Image source: https://www.truenorthnetworks.com/blog/importance-of-patching-1

This article has been written by Rishabh Mishra, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.

Introduction

As we grow we must become better than we were before, and for that we must adapt to our environment. These adaptations may add new things to our personality, traits, perception and skills, or they may degrade them. In a similar fashion, all of this applies to software updates in their own way.

Software updates are important because no software can be said to be perfect, and an update lets it perform much better. Software always requires updates, whether for changes in services, circumstances, legal compliance, glitches or security. Updates fine-tune the software to work in a more secure and legally sound environment. They are important to reduce the risk that comes with connectivity to the internet, and to sustain the software in the market.

Cybersecurity is defined under the Information Technology Act, 2000 with a very wide interpretation, as it covers not only the protection of information but also its use, distortion and modification. Cybersecurity threats are among the biggest threats in the world, impacting hundreds of millions of people. The only way to mitigate these security threats is to update the software. Lack of security not only makes a person vulnerable but may sometimes impact the security of the nation. Thus, threats must be mitigated in a timely manner.

Software updates

Basically, an update replaces the older version of the software with a new one. Updates are generally free of charge. All software needs to be updated over time to sustain itself in the market, to meet legal compliance and cybersecurity requirements, and to fix glitches, or in technical terms "bugs". Generally, when the software company winds up its business or stops supporting the product, all activities related to updates are brought to an end. Updates are categorized into versions to help identify and differentiate them from previous versions; categorizing software into versions also helps to identify which fixes have been applied. Software updates must not be confused with software upgrades; the two differ in operation and function. The differences between them are as follows:

S. No. | SOFTWARE UPDATE | SOFTWARE UPGRADE
1. | Minor improvements are made to existing software. | Whole new software with improvements is provided, replacing the older one.
2. | These are free of cost. | These require additional cost.
3. | It supersedes older versions of the same product. | It supersedes the old product itself.
4. | These are compulsory for the running of the program. | These are not necessarily compulsory for running the program.
5. | Updates are frequent in nature. | Upgrades are not so frequent and are generally opted for much better performance.

One of the best examples for understanding the difference between software upgrades and software updates is accounting software. With the introduction of the GST laws, all accounting software needed to be updated, because the GST laws entirely changed the billing system. Older software dealt with VAT, CST or other tax laws, but in the present legal environment it has to deal with GST, which is a whole new change: the billing system that complied with VAT, CST or any other taxation law had to be replaced with one that complies with the GST laws.

Why are software updates important?

Software updates are important for many reasons: they fix errors, resolve conflicts with other software or hardware, improve security, and add new features by replacing older or outdated ones. Of all these reasons, security is one of the main concerns, because without it software becomes vulnerable and attracts the attention of hackers. Hackers take advantage of these vulnerabilities and deliver malware or any kind of virus to the software through a link, a compromised message or media. When these links or messages are opened in the software, they steal data from it such as bank details, messages, photos or any other data.

Another security concern is that these viruses may also be transmitted to other devices, making the data on those devices vulnerable as well. If the attack is for ransom, the hackers may encrypt the data and demand a ransom in exchange for the encryption key.

With stolen data, many crimes may be committed in the names of the data owners. One of the biggest security breaches of the 21st century to date is the Yahoo breach, which impacted around 3 billion users' data. The attackers, posing as state-sponsored actors, compromised user data such as real names, telephone numbers, dates of birth, e-mail addresses and passwords. The initial impact assessment estimated 500 million affected users, but it later turned out to be 3 billion. The breach also cost the company in its valuation: when it came to light, Yahoo was about to be acquired by Verizon for around $4.48 billion, and because of the breach the valuation was reduced by $350 million. Another of the biggest security breaches is that of Zynga, one of the biggest online gaming companies, where a Pakistani hacker stole the details of around 218 million users, which the company confirmed to have been stolen.

Law governing cybersecurity in India

Information Technology Act, 2000

The Information Technology Act, 2000 (hereinafter referred to as the IT Act) is the main legislation that governs cybersecurity in India. It defines cybersecurity as protection from unauthorized access, use, destruction, disruption, disclosure or modification of information, equipment, devices, computers, computer resources, communication devices and the information stored therein. It also defines the term "access", which means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network, with its grammatical variations and cognate expressions. The definition of access is framed in technical terms so as to cover all technical aspects. The Act provides legal recognition and protection for transactions made through electronic means, and in addition, rules were made under the IT Act that focus on information security, define the reasonable security practices to be followed by a body corporate, and set out the role of intermediaries, CERT-In, etc. Moreover, if a body corporate is negligent in handling, possessing or dealing in personal data or sensitive personal data, it has to compensate for the damage caused to the victim. To prevent and mitigate criminal activities, provisions for imprisonment and penalties against wrongdoers are incorporated under this Act.

Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 or CERT Rules

As the title suggests, the provisions of the CERT Rules cover the collection, dissemination and analysis of information on cyber incidents and the measures for containing such incidents. A nodal agency is established to implement the above-mentioned responsibilities. Certain incidents have to be mandatorily reported, such as:

  1. a targeted intrusion;
  2. unauthorized access to IT systems or data;
  3. defacement of websites, malicious code attacks, denial of service and distributed denial of service (DDoS) attacks, and attacks on domain name systems and network services; and
  4. attacks on applications for governance activities and commercial activities.

Information Technology (Reasonable security practices and procedures and Sensitive Personal Data or information) Rules 2011 or SPDI Rules

The SPDI Rules apply to business entities that hold personal data and sensitive personal data. The rules mandate the following compliances:

  1. to have the consent of the person for the collection of his information;
  2. the information must be taken only for legal purposes;
  3. disclosure and privacy policy must be made by organizations;
  4. must follow restrictions imposed on data transfer and disclosures for security concerns.

These rules also lay down procedures that government authorities must follow if they seek personal data or sensitive personal data from business entities. They have to apply to such entities for the information, stating the specific reasons for the request and the manner in which they are going to use it. Thus, government authorities cannot use information at their whim, and business entities are protected from accountability for its unauthorized use.

Both sets of rules mentioned above are made under the Information Technology Act, 2000. With these laws, the state has tried to play its part in protecting information and data stored in electronic form. The state has also tried to protect against unauthorized use of information by any individual, person or even government entity.

How can updating software in a timely manner reduce cyber risks?

Updated software is good not only for the user but also for businesses. Timely updating of software not only protects against breaches or attempts at them, but may also reduce the cost of a breach, if one does happen, by 47%, or by 54% for small and medium businesses, according to the Kaspersky report "How Businesses can Minimize the Cost of a Breach". The findings of this report suggest the following measures to mitigate cyber risks:

  1. Software must be renewed on a priority basis by businesses, which must be prepared to invest money in renewals now in order to save it in the long term;
  2. The latest versions of the operating system must be used, with auto-update features enabled, to ensure the software stays up to date;
  3. If software cannot be updated, the vulnerable nodes must be separated cleanly from the rest of the network while the attack vector is addressed;
  4. The vulnerability assessment and patch assessment features must be enabled in the endpoint protection solution;
  5. IT training can help IT managers, who are the frontline employees in the IT division, to boost their security knowledge and to learn, improve and develop new practical cybersecurity skills; and
  6. Software related to critical IT or operational technology systems must always be protected, even if no updates are available for it.
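The measures above can be turned into a simple triage routine. The following is an added example, not code from the article or from the Kaspersky report, and every host name, product name and version number in it is constructed sample data. It assumes a small "latest supported version" catalogue and sorts each host into one of the actions the measures call for: update it, enable auto-update, isolate it from the network when no update exists, or investigate it because the product is not in the inventory at all.

```python
"""Patch-compliance triage over a constructed host inventory (added example).

Implements the report's measures as decisions: flag hosts running outdated
software, flag up-to-date hosts that lack auto-update, and mark hosts whose
software has no update available (end of support) as isolation candidates.
"""
from dataclasses import dataclass

# Constructed catalogue of the latest supported version per product.
# None means the (hypothetical) vendor no longer ships updates for it.
LATEST_VERSION = {
    "AcmeOS": "12.4.1",
    "LedgerPro": "3.10.0",
    "LegacyPLC-Tool": None,
}


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    auto_update: bool


def parse_version(version: str) -> tuple:
    """Turn '3.10.0' into (3, 10, 0) so versions compare numerically.

    Comparing the raw strings would be wrong: '3.9.2' > '3.10.0' as text,
    even though 3.10.0 is the newer release.
    """
    return tuple(int(part) for part in version.split("."))


def assess(host: Host) -> str:
    """Return the action for one host: UP_TO_DATE, UPDATE,
    ENABLE_AUTO_UPDATE, ISOLATE or UNKNOWN_PRODUCT."""
    if host.product not in LATEST_VERSION:
        # Software outside the inventory cannot be patch-managed at all.
        return "UNKNOWN_PRODUCT"
    latest = LATEST_VERSION[host.product]
    if latest is None:
        # No update exists: separate the node from the rest of the network.
        return "ISOLATE"
    if parse_version(host.version) < parse_version(latest):
        return "UPDATE"
    if not host.auto_update:
        # Current today, but nothing keeps it current tomorrow.
        return "ENABLE_AUTO_UPDATE"
    return "UP_TO_DATE"


# Actions in priority order for the report.
PRIORITY = ["ISOLATE", "UPDATE", "UNKNOWN_PRODUCT", "ENABLE_AUTO_UPDATE", "UP_TO_DATE"]


def triage(hosts) -> dict:
    """Group host names by action, each group sorted by name."""
    groups = {action: [] for action in PRIORITY}
    for host in hosts:
        groups[assess(host)].append(host.name)
    return {action: sorted(names) for action, names in groups.items()}


def report(hosts) -> list:
    """Render the triage as one line per action, highest priority first."""
    grouped = triage(hosts)
    return [f"{action}: {', '.join(grouped[action]) or '-'}" for action in PRIORITY]


# Constructed sample inventory.
INVENTORY = [
    Host("fileserver-01", "AcmeOS", "12.3.9", auto_update=False),
    Host("hr-laptop-07", "AcmeOS", "12.4.1", auto_update=True),
    Host("billing-02", "LedgerPro", "3.9.2", auto_update=True),
    Host("plant-hmi-01", "LegacyPLC-Tool", "2.1.0", auto_update=False),
    Host("kiosk-03", "AcmeOS", "12.4.1", auto_update=False),
    Host("shadow-box", "MysteryApp", "1.0", auto_update=False),
]

if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

The numeric version comparison is the part worth copying: a string comparison would report billing-02 (LedgerPro 3.9.2) as newer than the 3.10.0 release and silently leave it unpatched, which is exactly the kind of gap the report's vulnerability and patch assessment measure is meant to close.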

The above measures were suggested by Kaspersky on the basis of a survey it conducted, in which respondents felt that there would be less investment in the cybersecurity sector because of the pandemic, which had caused volatility in the global economic situation. By adopting these measures, businesses can not only mitigate the risk but also save money.

Conclusion

Updates are important for software because they mitigate the risks associated with it. Threats such as financial loss, data theft and ransom attacks are challenges that businesses must mitigate for smooth functioning and for sustaining themselves in the market. Security updates may also keep businesses out of legal trouble, which can sometimes cost huge losses, the whole valuation of the company, or the shutting down of the business. All of these risks can be mitigated with an update, and even if no update is available, the measures suggested by Kaspersky can be adopted, as they mitigate risk and save money. The measures suggested above can be applied universally without any legal barriers, as they are technical and managerial in nature. As far as legislation on cybersecurity is concerned, it is more concerned with the protection of data or information and with accountability in case such data is leaked. In respect of legislation, software updates for cybersecurity are limited to compliance for maintaining checks and balances. An update must not itself pose a threat to cybersecurity; if it does, there is no law in India that acts proactively in such cases to mitigate the risk, and such threats are eliminated only after they have caused, or attempted to cause, some kind of loss.

References

  1. https://www.computerhope.com/jargon/u/update.htm
  2. https://www.parkersoftware.com/blog/whats-the-difference-between-a-software-upgrade-and-a-software-update/
  3. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
  4. https://www.dynamicciso.com/50-of-data-breaches-cost-reduces-with-timely-software-updates-kaspersky/
