This article has been written by Abha Ghosh pursuing a Diploma in International Contract Negotiation, Drafting and Enforcement from LawSikho.
This article has been edited and published by Shashwat Kaushik.
Introduction
In today’s generation, most of us own a personal computer, and the majority of our personal and professional activities are performed on this device we call a “computer.” Its creator, Charles Babbage, might not have imagined that his gift would turn out to be both a boon and a bane. Because of the intense work-from-home trend brought about by the pandemic, we now all have access to this invention. Along with it, access to the World Wide Web, or the Internet, has made it fast and easy to connect with people across borders and collaborate with them. During these collaborations and interactions, we have encountered advanced digital and AI technology that lets individuals and professionals cater to their various needs effectively and efficiently. However, we have also become prone to becoming victims of cyber-attacks. This means that individuals, organisations, systems, and networks are targeted and compromised by cybercriminals or hackers daily. These frequent attacks can stem from various factors, such as inadequate cybersecurity measures, outdated software, a lack of employee awareness, poor network security, or vulnerabilities in systems and processes. Mitigating the risk of cyber threats therefore requires attention and action.
To mitigate this risk, cyber laws were framed. Cyber laws are a set of rules and regulations framed to protect individuals and organisations from fraudulent activities in the digital world of cybercrime. Any individual or organisation in India that has been a victim of cybercrime should be aware of the laws, rules and regulations set out below. In India, the relevant rules and regulations are laid down chiefly by the Indian Penal Code 1860 and the Information Technology Act 2000.
Importance of cyber law
Safeguarding information integrity
Cybersecurity laws help individuals and organisations deal with the challenge of confronting the cybercriminals, including ransom-seeking ones, who carry out these cyber-attacks. These laws help protect personally identifiable information, financial information, and health information. They provide privacy, prevent the dissemination of personal information, and keep that information private when we use online portals, e-commerce websites, shopping websites, etc.
Foster organisational trust and assurance
Organisations gain trust and confidence when they know that laws exist to protect their digital data, network servers, employees’ personal data, and company data. Cyber laws also enable the smooth and effective functioning of an organisation by requiring it to have cybersecurity policies in place to prevent fraudulent activity. Often, these criminals not only try to steal financial information but also set out, with ill intent, to damage an organisation’s reputation.
Mitigating criminal activities
Cybercrime and cyberattacks increased tremendously during the pandemic, with many reputed organisations and firms attacked by hackers exploiting vulnerabilities in their infrastructure. The existence of cyber laws, however, has made life harder for most of these hackers, and major organisations have been able to put strong security interfaces and checks in place, such as two-factor authentication methods (e.g. Microsoft authentication), to keep their operations running smoothly.
Facilitating digital evolution
Cyber laws have tremendously helped the digitisation of activities in both our personal and professional lives. Because cyber laws exist, we can freely use online applications and install applications on our smartphones after accepting the terms and conditions of the EULA or the application’s relevant rules and regulations.
Advocating for optimal cyber security protocols
Most organisations nowadays have cybersecurity policies in place. Cyber law encourages organisations to adopt these widely used best practices, which serve the welfare of businesses and allow business activities to be carried out across borders without uncertainty.
Safeguarding vital infrastructure
There are provisions in the cybersecurity laws that are there to protect different institutions and infrastructures, such as healthcare, finance, and public and private sector businesses, from cybersecurity attacks. It is equally important for maintaining public peace and national security.
Tackling privacy challenges
In matters of safeguarding personal rights and interests, cybersecurity plays a distinctive role by giving individuals control over how to use their data online safely.
Legal ramifications of cyber offences under Indian Penal Code 1860 and IT Act, 2000
The provisions that apply to cybercrimes related to India are as follows:
Theft
If your mobile is lost or stolen, the relevant provision is Section 379 of the IPC, which punishes theft with imprisonment of up to three (3) years, a fine, or both.
Identity theft or cheating by personation: For example, we all use Facebook and Instagram nowadays and with the widespread use of social media platforms, individuals are vulnerable to identity theft. Punishment for identity theft under Section 66C of the IT Act is either for a term that can extend to three (3) years of imprisonment, a fine of up to Rs. 1 lakh or both.
Lost and found device
If you lose your mobile phone, data, or computer and it is found in someone else’s possession, the accused person can be imprisoned for a period of three (3) years under Section 411 of the IPC, with a fine, or both. Additionally, under Section 66B of the IT Act, a fine of up to Rs one lakh can be imposed, along with imprisonment for a period of three (3) years, or both.
