The IT Amendment Act 2008 (ITAA), which came into effect last year, is regarded as a significant step in the direction of strengthening the country's data protection environment. Although awareness about the Act has increased over the past year, some organizations are still not aware about the actual steps that will help them to comply with the Act. Let's look at the kind of changes that IT Amendment Act 2008 will bring about in an organization's information security setup.
Changes in IT security policy
The IT Amendment Act 2008 is a comprehensive legislation that touches several aspects of the business of any organization which uses computers. Many sections of the Act are expected to directly or indirectly affect the compliance as well as IT security strategy of many organizations. Impact of IT Amendment Act 2008 may be different for different organizations. Na Vijayashankar (also known as Naavi), an independent cyberlaw consultant and founder of Ujvala Consultants, lists the following scenarios which may be applicable to an organization.
(1) If the company maintains third-party data and is obliged to follow 'reasonable security practices' under section 43A or 'contractual obligations' under section 72A of IT Amendment Act 2008. If it retains data, then the requirements of section 67C may also need to be checked.
(2) If the company maintains an Internet interface and allows its employees to access Internet and email. In such cases, it is necessary for the company to examine the requirements for information as well as obligations under sections 69, 69A and 69B of IT Amendment Act 2008. The organization has to ensure that if the regulator makes any demand for information or compliance, it is in a position to comply.
(3) If the company maintains authentication and audit requirements under sections 3, 3A or 7A of IT Amendment Act 2008.
(4) If the company is covered under the due diligence expectations of section 79 if it is an intermediary, or under section 85 in every case. This vicarious liability provision extends the compliance requirements to all civil and criminal liability clauses in IT Amendment Act 2008.
According to Naavi, apart from the above-mentioned sections of IT Amendment Act 2008, clause 49 of SEBI guidelines stipulate that every listed company in India is expected to provide CEO/CFO certification in its annual report that the company complies with all the regulatory requirements. Such a declaration will be incomplete without an IT Amendment Act audit.
The above-mentioned sections and their requirements clearly indicate the urgent need for an ITAA risk audit for companies. The whole exercise to comply with IT Amendment Act 2008 may require several changes on the information security policies, people, processes and technology fronts.
Prashant Mali, the president of legal consulting firm Cyber Law
Consulting, recommends that an IT security policy should now also have the penalty clauses which are suggested under various sections of the IT Amendment Act 2008 such as sections 43 and 66. Mali also says that the log and data retention policy should be extended to a minimum of one year.
According to Naavi, an organization can prepare for IT Amendment Act 2008 compliance in three steps. First, a risk assessment study is required to be undertaken to find out the risk exposure regarding various aspects and sections of the IT Amendment Act 2008 (as explained above). Second, steps can be taken toward mitigation of the risks by undertaking activities which contribute to due diligence. Finally, a review of the implementation can be done, and a compliance certification obtained. "The process is not much different from a SAS 70 audit or ISO 27001 audit, except that the focus is entirely on the ITAA 2008 provisions that affect corporate governance," explains Naavi.
Changes in people, processes, technology
People are the key to the implementation of compliance solutions. Mali therefore suggests conducting ITAA awareness programs which should explain the crimes and penalties under various sections of the law. For example, copying data in a pen drive without official permission of the owner is a crime under section (43)(b) of IT Amendment Act 2008. Indeed, the training of employees should be an essential part of due diligence. "Every team leader or divisional head needs to appreciate the concept of 'vicarious liability', and perform due diligence at his operational level. This will require changes in HR polices as well," advises Naavi. Besides, every process can be traced back to detect any security loophole which may result in non-compliance with IT Amendment Act 2008.
Due diligence activity may also require an enterprise to initiate technical measures for IT Amendment Act 2008 compliance. "Wherever data risks are involved, encryption would be a key technology required. For instances where communication is involved, digital signatures will be needed," states Naavi. For instance, companies that need to be capable of creating contractual obligations through email will require incorporation of digital signatures as a means of authentication. Data retention and e-auditing requirements of the IT Amendment Act 2008 call for automated solutions to secure archival with encryption of data, as well as appropriate tools for the periodical audit of stored electronic documents. Many types of information such as server logs need to be captured to satisfy the 'need to provide data traffic on demand.' Naavi observes that the entire documentation handling process and Internet access process will need to be tuned to the requirements of this compliance.
Several IT security consultancy and techno-legal firms have started promoting an IT Amendment Act 2008 audit and certification as a new offering in their compliance basket. Although ITAA compliance certification is not mandatory, it can certainly help an organization to understand the extent to which it is complaint with the Act.
You can follow our Twitter feed at @SearchSecIN