Cyber Law & Data Privacy v1.0

Uploaded by Hemant Dusane

HEMANT DUSANE

CYBER LAW AND DATA PRIVACY
Disclaimer

Content, images, videos and supporting information used for this presentation are for educational purposes.

The content of this presentation is intended to provide general guidance on the subject matter. Specialist advice should be sought about your specific circumstances.

All views expressed are personal and do not represent the official views of any organization. For any further information please contact hemant@inventonus.com

www.inventonus.com
Terms

“Cyber crime” is a generic term that refers to all criminal activities done using the medium of computers, the internet, cyber space and the worldwide web.

“Cyber Security” means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.

“Cyber law” is a term used to describe the legal issues related to use of communications technology, particularly “cyberspace”, i.e. the Internet. In India, cyber law is represented by the IT Act 2000.

“Data privacy” is a set of regulations that govern how personal information is handled, protected, and controlled. It is also known as information privacy.
Internet and smart gadgets are now an integral part of our lives
INFORMATION SECURITY PRINCIPLES

• Confidentiality: Data is confidential when only those people who are authorized to access it can do so.

• Integrity means maintaining data in its correct state and preventing it from being improperly modified, either by accident or maliciously.

• Availability is the mirror image of confidentiality: while you need to make sure that your data can't be accessed by unauthorized users, you also need to ensure that it can be accessed by those who have the proper permissions.
SUPER CONCERNS OF ADVANCEMENT IN TECH

“The development of full artificial intelligence could spell the end of the human race.”

“I think we should be very careful about artificial intelligence.”

“… there’s some prudence in thinking about benchmarks that would indicate some general intelligence developing on the horizon.”

“I am in the camp that is concerned about super intelligence.”

“… eventually they'll think faster than us and they'll get rid of the slow humans …”
CURRENT SCENARIOS

• Stressed students / staff: physical distancing and self-isolation make them more vulnerable to online attacks.

• Shift in risk profile: remote access over the Internet has increased from 10% to 90%.

• No monitoring / inadequate monitoring: lack of monitoring controls to identify threats proactively.

• Limited controls on publicly accessed infrastructure and applications: essential controls are overlooked in the rush to complete activities.
CYBER CRIME – UPWARD TRENDS

• Huge increase in the use of the Internet and smart phones
• Individuals share personal and work-related information on the Internet
• Critical and sensitive information is shared on the Internet
• Financial transactions take place on the Internet
• Security controls are never 100% effective or adequate
• BAD guys are always ahead of GOOD guys
THREAT ENVIRONMENT

• Lost or stolen laptops, computers or other computer storage devices
• Social media / cloud computing
• Hackers breaking into systems
• Internal security failures
• Viruses, Trojan horses and computer security loopholes
• Employees stealing information or allowing access to information
• Information tossed into dumpsters: improper disposal of information
RECENT DATA BREACHES

1. February 2024: Bank of America Data Breach
2. January 2024: AI Startup Anthropic Data Leak, Trello Data Breach, Victoria Court System Data Breach
3. December 2023: Norton Healthcare Data Breach
4. November 2023: Toronto Public Library Data Breach, Infosys Data Breach, Boeing Data Breach
5. October 2023: Indian Council of Medical Research Data Breach, Air Europa Data Breach
6. September 2023: SONY Data Breach, Ontario Birth Registry Data Breach (MOVEit)
ELEVATED CYBERSECURITY RISKS – ORIGIN

• In 2023, there were 420 million cyberattacks, which equates to 13 attacks per second. These attacks originated from 212 countries, with 28% coming from the United States. There was also a spike in attacks from China.

• “48% of attacks came from [IP addresses] managed by [Internet services providers], 32% from organizations in business, government, and other sectors, and 10% from hosting or cloud providers. This reflects an increase in the use of compromised devices to launch attacks, whether directly or via ‘residential proxies,’”

*according to Forescout Vedere Labs.
TOP 10 CYBERSECURITY THREATS

Cyberattacks
• Include malware, phishing, ransomware, and other forms of malicious software.
• A cyberattack on critical infrastructure, such as a power grid, can threaten national security and have a far-reaching impact on society.

Geopolitical Threats
• Also known as cyberwarfare, these have become a major concern for global security.
• Can potentially cause significant damage and disruption to financial institutions, government agencies, and critical infrastructure.

Deepfake Technology Threats
• Use AI to create realistic and convincing fake videos, audio recordings, and images.
• Can potentially impersonate top-level executives, which can have significant consequences for organizations and individuals.
TOP 10 CYBERSECURITY THREATS

Cloud-Based Cyber Threats
• Aim to compromise the availability, integrity, and confidentiality of cloud-based resources, which can lead to data breaches, financial losses, and damage to a company’s reputation.

IoT Vulnerabilities
• IoT devices are projected to grow from 15.1 billion in 2020 to more than 29 billion in 2030.
• Cybercriminals can control botnets, which are networks of compromised devices, to carry out their malicious exploits, such as launching DDoS attacks, which can disrupt online services and websites.

Third-Party Cyber Threats
• Refer to potential cybersecurity risks and attacks that originate from external sources, such as the systems of suppliers and contractors or outside organizations’ networks or systems.

Intelligent Social Engineering Attacks
• Hackers might use social engineering tactics and psychological manipulation to trick employees into giving up sensitive company data or performing actions that can compromise the security of their organizations.
TOP 10 CYBERSECURITY THREATS

AI-Enhanced Cyber Threats
• Many malicious actors are trying to figure out how to use AI to accelerate their attacks and employ more effective and sophisticated social engineering attacks.

Shortage of Skilled Professionals
• Companies don’t have enough qualified and experienced cybersecurity professionals to protect their systems and data from cyber threats.

Mobile Security Threats
• Mobile devices, including smartphones, tablets, and wearables, have become increasingly essential productivity tools in today’s work-from-home world.
• Cybercriminals are using spyware developed specifically to spy on encrypted messaging applications, confidential corporate data and personal information.
CYBERSECURITY THREATS FAST-FORWARD 2030

1. Supply chain compromise of software dependencies.
2. Advanced disinformation campaigns.
3. Rise of digital surveillance authoritarianism / loss of privacy.
4. Human error and exploited legacy systems within cyber-physical ecosystems.
5. Targeted attacks enhanced by smart device data.
6. Lack of analysis and control of space-based infrastructure and objects.
7. Rise of advanced hybrid threats.
8. Skills shortage.
9. Cross-border ICT service providers as a single point of failure.
10. Artificial intelligence abuse.
THE MAJOR TYPES OF CYBERCRIME

• Hacking
• Phishing
• Identity Theft
• Ransomware Attacks
• Cyberstalking
• Malware
• DDoS Attacks
• Cyberespionage
• Intellectual Property Theft
• Cyberterrorism
KNOW YOUR CYBER ENEMY (KYCE)

• Total estimated ransomware payments in 2023: $1.1B USD.
• Average ransomware payment: $1.54M USD
• Approximate annual increase in ransomware payments: +90%
• 2023 payments ranged from: $20K - $150M USD (now 3% of annual revenue)
• Prevalence determined by both attempted attacks and verified compromises.

Top Ransomware Threats of 2023: Lockbit, Clop, Blackcat, Play
SECURITY MEASURES

For Individuals
• Avoid phishing scams; think before you click.
• Ensure your Wi-Fi connection is secure.
• Be cautious when using unsecured networks.
• Stick to password best practices and do testing.
• Set up two-factor authentication.
• Ensure devices are protected with antivirus.
• Don’t leave devices unattended.
• Keep apps and operating systems up to date.
• Adopt videoconferencing security best practices.
• Know how to identify malicious activities.
• Don’t share personal information.
• Be Vigilant, Be Skeptical, Be Safe.

For Institutes and Organizations
• Assess your corporate core IT infrastructure for remote working.
• Implement strong security for networks and devices operating during remote work.
• Integrate cybersecurity plans in your business model for remote working.
• Establish security protocols for remote users to ensure authentication and authorization.
• Limit access to databases containing sensitive information.
• Use secure tools to ensure protection of data. Train remote users to use these tools and features securely.
• Update your cybersecurity response plan to address the challenges of the pandemic.
• Maintain awareness about security, location, performance, and overall work hygiene of all users.
CYBER LAWS AND ITS IMPORTANCE

[Chart: Number of cyber crimes reported across India from 2012 to 2022]

With the second-largest internet population in the world, India was no exception to a growing digital village. While greater connectivity via the world wide web promises large-scale progress, it also leaves our digital societies open to new vulnerabilities. Cyber crimes know no borders and have evolved at a pace at par with emerging technologies.
CYBER CRIME – IT'S NO MORE FUN

• Cyber crime is controlled by the IT Act 2000 and the respective IPC provisions (constantly evolving)
• Complete control of Govt agencies over information stored, processed and transmitted over the internet
• Service providers like ISPs, email service providers, etc. are liable to share information with Govt agencies
• Upgradation of forensic labs; upgradation of investigating agencies with the latest technology
• Stringent punishment for cyber crimes
WHAT IS CYBER LAW?

• Like other laws of the nation, state, or world, a cyber law exists in the digital realm to tackle the legal issues arising day by day. We have all heard about problems like data breaches, identity theft, malware attacks, and more.
• Cyber laws are essential in addressing the legal challenges and conflicts that arise in the rapidly evolving landscape of cyberspace.
• These digital laws seek to establish a framework for the responsible and lawful use of technology and the Internet while addressing privacy, intellectual property, digital security, and cybercrimes.
• They provide legal guidelines for individuals and organizations operating in the digital domain, ensuring their actions comply with the law.

Cyber law encompasses laws relating to:
• Cyber crimes (not limited to)
• Electronic and digital signatures
• Intellectual property
• Data protection and privacy

Relevant Indian laws, rules and policies:
• Information Technology Act 2000 (IT Act 2000) and its Amendment
• Digital Personal Data Protection Act 2023
• Indian Penal Code, 1860
• RBI Guidelines, Notifications and Rules
• National Cyber Security Policy, 2013
• National Critical Information Infrastructure Protection Centre (NCIIPC) Regulations

https://www.meity.gov.in/content/cyber-laws
SCOPE OF CYBER LAW

• Privacy and Data Protection
• Intellectual Property
• Cybercrimes
• Cyber Security
• Cyber Warfare and International Law
• Free Expression Online
• Regulation of Internet Service Providers (ISPs)
• Consumer Protection
• Emerging Technologies
ROLE OF CYBER LAW

“ENSURING YOUR TRASH DOESN’T BECOME SOMEONE’S TREASURE.”
INDIAN PENAL CODE, 1860

• Section 354-D: Voyeurism - imprisonment up to seven years and fine.
• Section 354-D: Stalking - imprisonment up to five years and fine.
• Section 383: Punishment of Extortion - imprisonment up to three years or fine or both.
• Section 379: Punishment of Theft - imprisonment up to three years or fine or both.
• Section 406: Punishment of Criminal Breach of Trust - imprisonment up to three years or fine or both.
• Section 417: Punishment of Cheating - imprisonment up to one year or fine or both.
• Section 471: Using as genuine a forged document or electronic record - imprisonment up to two years or fine or both.
• Section 500: Punishment of Defamation - imprisonment up to two years or fine or both.
• Section 506: Punishment of Criminal Intimidation - imprisonment up to two years or fine or both.

*IPC 1860 is now replaced by BNS 2023
INFORMATION TECHNOLOGY ACT, 2000

• Section 65: Tampering with the Computer Source Documents - imprisonment up to three years or fine up to Rs. 20,000/-
• Section 66: Hacking the Computer System - imprisonment up to three years or fine up to Rs. 50,000/-
• Section 66-A: Sending of Offensive Messages - imprisonment up to three years or fine. (Struck down in 2015 by the SC)
• Section 66-B: Receiving stolen computer or electronic device - imprisonment up to three years or fine up to Rs. 1,00,000/-
• Section 66-C: Fraudulently using the password of any other person - imprisonment up to three years or fine up to Rs. 1,00,000/-
• Section 66-E: Publishing private images of other persons without consent - imprisonment up to three years or fine up to Rs. 2,00,000/-
• Section 66-F: Cyber Terrorism - imprisonment up to life.
• Section 67: Publishing information which is obscene via electronic form - imprisonment up to five years or fine up to Rs. 1,00,000/-
• Section 67-A: Publishing images or sexual content - imprisonment up to seven years or fine up to Rs. 1,00,000/-
• Section 71: Mis-representation - imprisonment up to two years or fine up to Rs. 10,000/-
“SOME OF THE PROVISIONS OF THE IT ACT ARE CONSIDERABLY LENIENT AS COMPARED TO THE HARSH PROVISIONS OF THE INDIAN PENAL CODE. IS IT JUSTIFIABLE?”

CYBER LAWS AND DATA PRIVACY

DATA PRIVACY

• Data privacy, also called information privacy, is a subset of security that focuses on personal information.
• Data privacy governs how data is collected, shared, and used.
• Data privacy is concerned with the proper handling of sensitive information such as financial data and intellectual property data.
DATA PRIVACY PRINCIPLES

Collection purpose and means
• Data is collected for an intent that is directly related to the data users’ function or activity.
• Must be collected legally and equitably.
• Purpose for which the data is used must be disclosed.
• Data collection should, of course, be necessary but not excessive.

Accuracy and retention
• Data users must ensure personal data is accurate and should not be kept longer than necessary.

Use
• Private data must be used for the purpose for which the data is collected or for a directly related purpose.
• It should not be used for any other purposes unless voluntary and explicit consent is obtained from the data subject.

Security
• Data users need to adopt security measures to safeguard personal data from unauthorized and accidental access, processing, and loss of use.

Openness
• Data users must make personal data policies and practices known to the public, regarding the types of personal data they hold and how the data is used.

Data access and corrections
• Data subjects have the right to request access to and correction of their data.
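The collection-purpose, use, retention and access principles above can be enforced in code rather than left to policy documents. The following Python class is an added example written for this page, not code from the presentation or its author: it records the disclosed purpose at collection time, refuses use for any other purpose unless explicit consent has been recorded, purges data once its retention period has passed, and lets the data subject access, correct and erase their record. The class and method names, the purposes, the 30-day retention period and the sample subject record are all constructed for the illustration.

```python
"""Purpose-limited personal data store (added example; all names constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PrivacyViolation(Exception):
    """Raised when an operation would breach one of the recorded principles."""


@dataclass
class Record:
    subject_id: str
    data: dict
    purpose: str                  # purpose disclosed at collection time
    collected_at: datetime
    retention: timedelta          # keep no longer than necessary
    consented_purposes: set = field(default_factory=set)  # extra purposes the subject agreed to


class PersonalDataStore:
    """Keeps personal data together with the purpose it was collected for and
    refuses uses outside that purpose or past the retention period."""

    def __init__(self, now=None):
        # Injectable clock so retention can be exercised deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._records = {}

    def collect(self, subject_id, data, purpose, retention_days):
        # Collection principle: a purpose must be disclosed up front.
        if not purpose:
            raise PrivacyViolation("collection without a disclosed purpose")
        self._records[subject_id] = Record(subject_id, dict(data), purpose,
                                           self._now(), timedelta(days=retention_days))

    def consent(self, subject_id, purpose):
        # Use principle: a new purpose needs explicit consent from the subject.
        self._records[subject_id].consented_purposes.add(purpose)

    def use(self, subject_id, purpose):
        rec = self._records[subject_id]
        # Retention principle: expired data is purged instead of served.
        if self._now() - rec.collected_at > rec.retention:
            del self._records[subject_id]
            raise PrivacyViolation("retention period expired; record purged")
        if purpose != rec.purpose and purpose not in rec.consented_purposes:
            raise PrivacyViolation(f"use for '{purpose}' not covered by consent")
        return dict(rec.data)

    # Access and correction principle: the subject can read, correct and erase.
    def access(self, subject_id):
        rec = self._records[subject_id]
        return {"data": dict(rec.data), "purpose": rec.purpose,
                "retention_days": rec.retention.days}

    def correct(self, subject_id, field_name, value):
        self._records[subject_id].data[field_name] = value

    def erase(self, subject_id):
        self._records.pop(subject_id, None)

    def purge_expired(self):
        """Drop every record past its retention period; returns the purged ids."""
        now = self._now()
        expired = [s for s, r in self._records.items() if now - r.collected_at > r.retention]
        for s in expired:
            del self._records[s]
        return expired


def demo():
    """Walk a constructed record through the principles; returns the outcomes."""
    clock = {"t": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    store = PersonalDataStore(now=lambda: clock["t"])
    store.collect("alice", {"email": "alice@example.com"}, "order_fulfilment", 30)
    out = {"ok_use": store.use("alice", "order_fulfilment")["email"]}
    try:
        store.use("alice", "marketing")          # not the disclosed purpose
        out["marketing"] = "allowed"
    except PrivacyViolation:
        out["marketing"] = "blocked"
    store.consent("alice", "marketing")          # explicit consent recorded
    out["marketing_after_consent"] = "allowed" if store.use("alice", "marketing") else "blocked"
    store.correct("alice", "email", "alice@corrected.example")
    out["corrected"] = store.access("alice")["data"]["email"]
    clock["t"] += timedelta(days=31)             # move past the 30-day retention
    out["purged"] = store.purge_expired()
    return out


if __name__ == "__main__":
    print(demo())
```

The clock is injected so that the retention rule can be tested without waiting; in a real service the same check would run as a scheduled job, and every refusal raised by `use()` is the kind of event worth logging, since a pattern of them points at a system trying to repurpose data it was not collected for.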
VARIOUS DATA PRIVACY LAWS WORLDWIDE

[Figure: various data privacy laws worldwide; no text recoverable]

DPDPA TIMELINE

[Figure: DPDP Act timeline; no text recoverable]
DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Key Definitions in the DPDP Act

• Personal data: “Any data about an individual who is identifiable by or in relation to such data.”
• Digital personal data: “Personal data in digital form.”
• Data Fiduciary: “Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
• Processing: “A wholly or partly automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.”
• Data Processor: “Any person who processes personal data on behalf of a Data Fiduciary.”
• Data Principal: “The individual to whom the personal data relates, and where such individual is:
  • a child, includes the parents or lawful guardian of such a child; and
  • a person with disability, includes her lawful guardian, acting on her behalf.”
• Person:
  • an individual; a Hindu Undivided Family;
  • a company; a firm;
  • an association of persons or a body of individuals, whether incorporated or not;
  • the State;
  • every artificial juristic person, not falling within any of the preceding sub-clauses.
• Personal data breach: “Any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Applicability of the DPDP Act
• Processing of personal data collected within the territory of India when the data is collected in digital form or is collected in non-digital form and digitized subsequently.
• Processing of digital personal data outside of India, if the processing is in connection with any activity related to offering of goods or services to users within the territory of India.

Does not apply to personal data
• made or caused to be made publicly available by the user (for example, if an individual, while blogging her views, has publicly made available her personal data on social media, then processing of that data won’t come under these regulations, the Act illustrates);
• processed by an individual for any personal or domestic purpose;
• made available by any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
CITIZENS’ RIGHTS – DPDPA 2023

• Right to Information: Right to seek more information on how their data is processed; the data fiduciary will make this data available in a clear & understandable way.
• Right to correction & erasure: Right to correct inaccurate/incomplete data and erase data that is no longer required for processing.
• Right to grievance redressal: Right to use readily available means of registering a grievance with a data fiduciary.
• Right to nominate: Individual can nominate any other individual to exercise these rights in the event of death or incapacity.

*At present, no timeline has been prescribed for implementing the grievance redressal and data principal rights.
WHAT ARE THE PENALTIES FOR NON-COMPLIANCE?

There are penalties for non-compliance with the provisions by data fiduciaries of up to INR 250 crore. Some of these are:

• Breach in observance of duty of data principal: up to INR 10,000
• Failure to notify the Data Protection Board and affected data principals in the event of a personal data breach: up to INR 200 crore
• Breach in observance of additional obligation in relation to children: up to INR 200 crore
KEY ISSUES AND ANALYSIS

• Exemptions for government agencies could lead to unchecked data processing and potential privacy violations.
• The bill's provisions may enable data collection and surveillance under the guise of national security.
• The bill overrides consent for certain purposes, which could affect individual autonomy and privacy.
• The absence of regulation on harm arising from data processing is a concern.
• The short appointment term of the Data Protection Board members might impact their independence.
• The bill does not include the right to data portability and the right to be forgotten.
• The mechanism for cross-border data transfer needs to ensure adequate protection.
• Definitions of "child" and consent verification raise practical challenges.
• Lack of clarity on what constitutes detrimental effects on the well-being of a child.
• Certain exemptions from notice for consent might affect informed consent.
DPDPA SUMMARY

[Figure: DPDPA summary; no text recoverable]
NEXT STEPS : KEY ACTIONS

Privacy Governance
• Establish a privacy governance with cross functional expertise in risk, legal, compliance, technology and create/update the Privacy Framework
• Appoint a DPO based in India, reporting to the board or equivalent committee, for compliance with the proposed Act

Data Discovery and Classification
• Conduct data discovery to identify PII and the different data principals whose data is processed within the organization, classify information and identify controls to be implemented on the different classes of information as per the proposed regulation

Consent / Notice
• Obtain freely given, clear, unambiguous consent for all purposes for which PII is collected. Provide option to withdraw consent.
• Provide a notice to the data principal, at the time of collecting data, clearly defining the purpose of processing

Cross border Data Management
• Identify the movement of personal data to different jurisdictions and assess the impact as per the regulation
• Establish required contracts and data protection measures required to allow the data transfer

Data Principal Rights
• Communicate the rights of the data principal through the privacy notice
• Establish a process for the data principal to exercise their rights and to respond to the request as per the prescribed timelines

Breach Management
• Establish a process to identify personal data breaches and report the same to the Data Protection Board as well as the impacted Data Principals

Vendor/Third Party Management
• Identify third parties with whom PII is shared and update relevant data privacy clauses within the contracts.
• Conduct periodic assessments on third parties to ensure compliance with privacy requirements

Data Protection Impact Assessment
• Establish a process to conduct DPIA on the personal data processing activities and identify risks to the rights of Data Principals
• Identify, track and monitor closure of risks identified during the process

Privacy Audits/Reviews
• Appoint an External Auditor to conduct periodic privacy audits
• Establish process to identify risks, track closure of observations
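The Data Discovery and Classification step above is usually the first concrete engineering task in a programme like this. The Python below is an added example, not code from the presentation or its author: it scans tabular records for common identifier patterns, records which columns carry which kind of identifier, and assigns each record a class that a control policy can key off. The detector patterns (an email address, a 10-digit Indian mobile number, a PAN-format tax identifier), the two class labels and the sample rows are assumptions constructed for the illustration; they are not a statement of what the DPDP Act defines as personal data.

```python
"""PII discovery and classification over tabular records (added example)."""
import re

# Detectors are assumptions for illustration, not a complete PII catalogue:
# an email address, an Indian 10-digit mobile number (starts with 6-9) and a
# PAN-format identifier (five letters, four digits, one letter).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "mobile": re.compile(r"(?<!\d)[6-9]\d{9}(?!\d)"),
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),
}

# Class assigned per detector; a financial identifier is ranked above contact
# data, following the slide's financial-data example. Labels are constructed.
CLASS_OF = {"email": "personal", "mobile": "personal", "pan": "sensitive"}
RANK = {"none": 0, "personal": 1, "sensitive": 2}


def find_pii(text):
    """Return {detector_name: [matches]} for every detector that fires on text."""
    found = {}
    for name, rx in DETECTORS.items():
        hits = rx.findall(text)
        if hits:
            found[name] = hits
    return found


def classify_record(record):
    """Scan every field of one record.

    Returns (class, {field: {detector: [matches]}}); the class is the highest
    ranked class among all detectors that fired anywhere in the record."""
    per_field = {}
    level = "none"
    for field_name, value in record.items():
        hits = find_pii(str(value))
        if hits:
            per_field[field_name] = hits
            for det in hits:
                if RANK[CLASS_OF[det]] > RANK[level]:
                    level = CLASS_OF[det]
    return level, per_field


def inventory(records):
    """Summarise a dataset: which columns hold which identifier kinds, and the
    highest class seen, which decides the controls the whole dataset needs."""
    columns = {}
    top = "none"
    for rec in records:
        level, per_field = classify_record(rec)
        if RANK[level] > RANK[top]:
            top = level
        for col, hits in per_field.items():
            columns.setdefault(col, set()).update(hits)
    return {"class": top, "columns": {c: sorted(d) for c, d in columns.items()}}


# Constructed sample rows; none of these values belong to a real person.
SAMPLE = [
    {"name": "A. Sharma", "contact": "a.sharma@example.com", "notes": "call 9876543210"},
    {"name": "B. Rao", "contact": "none on file", "notes": "KYC ref ABCDE1234F pending"},
    {"name": "C. Iyer", "contact": "-", "notes": "no PII here"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(row["name"], classify_record(row))
    print(inventory(SAMPLE))
```

Run against a real export, the interesting output is the `columns` map: identifiers turning up in free-text fields such as `notes` are exactly the data that a column-name review misses, and those fields then need the same retention and access controls as the fields designed to hold PII.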
PRIVACY CASE STUDY

Facebook-Cambridge Analytica Scandal: personal data of millions of Facebook users had been harvested without their consent by Cambridge Analytica, a political consulting firm.

Lesson Learned: Transparency and informed consent are crucial in handling personal data, and organizations must prioritize data protection to maintain public trust.

QUIZ TIME
SUMMARY

• Information Security – Data Security and ultimately data privacy requirements are ever growing.
• Laws and Regulations are helping individuals and corporates to ensure certain practices are adhered to protect the data of an individual.
• Cybersecurity will require a significant workforce with deep domain knowledge.
• Almost everything is hooked up to the internet in some sort of form.
• Recent events have widened the eyes of many security experts.
• The ability to gain access to high security organizations, infrastructures or mainframes has frightened many people.
• Could one click of the mouse start World War III?

THANK YOU
