Cyber security and Legal Liabilities

Legal Research Project

D A ANU NAIR
2013
 1

THE NATIONAL THE UNIVERSITY OF ADVANCED LEGAL STUDIES

(A State University Est. by Act 27, 2005 of Kerala State Legislature)
KOCHI, KERALA

Cyber security and Legal Liabilities

Legal Methods Project

D A ANU NAIR
1st Semester - B.A. LL.B. (Hons.)
Roll No: 2013

Submitted to: Mr Jacob Joseph

Faculty – Legal Methods (The National University of Advanced Legal Studies,
Kochi)
Date of Submission: 16 October 2023.
 2

ABSTRACT

Modern society has seen never-before-seen opportunities and difficulties due to the fast spread

of technology. Cyber security, which includes safeguarding digital assets and information from

various dangers and vulnerabilities, is one of the most urgent challenges. The legal environment

surrounding cyber security and the liability connected to cyber events continually changes as

technology advances. This project aims to give a thorough overview of cyber dangers, the legal

system that oversees cyber security, and the potential legal repercussions that people and

organizations might experience during a cyber incident.

 3

TABLE OF CONTENTS

1. Introduction 4
2. Cyber securities and legal liabilities 5-17
a. History of cyber world
b. What is cyber security
c. What is Cyber law
d. Types of cybercrime
e. Roles of cyberlaw in cybersecurity
f. Cyberlaws
g. Advantages of cyber law
h. New developments in cyber law
i. Need for cyber law
3. Conclusion 18
 4

INTRODUCTION

In today's post-pandemic world, most individuals and organizations have shifted to remote

employment and digital access to services in every industry. However, as a result, they have begun

to experience significant threats from data breaches and cyber-attacks. Exploiting infrastructure flaws

and other methods used by malevolent hackers to conduct these cyber-attacks are constantly

improving and getting more sophisticated, raising the possibility of a significant data breach?

Everyone must now understand cyber security regulations' legal complexities to function.

Different firms and organizations may wind up having a shoddy cyber security infrastructure

that does not abide by federal rules due to a lack of awareness about cyber security standards.

The following goals are the focus of this project:

1. Describe the idea of cyber security and its significance in contemporary society.

2. Give a general review of the national and international legal systems that regulate

cyber security.

3. Examine the possible legal repercussions that individuals and businesses may have

due to cyber incidents.

4. To demonstrate the legal repercussions of cyber-attacks and data breaches, analyze

case studies.

5. Provide information about cyber security risk management and new problems in the

area.
 5

Cyber security and Legal Liabilities

I. History of cyber world

The Internet is a worldwide network of interconnected computer networks that use the Internet

Protocol Suite (TCP/IP).1 It comprises millions of private and public, academic, business, and

government networks ranging in size from local to global in scope and connected via copper

lines, fiber-optic cables, wireless links, and other technologies. The Internet transports a vast

array of information resources and services, most notably the World Wide Web's (WWW)

inter-linked hypertext documents and the infrastructure to support electronic mail, as well as

popular services such as online chat, file transfer and file sharing, online gaming, and Voice

over Internet Protocol (VoIP) voice and video communication.

The Internet's origins may be traced back to the 1960s, when the United States financed military

research efforts to construct resilient, fault-tolerant, and distributed computer networks. This

research, as well as a period of civilian funding by the National Science Foundation for a new

U.S. backbone, spawned worldwide participation in the development of new networking

technologies, led to the commercialization of an international network in the mid-1990s, and

resulted in the subsequent popularization of countless applications in virtually every aspect of

modern human life.2

The Internet and World Wide Web are frequently used interchangeably in ordinary discourse.

However, the Internet and the World Wide Web are not synonymous. 3 The Internet is a

worldwide digital communications network. It is a hardware and software architecture that

1
ARTICLE:DEMAR'S TIME HAS ARRIVED, kiss-aida, https://www.kissaida.com/copy-of-cover-5
2
Dispute resolution mechanism of cyber laws in India, ICMCR | INTERNATIONAL CENTRE FOR MEDIATION AND
CONFLICT RESOLUTION, https://icmcrmediation.org/dispute-resolution-mechanism-of-cyber-laws-in-india/
3
Tech Xplore - Technology and Engineering news, Tech Xplore - Technology and Engineering news,
https://techxplore.com/tags/internet/sort/rank/1d/ (last visited Oct. 15, 2023).
 6

allows computers to communicate with one another. On the other hand, the Web is one of the

services communicated via the Internet. It is a collection of papers and other resources linked

via hyperlinks and Uniform Resource Locator [URLs].