Organisation’s data
In the event of a cyber attack in which an organisation’s data is stolen, the accused can face imprisonment for a period of three (3) years under Section 379 of the IPC, a fine, or both. Similarly, under Section 66B of the IT Act, a fine of up to Rs one lakh, imprisonment for a period of three (3) years, or both can be imposed.
Password theft
Using someone’s password to conduct illegal and fraudulent activities is punishable under Section 419 of the IPC with three (3) years of imprisonment, a fine, or both. The punishment can extend to a period of seven (7) years under Section 420 of the IPC.
Biometric theft
Misusing someone’s thumb impression can result in imprisonment for up to three (3) years under IT Act Section 66B, a fine of up to one lakh or both.
Sale or distribution of obscene material
As per Section 292 of the IPC, selling, distributing, exhibiting or possessing obscene materials, or engaging in the advertising, publication or transmission of such materials, can lead to imprisonment of up to two (2) years and a fine of up to Rs 2,000. For repeat offenders, the penalties may increase to a fine of Rs 5,000 and imprisonment for up to five (5) years. There is, however, an exception to this rule: if the material is used for educational or religious activities, it is exempt.
Voyeurism
A man who observes a woman without her consent while she is engaged in intimate activities, and who captures and shares images of her private parts, faces imprisonment of one (1) to three (3) years and a fine for a first offence under Section 354 of the IPC. Repeat offenders may face imprisonment of three (3) to seven (7) years, a fine of up to two (2) lakhs, or both, under Section 66E of the IT Act 2000.
Cyberstalking
Engaging in malicious acts to harass, scare, intimidate or attempt to harm a woman, or to draw her into a conversation without her consent, with the intention of financial gain, causing harm, instilling fear, or damaging her personal life or career, amounts to cyberstalking. This also includes activities such as tracking her physical location, stealing her identity for financial gain, issuing death threats, blackmailing her with personal information, and spreading false accusations online. Under Section 354D of the IPC, such an offender can be imprisoned for up to three (3) years with a fine for a first conviction, and for up to five (5) years for a second or subsequent conviction.
According to Section 67 of the IT Act, a stalker who shares obscene material online with the victim through electronic media can be punished with imprisonment of up to five (5) years and a fine of one lakh for a first offence. For a second offence, the punishment increases to ten (10) years of imprisonment with a fine of Rs 2 lakhs.
Forgery and email spoofing
Email spoofing is a technique used by hackers to send users an email that appears genuine at first glance. The method is used to attack the recipient of the email by making him or her believe that it was sent by a trusted source; spam emails are a common example. As per Section 271 of the IPC, if a document or electronic record that the creator knows to be forged is used in a manner, or with the intention, that it be taken as genuine, the offender shall be punished in the same manner as if he had forged such documents or email records himself.
These examples illustrate the prevalence of cyber-attacks and thefts in today’s digital landscape.
Four different types of cyber laws in India
Information Technology Act (2000)
The Information Technology Act, enacted in 2000, is a comprehensive law that governs information technology in India. It aims to provide a legal framework for electronic transactions, promote e-governance, and protect sensitive personal data.
One of the key features of the Act is its recognition of electronic records and digital signatures as legally valid. This provision has facilitated the growth of e-commerce and e-banking in India by enabling secure and legally binding transactions over the internet. The Act also establishes the legal framework for digital signatures, ensuring that they are as legally binding as handwritten signatures.
Another significant aspect of the Act is its focus on cybersecurity. It criminalises various forms of cybercrime, such as hacking, unauthorised access to computer systems, and denial of service attacks. The Act also empowers law enforcement agencies to investigate and prosecute cybercrimes effectively.
To protect sensitive personal data, the Act mandates organisations to implement reasonable security safeguards to prevent unauthorised access, disclosure, or misuse of such data. This provision has helped enhance privacy protection and reduce the risk of data breaches.
The Information Technology Act has played a crucial role in shaping the legal landscape of information technology in India. It has facilitated the adoption of digital technologies across various sectors, including e-governance, e-banking, and e-commerce. The Act has also contributed to improving cybersecurity and protecting sensitive personal data, making the digital environment more secure and reliable for individuals and businesses alike.
However, the Act has also been criticised for some of its provisions, such as the broad powers granted to law enforcement agencies to intercept and monitor electronic communications. There have also been concerns about the potential misuse of the Act to suppress dissent and free speech online.
