This article is written by Risabh Mishra, pursuing a Diploma in Entrepreneurship, Administration and Business Laws from LawSikho.

Introduction

As we grow we must be better persons the way we were before and for that we must adapt to our environment. These adaptations may bring new things in our personality, traits, perception, skills and many more or they may degrade the same. In a similar fashion, all these things apply to software updates in their own way.

Software updates are important for them to perform much better as every software cannot be said to be perfect. It always requires updates be it change in services, circumstances, legal compliances, glitches and security. Updates fine tune the software to work in a more secured and legally sound environment. These are important to reduce the risk associated with it because of connectivity with the internet, and sustain in the market. 

Cyber security is defined under the Information Technology Act, 2000 with very wide interpretation as it not only covers protection of information but also its use, distortion and modification. Cyber Security is one of the biggest threats which impacts hundreds of million people around the world. Only way to mitigate the security threats is to update the software. Lack of security not only makes a person vulnerable but sometimes it may impact a whole security of the nation. Thus, treats must be mitigated timely for security.

Software updates

Basically an update replaces the older version of the software with the new one. They are free of charge generally. All software needs to be updated with time to sustain in the market, legal compliances, cyber security and glitches or in technical terms “Bugs”. Generally, when the software company winds up the business or stops supporting the product all the activities related to updates are brought to an end. All these updates are categorized into versions to help identification and differentiation from previous versions. Categorization of software into version also helps to identify the applied fixes.[1]  

Software updates must not be confused with software upgrade; they both are different in operation and functions. The differences between them are as follows:[2]

S. No.	SOFTWARE UPDATE	SOFTWARE UPGRADE
	Minor improvements are made in existing software.	Whole new software with improvements is provided by replacing older one.
	These are free of cost.	These require additional cost.
	It supersedes older versions of the same product.	It supersedes the old product itself.
	These are compulsory for the running of the program.	These are not necessarily compulsory for running a program.
	Updates are frequent in nature.	Upgrades are not so frequent and are generally opted for much better performance.

One of the best examples to understand between software upgrades and software updates is Accounting software. With the introduction of GST Laws all accounting software needs to be updated because GST Laws entirely changed the billing system. Older software dealt with VAT and CST or any other taxation law but in the present legal environment they have to be dealt with GST which is a whole new change because the billing system which was in compliance with VAT and CST or any other taxation law has to be replaced with GST laws.

Why software updates are important 

Software updates are important for many reasons such as it fixes errors, fixes conflicts with other software or hardware, security and it updates new features by replacing older or outer ones. From all the above reasons security is one of the main concerns because without it software becomes vulnerable and attracts attention of hackers.  Hackers take advantage of these vulnerabilities and send malware or other any kind of virus through any link, compromised message or media to software. When these links or messages are accessed in software, they steal the data from the software such as bank details, messages, photos or any other data.

Another security concern is that these viruses may be transmitted to other devices also and makes the data of such software vulnerable. If the attack is for ransom then hackers may encrypt the data and shall ask for ransom against the encryption key.

By stealing data a lot of crimes may be committed in the names of such data owners. One of the biggest security breaches that happened in the 21st century till date is of Yahoo which impacted around 3 billion users’ data. The attackers posed as state sponsored actors and they compromised the users’ data such as real names, telephone numbers, date of birth, e-mail addresses and passwords. Initially, impact assessment estimated 500 million affected users but later it turned out to be 3 billion users. It costs the valuation of the company because when this security breach came into light Yahoo was about to be acquired by Verizone for around $4.48 billion but because of this security breach the valuation was reduced by $350 million. Another biggest security breach is Zynga, one of the biggest online gaming companies. A Pakistani hacker stole the details of around 218 million users which were confirmed by company to be stolen.[3]

Law governing cyber security in India

Information Technology Act, 2000

Information Technology Act, 2000 (hereinafter referred as IT Act) is the main legislation which governs cyber security in India. It defines cyber security as protection from unauthorized access, use, destruction, disruption disclosure or modification of information, equipment, devices, computer, computer resource, communication device and information stored therein.[4] It also defines the term “access” which means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network with its grammatical variations and cognate expressions.[5] The definition of access is made in technical terms to cover all the aspects of technicality. It provides legal recognition and protection of transactions made through electronic means and in addition to these rules were made under IT Act focusing on information security, defines reasonable security practices to be followed by corporate, role of intermediary, (CERT in) etc. Moreover, if the body corporate is negligent in handling, possessing or dealing in personal data or sensitive personal data they have to compensate for damages caused to the victim. To prevent and mitigate criminal activities provision for imprisonment and penalties are incorporated under this Act against the wrongdoers.[6]

Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 or CERT Rules

As the title suggests, provisions under CERT Rules are for collection, dissemination and analysis of information on cyber incidents and measures for containing such incidents. Nodal agency is established for implementation of above mentioned responsibilities. There are instances which have to be mandatorily reported, instances such as:

1. 1. targeted invasion; 
   2. unauthorized access to IT systems or data;
   3. defacement of websites, malicious code attacks, denial of service and distributed denial of service (DDoS) attacks, attacks on domain name systems and network services; and 
   4. attacks on applications for governance activities and commercial activities.