The World Wide Web was created in 1989 by English physicist Tim Berners-Lee, currently

the Director of the World Wide Web Consortium, and later supported by Belgian computer

scientist Robert Cailliau while both worked at CERN in Geneva, Switzerland. They proposed

establishing a "web of nodes" in 1990 to store "hypertext pages" read by "browsers" over a

network, and that Web was deployed in December.4

Overall, Internet usage has increased dramatically. From 2000 to 2009, the global Internet user

population increased from 394 million to 1.858 billion. By 2010, 22% of the global population

had access to computers, with 1 billion Google searches per day, 300 million Internet users

reading blogs, and 2 billion YouTube videos viewed daily.

Following English (27%), the most popular languages on the Internet are Chinese (23%),

Spanish (8%), Japanese (5%), Portuguese and German (4% each), Arabic, French, and Russian

(3% each), and Korean (2%). By region, Asia has 42% of the world's Internet users, Europe

has 24%, North America has 14%, Latin America and the Caribbean have 10%, Africa has 6%,

the Middle East has 3%, and Australia/Oceania has 1%.5

I. What Is Cyber security?

Protecting systems, networks, and programs from cyber-attacks is the practice of cyber

security. These hacks try to disrupt regular corporate operations, extort money from users

through ransomware, or access, alter, or delete important information.

4
Internet Technologies | i-netsolutions.net, i-netsolutions.net |, https://i-netsolutions.net/internet-
technologies-7.html.
5
OVERVIEW OF CYBER LAWS INDIA (Oct. 4, 2012), https://taxguru.in/wp-content/uploads/2012/10/cyber-laws-
overview.pdf.
 7

Nowadays, there are more devices than humans, and hackers are getting more creative, making

it challenging to implement efficient cybersecurity measures.6

Multiple layers of security are dispersed across the computers, networks, programs, or data that

one wants to keep secure in an effective cybersecurity strategy. For a business to successfully

defend against cyber-attacks, the people, processes, and technology must all work

harmoniously.7

Everyone gains from cutting-edge cyber defense strategies in the linked world of today. A

cyber security attack may result in everything for a specific person, including identity theft,

extortion attempts, and the loss of crucial information like family photos. Critical

infrastructure, including hospitals, power plants, and financial service providers, is a necessity

for everyone. For our society to continue to run smoothly, these and other organizations must

be secure.

II. What is Cyber Law?

Cyber laws, also called internet laws, are legal informatics rules that govern software, e-

commerce, information security, and the digital transfer of information. It typically

encompasses various connected topics, including Internet access and usage, freedom of speech,

and privacy. The usage of the internet raises numerous security and privacy concerns.

Intelligent criminals have been reported to carry out unauthorized operations and potential

fraud using cutting-edge tactics. As a result, there is a great need to protect against them, and

the best way to do so is to impose a cyber security strategy. By holding these criminals

responsible for their destructive deeds and imposing the proper punishment determined by the

6
Cybersecurity and its types and importance Full Maza Blog (2023), https://fullmazablog.com/cybersecurity-
and-its-types-and-importance/ (last visited Oct 15, 2023).
7
Gaurav Sharma, Important skills to master for cybersecurity professionals TechGig (2022),
https://content.techgig.com/important-skills-to-master-for-cybersecurity-
professionals/articleshow/96400180.cms
 8

Federal Government, these regulations and laws are designed to protect individuals and

businesses online.

III. Types of Cybercrime

1. Hacking is a criminal offense in India and may lead to civil liabilities. Section 43 of the

Information Technology Act, 2000 (the "IT Act") proscribes, in respect of a computer,

computer system, computer network, or computer resource: unauthorized access; unauthorized

downloads, copies, or extraction of any data, information, or computer database; introduction

of "computer contaminants" or viruses; assistance of any person in order to facilitate access in

contravention to the IT Act; and any manipulation or tampering that causes services availed by

one person to be charged to another. Prior to amendments to the IT Act in 2008, section 66 of

said Act specifically defined hacking as the destruction, deletion, or alteration of any

information residing in a computer resource, or the diminishment of the value or utility of a

computer resource, or an action that affects a computer resource injuriously. These actions are

now within the purview of section 43 of the IT Act as amended in 2008, which no longer makes

specific reference to the term "hacking" but otherwise retains the language of the former section

66. Finally, section 43, as amended, also proscribes the stealing, concealment, destruction, or

alteration (or causing any person to do any of the preceding) of any computer source code used

for a computer resource with a desire to harm someone. 8

Those found guilty of violating section 43 are subject to a maximum three-year sentence in

prison, a fine of INR 500,000, or both.

