LEGAL PROJECT FILE

Cyber Laws, Safety, and Security in India

The Internet is defined as, ‘a system architecture that has revolutionized
communications and methods of commerce by allowing various computer
networks around the world to interconnect’.

This computer-generated world of the internet that involves interactions

between people, software and services is known as cyberspace. It is a
dynamic, exponential and undefined space. As information and the Internet
become more complex and large, it has become critical to maintain
systems up and running all the time for safety and security.

History of Cyber Law in India

In 1996, the United Nations Commission on International Trade Law

(UNCITRAL) adopted the Model Law on Electronic Commerce to bring
uniformity in the law in different countries. The Model Law on Electronic
Commerce aims to enable and facilitate commerce conducted by electronic
means by providing countries with a set of universally acceptable rules that
are aimed at removing legal obstacles and increasing legal predictability for
electronic commerce. This model law provides for equal treatment which is
essential for enabling paperless communication and fostering efficiency in
international trade. India became the 12th country to enable cyber law after
it passed the Information Technology Act, 2000.
 What is Cyber law?
Cyber law deals with legal issues related to use of inter-networked
information technology. It provides the legal rights and restrictions
governing technology. In short, cyber law is the law governing computers
and the internet. Cyber law encompasses laws relating to Cyber crimes,
Electronic and digital signatures Intellectual property, Data protection and
privacy etc. The Internet was initially developed as a research and
information sharing tool and was unregulated. As the time passed by it
became more transactional with e-business, e-commerce, e-governance
and e-procurement etc. All legal issues related to internet crime are dealt
with through cyber laws. As the number of internet users is on the rise, the
need for cyber laws and their application has also gathered great
momentum.

What is Cyber safety and security?

Cyber safety is the safe and responsible use of information and
communication technology. It is not only about keeping information safe
and secure, but also about being responsible with that information and
being respectful of other people online. Cyber safety and security can be
ensured by enacting laws, and use of technologies, processes and
practices that are designed to protect networks, computers, programs and
data from attack, damage or unauthorized access.

What is Cyber-crime?

Cyber-crime refers to an activity done with criminal intent in cyberspace. In

other words, any offence or crime in which a computer is used is a
cyber-crime. Even a petty offence like stealing can be brought within the
broader purview of cyber crime if the basic data or aid to such an offence is
a computer or information stored in a computer used (or misused) by the
fraudster. Cyber crimes can be against persons, property or government.
For example, cyber stalking, computer vandalism, stealing of data, hacking,
phishing, mail fraud etc. The term cyber-crime is not defined in Information
 Technology Act, 2000 neither in the National Cyber Security Policy 2013
nor in any other regulation in India. However, ‘Cybercrime’ has been
defined by the National Cyber-crime Reporting Portal (a body set up by the
government to facilitate reporting of cyber-crime complaints) to ‘mean any
unlawful act where a computer or communication device or computer
network is used to commit or facilitate the commission of crime’.

Cyber Security Breach Case Studies in India

Air India data breach

In February 2021, hackers broke into Air India’s database to steal the
personal information of 4.5 millionAir India customers. The data
compromise happened on the heels of another data breach at Akasa Air.
After the incident, Air India sent emails to the affected passengers that the
security of their data had been compromised and personal information such
as user ID and password had been stolen. The hackers obtained sensitive
information to access passengers’ GST invoices and reveal it in the public
domain. However, credit card information like CVC and CVV numbers were
not stolen as claimed by Air India in response to allegations.

Police exam data spill (2019) and Cyberabad data theft (2023)

The confidential data of over 50,000 individuals who attended the police
recruitment exam in December 2019 was violated by hackers. The
information of participants like birth dates, cell phone numbers, candidate
names, email IDs, FIR history, and criminal records, among others, was put
up for sale by hackers. The information leak was discovered by CloudSEK
when the hacker shared a sample of the stolen data with them. However,
the 2019 data spill pales in comparison to the data theft of 66.9 crore
people in 2023. The incident came to light when Cyberabad police sent
notices to 11 entities including three banks, an IT services company, and a
social media behemoth, asking the company representatives to present
themselves before them in pertinence to the massive data leak. The
 Cyberabad police reportedly arrested one Vinay Bharadwaj for thieving,
storing, and selling the personal information of 66.9 crore people and
companies across India.

Domino’s India data theft

The Indian arm of Domino’s Pizza revealed in April 2021 that a threat actor
had hacked their database and sold the compromised data on a hacking
forum. The actor claimed to have laid their hands on 13 TB of information
comprising data of 18 million orders reflecting customer names, addresses,
delivery locations, and phone numbers, along with the credit card
information of 1 million individuals from the database of Domino’s India.
However, the pizza chain claimed that customer credit card data wasn’t
compromised as they don’t maintain the financial records of their clients.

