyber security in developed countries as compared to developing countries differs in levels of complexity. While developed nations have highly evolved IT infrastructure with better redundancy and disaster recovery capabilities, larger funds for personnel training,  research and development, and extremely advanced security technologies, the intrinsically interconnected and complex IT systems create larger attack surfaces for vulnerabilities. These systems are liable to be targets for sophisticated cyber attacks due to perceived wealth and critical infrastructure. The developing countries, on the other hand, have access to international initiatives for capacity building and knowledge sharing and the rapid adoption of new technologies can offer an opportunity to build secure systems from scratch. Moreover, less complex IT infrastructure requires simpler security implementations. One of the major weaknesses of developing nations lies in insufficient funds for advanced security solutions, training for skill development, and advanced security solutions. It appears that collaboration and knowledge sharing between countries are essential to addressing global cyber security threats more efficiently.

References

LEAVE A REPLY

Please enter your comment!
Please enter your name here