8
Thakur, Harish C. "Extent of Protection Offered by the Indian Information Technology Act, 2000: A Case
Study." International Journal of Technology Transfer and Commercialisation, (2007).
https://doi.org/10.1504/ijttc.2007.014539.
 9

2. Denial-of-service attacks: Attacks that cause a denial of service (Do's) are likewise

prohibited by section 43 of the IT Act. The provisions of sections 43(e) and (f) apply to anyone

who, without the consent of the owner of a computer, computer system, or computer network,

interferes with or causes interference with that computer, computer system, or computer

network, and refuses or causes the refusal of access to any person authorized to access a

computer, computer system, or computer network by any means. As previously stated,

breaking the terms of section 43 is punishable by up to three years in prison, a fine of INR

500,000, or both.9

3. Phishing: Phishing is not explicitly mentioned in the law. However, the Delhi High Court

described phishing as "...a form of internet fraud...involving a deliberate misrepresentation or

theft of identity in order to perpetrate theft of data" in National Association of Software and

Services Companies v. Ajay Sood 2005 (30) PTC 437 (Del). As previously mentioned,

phishing assaults fall under this criteria and are generally covered under Section 43 of the IT

Act. Penalties for violating section 43 have already been described in the previous paragraph.

In addition, section 66C of the Information Technology (Amendment) Act, 2008 (the "IT

Amendment Act") states that whoever fraudulently or dishonestly makes use of the electronic

signature, password, or any other unique identification feature of any other person, shall be

punished with imprisonment of up to three years, and will also be liable to a fine of up to INR

9
Ryan Stevens, Banning Ransomware Payoffs: Cybersecurity Legislative Update, Duane Morris Government
Strategies (July 27, 2021), https://statecapitallobbyist.com/judiciary/banning-ransomware-payoffs-
cybersecurity-legislative-update/.
 10

100,000. Section 66D of the IT Amendment Act prescribes the same penalties for whoever,

utilizing any communication device or computer resource, cheats by personation.10

IV. Role of Cyber Laws in Cyber security

Cyber rules are essential to using the internet and have several functions. Most of these

regulations are designed to safeguard users from falling prey to cybercrimes, while some are

intended to control how people use the internet and computers more generally. Cyber laws

cover these three key areas:

Fraud: Cyber laws protect users from falling prey to online fraud. They are around to stop

crimes like identity and credit card theft. These statutes further proclaim that anyone who

attempts to conduct such fraud would face federal and state criminal charges.

Copyright: Besides outlawing copyright infringement, cyber laws also enforce copyright

protection. They grant people and organizations the right to safeguard and benefit from their

creative creations.

Defamation: Cyber laws are also enforced in online slander cases, which protects people and

companies from untrue claims made online that could hurt their reputations. 11

V. Cyber laws

Cyber security or cybercrime laws are regulations that protect information technology,

intending to require businesses and organizations to use a variety of defenses to secure their

10
India Legal, Tamil Nadu Police Registered FIR Against Twitter Handle Trying To Cause Unrest Among IPS &
CAPF, (June 21, 2020), https://www.indialegallive.com/top-news-of-the-day/tamil-nadu-police-registered-fir-
against-twitter-handle-trying-to-cause-unrest-among-ips-capf/.
11
LexTalk World, An overview of the cybersecurity laws in the EU, LexTalk World (Jan. 17, 2023),
https://www.lextalk.world/post/an-overview-of-the-cybersecurity-laws-in-the-eu.
 11

systems and data against intrusions. The various categories of international cyber and

cybercrime laws in India and the EU will be briefly discussed here.

---Cyber Security Laws in India

1. The Information Technology Act of 2000 was passed by the Indian Parliament and was

intended to protect the e-government, e-banking, and e-commerce sectors. However, its scope

has since been expanded to include all contemporary communication technologies. Provisions

for the protection of electronic data are included in the IT Act. Sections 43(a) through (h) of

the IT Act impose penalties for "cyber contraventions" and "cyber offenses" (sections 63–74).