Despite these criticisms, the Information Technology Act remains a landmark piece of legislation that has transformed the legal framework for information technology in India. It has helped bridge the gap between the physical and digital worlds, enabling individuals and businesses to harness the benefits of technology while ensuring a certain degree of legal certainty and protection.
Key provisions of the IT Act include:
- Cybercrime offences: The IT Act defines and criminalises various forms of cybercrime, such as unauthorised access to computer systems, data theft, cyber fraud, and online harassment. These provisions aim to protect individuals and organisations from malicious activities conducted through digital platforms.
- Electronic transactions: The IT Act recognises the validity of electronic transactions and provides a legal framework for conducting business online. It establishes guidelines for digital signatures, electronic contracts, and online payments, ensuring the enforceability and security of electronic transactions.
- Data protection: The IT Act addresses data protection and privacy concerns in the digital age. It mandates organisations to take reasonable security measures to protect personal information collected and stored electronically. Additionally, it provides individuals with the right to access and correct their personal data.
- Cyber security: The IT Act emphasises the importance of cyber security and mandates organisations to implement appropriate security measures to protect their systems and data from unauthorised access, hacking, and cyberattacks.
- Cyber Appellate Tribunal: The IT Act establishes the Cyber Appellate Tribunal to adjudicate disputes and appeals related to cybercrimes and online transactions. This specialised tribunal ensures prompt and efficient resolution of cyber-related disputes.
Indian Penal Code (IPC) (1980)
The Indian Penal Code (IPC) (1980) serves as a comprehensive body of legislation that effectively tackles a broad spectrum of criminal offences, including those associated with cyber fraud. The significance of the IPC in safeguarding users who unfortunately fall victim to cyber fraud on various online portals cannot be overstated.
The IPC meticulously defines and categorises various forms of cyber fraud, ensuring that perpetrators are held legally accountable for their actions. It addresses common cyber fraud offences such as phishing scams, identity theft, digital forgery, and online extortion, among others. By establishing clear legal boundaries, the IPC provides a robust framework for investigating and prosecuting cyber fraud cases.
Furthermore, the IPC plays a crucial role in providing legal recourse and remedies for victims of cyber fraud. Through its provisions, individuals who have suffered financial losses or emotional distress as a result of cyber fraud can seek legal action against the perpetrators. The IPC empowers victims to file complaints, and seek compensation and restitution for the damages incurred.
Moreover, the IPC’s significance lies in its ability to deter potential cyber fraudsters. By outlining the severe consequences associated with such offences, the IPC sends a strong message that cyber fraud will not be tolerated. It acts as a preventive measure, discouraging individuals from engaging in fraudulent activities online.
To ensure its effectiveness in addressing the evolving landscape of cyber fraud, the IPC is subject to regular amendments and updates. These amendments reflect a continuous effort to keep pace with the sophistication of cyber fraud techniques and emerging threats. The IPC’s adaptability ensures that it remains relevant and capable of safeguarding users from the ever-changing tactics employed by cybercriminals.
The IPC’s provisions are supplemented by the Information Technology Act, 2000, which specifically addresses cybercrimes and provides additional safeguards for online transactions and data protection.
Companies Act (2013)
This Act ensures that the companies meet the regulatory requirements and follow the rules and regulations laid down in the Act. It also covers laws relating to e-discovery, cyber forensics, and cybersecurity diligence that enable the company’s leaders to be diligent and compliant with the same, thereby adhering to the law.
NIST Compliance
The National Institute of Standards and Technology (NIST) framework serves as a comprehensive guide for organisations seeking to enhance their cybersecurity posture and address potential threats. Established in 2014, the framework consists of a set of standards, guidelines, and best practices designed to protect information systems and critical infrastructure from cyberattacks and data breaches.
At the core of NIST compliance lies the Cybersecurity Framework (CSF), a voluntary risk management framework that provides a structured approach to identifying, assessing, and mitigating cybersecurity risks. The CSF is based on five core functions:
- Identify: Organisations must identify and document their assets, systems, and data that require protection from cyber threats.
- Protect: Once assets have been identified, organisations must implement safeguards and controls to protect them from unauthorised access, use, or disclosure.
- Detect: To ensure timely response to cyber incidents, organisations must have mechanisms in place to detect and monitor suspicious activities within their systems.
- Respond: In the event of a cyber incident, organisations must have a response plan in place to minimise the damage and restore normal operations promptly.
- Recover: After a cyber incident has occurred, organisations must recover lost or compromised data and restore their systems to normal functionality.
