Compliance audit under the Information Technology Act, 2000
Rule 3. Sensitive personal data or information (text of the rule as quoted in the deck)

Sensitive personal data or information of a person means such personal information which consists of information relating to:
  (i) password;
  (ii) financial information such as bank account or credit card or debit card or other payment instrument details;
  (iii) physical, physiological and mental health condition;
  (iv) sexual orientation;
  (v) medical records and history;
  (vi) biometric information;
  (vii) any detail relating to the above clauses as provided to a body corporate for providing service; and
  (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise;
provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these rules.

2. CASES
  • Nadeem Kashmiri and HSBC
  • Karan Bahree and Mphasis
  • My case - Hyundai

3. ISSUES
  • Liability of the company
  • Protection of data - the outsourcing industry's concern
  • Privacy of data - the individual's concern

4. SEC. 43A - COMPENSATION FOR FAILURE TO PROTECT DATA
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, it is liable to pay damages by way of compensation to the person so affected.

5. ADJUDICATION
  • Claims up to Rs. 5 crore - Adjudicating Officer
  • Claims above Rs. 5 crore - civil courts (no cap on the compensation)

6. WHO IS LIABLE? Sec. 85: Offences by companies
  • The company itself, being a legal person;
  • The top management, including directors; and
  • The managers (the persons directly responsible for the data).
The company and every person in charge of its business are deemed guilty unless they prove that the contravention took place without their knowledge or that they exercised all due diligence to prevent it; directors, managers and other officers are also liable where the contravention is attributable to their consent, connivance or neglect.

7. ISSUES
  • What is sensitive personal data or information?
  • What are reasonable security practices and procedures?

8. THE SOLUTION
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, in force from 11 April 2011, to be read with Sec. 43A.
9. SENSITIVE PERSONAL DATA OR INFORMATION
Defined in Rule 3 of the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (text reproduced above).

10. REASONABLE SECURITY PRACTICES (Rule 8)
  • A comprehensive, documented information security programme and information security policies,
  • containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected.

11. REASONABLE SECURITY PRACTICES (Rule 8, continued)
  • The international standard IS/ISO/IEC 27001 ("Information Technology - Security Techniques - Information Security Management System - Requirements") is one such standard; OR
  • a body corporate following a code of best practice for data protection other than IS/ISO/IEC 27001 must get that code duly approved and notified by the Central Government; OR
  • an agreement between the parties regarding the protection of sensitive personal data or information.

12. AUDITING
  • The standard or code of practice must be certified or audited on a regular basis: at least once a year, and whenever the body corporate significantly upgrades its processes or computer resources.
  • The audit must be done by an independent auditor approved by the Central Government, to be known as a "Govt. Certified IT Auditor"; none has been appointed yet.
  • CERT-In has empanelled IT security auditors.
14. COLLECTION OF INFORMATION (Rule 5)
  • Consent of the provider of the SPDI must be obtained in writing (letter, fax or email) before the information is collected, stating the purpose for which it will be used.
  • The provider must be told: that SPDI is being collected; what type of SPDI it is; and how long it will be held.

15. COLLECTION OF INFORMATION (Rule 5, continued)
  • The provider should know: the purpose of collection; the intended recipients; and the details of the agency collecting the information and the agency retaining it.
  • The body corporate must not retain SPDI longer than required for the stated purpose.
  • The provider must be given the option to withdraw the information provided.
  • SPDI may be used only for the purpose for which it was collected.
  • A "Grievance Officer" must be appointed to address discrepancies and grievances about the information in a timely manner: maximum one month.

16. PRIVACY AND DISCLOSURE OF INFORMATION POLICY (Rule 4)
  • A policy on the handling of SPDI, published on the body corporate's website or otherwise available for viewing or inspection at any time.
  • It shall provide for: the type of SPDI collected; the purpose of its collection and usage; clear and easily accessible statements of the body corporate's IT security practices and policies; and a statement that the reasonable security practices and procedures under Rule 8 have been complied with.

17. DISCLOSURE (Rule 6)
  • Disclosure to a third party requires the prior permission of the provider; OR
  • a disclosure clause in the original contract; OR
  • the disclosure must be necessary under law.
  • A third party receiving SPDI shall not disclose it further.

18. TRANSFER OF INFORMATION (Rule 7)
  • Transfer is permitted only if it is necessary for the performance of a lawful contract, or with the provider's consent.
  • The disclosure clause should be part of the Privacy and Disclosure Policy.
  • The transferee must ensure the same level of data protection is maintained during and after the transfer.
  • Details of the transferee should be given to the provider.

19. SEC. 72A (CRIMINAL OFFENCE)
Punishment for disclosure of information in breach of lawful contract: knowingly or intentionally disclosing "personal information" in breach of a lawful contract. Important: follow the contract. Punishment: imprisonment up to 3 years, or a fine up to Rs. 5 lakh, or both (cognizable but bailable).
20. GRAMM-LEACH-BLILEY ACT (GLBA, USA)
  • Focuses on financial institutions.
  • Safeguards Rule - protection of nonpublic personal information: requires financial institutions to develop a written information security plan describing how the company protects, and plans to continue protecting, clients' nonpublic personal information. The plan must include:
    • designating at least one employee to manage the safeguards;
    • conducting a thorough risk analysis of each department handling the nonpublic information;
    • developing, monitoring and testing a program to secure the information; and
    • changing the safeguards as needed when the way information is collected, stored and used changes.

21. THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)
  • Focus on the economic and national security interests of the United States.
  • Emphasises a "risk-based policy for cost-effective security".
  • Assigns responsibility to federal agencies, NIST and the Office of Management and Budget (OMB) for strengthening information system security.
  • Binding on federal agencies and the systems operated on their behalf, not on the private sector generally; no statutory penalty for non-compliance.

22. DATA PROTECTION DIRECTIVE (EU)
  • European Union directive regulating the processing of personal data within the EU.
  • Protects individuals' personal data and its free movement.
  • Coming soon: the European Data Protection Regulation.
  • A directive binds member states, which give effect to it through national law; the Directive itself sets no penalties, those come from the national implementing laws.

23. PREAMBLE OF THE IT ACT
Purpose behind enacting the IT Act:
  • to provide legal recognition to e-commerce;
  • to facilitate e-governance;
  • to provide remedies for cyber crimes;
  • to provide legal recognition to electronic records as evidence.
The Preamble does not state that the Act aims at establishing an IT security framework in India.

24. BENEFITS
  • Compliance with legislation
  • A defence against liability under Sec. 43A
  • Increased reliability and security of systems
  • Systems rationalization
  • Improved management controls
  • Improved risk management and contingency planning

25. GET IN TOUCH