The IT Act was initially passed to establish a legal framework for online business and impose

computer abuse penalties. However, it is now also used to address data security and privacy

issues. The Information Technology (Guidelines for Intermediaries and Digital Media Ethics

Code) Rules, 2021, which limit the usage of intermediaries, including social media

intermediates, and define their obligations to protect users' personal information online;

The following are some of the areas of data collection, transfer, and processing that are the

focus of and are governed by the IT Rules:

The Information Technology (Reasonable Security Practices and Procedures and Sensitive

Personal Data or Information) Rules, which impose strict security requirements on

organizations that retain sensitive personal information about users;

The Information Technology (Guidelines for Cyber Cafe) Rules, which mandate that

cybercafés register with a registration agency and keep a record of patrons' identities and

internet usage, as well as The Information Technology (Electronic et al.) Rules give the
 12

Government the authority to mandate that certain services, like applications, certificates, and

licenses, be delivered electronically.12

The Personal Data Protection Bill 2019—a proposed piece of specialized data protection

legislation—was introduced to Parliament for consideration in late 2020 and again in 2021.

Due to concerns that it was too broad, the Government withdrew it in the first few days of

August 2022. It is currently being revised. However, enforcement may occasionally occur in

addition to the abovementioned laws based on the Copyright Act of 1957. Other laws, including

the Indian Penal Code of 1860, the Code of Criminal Procedure of 1973, the Indian Telegraph

Act of 1885, the Companies Act of 1956, and the Consumer Protection Act of 1986, may

occasionally apply, depending on the situation.

The Indian Penal Code, in particular, has sections that cover the majority of criminal statutes,

such as those about theft, fraud, identity theft, and intentional infliction of harm, all of which

may, in general, apply to cyber offenses. It is important to note that Section 81 of the IT Act

2000 contains a non-obstante clause that declares that its provisions take precedence over any

other statutes that may conflict with them. The IT Amendment Act clarifies that this does not

prevent anyone from exercising rights granted by the Copyright Act of 1957 or the Patents Act

of 1970.

2. The 1980 Indian Penal Code (IPC): Cyber frauds, including identity theft and other

thefts of sensitive information, are the main targets of this cybercrime prevention act.

3. 2013 Companies Act: The legislature made sure that all regulatory compliances,

including e-discovery, cyber forensics, and cybersecurity diligence, are covered by the

12
Christy Chung, Information Technology Rules from India, StormEye (Feb. 12, 2023),
https://www.stormeye.io/post/information-technology-rules-from-india.
 13

Corporation Act, which was passed back in 2013. The Companies Act outlines the directors'

and executives' duty to confirm cybersecurity obligations.

4. NIST Compliance: The National Institute of Standards and Technology (NIST) has

approved the Cybersecurity Framework (NCFS), which includes all the standards, best

practices, and guidelines required to handle cybersecurity risks appropriately.13

5. Following section 48(1) of the IT Act, the Ministry of Electronics and Information

Technology established the Cyber Regulations Appellate Tribunal (CRAT) in October 2006.

Thanks to the IT Amendment Act, the tribunal is now known as the Cyber Appellate Tribunal

(CAT). Any individual who feels wronged by a decision issued by the Controller of Certifying

Authorities or an adjudicating officer under this Act may file an appeal with the CAT under

the IT Act. According to section 49 of the IT Act 2000, the Central Government appoints the

chairperson of the CAT via notification. Before the IT Amendment Act, the chairperson was

called the presiding officer. The modified Act now stipulates that the CAT should consist of a

chairperson and such additional members as the Central Government may announce or

nominate.14

---Cybersecurity Laws in the European Union

In the European Union, there are four main cyber security rules. The EU GDPR, the

EU Cybersecurity Act, the NIS Directive, and ENISA are a few of them, and we will quickly

touch on each.

The European Union Agency for Cyber security (ENISA) was established to enhance

network and information security throughout all EU internetwork operations(Unicom,2021). It

13
Nandini Prashad, Cyber Laws In India That One Should Learn About!, News Magnify - A New Vision For The
Global News (Nov. 30, 2022), https://www.newsmagnify.com/technology/cyber-laws-in-india/.
14
Rachit Garg, Detailed analysis of an adjudicating officer u/s 46 of the Information Technology Act, 2000 -
iPleaders, IPleaders (June 6, 2021), https://blog.ipleaders.in/detailed-analysis-adjudicating-officer-u-s-46-
information-technology-act-2000/.
 14

was founded in 2004 with three main goals: The suggested action plan in the wake of a security

breach (i). (ii) Creating policies and providing support for their execution. (iii). Direct

assistance.

