IT AA 2008 Overview
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, PG Diploma in IRPM, PG Diploma in
EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empanelled CPE Trainer
Director
Agenda
• PART-A
– Why should we know the IT Act?
– Background & Evolution of IT Act 2000/8
– Important Provisions of IT Act 2000/8
www.bestfitsolutions.co.in
Evolution of IT Act
• The UNCITRAL Model Law on Electronic Commerce (1996) was endorsed by the United Nations General Assembly on 30th January 1997
• Draft E-Commerce Act 1998 released for public comments
• IT Bill introduced in 1999
Incident-1
• "I Love You" virus - 5th May 2000
• The IT Act 2000 timeline
– 17th May 2000: Bill passed by Parliament
– 9th June 2000: Presidential assent
– 17th October 2000: Act came into force
• India became the 12th nation to have such a law
Incident-2
• December 2004
• A CEO was arrested
• Sale of a CD with objectionable material
• The then PM orders a review of the IT Act
• Expert Committee submits its report in August 2005
• Amendment Bill introduced in 2006
Incident-3 (image slide)
Relation to IT Act 2008?
Dates
• 23rd & 24th December 2008: the IT Amendment Bill passed, immediately after 26/11
– 8 Bills in 17 minutes
• Presidential assent on 5th February 2009
• Notified to come into force on 27th October 2009, with the passing of the rules
• 11th April 2011: rules under sections 43A, 79 and 6A notified (SPDI Rules, Intermediaries Guidelines Rules, Electronic Service Delivery Rules); this was a notification of rules, not an amendment of the Act itself
2000 vs 2008
• 2000
– E-commerce
• 2008
– Security focused
– Data protection
2000 vs 2008
             2000   2008
Chapters     XIII   XIV
Sections     94     119*
Schedules    IV     II
* The last section number in the amended Act is Sec 90 (sections 91 to 94 were omitted by ITAA 2008), so how does one arrive at 119 sections? The figure is the sum of the chapter-wise counts on the next two slides, and it includes the lettered sections inserted by the amendment (3A, 6A, 7A, 10A, 40A, 43A, 52A to 52D, 66A to 66F, 67A to 67C, 69A, 69B, 70A, 70B, 72A, 77A, 77B, 79A, 81A, 84A to 84C).
Related Amendments
• 2000 (Schedules I to IV)
– Indian Penal Code 1860
– The Indian Evidence Act 1872
– The Bankers' Books Evidence Act 1891
– The RBI Act 1934
• 2008 (Parts III and IV of the Amendment Act)
– Indian Penal Code 1860
– The Indian Evidence Act 1872
(The Third and Fourth Schedules were omitted by ITAA 2008; the First and Second Schedules now carry the exceptions and the electronic signature techniques respectively.)
Chapter wise Sections
Chapter                                                              Count  Sections
I     Preliminary                                                      2    1, 2
II    Digital Signature and Electronic Signature                       2    3, 3A
III   Electronic Governance                                           10    4, 5, 6, 6A, 7, 7A, 8, 9, 10, 10A
IV    Attribution, Acknowledgment and Dispatch of Electronic Records   3    11, 12, 13
V     Secure Electronic Records and Secure Electronic Signatures       3    14, 15, 16
VI    Regulation of Certifying Authorities                            17    17 to 34 (Sec 20 omitted by ITAA 2008)
VII   Electronic Signature Certificates                                5    35, 36, 37, 38, 39
VIII  Duties of Subscribers                                            4    40, 40A, 41, 42
IX    Penalties, Compensation and Adjudication                         6    43, 43A, 44, 45, 46, 47
X     The Cyber Appellate Tribunal                                    21    48 to 52, 52A, 52B, 52C, 52D, 53 to 64
XI    Offences                                                        29    65, 66, 66A to 66F, 67, 67A to 67C, 68, 69, 69A, 69B, 70, 70A, 70B, 71, 72, 72A, 73 to 77, 77A, 77B, 78 (66A struck down by the Supreme Court in 2015)
XII   Intermediaries not to be liable in certain cases                 1    79
XIIA  Examiner of Electronic Evidence                                  1    79A
XIII  Miscellaneous                                                   15    80, 81, 81A, 82, 83, 84, 84A, 84B, 84C, 85 to 90 (91 to 94 omitted by ITAA 2008)
Total                                                                119
Exceptions-Schedule-I
• Documents or transactions to which the Act shall not apply
– A negotiable instrument (other than a cheque) as defined in Sec 13 of the Negotiable Instruments Act, 1881
– A power of attorney as defined in Sec 1A of the Powers of Attorney Act, 1882
– A trust as defined in Sec 3 of the Indian Trusts Act, 1882
– A will as defined in clause (h) of Sec 2 of the Indian Succession Act, 1925
– Any contract for sale or conveyance of immovable property or any interest in such property
– Any such class of documents or transactions notified by the Central Government
Chapter-II-Sec 3
3. Authentication of Electronic Records
(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his Digital Signature.