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 or SPDI Rules

SPDI Rules are applicable on those business entities which hold personal data and sensitive personal data. The rules mandates for following compliances:

1. to have consent of person for collection of his information;
2. information must be taken only for legal purposes;
3. disclosure and privacy policy must be made by organizations;
4. must follow restrictions imposed on data transfer and disclosures for security concerns.

These rules also made provisions for government authorities to follow procedure if they seek personal data or sensitive personal data information from business entities. They have to apply for information to such entities with specific reasons under and the manner in which they are going to use it.[7] Thus, government authorities cannot use information as per their whims and business entities shall be protected from accountability of unauthorized use.

Both the rules mentioned above are made under Information Technology Act, 2000. With these laws the state has tried to play its part for the protection of information and data stored in electronic format. State has also tried to protect the unauthorized use of information by any individual, person and even government entity.

How can updating software timely can reduce the cyber risks

Updated software is not only good for the user but also for the businesses and timely update of software not only protects breaches or attempt towards it but it may reduce the cost of breach if anyway happened by 47% or by 54% for small and medium businesses as per Kaspersky report on “How Businesses can Minimize the Cost of a Breach.” Findings under this report suggest measures to mitigate cyber risks, which are as follows:[8]

1. software must be renewed on priority basis by businesses;
2. businesses must be prepared to invest money in renewals to save it in long-term;
3. latest versions of operating system must be used with auto-update features to ensure up to date software;
4. vulnerable nodes must be separated neatly from rest of the network while addressing attack vector, if software cannot be updated;
5. vulnerability assessment and patch assessment feature must be enabled at an endpoint protection solution;
6. IT training can help IT managers who are frontline employees in IT division to boost their security knowledge and can learn, improvise and develop new practical cyber security skills; and
7. software must be protected always even if there is no availability of its updates if it is related to a critical IT or operational technology System.

Above measures suggested by Kaspersky on the basis of a survey conducted by it where they felt that there will be less investment in the cyber security sector because of a pandemic situation which resulted in volatility in the global economic situation. By adopting these measures businesses can not only mitigate the risk but also can save money.  

Conclusion

Updates are important for software as they mitigate the risks associated with it. Risks of threats such as financial threat, data theft, ransom attacks etc are challenges to businesses which must be mitigated for smooth functioning and for sustaining in the market. Security updates in software may also prevent the businesses from falling into legal troubles which could sometimes cost huge losses or the whole valuation of the company or shutting of business. But all these can be mitigated with an update and even if no software is available measures suggested by Kaspersky can be adopted as it mitigates risks and saves money. 

Measures suggested above can be universally applied without any legal barriers as these are technical and are related to management. So far as legislation is concerned in relation to cyber security they are more concerned with protection of data or information and accountability in case of leak of such data. Updates of software for cyber security in respect of legislation are only limited to its compliance for maintaining check and balance. Updates must not pose a threat in itself to cyber security, if it does then there is no law in India which acts proactively in such cases to mitigate the risk and such threats are eliminated only after causing some kind loss or attempt to do it.

References

1. https://www.computerhope.com/jargon/u/update.htm#:~:text=An%20update%20is%20new%2C%20improved,publisher%20free%20of%20additional%20charge
2. https://www.parkersoftware.com/blog/whats-the-difference-between-a-software-upgrade-and-a-software-update/
3. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
4. See Sub-Clause (nb) of Clause (1) Section 2 of Information technology Act, 2000 
5. See Sub-Clause (a) of Clause (1) Section 2 of Information technology Act, 2000
6. https://www.lexology.com/library/detail.aspx?g=d7b0a465-cc55-48e9-9534-b05bf0c036bd#:~:text=The%20main%20legislation%20governing%20the,%2C%20use%2C%20disclosure%2C%20disruption%2C
7. See Rule 6 of SPDI Rules, 2011
8. https://www.dynamicciso.com/50-of-data-breaches-cost-reduces-with-timely-software-updates-kaspersky

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: