This article is written by Shambhavi Tripathi, a 3rd-year student of LL.B. in Panjab University, Chandigarh. The article explains the concept of cyber security and its importance, impact of cyber security breaches and cyber security laws. It also discusses the concept of “cyber jurisprudence” in brief.
Cyber law is a very vast area with many sub-disciplines emerging out of it. A few of the sub-disciplines of cyber law are artificial intelligence law, information security law and cyber security law. Cyber law and cyber security law are often mistaken for the same thing, but cyber security law can be considered a branch of cyber law.
Cyber law can be defined as the law which governs the whole of cyber space and all its elements. It protects against cyber crimes and lays down punishments for its violation. Cyber law is a common term which refers to the legal jurisdiction over and regulation of various aspects of the internet and computer security. On the other hand, cyber security law can be defined as “the new emerging legal discipline within the cyber law umbrella, which deals with all the legal policy and regulatory issues pertaining to cyber security, its protection, preservation, maintenance and continued advancements.”
Concept of Cyber Security Breaches
A cyber security breach is an incident that results in unauthorized or illegal access to computer systems, networks, stored data, software/hardware, services or devices by violating the security mechanisms of the systems. Cyber security breaches happen when the security policy, mechanisms or system are violated. In simple terms, a cyber security breach occurs when an individual (read cyber criminal) illegally enters a private or confidential IT perimeter. A cyber security breach is also known as a cyber security violation. A cyber security breach is one of the earliest stages of a cyber attack by a malicious intruder, such as a hacker, cracker or application. A cyber security breach can range from low-risk to highly critical depending on the nature of the incident.
In an organization or corporation, security breaches are carefully monitored, identified and processed by a software or hardware firewall. If any kind of intrusion, breach or violation is detected, this firewall issues a notification to the network or security administrator.
A cyber security breach occurs when an unauthorized party gets past security measures to reach protected areas of a system in order to gain information or spread viruses. A cyber security breach can give the intruder access to valuable information such as company accounts, intellectual property and the personal information of customers. If a cyber criminal steals such confidential information, a security breach has occurred. Such information is often sold on the dark web and can be used to commit crimes such as identity theft.
Importance of Cyber Security
Strong cyber security is extremely important for an organization to prevent its data and systems from being violated and misused. Cyber attacks cost organizations billions of pounds and can cause serious damage. Impacted organizations stand to lose sensitive data, and face fines and reputational damage. Cyber security is important because:
- The costs of cyber security breaches are rising: It is considered the duty of an organization to have a strong cyber security mechanism to prevent breaches of its customers' data. With the emergence and popularity of privacy laws, the liability of organizations has increased. If there is a breach of security, organizations are heavily fined. There are also non-financial costs to be considered, like reputational damage.
- Cyber attacks are constantly developing: With the advancements in science and technology, cyber attacks also continue to grow in sophistication, with cyber attackers using advanced technology to break into someone’s system. This includes social engineering, malware and ransomware (as seen with Petya, WannaCry and NotPetya).
- Cyber crime is a big business: Cyber crime is a big business in terms of financial gain. According to a study conducted by Bromium, in 2018, the cyber crime economy was estimated to be worth $1.5 trillion. However, money is not the only factor; attackers can also be driven by political, ethical or social motivations.
- Cyber security is a critical, board-level issue: New regulations and reporting requirements make cyber security risk oversight a challenge. The board will continue to seek assurances from management that their cyber risk strategies will reduce the risk of attacks and limit financial and operational impacts.
Impact of Cyber Security Breach
A successful breach of cyber security can cause major damage to an organization and its business. It can affect a business's standing and consumer trust. The impact of a breach is different for each organization, depending on the timing and duration, the kind of breach and the industry in which the organization operates. For example, a data breach may have more critical consequences for the financial sector than for the manufacturing sector. However, there are certain common impacts of a cyber security breach. The impact of a cyber security breach can be broadly divided into five categories:
Financial losses: Cyber crime costs small businesses disproportionately more than big businesses. For a large corporation, the financial impact of a breach may run into the millions, but at their scale, such monetary implications barely affect them. On the other hand, small businesses shell out an average of Rs. 26,85,859 to recover from a single data breach in direct expenses alone. Casual negligence of cyber security could quite easily put an organization or corporation out of business. Businesses that have suffered a cyber breach will also generally incur costs associated with repairing affected systems, networks and devices. Cyber attacks often result in substantial financial loss arising from:
- Disruption to trading (e.g. inability to carry out transactions online).
