Since the Information Technology (Amendment) Act 2008 (hereafter IT Act 2008) came into force in October 2009, there have been several concerns about some of its sections and requirements. Companies are especially concerned about Section 43A, which requires them to follow ‘reasonable security practices’ to protect ‘sensitive personal information.’ The Government of India (GoI) is yet to frame rules under specific sections such as 43A, 67C, 79 and 84A of the IT Act 2008. Here are the Data Security Council of India’s (DSCI) recommendations on drafting rules for these sections, with a special focus on Section 43A.
Reasonable security practices
Section 43A of IT Act 2008 hinges on the terms ‘reasonable security practices’ and ‘sensitive personal information’, but leaves their meaning to be prescribed by rules that have not yet been framed. Kamlesh Bajaj, CEO, DSCI, believes: “The rules will apply equally to all the companies, be it big or small. Reasonable security practices could vary from one organization to another depending upon the kind of information being processed and its size and type. Clearly, there cannot be one-size-fits-all kind of reasonable security practices under IT Act 2008.”
Today there are several well-established information security frameworks and standards that can be used to establish what reasonable security practices are: ISO/IEC 27001; COBIT (Control Objectives for Information and related Technology); COSO’s (Committee of Sponsoring Organizations) ‘Internal Control – Integrated Framework’ and ‘Enterprise Risk Management – Integrated Framework’; PCI DSS (Payment Card Industry Data Security Standard); the OECD (Organisation for Economic Co-operation and Development) Guidelines for the Security of Information Systems and Networks; the ITIL (IT Infrastructure Library) ‘Security Management’ guide; the ISF (Information Security Forum) Standard of Good Practice for Information Security; and others.
For a small company, implementing ISO 27001 in full could be prohibitively expensive. “We were not in favor of explicitly stating that a particular standard should be adhered to in order to have reasonable security practices, as it could result in a compliance checklist kind of a mindset,” says Bajaj.
DSCI suggests instead that each organization declare a security programme and policy appropriate to its information assets and its size. This should be a written document stating how the policies will be implemented and what methods and procedures will be used; a company may draw on any framework to arrive at its policy.
In the event of a security breach, auditors can then compare the organization’s actual practice against its own declared policy and check whether the standards it committed to were being maintained.
Sensitive personal information
There are many ambiguities in defining sensitive personal information under IT Act 2008. For example, should personal information be defined as information relating to an identified or identifiable person, or should it be defined to include data such as racial or ethnic origin, political or religious beliefs, or health? DSCI advises that sensitive personal information under IT Act 2008 be defined to include financial and health data rather than racial or ethnic origin, given the sensitive nature of the former.
Encryption
The IT Act 2008 provides for encryption under Section 84A, which reads as follows: “The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.” Bajaj informs that current policy in the country allows symmetric encryption with keys of only 40 bits. Hence, the licence issued to a telecom service provider by the Department of Telecommunications mandates that it carry encrypted data with keys no longer than 40 bits. However, several banks and multinationals are already using 128- or 256-bit keys for secure communication. GoI’s main concern here is national security: it wants to be able to break encrypted communications whenever there is a terror suspect, and exhaustive key search beyond 40 or 56 bits is considerably harder. Each additional bit of key length doubles the cost of a brute-force search, so a 128-bit key is 2^88 times more expensive to search than a 40-bit one.
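To make the key-length point concrete, the following is an added example written for this page; it is not code from the article, from DSCI or from any government body. It performs an exhaustive known-plaintext key search against a toy XOR stream cipher whose keystream is derived with SHA-256, chosen so that it runs on the Python standard library alone. The cipher, the sample plaintext and the assumed attacker throughput of 10^12 trials per second are all my assumptions. It recovers a 16-bit key in well under a second and then extrapolates the expected cost to 40-, 56-, 128- and 256-bit keys.

```python
"""Exhaustive key search against a toy cipher (added example, not from the article).

Assumptions (mine): a toy stream cipher with keystream SHA-256(key || counter),
a known-plaintext attacker, and 10^12 trials/second for the cost estimates.
"""
import hashlib
import os
import time


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || 64-bit counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; XOR makes decrypt identical."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def key_from_int(n: int, key_bits: int) -> bytes:
    """Encode candidate n as a fixed-width key of ceil(key_bits / 8) bytes."""
    return n.to_bytes((key_bits + 7) // 8, "big")


def brute_force(known_pt: bytes, ct: bytes, key_bits: int):
    """Try every one of the 2**key_bits keys until one reproduces the ciphertext.

    Returns (key_as_int, trials) on success or (None, trials) if nothing matched.
    """
    trials = 0
    for candidate in range(1 << key_bits):
        trials += 1
        if encrypt(key_from_int(candidate, key_bits), known_pt) == ct:
            return candidate, trials
    return None, trials


def expected_trials(key_bits: int) -> int:
    """On average an attacker searches half the key space before hitting the key."""
    return 1 << (key_bits - 1)


def expected_seconds(key_bits: int, trials_per_second: float = 1e12) -> float:
    """Expected wall-clock time at an assumed (hypothetical) attacker throughput."""
    return expected_trials(key_bits) / trials_per_second


def demo(key_bits: int = 16) -> dict:
    """Pick a random key of key_bits bits, encrypt a constructed plaintext, recover it."""
    key_int = int.from_bytes(os.urandom(8), "big") % (1 << key_bits)
    key = key_from_int(key_int, key_bits)
    known_pt = b"ATTACK AT DAWN"  # constructed sample plaintext
    ct = encrypt(key, known_pt)
    t0 = time.perf_counter()
    found, trials = brute_force(known_pt, ct, key_bits)
    elapsed = time.perf_counter() - t0
    return {"key": key_int, "found": found, "trials": trials, "seconds": elapsed}


if __name__ == "__main__":
    r = demo(16)
    print(f"16-bit key recovered: {r['found'] == r['key']} "
          f"after {r['trials']} trials in {r['seconds']:.2f}s")
    for bits in (40, 56, 128, 256):
        print(f"{bits:>3}-bit key: ~2^{bits - 1} trials, "
              f"~{expected_seconds(bits):.3g} s at 10^12 trials/s")
```

The extrapolation only holds for a cipher with no attack better than brute force; against such a cipher a 40-bit key space (about 1.1 trillion keys) is within reach of commodity hardware, while 128 bits is 2^88 times larger and out of reach of any exhaustive search. The demo searches 16 bits rather than 40 only because pure Python would take days to cover 2^40 candidates.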
On the encryption rules to be framed under Section 84A, DSCI proposes that the government allow longer keys for secure business communication, but at the same time develop the capability to decipher such traffic. “Government and law enforcement agencies (LEAs) will have to develop in-house capabilities to break such codes. The person who is encrypting should store the code (key) somewhere. LEAs and intelligence agencies will have to focus on how to obtain this key,” observes Bajaj.
These rules under IT Act 2008 will give organizations clarity on how they should handle personal information and what controls they ought to have in place to protect it.
DSCI’s complete recommendations on framing rules under IT Act 2008 can be accessed at http://www.dsci.in/sites/default/files/rules_for_it_act_dsci_consultation_paper.
You can follow our Twitter feed at @SearchSecIN