(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Chapter-II-Sec 3A
3-A. Electronic Signature
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which -
(a) is considered reliable; and
(b) may be specified in the Second Schedule
Chapter-II-Sec 3A
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if-
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfils such other conditions which may be prescribed.
Chapter-II-Sec 3A
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the Second Schedule;
Schedule-II
• The Second Schedule, as substituted by ITAA 2008, is where the recognised electronic signature or electronic authentication techniques are listed (Sec 3A(1)(b))
• It was left empty when the 2008 amendment came into force
• The Government, vide its Gazette notification dated 27th January 2015, issued the "Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015", under which the e-authentication technique using Aadhaar e-KYC services is a valid electronic signature
How E-sign Looks (screen shot slide)
Chapter-III-Sec 4
Legal Recognition of Electronic Records.
Where any law provides that information or any
other matter shall be in writing or in the
typewritten or printed form, then, notwithstanding
anything contained in such law, such
requirement shall be deemed to have been
satisfied if such information or matter is -
(a) Rendered or made available in an electronic
form; and
(b)accessible so as to be usable for a subsequent
reference
Chapter-III Sec 5
Legal recognition of Electronic Signature.
Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as may be prescribed by the Central Government.
Chapter-III Sec-7
Retention of Electronic Records -
(1) Where any law provides that documents,
records or information shall be retained for
any specific period, then, that requirement
shall be deemed to have been satisfied if
such documents, records or information
are retained in the electronic form, if -
(a) the information contained therein
remains accessible so as to be usable
for a subsequent reference;
Chapter-III Sec-7 contd..
(b)the electronic record is retained in the
format in which it was originally
generated, sent or received or in a format
which can be demonstrated to represent
accurately the information originally
generated, sent or received;
(c)the details which will facilitate the
identification of the origin, destination,
date and time of dispatch or receipt of
such electronic record are available in the
electronic record:
Chapter-III Sec-7A
Audit of Documents etc in Electronic
form -
Where in any law for the time being in force,
there is a provision for audit of documents,
records or information, that provision shall
also be applicable for audit of documents,
records or information processed and
maintained in electronic form.
Chapter-III Sec- 9
Sections 6, 7 and 8 Not to Confer Right to insist
document should be accepted in electronic form -
• Nothing contained in sections 6, 7 and 8 shall confer a
right upon any person to insist that any Ministry or
Department of the Central Government or the State
Government or any authority or body established by or
under any law or controlled or funded by the Central or
State Government should accept, issue, create, retain
and preserve any document in the form of electronic
records or effect any monetary transaction in the
electronic form.
Chapter-III Sec- 10 A
Validity of contracts formed through electronic
means.-
• Where in a contract formation, the
communication of proposals, the acceptance of
proposals, the revocation of proposals and
acceptances, as the case may be, are
expressed in electronic form or by means of an
electronic record, such contract shall not be
deemed to be unenforceable solely on the
ground that such electronic form or means was
used for that purpose.
Chapter-IV
• Sec 12
– Acknowledgment of receipt
• Sec 13
– Time and place of dispatch and receipt
Chapter-V-Sec 15
Secure Electronic Signature. -
• An electronic signature shall be deemed to
be a secure electronic signature if-
– (i) The signature creation data, at the time of affixing
signature, was under the exclusive control of
signatory and no other person; and
– (ii) The signature creation data was stored and
affixed in such exclusive manner as may be
prescribed.