- Loss of business or contract.
- Theft of money or financial information.
Reputational damage: Cyber attacks can damage an organization’s reputation and corrode the trust the customers have for that organization. The effect of reputational damage can even impact the suppliers, or affect relationships one may have with partners, investors and other third parties vested in someone’s business.
Loss of customer and stakeholder trust can be the most harmful impact of a cyber security breach, since the majority of people would not want to do business with an organization or corporation that had been breached and attacked because of a poor cyber security system, especially if it failed to protect its customers’ data. Taking a reputational hit may also affect the ability of the organization to attract the best talent, suppliers, investors and customers. This, in turn, could potentially lead to:
- Loss of customers.
- Loss of sales.
- Reduction in profits.
Theft: Smaller organizations’ defenses and security systems are considerably less sophisticated and easier to penetrate, making them a softer target than bigger organizations. Cyber frauds and thefts lead to monetary losses, but stolen data can be worth more to hackers, especially when sold on the Dark Web. For example, on 31st October, 2019, it was found that the data of around 1.3 million debit and credit cards of Indian users had been put up for sale on the Dark Web by hackers; each card was sold for $100, and overall the hackers could make $130 million out of it. Intellectual property theft is equally damaging: companies can lose years of effort and research and development investment in trade secrets or copyrighted material. Theft can be of various kinds, for example:
- Theft of corporate information.
- Theft of financial information (e.g. bank details or credit/debit card details).
- Theft of personal information of customers.
- Theft of money.
- Identity theft.
Fines: As discussed above, there is the prospect of monetary penalties, fines or costs for organizations that fail to implement proper cyber security systems. Various nations are considering implementing strict regulations for breaches of systems due to weak cyber security. One example is a measure proposed by the European Parliament for privacy breaches, applicable from 25 May 2018: a fine of 20 million euros or 4% of global annual revenue, whichever is higher.
Below-the-surface costs: In addition to financial losses, fines and the economic costs of response, there are several other intangible costs that can continue to affect the organization’s business.
Cyber Security Law
Cyber security law is a rather new field for many countries and is still developing worldwide. Countries are increasingly concerned about the entire issue of cyber security and the threats it poses. Cyber security impacts not only the economy of nations but also their sovereignty, by threatening the power and authority of governments. However, there is no international framework on cyber security, and countries are taking it upon themselves to come up with their own national legislation to deal with cyber security breaches.
In India, too, there is no particular legislation for cyber security law, but horizontally applicable cyber security measures are provided for in the IT Act, 2000 and the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (“CERT-In Rules”). For example, the CERT-In Rules require individuals and organizations affected by any kind of cyber security incident to mandatorily report it to CERT-In in order to obtain assistance.
Specific security-related compliances for certain types of information are also found in the following:
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
- Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (“Protected System Rules”).
- Companies (Management and Administration) Rules, 2014 (“CMA Rules”).
Concept of Cyber Jurisprudence
Cyber law is a very new field and has had very little structured study as compared to other, older, branches of the law. To define cyber jurisprudence, we must define jurisprudence first. Black’s Law Dictionary gives us two different definitions of jurisprudence:
First is, “a method of legal study that concentrates on the logical structure of law, the meanings and uses of its concepts, and the formal terms and modes of its operation.” and the other, “a system, body or division of law.” In simple terms, it can be said that jurisprudence is the science and philosophy or theory of the law.
Now coming to cyber jurisprudence, it is the legal study that concentrates on the logical structure, the meanings and uses of its concepts, and the formal terms and modes of operation of cyber law. Legal issues relating to electronic communication, computer systems and networks in this world of the internet demand a new kind of jurisprudence: cyber jurisprudence with a virtual approach. Cyber jurisprudence describes the principles of the legal issues of cyber law, which exclusively regulates cyber space and the internet and deals with the complex idea of cyber jurisdiction.
There is an urgent need to establish a strong international cyber security regime which would address the various concerns and issues. A common approach to cyber security can be developed, implemented and encouraged by applying the principles of governance, management and inclusiveness. This would encourage a system of cyber security which would ultimately lead to the development of a natural instinct for what is safe and what is risky. There is a need for the development of an international, multi-stakeholder regime that would include industry, governmental, international and non-governmental organizations focused on cyber security in space. Apart from this, the emergence of cyber jurisprudence around the world has promoted the growth of new dimensions in law and cyber law. The development of cyber jurisprudence is opening new areas for better cyber legislation.