Cyber security is no longer a problem only for the technology people
of an organisation. Top management is now equally concerned with, and
responsible for, various cyber law and cyber security related issues.
Recently the Reserve Bank of India (RBI) declared that it would
constitute an IT subsidiary for managing cyber security issues of
banks in India. Even the Indian government has appointed Dr. Gulshan
Rai as the first Chief Information Security Officer (CISO) of India.
It has long been felt that we need a dedicated cyber security law of
India. At present, a few provisions pertaining to cyber security can
be found in the Information Technology Act, 2000. However, the IT Act
2000 is not sufficient to address the complex and techno legal issues
of cyber security, especially those arising at the international
level. International legal issues of cyber security are still not
clear, as there is no universally acceptable cyber law treaty or cyber
security treaty. The position has become really alarming, as malware
is easily defeating cyber security products and services these days.
Recently the Ministry of Corporate Affairs (MCA) notified many
provisions of the Indian Companies Act, 2013 and the corresponding
rules under it. Most corporate stakeholders have considered the new
company law of India to be a purely corporate regulatory framework.
However, this is not true, as the Indian Companies Act 2013 has
prescribed legal obligations that are far more complicated than those
of the traditional company law.
The truth is that the new company law of India has prescribed many
techno legal compliance requirements that very few companies and
their directors are capable of managing. As a result, cyber law and
cyber security related legal violations would be abundant in the
coming times.
With the formulation of the proposed cyber security breach disclosure
norms of India and possible cyber security laws in India, Indian
companies and their directors would find themselves in a legal fix.
The powers of the Serious Fraud Investigation Office (SFIO) have also
been significantly increased by the Companies Act 2013. SFIO has
become very active in prosecuting Indian companies and their directors
in the recent past. With the notification of the Companies
(Inspection, Investigation and Inquiry) Rules, 2014, SFIO would become
more active in this regard.
The legislature ensured that the regulatory compliances under the
Indian Companies Act 2013 cover cyber law and cyber security
compliances as well. The directors' liabilities under the Indian
Companies Act 2013 also cover cyber law due diligence, cyber security
due diligence, e-discovery compliances, cyber forensics, etc. on their
part. Even the cyber security obligations of law firms in India have
significantly increased, and various stakeholders, including companies
and law firms, must keep in mind the international legal issues of
cyber security.
The Companies (Management and Administration) Rules, 2014 also
prescribe many techno legal and cyber security obligations upon the
directors of a company. The directors must be well versed in the
techno legal regulatory provisions under the Companies Act 2013 and
other technology laws of India.
The cyber
security trends in India 2016, provided by Perry4Law
Organisation (P4LO), have also indicated that various
corporate stakeholders would be required to comply with cyber law and
cyber security related obligations in the near future. As on date,
companies and directors are not complying with the cyber law and
cyber security obligations as prescribed by Indian laws and
regulations.
As the cyber law and
cyber security obligations of the directors of companies operating in
India have been clearly mandated by various laws of India, it is in
their own interest to ensure their due compliance.