– Explanation - In case of digital signature, the
"signature creation data" means the private key of the
subscriber
Chapter-IX
• Section 43
– Penalty and compensation for damage to computer, computer system, etc. (amended vide ITAA 2008); the section stipulates no amount, the earlier ceiling of Rs 1 crore in the 2000 Act having been removed
• Section 43A
– Compensation for failure to protect data
Chapter-IX-Sec 43
If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, -
(a) accesses or secures access to such computer, computer system or computer network or computer resource;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
What is damage?
(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
(j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
he shall be liable to pay damages by way of compensation to the person so affected.
Sec-43 A
• Where a body corporate, possessing,
dealing or handling any sensitive personal
data or information in a computer resource
which it owns, controls or operates, is
negligent in implementing and maintaining
reasonable security practices and
procedures and thereby causes wrongful loss
or wrongful gain to any person, such body
corporate shall be liable to pay damages by
way of compensation, to the person so
affected. (Change vide ITAA 2008)
Sec 43 A- Explanation
"Body corporate" means any
company and includes a firm, sole
proprietorship or other association
of individuals engaged in
commercial or professional
activities;
SPDI
"sensitive personal data or
information" means such
personal information as may
be prescribed by the Central
Government in consultation
with such professional bodies
or associations as it may deem
fit.
SPDI
It is defined in the
• THE INFORMATION TECHNOLOGY
(REASONABLE SECURITY PRACTICES
AND PROCEDURES AND SENSITIVE
PERSONAL DATA OR INFORMATION)
RULES, 2011
Rule 3 - SPDI Rules, 2011
(i) Password
(ii) Financial information such as bank account, credit card, debit card or other payment instrument details
(iii) Physical, physiological and mental health condition
(iv) Sexual orientation
(v) Medical records and history
(vi) Biometric information
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Biometrics
• PID block
• Signer certificate at server level
Question: in what format is the biometric information stored in the computer?
Reasonable Security Practices & Procedures (Explanation (ii) to Sec 43A)
• Security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Reasonable Security Practices
Defined in Rule 8 of
• THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011
Rule 8 - Reasonable security practices and procedures
(1) A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures, if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, the body corporate or a person on its behalf shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies.
Rule 8 contd..
(2) The International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard referred to in sub-rule (1).
(3) Any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
(4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes significant upgradation of its process and computer resource.
Chapter-XI Offences
Imprisonment and fines
Offence                                                              Sec   Years   Fine (lakh)
Tampering with computer source documents                             65    3       2
Computer related offences (to be read with Sec 43)                   66    3       5
Dishonestly receiving stolen computer resource or communication
device (akin to Sec 411 of IPC)                                      66B   3       1
Identity theft                                                       66C   3       1
Cheating by personation by using computer resource                   66D   3       1
Violation of privacy                                                 66E   3       2
Cyber terrorism                                                      66F   Life    -
Note: Sec 66A (sending offensive messages through a communication service) is not listed; it was struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India (2015).
Chapter-XI
Offence                                                              Sec   Years    Fine (lakh)
Publishing or transmitting obscene material in electronic form       67    3 (5)    5 (10)
Publishing or transmitting material containing sexually explicit
act in electronic form                                               67A   5 (7)    10 (10)
Publishing or transmitting material depicting children in sexually
explicit act in electronic form                                      67B   5 (7)    10 (10)
Preservation and retention of information by intermediaries          67C   3        fine, amount not specified
Non-compliance with the directions of the Controller                 68    2        1
Failure to assist the agency seeking interception, monitoring or
decryption of any information through any computer resource         69    7        fine, amount not specified
Figures in brackets apply to a second or subsequent conviction.
Sec 67B - proviso
Provided that the provisions of section 67, section 67A and this section does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form-
(i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or
(ii) which is kept or used for bona fide heritage or religious purposes.
Chapter-XI
Offence                                                              Sec   Years   Fine (lakh)
Securing access or attempting to secure access to a protected
system                                                               70    10      fine, amount not specified
Misrepresentation to Controller / Certifying Authority               71    2       1
Breach of confidentiality and privacy                                72    2       1
Disclosure of information in breach of lawful contract               72A   3       5
Publishing Electronic Signature Certificate false in certain
particulars                                                          73    2       1
Use of Electronic Signature Certificate for any fraudulent or
unlawful purpose                                                     74    2       1
Type of Offence (Sec 77B)
• Cognizable: offences punishable with imprisonment of 3 years and above
• Bailable: offences punishable with imprisonment of 3 years
(The thresholds are in years of imprisonment, not in lakh of fine.)
