A Conundrum of Cybersecurity in India: Maintaining Security Mechanisms in E-Commerce for Prevention of Data-Breaches

Introduction

Industries are known for adopting automated facilities to generate maximum profit. The first industrial revolution caused the formation of innovative machinery in the West.[1] Its second version was responsible for further mechanization, resulting in automatic factories.[2] The third version resulted in a robust use of technology encompassing electronics, telecommunications, and computer systems, which laid the foundation of the internet.[3] Further, due to the emergence of the internet, conventional commercial transactions underwent a renaissance, resulting in e-commerce. According to the OECD, e-commerce is defined “as a new form of doing business that occurs across networks that employ non-proprietary protocols developed through an open standard-setting process such as the Internet”.[4] In the present context, e-commerce companies have exploited the phenomenon of global digitalization, thereby succeeding in capturing markets all over the world. India is no exception in this regard. According to a survey by the marketing data and analytics company Kantar, India has added 125 million online customers over the last three years, with an additional 80 million likely to join by 2025.[5] Furthermore, the country is expected to be home to 900 million internet users by 2025. However, these digital interfaces in the form of e-commerce platforms are vulnerable to cyber-attacks due to the high volume of online transactions and the involvement of sensitive customer data, according to a recent report, “The Anatomy of Fraud 2023”, by “Bureau”, an AI-architecture platform.[6]

Today, “data” is considered the new oil of the 21st century,[7] because several organizations design their strategies, plan their products and services, and make investments based on it.[8] Where cyber criminals succeed in stealing valuable data, the aftermath is a “data breach”.[9] Recovery from a cyberattack or data breach can take a long time and be very expensive. In 2022, the average cost of a data breach was estimated to be a staggering $4.35 million, based on a review of 550 incidents across 17 nations and 17 sectors.[10] Also, it has become unavoidable for customers to provide sensitive information relating to their financial status, personal characteristics etc. to e-commerce platforms.[11] Therefore, apart from humongous financial losses, a data breach can result in the violation of the right to privacy of millions of citizens, coupled with a threat to national security in certain circumstances.[12] Against this backdrop, it becomes imperative to understand the Indian legal framework protecting against data breaches, particularly in the context of e-commerce, and to suggest positive reforms and improvements to it.

Provisions under the Indian Legal Framework Governing Data Breach in E-Commerce

1. The Information Technology Act, 2000[13]

In India, there are several laws relating to e-commerce which are efficacious when it comes to protection from data breach. The Information Technology Act, 2000[14] was the first e-commerce law passed by the Indian government. Giving effect to the UNCITRAL Model Law on Electronic Commerce (E-Commerce Law), which was released in 1996, was the main goal of this legislation.[15] This legislation primarily enshrines offences relating to cybercrimes, which also encompass “data breach”. Under Section 2(w) of the Act,[16] “intermediary” is defined to be inclusive of online marketplaces. Therefore, this definition is applicable to e-commerce websites such as Amazon, Flipkart etc.

Provisions of the IT Act imposing liability on perpetrators of data breach

Cybercriminals often attempt to damage the targeted computer systems or network interfaces, such as e-commerce platforms, in order to commit a “data breach”. Section 43 of the IT Act provides for compensation for damage where any person, without the permission of the owner or of any person in charge of the computer system for the time being, acquires unauthorized access;[17] extracts, copies or downloads valuable information;[18] infects or causes a system to be infected with a virus;[19] or steals, conceals, destroys, or alters a computer source code himself or through any other person.[20] Section 65 penalizes tampering with computer source documents with imprisonment of 3 years, or with a fine which may extend to 2 lakh rupees.[21] Section 66 penalizes an act enshrined under Section 43, when done dishonestly or fraudulently, with imprisonment for a term extending to 2-3 years or with a fine which may extend up to 5 lakh rupees.[22] Section 66C penalizes the commission of identity theft: if a person dishonestly or fraudulently makes use of a password or electronic signature in order to commit a “data breach” or any other related crime, he shall be liable to imprisonment for 3 years and a fine of 1 lakh rupees.[23] Furthermore, under section 75 a person shall be held liable for a data breach originating from outside India in case it affects a computer system or network located within India.[24]