By adhering to NIST compliance requirements, organisations can significantly enhance their cybersecurity posture, reduce the risk of data breaches, and meet regulatory requirements. NIST-compliant organisations benefit from improved security measures, increased resilience to cyber threats, and greater confidence from customers and stakeholders.
Achieving and maintaining NIST compliance involves ongoing efforts, including regular risk assessments, the implementation of security controls, employee training, and continuous monitoring of cybersecurity threats. Organisations can leverage NIST resources, such as the Cybersecurity Framework Implementation Guide and the NIST Cybersecurity Practice Guides, to assist with their compliance efforts.
NIST compliance is essential for organisations that handle sensitive data, operate critical infrastructure, or are subject to regulatory requirements. By embracing NIST’s cybersecurity guidelines and best practices, organisations can proactively safeguard their information assets, mitigate cyber risks, and ensure the integrity and confidentiality of their data.
US case laws that have shaped the laws on hacking and data theft in the US
Let us now look at a few landmark US cases that have shaped the legal framework surrounding hacking and data theft in the US.
United States vs. Aaron Swartz (2013)
Aaron Swartz was a talented computer programmer, internet activist, and open access advocate. In 2011, he was arrested and charged with multiple counts of fraud and violating the Computer Fraud and Abuse Act (CFAA) for systematically downloading millions of academic articles from JSTOR, a subscription-based online academic journal database.
Swartz had been a research fellow at Harvard University, and he had legitimate access to JSTOR’s database. However, he used a Perl script to automate the downloading of articles from JSTOR, without the permission of JSTOR. Swartz’s actions were motivated by his belief that academic research should be freely available to everyone, and he intended to make the downloaded articles available to the public.
The case against Swartz drew widespread attention and sparked a debate about the scope of the CFAA and the appropriate balance between intellectual property rights and the public’s right to access information. Swartz became a symbol of the fight for open access and internet freedom.
In 2013, Swartz committed suicide while facing the prospect of a lengthy prison sentence. His death was a tragedy and a loss to the internet community and the open access movement.
United States vs. Albert Gonzalez (2009)
Case summary: Albert Gonzalez became a secret informer for the United States Secret Service. During his service, from 2003 to 2008, he committed numerous fraudulent activities, including identity theft and computer crimes, under cover of his covert work. He was accused of stealing and reselling more than 170 million credit card and ATM numbers, the biggest fraud of its kind in history. His activities also included data breaches at top companies, namely TJX Companies, BJ’s Wholesale Club and others. In the year 2020, he was sentenced to 20 years of federal imprisonment for these cybercrimes.
Facebook, Inc. vs. Power Ventures, Inc. (2012)
In 2012, Facebook, Inc. filed a lawsuit against Power Ventures, Inc., a data analytics company. Facebook alleged that Power Ventures had violated the Computer Fraud and Abuse Act (CFAA) by accessing the data of Facebook users without their consent. Power Ventures collected this data by creating fake Facebook profiles and sending friend requests to real users. Once the friend requests were accepted, Power Ventures could access the personal information of those users, including their names, email addresses, and photos.
Power Ventures argued that its actions were not illegal because it did not access Facebook’s computer systems without authorization. Instead, it argued that it merely used the public features of Facebook’s website, such as the friend request system, to collect data.
The Ninth Circuit Court of Appeals disagreed with Power Ventures’ argument. The court held that Power Ventures’ actions violated the CFAA because they exceeded the scope of Facebook’s terms of service. The court noted that Facebook’s terms of service prohibited users from using fake profiles or sending friend requests to people they did not know. By creating fake profiles and sending friend requests to real users, Power Ventures violated Facebook’s terms of service and thereby exceeded the scope of its authorization to access Facebook’s website.
The court also held that Power Ventures’ actions caused Facebook harm. The court noted that Facebook spent significant resources developing and maintaining its website, and that Power Ventures’ actions interfered with Facebook’s ability to provide its services to its users.
The Ninth Circuit Court of Appeals’ decision in Facebook, Inc. vs. Power Ventures, Inc. is an important precedent for cases involving the unauthorized access of data from social media websites. The decision makes it clear that such actions can violate the CFAA, even if the defendant does not access the website’s computer systems without authorisation.
Conclusion
Given the curbs that different countries now use to mitigate the risk of cyber threats and attacks, it is fair to conclude that laws and risk-mitigating solutions are strengthening day by day. A good cybersecurity framework is a critical, mandatory requirement that almost all organisations now follow, and it has reduced the number of attacks. However, as individuals we need to be very careful when dealing with the world of the internet so that we do not become victims of such attacks.