What is the liability under Sec 43A? Damages by way of compensation to the person so affected; the section sets no upper limit on the amount.
ISO 27001 vs IT(A)A-2008
(Annex A control numbers follow ISO/IEC 27001:2013.)
IT Act Section                                        Annex A controls for the section
Section 43: Penalty for damage to computer,           A.8.1.3 Acceptable use of assets
computer system, etc.
Section 65: Tampering with computer source            A.8.1.3 Acceptable use of assets
documents                                             A.8.2.3 Handling of assets
                                                      A.9.1.1 Access control policy
Section 66: Computer related offences                 A.8.1.3 Acceptable use of assets
(titled "Hacking with computer system"                A.9.1.2 Access to networks and network services
in the 2000 Act)                                      A.13.1.1 Network controls
                                                      A.13.1.2 Security of network services
Sections 67, 67A, 67B, 67C: Publishing or             A.8.1.3 Acceptable use of assets
transmitting obscene information in                   A.13.2.1 Information transfer policies and procedures
electronic form                                       A.13.2.3 Electronic messaging
Sections 72 & 72A: Penalty for breach of              A.8.1.3 Acceptable use of assets
confidentiality and privacy                           A.9.1.1 Access control policy
                                                      A.9.1.2 Access to networks and network services
                                                      A.9.2.3 Management of privileged access rights
                                                      A.9.4.2 Secure log-on procedures
                                                      A.12.4.1 Event logging
                                                      A.12.4.2 Protection of log information
                                                      A.12.4.3 Administrator and operator logs
                                                      A.12.6 Technical vulnerability management
                                                      A.13.1.1 Network controls
                                                      A.13.1.2 Security of network services
Section 85: Offences by companies                     A.5.1 Policies on information security
                                                      A.8.1.3 Acceptable use of assets
                                                      A.13.2.1 Information transfer policies and procedures
                                                      A.13.2.3 Electronic messaging
• Take the Online Quiz now
Evaluation & Feedback
• https://goo.gl/forms/E2JKPumUjh4h5k2w1
• https://goo.gl/forms/vtx10YCC8GF1PQMM2
List of Rules-1
• Information Technology (Certifying Authorities)
Rules, 2000.
• Information Technology (IT) Security Guidelines
Rule 19 (2)
• Security Guidelines For Certifying Authorities
Rule 19 (2)
• Form For Application For Issue Of Digital
Signature Certificate Rule 23
• The Cyber Regulations Appellate Tribunal
(Procedure) Rules, 2000
List of Rules-2
• Information Technology (Certifying Authority)
Regulations, 2001
• Cyber Regulations Appellate Tribunal
(Procedure For Investigation Of Misbehaviour or
Incapacity Of Presiding Officer) Rules, 2003
• Information Technology (Other Powers Of Civil
Court Vested In Cyber Appellate Tribunal) Rules
2003
• Information Technology (Other Standards)
Rules, 2003.
List of Rules-3
• The Information Technology (Qualification and
Experience of Adjudicating Officers and Manner
of Holding Enquiry) Rules, 2003
• The Cyber Regulations Appellate Tribunal
(Salary, Allowance and other Terms and
Conditions of Service of Presiding Officer)
Rules, 2003.
• Information Technology (Use Of Electronic
Records And Digital Signatures) Rules, 2004
• The Information Technology (Security
Procedure) Rules, 2004
List of Rules-4
• Blocking of Websites - Ministry of Communication and Information Technology
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
ISACA and Cyber Framework
• Securing Sensitive Personal Data or Information Under India's IT Act Using COBIT 5
• Securing Mobile Devices Using COBIT 5 for Information Security
• Transforming Cybersecurity Using COBIT 5
• Responding To Targeted Cyberattacks
• Advanced Persistent Threats: How To Manage The Risk To Your Business
References
• http://www.cyberforensics.in/
• http://www.naavi.org/wp/
• http://www.cyberlawconsulting.com/
• http://www.cert-in.org.in/
• https://www.dsci.in/
nmdshenoy@yahoo.com, 09820409261
Thank you (in Bengali, Malayalam, Tamil and Hindi)
Search on ISACA Security Quiz-
www.bestfitsolutions.co.in

Information Technology Amendment Act 2008

  • 1.