Responsibilities of intermediaries (including e-commerce platforms) under the IT Act and Rules

Apart from imposing liability upon offenders committing data breach, the IT Act ensures that intermediaries are duty bound to fulfil all their responsibilities and that no negligence on their part is reported. Section 79 of the IT Act[25] is renowned for its rich jurisprudence surrounding the grant of exemption to intermediaries.[26] Section 79(2) explicates the conditions to be fulfilled for claiming the exemption. Section 79(2)(a) targets the limited functionality of intermediaries, where the intermediary only provides access to a communication system over which information made available by third parties is temporarily stored or hosted. Further, section 79(2)(b), which is separated from (a) by “or”, makes it clear that the intermediary must not have initiated the transmission, selected the receiver of the transmission, or selected or modified the information contained in the transmission. Thereafter comes section 79(2)(c), which lays down a condition of observance of “due diligence” and is separated by neither “or” nor “and”. This ambiguity was addressed by the Delhi High Court, which stated that “The use of the words “or” between (a) and (b) makes them disjunctive, although (c) has to co-exist with (a) or (b) whichever is applicable.”[27] In particular, clauses (b) and (c) mandate the absence of a deliberate negligent act on the part of the intermediary, coupled with observance of due diligence. This due diligence is further elaborated in rule 3 of the IT (Intermediary Guidelines) Rules, 2011.[28]

Furthermore, Section 79(3) withdraws the exemption when certain conditions are met. According to its clause (a), the intermediary must not have conspired, abetted, aided or induced, whether by threats or promise, the commission of the unlawful act. Also, clause (b) mandates the intermediary, upon receiving “actual knowledge”, to expeditiously disable access to the material present on its interface without vitiating the evidence in any manner. This section was read down in Shreya Singhal v. Union of India,[29] where it was held that it is “to mean that the intermediary upon receiving actual knowledge that a court order has been passed asking it to expeditiously remove or disable access to certain material must then fail to expeditiously remove or disable access to that material.”

The “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011”,[30] commonly known as the SPDI Rules, describe security procedures for the gathering and processing of sensitive personal data. These regulations are available on the department’s website. Intermediaries are required to inform CERT-In[31] of cybersecurity incidents. The SPDI Rules also acknowledge the “International Standard ISO/IEC 27001 on Information Technology – Security Procedures and Information Security Management System requirements” as an acceptable security standard that business organizations can use to safeguard personal data. Also, the “Companies (Management and Administration) Rules, 2014”[32] set down the cybersecurity responsibilities of company directors and executives, requiring them to protect electronic documents from unauthorized access and alteration.

Responsibility of the Government as per the Provisions of the IT Act

As per section 16 of the IT Act,[33] for the purposes of sections 14 and 15, the Central Government may regulate security policies and practices, keeping in mind the business conditions, the nature of transactions, and any other relevant factors it may deem appropriate while prescribing such security methods and practices. As per section 69B,[34] the government has the power to authorize the monitoring and collection of traffic data or information through any computer resource for cyber security reasons. Under section 69B(1), the Central Government may, for the prevention of any intrusion or spread of computer contaminant, authorize any agency to monitor and collect traffic data or information generated in any computer resource. Furthermore, the “National Cyber Security Policy”[35] was launched by the Ministry of Communication and Information Technology in 2013 with the goals of fostering a safe online community, enhancing legal protections and cyberattack early warning systems, and coordinating with national and worldwide standards.