NIS Directive: The European Parliament passed the Network and Information Systems

(NIS) Directive in 2016, intending to enhance cybersecurity broadly across all EU networks. It

primarily concentrated on operators of essential services (OESs) and digital service providers

(DSPs). Organizations that are essential to society or the economy, or OESs, will be negatively

impacted by security or data breaches. Any such occurrence must be reported to the Computer

Security Occurrence Response Teams (CSIRT) by both DSPs and OESs.

EU Cyber security Act: The EU Cyber security Act offers businesses throughout the

EU a certification framework for cyber security for digital goods, services, and processes.

EU GDPR: The EU General Data Protection Regulation (GDPR) was implemented in

May 2018 after being established in 2016 (Lim,2018). The EU GDPR intends to establish a

uniform standard for data protection across all of the EU's member states.

VI. Advantages of cyber law

Cyber laws safeguard people's and organizations' privacy online while preventing them from

being victims of cybercrimes. Therefore, the benefits of passing such laws are innumerable,

but in order to comprehend the significant advantages, let us go over a few key points:

Cyber laws govern every action on the internet and, in general, in cyberspace, just as regular

laws specify what people or institutions can and cannot do in a society.

Online transactions are protected by federal law just like offline ones are.

Online activity is continuously monitored by cybercrime officials so that any illegal conduct,

such as fraud or cybercrimes, can be dealt with appropriately.

 15

Creates legislation that can be used to prosecute cybercriminals.

Cyber laws assist in establishing digital assistance.

VII. New Developments in Cyber Law

Cyber laws must be updated and strengthened to ensure they are as complete as possible as

cyberspace advances dramatically. Here are a few new developments in cyber law:

The public's increasing knowledge of online privacy calls for the Federal Government to take

the most comprehensive action possible.

Vast volumes of data are now being transferred between computers thanks to cloud computing,

creating numerous vulnerabilities that can be attacked. Additionally, laws governing these

facilities must be passed.

A growing trend, cryptocurrencies like Bitcoin and Ethereum demand rules and regulations to

ensure secure banking and transactions.

The cyber security industry has made significant strides in response to the rise in malicious

cybercrimes. However, the rules and regulations in place today need to address these offenses

adequately. This necessitates the Government taking effective action to adopt new laws and

acts that are comprehensive and effective to counteract these threats and manage the

complexities and challenges that quickly developing technologies bring.

Scope

The cybersecurity industry has made significant strides in response to the rise in malicious

cybercrimes. However, the rules and regulations in place today need to address these offenses

adequately. This necessitates the Government taking effective action to adopt new laws and

acts that are comprehensive and effective to counteract these threats and manage the

complexities and challenges that quickly developing technologies bring.

 16

VIII. Need for cyber law

In today's technologically advanced society, the globe and its crimes are becoming increasingly

digitally complex. The Internet was initially designed as an unregulated research and

information-sharing platform. As time passed, it got more transactional, with e-business, e-

commerce, e-governance, and e-procurement, among other things. Cyber laws address all legal

issues relating to digital crime. As the number of people using the Internet grows, so does the

demand for cyber laws and their implementation.

Cyberlaw affects practically everyone in today's highly digitalized environment. For example

Almost all share transactions are in demat form.

Almost all businesses rely heavily on computer networks and store critical data electronically.

Government forms, such as income tax returns and corporate law forms, are now filled out

electronically.

Consumers are increasingly using credit cards to make purchases.

Most people communicate using email, cell phones, and SMS messages.

Even in "non-cybercrime" cases, computers/cell phones contain crucial evidence, such as

divorce, murder, kidnapping, tax fraud, organized crime, terrorist operations, and counterfeit

currency.

Online banking frauds, online share trading frauds, source code theft, credit card fraud, tax

evasion, virus attacks, cyber sabotage, phishing attacks, email hijacking, denial of service,

hacking, pornography, and other forms of cybercrime are becoming more frequent.

Digital signatures and e-contracts are rapidly replacing traditional business transactions.

Technology in and of itself is never a contentious issue, but who gets what and at what cost has

been a point of contention in government. In contrast to prior technologies, which had a trickle-

down impact, the cyber revolution promises to reach the masses swiftly. Such a promise and
 17

potential can be achieved only with an adequate legal system based on a particular

socioeconomic matrix.
 18

Conclusion

Cybercrimes can be effectively stopped in their tracks, but it will take the combined efforts of

international organizations, governments, and businesses. In order to preserve a safe, secure,

and open environment for everyone, cyber security laws and regulations governing each action

and activity are essential as cyberspace grows more widespread. The Government is anticipated

to make significant strides with cyber regulations in the future years, but ultimately, the

effectiveness of these rules will depend on the users.

19