    IT AA 2008Overview Nanda Mohan Shenoy D CAIIB,DBM-Part I,, NSE Certified Market Professional Level-1 ,P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM,LA ISO 9001,LA ISO 27001 NISM empanelled CPE Trainer Director
  • 2.
    Agenda • PART-A –Why shouldwe know the IT Act? –Background & Evolution of IT Act 2000/8 –Important Provisions of IT ACT 2000/8 2 www.bestfitsolutions.co.in
  • 3.
    Evolution of ITAct • The United Nations General Assembly adopted the Model Law on Electronic Commerce on 30th Jan 1997-UNCITRAL Model Law of E-Commerce • Draft e-Commerce Act 1998 released for public comments • IT Bill in 1999 3
  • 4.
    Incident-1 • I Loveyou virus-5th May 2000 • The IT Act 2000 enacted on –17th May – 9th June Presidential –17th October Bill passed • India became the 12th Nation to have the same 4
  • 5.
    Incident-2 • Dec 2004 •CEO was arrested • Sale of CD with objectionable material • The then PM orders review of the IT Act • Expert committee gives the comment in Aug 2005 • Amendment in 2006 5
  • 6.
  • 7.
    Dates • December 23&24 - 2008 the IT Amendment Bill immediately after 26/11 –8 Bills in 17 Minutes • Got Presidential Assent on Feb 5th 2009 • Notified for effectiveness on 27th October 2009 with the passing of the rules. • Amended on 11th April 2011 43A,79,6A 7
  • 8.
    2000 vs 2008 •2000 –E-commerce • 2008 –Security focused –Data Protection 8 1
  • 9.
    2000 Vs 2008 20002008 Chapters xiii xiv Sections 94 119* Schedules IV II 9 2 The last section in the amended act is Sec 90 ,then how come 119 Sections?
  • 10.
    Related Amendments • 2000(Schedules) –Indian Penal Code 1860 –The Indian Evidence Act 1872 –The Bankers Book Evidence Act 1891 –The RBI Act 1934 • 2008(Part 3 and 4) –Indian Penal Code 1860 –The Indian Evidence Act 1872 10
  • 11.
    Chapter wise Sections 11 I-PRELIMINARY(2)1,2 II-DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE(2) 3,3A III-ELECTRONIC GOVERNANCE(10) 4,5,6,6A,7,7A,8,9,10,10A IV-ATTRIBUTION, ACKNOWLEDGMENT AND DISPATCH OF ELECTRONIC RECORDS(3) 11,12,13 V-SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES(3) 14,15,16 VI-REGULATION OF CERTIFYING AUTHORITIES(17) 17,18,19,20,21,22,23,24,25,26,27,2 8,29,30,31,32,33,34 VII-ELECTRONIC SIGNATURE CERTIFICATES(5) 35,36,37,38,39
  • 12.
    Chapter wise Sections 12 VIII-DUTIESOF SUBSCRIBERS(4) 40,40A,41,42 IX-PENALTIES, COMPENSATION AND ADJUDICATION(6) 43,43A,44,45,,46,,47 X-THE CYBER APPELLATE TRIBUNAL(21) 48,49,50,51,52,52A,52B,52C,52D,53,54,55,5 6,57,58,59,60,61,62,63,64 XI-OFFENCES(29) 65,66,66A,66B,66C,66D,66E,66F,67,67A,67B, 67C,68,69,69A,69B,70,70A,70B,71,72,72A,7 3,74,75,76,77,77A,77B,78 XII-INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES(1) 79 XIIA-EXAMINER OF ELECTRONIC EVIDENCE(1) 79A XIII-MISCELLANEOUS(15) 80,81,81A,,82,83,84,84A,84B,84C,85,86,87, 88,89,90,91,92,93,94
  • 13.