2. The Digital Personal Data Protection Act, 2023[36]

Recently, the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “2023 Act”) came into force in India on 11th August 2023. The 2023 Act brings about a fundamental change in how personal data is handled and processed in India. Every industry is affected by its key provisions, such as itemized notice, informed consent, purpose restriction, data processing standards, and the rights of data principals.[37] As per section 2(i), a “Data Fiduciary”[38] is “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” From this definition, e-commerce platforms fall within the ambit of data fiduciary, as they are private companies determining the purpose of processing customers’ sensitive data, i.e., online buying and selling. Further, an illustration given under section 5(2)[39] of the 2023 Act includes the example of an e-commerce platform, supporting the aforementioned claim.

Responsibilities of the data fiduciary and the government with respect to prevention of data breach

As per section 8(5)[40] of the 2023 Act, the data fiduciary must implement reasonable security safeguards to prevent data breaches. Failure to implement such safeguards invites liability under section 33(1) of the 2023 Act,[41] with compensation which may extend up to 250 crore rupees. In the event of a personal data breach, the data fiduciary is bound to notify the data principal and the Data Protection Board of India.[42] It is also bound to erase personal data as soon as the purpose has been served and retention is no longer necessary for legal purposes.[43]

Furthermore, as per section 37(1)(b) of the 2023 Act, the government, in the general interests of the public, on being satisfied and after having given the data fiduciary an opportunity of being heard, can expeditiously block the public’s access to particular information. This provision can be efficacious in preventing data breaches.

Suggestions and Conclusion

The present legal framework in India is equipped to tackle cybersecurity problems only when security algorithms are consistently updated in step with the cyber-attacker’s technology. Presently, with the emergence of artificial intelligence, cyber criminals are exploring new vulnerabilities in order to commit “data breach” and other cyber security related crimes. Although the laws discussed in the preceding section provide strategic measures in favour of the national interest, impose penalties upon cyber criminals and provide exemption to e-commerce platforms in certain scenarios, the reduction of the risks will gain pace only with a comprehensive analysis of the situation at hand.

For comprehensive risk analysis, the Indian government needs to ensure safety measures following the systems theory of cyber-attack. System-theoretic process analysis (STPA) is a method that considers how each system component interacts with other system components in order to make systems safer and more secure.[44] Leveson created it in order to identify hazardous conditions and risky control actions that result in accidents or system failures. Additionally, it produces extensive safety requirements to prevent the occurrence of known dangerous scenarios.[45] In order to identify possible hazards and dangers, it incorporates aspects such as software, hardware, human, organizational, and safety factors, among others. This systems-based security approach will ensure maximum learning from incidents and accidents. Further, it will help in identifying the root cause of a problem and can also be included in the security safeguards enshrined in the 2011 SPDI Rules.

Furthermore, one of the major causes of data breaches is the behavioural risk associated with humans. Therefore, in addition to countering threats using the latest technologies, proper training sessions and interactive awareness campaigns must be included in the organizational framework of e-commerce platforms. Lastly, e-commerce platforms must implement “privacy by design” mechanisms in accordance with the Digital Personal Data Protection Act, 2023, coupled with treating cybersecurity as part of their risk management. In conclusion, there are sundry concerns associated with e-commerce companies, such as intellectual property rights, copyrights etc., but the major concerns in the present context are cybersecurity risks and data exploitation. With proper implementation and strategic planning, the government, in tandem with e-commerce platforms, can succeed in reducing cyber-security risks, including “data breaches”, to a significant extent.

