2. CASES
Nadeem Kashmiri and HSBC
Karan Bahree and Mphasis
My case - Hyundai
3. ISSUES
Liability of Company
Protection of data – Concern for the outsourcing industry
Privacy of data – Individual’s concern
4. SEC. 43A – COMPENSATION FOR FAILURE TO PROTECT DATA
If a body corporate, possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person
Liability – Damages by way of compensation
6. WHO IS LIABLE?
Sec.85: Offences by companies
• The company itself, being a legal person;
• The top management including directors; and
• The managers (persons directly responsible for the data)
If it is proved that –
• they had knowledge of the contravention; or
• they did not exercise due diligence; or
• the contravention was caused by their negligence
7. ISSUES
What is Sensitive Personal Data or Information?
What are Reasonable Security Practices and Procedures?
8. THE SOLUTION
The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
Enforceable from 11th April, 11
To be read with Sec. 43A
9. SENSITIVE PERSONAL DATA OR INFORMATION
Rule 3 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
10. REASONABLE SECURITY PRACTICES
Implementing a comprehensive, documented information security programme and information security policies
Containing –
Managerial, technical, operational and physical security control measures commensurate with the information assets held by the person.
Rule 8 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
11. REASONABLE SECURITY PRACTICES
The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard, OR
A body corporate following a code of best practices for data protection other than IS/ISO/IEC 27001 shall get it duly approved and notified by the Central Government, OR
An agreement between the parties regarding protection of “Sensitive Personal Information”
12. AUDITING
Necessary to get the codes or procedures certified or audited on a regular basis
Needs to be done by a Government Certified Auditor
Will be known as a “Govt. Certified IT Auditor”
Not appointed yet
CERT-IN has empanelled IT Auditors
14. COLLECTION OF INFORMATION
About obtaining the consent of the information provider
Consent in writing, through letter/fax/email from the provider of the SPDI, regarding the purpose of usage, before collection of such information
Need to specify –
The fact that SPDI is being collected
What type of SPDI it is
How long the SPDI will be held
Rule 5 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
15. COLLECTION OF INFORMATION
Provider should know –
Purpose of collection
Intended recipients
Details of the agency collecting the information and the agency retaining the information
Body Corporate not to retain information longer than required
Option should be given to withdraw the information provided
SPDI shall be used only for the purpose for which it has been collected
Shall appoint a “Grievance Officer” to address any discrepancies and grievances about information in a timely manner – Max. time – One month
16. PRIVACY AND DISCLOSURE OF INFORMATION POLICY
Policy about handling of SPDI
Shall be published on the website or be available to view/inspect at any time
Shall provide for –
Type of SPDI collected
Purpose of collection and usage
Clear and easily accessible statements of IT security practices and policies
Statement that the reasonable security practices and procedures provided under Rule 8 have been complied with
Rule 4 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
17. DISCLOSURE
Disclosure –
Prior permission of the provider necessary before disclosure to a third party, OR
Disclosure clause needs to be specified in the original contract, OR
Must be necessary by law
Third party receiving SPDI shall not disclose it further
Rule 6 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
18. TRANSFER OF INFORMATION
Transfer to be made only if it is necessary for the performance of a lawful contract
Disclosure clause should be a part of the Privacy and Disclosure Policy
Transferee to ensure the same level of data protection is adhered to during and after transfer
Details of the transferee should be given to the provider
Rule 7 – IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
19. SEC 72(A) (CRIMINAL OFFENCE)
Punishment for disclosure of information in breach of lawful contract –
Knowingly or intentionally disclosing “Personal Information” in breach of a lawful contract
IMP – Follow the contract
Punishment – Imprisonment up to 3 years or fine up to 5 lakh or both (Cognizable but Bailable)
20. GRAMM–LEACH–BLILEY ACT (GLBA, USA)
Focuses on finance
Safeguards Rule – Disclosure of Nonpublic Personal Information
It requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.
This plan must include –
Designating at least one employee to manage the safeguards,
Constructing a thorough risk analysis of each department handling the nonpublic information,
Developing, monitoring, and testing a program to secure the information, and
Changing the safeguards as needed with changes in how information is collected, stored, and used.
21. THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA, USA)
Focuses on the economic and national security interests of the United States
Emphasises a “risk-based policy for cost-effective security”
Responsibility attached to federal agencies, NIST and the Office of Management and Budget (OMB) to strengthen information system security
Not mandatory
No penalty for non-compliance
22. DATA PROTECTION DIRECTIVE (EU)
European Union directive regulating the processing of personal data within the EU
Protection of an individual’s personal data and its free movement
Coming soon - European Data Protection Regulation
Not mandatory
No penalty for non-compliance
23. PREAMBLE OF THE IT ACT
Purpose behind enacting the IT Act –
To provide legal recognition to e-commerce
To facilitate e-governance
To provide a remedy for cyber crimes
To provide legal recognition to digital evidence
The Preamble doesn’t specify that the Act aims at establishing an IT security framework in India
24. BENEFITS
Compliance with legislation
No liability on organisation
Increased reliability and security of systems
Systems rationalization
Improved management controls
Improved risk management and contingency planning
Editor's notes
Rule 3. Sensitive personal data or information.— Sensitive personal data or information of a person means such personal information which consists of information relating to:
(i) password;
(ii) financial information such as bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any detail relating to the above clauses as provided to a body corporate for providing service; and
(viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise:
provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.