Crime in cyberspace

Ashish Chandra outlines the legal recourse available for Indian companies facing cyber-attacks

On a pleasant Friday evening in Mumbai last month, my iPhone started flashing with updates on the “WannaCry” virus. With an end-of-week party on my mind, I thought at first that the messages were promoting a new pub. My excitement didn’t last long as media platforms across India gradually revealed WannaCry was a global cyber-attack.

Ten questions arising from such a large-scale cyber-attack are answered below.

1. What is the WannaCry attack and what impact is it having in India?

The WannaCry ransomware attack is an ongoing worldwide cyber-attack by the WannaCry ransomware crypto worm, which targets computers running a Microsoft Windows operating system by encrypting data and demanding ransom payments in the bitcoin cryptocurrency. The attack began on Friday 12 May and has been described as unprecedented in scale, infecting more than 230,000 computers across more than 150 countries.

Based on recent news reports, some government and private establishments in India have been affected. The extent of the damage is as yet unknown.

2. What is the general law in India on cyber security?

The relevant sections of the Information Technology Act, 2000 (IT Act), as amended to date, are as follows:

• Section 2(1)(nb) defines “cyber security”, section 2(1)(ze) defines “secure system”, and section 2(1)(zf) defines “security procedure”.
• Section 16 empowers the central government to prescribe security procedures and practices. Using this authority, the government has notified the Information Technology (Use of electronic records and digital signatures) Rules, 2004. These rules essentially state that any electronic record which is authenticated by a secured digital signature is a “secured electronic record”.
• Section 43A passively obligates a body corporate to adopt reasonable security practices and procedures when possessing, dealing with or handling any sensitive personal data or information. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, were made pursuant to section 43A.
• Under section 70, the government can declare any computer resource which affects critical information infrastructure to be a protected system. On 26 July 2010, the government notified the TETRA communication network, with hardware and software installed around New Delhi, as a protected system. On 11 December 2015, the government notified various systems of the Unique Identification Authority of India as a protected system.
• In addition, India adopted a National Cyber Security Policy in 2013.

Ashish Chandra is the former general counsel at Snapdeal. The views expressed are personal and do not constitute legal advice. Readers are advised to consult a lawyer before acting on any points mentioned above. The author can be reached at ashish1109@gmail.com.