Safety measures to prevent data breach

• Remote monitoring: Having an IT team to monitor systems is integral to

organisational data security. Companies can either maintain an in-house IT
team or hire an IT agency for this purpose.
• Data backup and recovery: In some instances, company data files can
get deleted in the event of a data breach. Therefore, companies should
have information backed up for recovery. The responsibility of maintaining
automated remote data backup systems rests with IT teams.
• Destroy before deletion: When companies dispose of old records or
unnecessary excessive data, they should ensure that they don’t leave any
trail behind by annihilating such information.
• Employ the latest software: Organisations should see to it that all their
security tools are updated as outdated guardrails would be ineffective in
dealing with new threats.
 Cyber Crime Situation in India
State-sponsored cyber attacks against India increased by 278% between
2021 and September 2023, with services companies, including information
technology (IT) and business process outsourcing (BPO) firms, seeing the
highest share of attacks, a new report has found.During this period,
targeted cyber attacks on government agencies went up by 460%, while
startups and small and medium enterprises (SMEs) saw a whopping
increase by 508%.According to the 2023 India Threat Landscape Report by
Singapore-based cybersecurity firm Cyfirma, India is the most targeted
country globally, facing 13.7% of all cyber attacks.

Laws made by Indian Government to prevent Cyber

Crime

Information Technology Act, 2000

The Information Technology Act, 2000 extends to the whole of India. It also
applies to any offence or contravention committed outside India by any
person irrespective of his/her nationality, provided such offence or
contravention involves a computer, computer system or network located in
India. The courts in India have also recognised cybercrime (eg, the Gujarat
High Court in the case of Jaydeep Vrujlal Depani v State of Gujarat
R/SCR.A/5708/2018 Order), to mean ‘the offences that are committed
against individuals or groups of individuals with a criminal motive to
intentionally harm the reputation of the victim or cause physical or mental
harm, or loss, to the victim directly or indirectly, using modern
telecommunication networks such as Internet (networks including but not
limited to Chat rooms, emails, notice boards and groups) and mobile
phones (Bluetooth/SMS/ MMS)’. The Act provides legal infrastructure for
e-commerce, electronic records (like online contracts) and other activities
carried out by electronic means. It also deals with electronic governance
and cyber crimes.

The following types of cybercrimes are covered under the IT Act 2000.
● Identity theft – Identity theft is defined as theft of personnel
information of an individual to avail financial services or steal the
financial assets themselves.
● Cyberterrorism – Cyberterrorism is committed with the purpose of
causing grievous harm or extortion of any kind subjected towards a
person, groups of individuals, or governments.
● Cyberbullying – Cyberbullying is the act of intimidating, harassment,
defaming, or any other form of mental degradation through the use of
electronic means or modes such as social media.
● Hacking – Access of information through fraudulent or unethical
means is known as hacking. This is the most common form of
cybercrime know to the general public.
● Defamation – While every individual has his or her right to speech on
internet platforms as well, but if their statements cross a line and
harm the reputation of any individual or organization, then they can
be charged with the Defamation Law.
● Trade Secrets – Internet organization spends a lot of their time and
money in developing software, applications, and tools and rely on
Cyber Laws to protect their data and trade secrets against theft;
doing which is a punishable offense.
● Freedom of Speech – When it comes to the internet, there is a very
thin line between freedom of speech and being a cyber-offender. As
freedom of speech enables individuals to speak their mind, cyber law
refrains obscenity and crassness over the web.
● Harassment and Stalking – Harassment and stalking are prohibited
over internet platforms as well. Cyber laws protect the victims and
prosecute the offender against this offense.
 Section 66 A of the IT ACT, 2000

Section 66 A of the IT ACT, 2000 made it a punishable offence for any

person to send ‘grossly offensive’ or ‘menacing information’ using a
computer resource or communication device. Section 66A was inserted by
way of an amendment in the year 2009. The reason behind the amendment
was to address new forms of cyber crimes such as publishing sexually
explicit materials in electronic form, video voyeurism and breach of
confidentiality and leakage of data by intermediary, e-commerce frauds like
personation commonly known as Phishing, identity theft and offensive
messages through communication services. Therefore, the said Section 66
A IT Act, 2000 imposed punishment and criminalised the sending of
offensive messages through a computer or other communication devices.
However, the act used wide terms in this Section which were not defined
under the Act and hence caused a lot of confusion as the perception of an
individual in defining “grossly offensive” and “menacing information” varies
from one individual to another.

