Ours is a generation ruled by computers and the Internet. The predominant influence of the Internet over infinite lives all over the world has brought the issue of cyberlaws into focus. With laws being put in place to regulate and police cyberspace, there’s been a dramatic change in the way we browse, even perceive, the Internet. The 9.11 attacks in the US made nations redouble their efforts to keep track of the happenings on the Net. This also means that the good old days of the Internet are over. Almost everything that has transpired in the world has had a precedent. But the Internet has no examples to fall back on, and our dealings with this entity have been fuelled by suspicion and doubt. In the past, legal battles on this front have been extremely complex. After all, even the law could not explain the nuances of this Web-based genie. Given this situation, it was time to come up with some all-encompassing tool to deal with cases of cybercrime. Against this backdrop, the sheer effort put in by lawmakers in enacting cyberlaws should be lauded. A panel discussion, the last in the ten-part DQ-Citrix CIO Series, unraveled the intricacies and varying definitions of cybercrime and the problems that enterprises face today. On the panel were (from left) Ashish Rout (Bank of Punjab), Akhilesh Tuteja (KPMG), Arindam Bose (LG), Prasanto K Roy (chief editor, Dataquest and the moderator of the discussion), Dr Chandan Choudhary (IFS), cyberlaw consultant Pavan Duggal, and Avinash Surma (Delhi Stock Exchange). Excerpts from the discussion:

Issues that have hastened the enactment of cyberlaws
Avinash Surma (DSE): No new category of security lawsuits, arbitration, and enforcement proceedings has emerged. Shareholders and activists are using electronic bulletin boards and chat rooms to keep tabs on the management of their companies and to learn about the security measures that are being adopted. Similarly, the plaintiffs councils are using so-called datawarehousing websites to exchange data regarding security sites.

Ashish Rout (BoP): With no certifying authority and e-commerce catching up in a big way, there are many questions regarding safety measures that come to mind. Also, the challenges faced by Net banking while conducting transactions across the globe, are also a cause of concern.

Akhilesh Tuteja (KPMG): Though we have an IT act in place, we are all at sea (state of eternal ambiguity) regarding the exact implications of the same.

Arindam Bose (LG): We have ventured into the B2B and B2C areas and have started getting a lot of business on those fronts, so there are a lot of questions here. Also, we were victims of spamming once. However, the management decided that we did not want to make it public.

Pavan Duggal: I fully agree that everyone is at sea as far as cyberlaws are concerned as it is a very vast subject. There are two distinct trends here. There are companies that are proactive in prevention and others who believe in crossing the bridge once they get there. The latter is a larger group. So awareness is very low amongst enterprises.

Awareness levels among enterprises
KPMG: The awareness about cyberlaws is poor. Enterprises still believe that if they do not conduct business on the Net, they do not need to bother about cyberlaws. However, the industry is slowly helping create awareness. Irrespective of whether you are available online, it is mandatory for enterprises to be aware of the IT Act. Also, the number of people who believe that they will cross the bridge once they get to it is growing. The management needs to take the initiative in changing this attitude. Waiting for catastrophe to happen is in no way the right approach.

BoP: We have a security policy in pace and we continuously evaluate, review and update it. We also train our employees and customers to maintain their own systems. But there are loopholes despite all efforts. There are other problems like the difficulty in remembering 16 digit passwords. The document policy procedure is bound to fail at times.

DSE: The awareness level at the Delhi Stock Exchange is very high. We realize that something could go wrong at any moment and that keeps us on our toes. We are part of a global environment and so we maintain a strict vigil.

IFS: Our organization believes in creating awareness first and then carrying out a detailed audit on the existing security system. What we need to look at is 99.9% uptime. Once we insist on a high penalty, we can ensure that everyone adopts the best practices related to security.

Consultant: Though there is backup in most cases, it is not efficient enough. Also, companies prefer to absorb the loss generated due to spamming and accept cybercrime as business risk. This is done primarily as organizations believe that going to the police or reporting the crime would result in negative publicity, which would hinder their business prospects and potential clients. Once they announce their vulnerability to these kinds of crimes, they assume that they lose their credibility in the market. In most companies, the IT policy is treated as a mere formality.

One thing that companies fail to understand in India is that though it is termed as cyberlaw, the implications of the IT act go far beyond just transactions on the internet. It impacts any company and enterprise in the country, which does work in the electronic format, which deals with the computer, computer systems or network. Also, many corporations are jittery about the legality of the information they store. But companies have to adhere to the law. And given the many emerging technologies, there is enough confusion to deal with. So, the security policy is a must and the cyberlaw doesn’t actually do justice to it. We have very few tools of investigation and there is very little awareness on how one should carry out the investigation. Despite the bill being passed, we have not done anything effective regarding cybercrime.

Outsourcing and the law
KPMG: It is a good decision to outsource. But the pertinent question here is the penalty clause included in the service level agreements (SLAs). SLAs do exist, but are the ones that are in place good enough and can they be implemented? In this case, the smartness displayed by both parties will see them through, because in most cases, these agreements are not even read in their entirety. The IT act in itself is complex and the awareness level being very low, even the available clauses in the act are not being utilized to the fullest.

Consultant: SLAs are not covered under the IT act. Neither do we have any statutory damage clause should there be any violation of the same. Very few cases actually go to court as the courts are also not very proactive as far as SLAs are concerned. The time lag involved in following the legal route is a big deterrent too.

Backups
Audience query: Since we are talking about a paperless society, is it absolutely essential to maintain backups? Is that a prerequisite of the law?

Consultant: You must maintain a backup for all practical purposes. Section 9 of the IT act states that you can file any kind of electronic documentation, application or form with any government agency controlled by any kind of government, but it is not necessary that what you file electronically will be accepted by the government. Since this is the transition period, as far as the IT act is concerned, it would be advisable for you to maintain both paper and electronic backup.

IFS: Our organization has taken a calculated risk and decided that we will not maintain backups of any documents. We only copy documents that are extremely important and these are selecaent to create a law and plug all the loopholes for you. They have to become proactive. Ultimately it’s the recovery of these backups that has to be our priority.

Consultant: The law is silent on a lot of issues regarding electronic backups. So it’s better we preempt the authorities and keep ourselves on the right side of the law. We should maintain backups as a safety net.

Increasing awareness and better enforcement
KPMG: The corporate sector believes that since enterprises are happy otherwise, they needn’t really bother too much about cybercrimes, the IT act etc. But they should realize that the corporate sector would be the biggest beneficiary of this enactment. Since we also lack the tools of implementation, there is lot of hesitation. The corporate sector should take the first step forward.

Consultant: In context of the World Trade Center attacks, I strongly call upon companies to take every effort and use all possible means, methodologies and technologies that are available to at least have some semblance of control over what is happening in our country. The best idea for everyone is to take whatever possible precautions that you can. Only a proactive approach within your organization will help you save face, because you could be in an untoward situation tomorrow and that will cost you a huge amount of money and time to get through, apart from loss of face and trust as well.

DATAQUEST Report