The Information Technology (Amendment) Act, 2008, which came into effect in October 2009, has added Section 43 (A) to address data security and privacy issues. However, it is not without some concerns. Section 43 (A), which necessitates corporate bodies to protect all personal information they possess on computer resources, has received a mixed response from organizations. While some say the Act is a first step in a right direction, others feel that it won't have any major impact on Indian enterprises' security practices.
Asheesh Raina, the principal research analyst of IT research firm Gartner, feels that the Information Technology (Amendment) Act, 2008 is a step forward to curb the menace of cyber crimes and data privacy. The Act mentions that if an enterprise dealing in private information is found negligent in implementing a reasonable information security procedure, it will be liable to pay damages to the affected party. He says that large and private enterprises already have sufficient security controls in place, and this will be an additional compliance to adhere to. "The Information Technology (Amendment) Act, 2008 bares sufficient teeth in form of penalties, making it more actionable in nature," says Kartik Shahani, the managing director of McAfee India. Shahani feels that the Act will make Indian organizations more vigilant about data security and privacy issues, due to the involved implications.
Keshav Samant, the head of IT for Financial Technologies, believes that Indian organizations in verticals like BFSI and IT services are already compliant with strict international regulations. For such organizations, security initiatives are often a result of business requirements than compliance. While it may not bring in radical changes for large organizations, the Act will help the small and medium enterprise (SME). "It will push SMEs to establish reasonable security controls as a mandatory practice," adds Samant.
Surendra Singh, the regional director for SAARC of Websense Inc., disagrees that organizations like banks, service providers and telecom companies have enough security controls in place. "We often hear about leaks of customers' personal information, despite security controls. The new IT Act will ensure that security controls are firmed up, otherwise they will have to face legal implications."
While everyone considers the Information Technology (Amendment) Act, 2008 as a positive step, most feel the impact will be felt only after a year or two. Also, there is a need to educate enterprises about the Act. On this front, vendors like Websense and McAfee and law firms like Cyber Law Consulting claim to have begun educating their clients. McAfee supports DSCI, which promotes the essence of data security and the Information Technology (Amendment) Act, 2008.
Impact on IT security budgets
Regulatory requirements will now make it compulsory to implement reasonable security practices. Singh feels the Information Technology (Amendment) Act, 2008 will be a chief concern in this years' budget for Indian organizations.
Raina sees a marginal increase in IT budgets following the announcement. "This law will require everyone to maintain certain security benchmarks. Even smaller organizations have to legally maintain some level of security." Singh believes that although IT budgets may remain the same, there will be an increase in the budget towards protecting data, possibly at the expense of other security technologies. "Enterprises might negotiate harder with firewall, IDS, and antivirus vendors, so as to spend on data loss prevention (DLP) type of data protection technologies," he added.
The Act will create opportunities like IT (Amendment) Act, 2008 audit & compliance assignments, security awareness training, log management products and sale of network security devices.
PresidentCyber Law Consulting
The Information Technology (Amendment) Act, 2008, will create new opportunities within the information security market. Apart from security software vendors, IT and cyber law consultants, as well as system integrators will be able to create new business frontiers. Prashant Mali, the president of legal consulting firm Cyber Law Consulting, says the Act will create opportunities like IT (Amendment) Act, 2008 audit & compliance assignments, drafting of security practices, security awareness training, log management products, and sale of network security devices.
Raina feels the Information Technology (Amendment) Act, 2008 will act as a primary tool in marketing strategies of security vendors. Singh says, "Organizations will divert their investments towards data protection strategies. Some of Websense's customers have adopted data loss prevention kind of solution precisely because of the new Act." He plans to engage in some campaigns to create more awareness.
Unlike Websense, McAfee does not plan to use the Information Technology (Amendment) Act, 2008, for selling its goods. "Our marketing campaign will talk about compliance and regulations, but we will not use the new Act to get business," says Shahani.
You can follow our Twitter feed at @SearchSecIN.