    Exceptions-Schedule-I • Documents orTransactions to which the Act shall not apply – A negotiable instrument (other than a cheque) as defined in sec 13 of the NI Act ,1881 – A power of Attorney as defined in Sec1 A of the Power of Attorney Act 1882 – A Trust as defined in Sec 3 of the Indian Trust Act ,1882 – A will as defined in clause (h) of the Sec 2 of the Indian Succession Act ,1925 – Any contract for sale or conveyance of immovable property or any interest in such property – Any such class of documents or transaction notified by Central Government 13
  • 14.
    Chapter-III-Sec 3 3. Authenticationof Electronic Records (1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his Digital Signature. (2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record. 14
  • 15.
    Chapter-III-Sec 3A 3-A. ElectronicSignature (1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section(2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which - (a) Is considered reliable; and (b) May be specified in the Second Schedule 15
  • 16.
    Chapter-III-Sec 3A (2) Forthe purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if- (a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person; (b)The signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person; (c) Any alteration to the electronic signature made after affixing such signature is detectable; (d) Any alteration to the information made after its authentication by electronic signature is detectable; and (e) It fulfills such other conditions which may be prescribed. 16
  • 17.
    Chapter-III-Sec 3A (3) TheCentral Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated. (4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the Second Schedule; 17
  • 18.
    Schedule-II • Schedule IIof the IT Act 2000 defined the various types of Electronic Signature • Schedule II was empty when amended in 2008 • Government vide it's Gazzette notification dated 27th January 2015 has issued "Electronic Signature or Electronic Authentication Technique and Procedure Rules, 2015” under which e-authentication technique using Aadhaar e-KYC services is a valid electronic signature 18
  • 19.
  • 20.
  • 21.
    Chapter-III-Sec 4 Legal Recognitionof Electronic Records. Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is - (a) Rendered or made available in an electronic form; and (b)accessible so as to be usable for a subsequent reference 21
  • 22.
    Chapter-III Sec 5 Legalrecognition of Electronic Signature. Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document should be signed or bear the signature of any person then, not withstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of electronic signature affixed in such manner as may be prescribed by the Central Government. 22
  • 23.
    Chapter-III Sec-7 Retention ofElectronic Records - (1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, if - (a) the information contained therein remains accessible so as to be usable for a subsequent reference; 23
  • 24.
    Chapter-III Sec-7 contd.. (b)theelectronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; (c)the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record: 24
  • 25.
    Chapter-III Sec-7A Audit ofDocuments etc in Electronic form - Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form. 25
  • 26.
    Chapter-III Sec- 9 Sections6, 7 and 8 Not to Confer Right to insist document should be accepted in electronic form - • Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form. 26
  • 27.
    Chapter-III Sec- 10A Validity of contracts formed through electronic means.- • Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose. 27
  • 28.
  • 29.
    Chapter-V-Sec 15 Secure ElectronicSignature. - • An electronic signature shall be deemed to be a secure electronic signature if- – (i) The signature creation data, at the time of affixing signature, was under the exclusive control of signatory and no other person; and – (ii) The signature creation data was stored and affixed in such exclusive manner as may be prescribed. – Explanation - In case of digital signature, the "signature creation data" means the private key of the subscriber 40
  • 30.
    Chapter-IX • Section 43 –Penaltyand Compensation for damage to computer, computer system, etc(Amended vide ITAA-2008)- how much not stipulated in this section • Section 43-A –Compensation for failure to protect data. 41
  • 31.
    Chapter-IX Sec-43: If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network,
    – (a) accesses or secures access to such computer, computer system or computer network or computer resource;
    – (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network, including information or data held or stored in any removable storage medium; 42
  • 32.
    Chapter-IX Sec-43 (contd.)
    – (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
    – (d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network;
    – (e) disrupts or causes disruption of any computer, computer system or computer network; 43
  • 33.
    What is damage?
    – (f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;
    – (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
    – (h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network; 44
  • 34.
    What is damage?
    – (i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
    – (j) steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage;
    he shall be liable to pay damages by way of compensation to the person so affected. 45
  • 35.
    Sec-43A - Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. (Change vide ITAA 2008) 46
  • 36.
    Sec-43A Explanation - "Body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. 47
  • 37.
    SPDI - "Sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. 48
  • 38.
    SPDI - It is defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. 49
  • 39.
