. |
What are the provisions of the Act that "all" companies "" IT and non-IT "" need to comply with? |
|
The law mandates all companies to have an information technology security policy. This documents the architecture of the network, the roles and responsibility of employees, security parameters and authorisation required for data access, among other things. Only a handful of companies have such a policy in place. |
|
Other compliances that are required include relate to retention and authentication of electronic records and security of data. |
|
Why are companies, large and small, violating the law by non-compliance? |
|
They are ignorant about the liabilities under the law. It takes a case like bazee to wake up people. |
|
Apparently, even the bazee case has not woken up people? |
|
Seems so. Almost 95 per cent of Indian firms are not storing electronic records as per requirement of the IT law. |
|
Further, any company providing a (computer) network is liable for acts of omission and commission on the network, in its capacity as a network service provider. All outsourcing (ITES) and IT companies are network service providers too. |
|
If the breadth of the law is so vast, how come there aren't many cases being filed? |
|
Numerous cases are coming up but companies are settling them out of court. I have personally advised many of them. The industry is yet to mature on cyber-compliance. It is sitting on a liability bomb. |
|
Liability bomb? Isn't that alarmist? |
|
This is not alarmist. This is objective reality. Let me give you the example of a case. Personal enmity pushed a lady to send malicious mail from an IP (Internet protocol) address which was traced to HDFC Bank. The bank became part of the case simply because its network was used to send mails. |
|
Can't HDFC Bank claim ignorance of what happened and escape its liabilities (as allowed under Section 79)? |
|
It has to either prove that it had no knowledge of any contravention or demonstrate that it had exercised all due-diligence to prevent the commission of such an offence. |
|
Proving of non-knowledge is a very difficult challenge for any company and since the law does not define what due-diligence is, this course of action also has its own challenges. The onus is on the network service provider to prove his innocence. |
|
The case was ultimately settled out of court. |
|
|
|