In the year 2012, in the matter of Shreya Singhal v. Union of India, a batch
of writ petitions were filed under Article 32 of the Constitution of India
raising an important question relating primarily to the fundamental right of
free speech and expression guaranteed by Article 19 of the Constitution of
India. The immediate cause for concern in these petitions was Section 66A
of the Information Technology Act of 2000. The petitioners argued that
wordings of the section were too wide and ambiguous leading to misuse.
Most of the terms used in the section had not been specifically defined
under the Act. Further, the petitioners argued that the section restricted the
right to free speech and expression prescribed under Article 19(1)(a) of the
Constitution of India.
On March 24, 2015, the Hon’ble Supreme Court struck down Section 66 A
of the IT Act, 2000 and declared it unconstitutional for “being violative of
Article 19(1)(a) of the Constitution of India.
 How Vulnerable is India to Cyber Attacks?
India has a large and growing population of internet users, with
more than 52% of the population or 759 million people
accessing the internet at least once a month in 2022 India is the
second largest online market in the world, behind China. By 2025,
the number is expected to grow to 900 million. India has a rapidly
expanding digital economy, with sectors such as healthcare,
education, finance, retail, and agriculture relying on online platforms
and services.

However, India’s outdated or inadequate cyber security

infrastructure, policies, and awareness, making it easy for hackers
to exploit the gaps and weaknesses in the system that’s why India
faces sophisticated and persistent cyber threats from
state-sponsored and non-state actors, who target India’s strategic,
economic, and national interests.

Initiatives Regarding Cyber Security taken by

Indian Government

National Cyber Security Policy- This policy aims to build a secure and
resilient cyberspace for citizens, businesses, and the government. It
outlines various objectives and strategies to protect cyberspace
information and infrastructure, build capabilities to prevent and respond to
 cyber attacks, and minimise damages through coordinated efforts of
institutional structures, people, processes, and technology.

Cyber Surakshit Bharat Initiative-This initiative was launched to raise

awareness about cyber crimes and create safety measures for Chief
Information Security Officers (CISOs) and frontline IT staff across all
government departments.

Indian Cyber Crime Coordination Centre (I4C)- This centre was

established to provide a framework and eco-system for law enforcement
agencies to deal with cyber crimes in a comprehensive and coordinated
manner. It has seven components, namely:

○ National Cyber Crime Threat Analytics Unit

○ National Cyber Crime Reporting Portal
○ National Cyber Crime Training Centre
○ Cyber Crime Ecosystem Management Unit
○ National Cyber Crime Research and Innovation Centre
National Cyber Crime Forensic Laboratory Ecosystem
○ Platform for Joint Cyber Crime Investigation Team.

Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis

Centre)- This centre was launched in 2017 to create a secure cyberspace
by detecting botnet infections in India and notifying, enabling cleaning and
securing systems of end users to prevent further infections.
 What Should India Do Further to Save Itself from
Cyber attacks?
Strengthening Existing legal Framework: India’s primary legislation
governing cyber crimes is theInformation Technology (IT) Act of 2000,
which has been amended several times to address new challenges and
threats. However, the IT Act still has some gaps and limitations, such as
the lack of clear definitions, procedures, and penalties for various cyber
offences, and the low conviction rate of cyber criminals. India needs to
enact comprehensive and updated laws that cover all aspects of cyber
security,such as cyber terrorism, cyber warfare, cyber espionage, and
cyber fraud.

Enhancing Cyber Security Capabilities: India has several initiatives and

policies to improve its cyber security, such as the National Cyber Security
Policy, the Cyber Cells and Cybercrime Investigation Units, the Cyber
Crime Reporting Platforms, and the Capacity Building and Training
programs. However, these efforts are still inadequate and fragmented, as
India faces a shortage of technical staff, cyber forensics facilities, cyber
security standards, and coordination among various stakeholders. India
needs to invest more in developing its human and technological
resources, establishing cyber security centers of excellence, adopting
best practices and standards, and fostering collaboration and information
sharing among different agencies and sectors.
Establish a Cyber Security Board: India must establish a cyber security
board with government and private sector participants that has the
authority to convene, following a significant cyber incident, to analyse
what happened and make concrete recommendations for improving
cybersecurity. Adopt a zero-trust architecture, and mandate a
standardised playbook for responding to cybersecurity vulnerabilities and
incidents. Urgently execute a plan for defending and modernising state
networks and updating its incident response policy.