    Sec 3 SPDI Rules
    – (i) password;
    – (ii) financial information such as bank account, credit card, debit card or other payment instrument details;
    – (iii) physical, physiological and mental health condition;
    – (iv) sexual orientation;
    – (v) medical records and history;
    – (vi) biometric information; 50
  • 40.
    Sec 3 SPDI Rules (contd.)
    – (vii) any detail relating to the above clauses as provided to a body corporate for providing service; and
    – (viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise;
    provided that any information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall not be regarded as sensitive personal data or information for the purposes of these rules. 51
  • 41.
    Biometrics
    – PID Block
    – Signer Certificate at server level 52
    (3) In what format is the biometric information stored in the computer?
  • 42.
    Reasonable Security Practices & Procedures - Security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or in any law for the time being in force, and in the absence of such agreement or any law, such reasonable security practices and procedures as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit. 53
  • 43.
    Reasonable Security Practices - Defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. 54
  • 44.
    Rules - (1) if they have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business. In the event of an information security breach, it shall be required to demonstrate, as and when called upon to do so by the agency mandated under the law, that they have implemented security control measures as per their documented information security programme and information security policies. 55
  • 45.
    Rules (contd.)
    – (2) The International Standard IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" is one such standard referred to in sub-rule (1).
    – (3) Any industry association, or an entity formed by such an association, whose members are self-regulating by following codes of best practices for data protection other than IS/ISO/IEC as per sub-rule (1), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.
    – (4) The body corporate or a person on its behalf who have implemented either IS/ISO/IEC 56
  • 46.
    Rules (contd.)
    – (4) Those who have implemented either the IS/ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures, provided that such standard or codes of best practices have been certified or audited on a regular basis by entities through an independent auditor duly approved by the Central Government. The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when there is significant upgradation of its process and computer resource 57
  • 47.
  • 48.
    Chapter-XI 59
    Offence                                                                                   Sec   Imprisonment (years)   Fine (Rs lac)
    Tampering with computer source documents                                                  65    3                      2
    Computer related offences (to be read with Sec 43)                                        66    3                      5
    Punishment for dishonestly receiving stolen computer resource or communication device
      (akin to Sec 411 of IPC)                                                                66B   3                      1
    Punishment for identity theft                                                             66C   3                      1
    Punishment for cheating by personation by using computer resource                         66D   3                      1
    Punishment for violation of privacy                                                       66E   3                      2
    Cyber terrorism                                                                           66F   Life
  • 49.
    Chapter-XI 60
    Offence                                                                                   Sec   Imprisonment (years)   Fine (Rs lac)
    Transmission of obscene material in electronic form, in addition to publishing            67    3 (5)                  5 (10)
    Punishment for publishing or transmitting material containing sexually explicit act
      in electronic form                                                                      67A   5 (7)                  10 (10)
    Punishment for publishing or transmitting material depicting children in sexually
      explicit act in electronic form                                                         67B   5 (7)                  10 (10)
    Preservation and retention of information by intermediaries                               67C   3                      Not defined
    Non-compliance with the directions of the Controller                                      68    2                      1
    Failure to assist the agency seeking interception or monitoring or decryption of any
      information through any computer resource                                               69    7                      Not defined
    (Figures in parentheses are the enhanced limits on a second or subsequent conviction.)
  • 50.
    Sec 67A 61
    (4) Provided that the provisions of section 67, section 67-A and this section do not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form
    – (i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art or learning or other objects of general concern; or
    – (ii) which is kept or used for bona fide heritage or religious purposes.
  • 51.
    Chapter-XI 62
    Offence                                                                                   Sec   Imprisonment (years)   Fine (Rs lac)
    Any person who secures access or attempts to secure access to a protected system          70    10                     Not defined
    Penalty for misrepresentation to Controller/CA                                            71    2                      1
    Penalty for breach of confidentiality and privacy                                         72    2                      1
    Punishment for disclosure of information in breach of lawful contract                     72A   3                      5
    Penalty for publishing electronic signature certificate false in certain particulars      73    2                      1
    Use of electronic signature certificate for any fraudulent or unlawful purpose            74    2                      1
  • 52.
    Type of Offence
    – Cognizable: >= 3 Lac
    – Bailable: <= 3 Lac
    (5) What is the liability under Sec 43A? 63
  • 53.