  1. “Industrial Revolution – Technology, Factories, Change | Britannica Money,” Encyclopedia Britannica, 2023.
  2. Ibid.
  3. “The 4 Industrial Revolutions,” Institute of Entrepreneurship Development, 2019, available at https://ied.eu/project-updates/the-4-industrial-revolutions/ (last visited September 22, 2023).
  4. “Home,” Oecd-ilibrary.org, available at https://www.oecd-ilibrary.org/sites/1885800a-en/index.html?itemId=/content/component/1885800a-en (last visited September 22, 2023).
  5. Livemint, “E-commerce surge: India to add 80 million online shoppers by 2025”, available at https://www.livemint.com/industry/retail/ecommerce-surge-india-to-add-80-million-online-shoppers-by-2025-11682063858853.html (last visited September 17, 2023).
  6. Our Bureau, “Financials, e-commerce, gaming sectors most prone to cyber frauds: Study”, Business Line, 2023, available at https://www.thehindubusinessline.com/news/financials-e-commerce-gaming-sectors-most-prone-to-cyber-frauds-study/article67038050.ece (last visited September 22, 2023).
  7. The PyCoach, “Is Data the New Oil of the 21st Century or Just an Overrated Asset?”, Medium (Towards Data Science, 2022), available at https://towardsdatascience.com/is-data-the-new-oil-of-the-21st-century-or-just-an-overrated-asset-1dbb05b8ccdf (last visited September 22, 2023).
  8. Xiang Liu, Sayed Fayaz Ahmad, et al., “Cyber security threats: A never-ending challenge for e-commerce”, Frontiers in Psychology 8 (2022).
  9. A data breach refers to an “incident in which information is accessed without authorization,” according to the cybersecurity firm Norton. Refer: “What is a data breach?,” Norton, 2020, available at https://us.norton.com/blog/privacy/data-breaches-what-you-need-to-know (last visited September 22, 2023).
  10. “Cost of a data breach 2023 | IBM,” Ibm.com, 2023, available at https://www.ibm.com/reports/data-breach (last visited September 15, 2023).
  11. S. S. Singh, “Privacy and Data Protection in India: A Critical Assessment” 53(4) JILI 663–677 (2011), available at http://www.jstor.org/stable/45148583.
  12. Ibid.
  13. The Information Technology Act, 2000 (Act 21 of 2000).
  14. Ibid.
  15. “United Nations Commission on International Trade Law”, available at https://uncitral.un.org/ (last visited September 22, 2023).
  16. Supra note 13, s. 2(w) (substituted vide “The Information Technology Amendment Act, 2008”).
  17. Id., s. 43(a).
  18. Id., s. 43(b).
  19. Id., s. 43(c).
  20. Id., s. 43(j).
  21. Id., s. 65.
  22. Id., s. 66.
  23. Id., s. 66C.
  24. Id., s. 75.
  25. Id., s. 79.
  26. Pritika Rai Dhawan, “Intermediary liability in India”, 48 Economic and Political Weekly 121 (2013).
  27. Super Cassettes Industries Ltd. v. Myspace Inc. (2011) SCC Online Del 3131.
  28. Information Technology (Intermediary Guidelines) Rules, 2011.
  29. Shreya Singhal v. Union of India (2015) SCC Online SC 248, para 122.
  30. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.
  31. Computer Emergency Response Team (India) (CERT-In) was formed in 2004 as per section 70B of the IT Act, 2000 under the Ministry of Communications and Information Technology.
  32. Companies (Management and Administration) Rules, 2014.
  33. Supra note 13, s. 16.
  34. Id., s. 69B.
  35. The National Cyber Security Policy 2013.
  36. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023).
  37. Supratim Chakraborty & Himeli Chatterjee, “India’s Digital Personal Data Protection Act, 2023 - Impact on Hospitality Sector”, 68 SCC Online Blog Exp (2023).
  38. Supra note 35, s. 2(i).
  39. Id., s. 5(2).
  40. Id., s. 8(5).
  41. Id., s. 33(1) (Schedule I).
  42. Id., s. 8(6).
  43. Id., s. 7(a).
  44. J. Thomas, “Systems theoretic process-analysis STPA” (2016), available at http://psas.scripts.mit.edu/home/wp-content/uploads/2016/01/.
  45. N. Leveson, “A new accident model for engineering safer systems”, 42 Saf. Sci. 247 (2004), doi: 10.1016/S0925-7535(03)00047-X.