    ISO 27001 vs IT(A)A-2008 64 - IT Act section and the Annexure A controls for that section
    • Section 43: Penalty for damage to computer, computer system, etc.
    – A.8.1.3 Acceptable use of assets
    • Section 65: Tampering with computer source documents
    – A.8.1.3 Acceptable use of assets
    – A.8.2.3 Handling of assets
    – A.9.1.1 Access control policy
    • Section 66: Hacking with computer system
    – A.8.1.3 Acceptable use of assets
    – A.9.1.2 Access to networks and network devices
    – A.13.1.1 Network controls
    – A.13.1.2 Security of network services
    • Sections 67, 67A, 67B, 67C: Publishing of information which is obscene in electronic form
    – A.8.1.3 Acceptable use of assets
    – A.13.2.1 Information transfer policies and procedures
    – A.13.2.3 Electronic messaging
  • 54.
    ISO 27001 vs IT(A)A-2008 65 - IT Act section and the Annexure A controls for that section
    • Sections 72 & 72A: Penalty for breach of confidentiality and privacy
    – A.8.1.3 Acceptable use of assets
    – A.9.1.1 Access control policy
    – A.9.2.3 Management of privileged access rights
    – A.9.4.2 Secure log-on procedures
    – A.12.4.1 Event logging
    – A.12.4.2 Protection of log information
    – A.12.4.3 Administrator and operator logs
    – A.12.6 Technical vulnerability management
    – A.9.1.2 Access to networks and network devices
    – A.13.1.1 Network controls
    – A.13.1.2 Security of network services
    • Section 85: Offences by companies
    – A.5.1 Policies on information security
    – A.8.1.3 Acceptable use of assets
    – A.13.2.1 Information transfer policies and procedures
    – A.13.2.3 Electronic messaging
  • 55.
    • Take the Online Quiz now 66
  • 56.
    Evaluation & Feedback
    • https://goo.gl/forms/E2JKPumUjh4h5k2w1
    • https://goo.gl/forms/vtx10YCC8GF1PQMM2 67
  • 57.
    List of Rules-1
    • Information Technology (Certifying Authorities) Rules, 2000
    • Information Technology (IT) Security Guidelines, Rule 19 (2)
    • Security Guidelines for Certifying Authorities, Rule 19 (2)
    • Form for Application for Issue of Digital Signature Certificate, Rule 23
    • The Cyber Regulations Appellate Tribunal (Procedure) Rules, 2000
  • 58.
    List of Rules-2
    • Information Technology (Certifying Authority) Regulations, 2001
    • Cyber Regulations Appellate Tribunal (Procedure for Investigation of Misbehaviour or Incapacity of Presiding Officer) Rules, 2003
    • Information Technology (Other Powers of Civil Court Vested in Cyber Appellate Tribunal) Rules, 2003
    • Information Technology (Other Standards) Rules, 2003
  • 59.
    List of Rules-3
    • The Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003
    • The Cyber Regulations Appellate Tribunal (Salary, Allowance and other Terms and Conditions of Service of Presiding Officer) Rules, 2003
    • Information Technology (Use of Electronic Records and Digital Signatures) Rules, 2004
    • The Information Technology (Security Procedure) Rules, 2004
  • 60.
    List of Rules-4
    • Blocking of Websites, Ministry of Communication and Information Technology
    • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • 61.
    ISACA and Cyber Framework
    • Securing Sensitive Personal Data or Information Under India's IT Act Using COBIT 5
    • Securing Mobile Devices Using COBIT 5 for Information Security
    • Transforming Cybersecurity Using COBIT 5
    • Responding to Targeted Cyberattacks
    • Advanced Persistent Threats: How to Manage the Risk to Your Business
  • 62.
    References
    • http://www.cyberforensics.in/
    • http://www.naavi.org/wp/
    • http://www.cyberlawconsulting.com/
    • http://www.cert-in.org.in/
    • https://www.dsci.in/ 90
  • 63.

Editor's Notes

  • #8 Civil liabilities 5 crores
  • #14 Provided that the Central Government may, by notification in the Official Gazette, amend the First Schedule by way of addition or deletion of entries thereto.
  • #52 Section 197(12)
  • #69 Complexity can increase and offenders can be booked under multiple sections and multiple offences.