Advertisement

Help
You are here: Rediff Home » India » Business » Interviews » Pavan Duggal, Cyber Laws expert
Search:  Rediff.com The Web
Advertisement
   Discuss   |      Email   |      Print | Get latest news on your desktop

Ticking quietly: a liability bomb
 
 · My Portfolio  · Live market report  · MF Selector  · Broker tips
Get Business updates:What's this?
Advertisement
May 30, 2006

India's cyber laws were put in place six years ago when the Information Technology Act was passed. Most companies are still unaware of the strict provisions of the law as the bazee.com case showed - the CEO of the company was held responsible for, and arrested, for explicit content put up for auction on his portal - and are thus exposed to serious liabilities, Pavan Duggal, cyber laws expert and supreme court advocate, tells Vandana Gombar.

What are the provisions of the Act that "all" companies - IT and non-IT - need to comply with?

The law mandates all companies to have an information technology security policy. This documents the architecture of the network, the roles and responsibility of employees, security parameters and authorisation required for data access, among other things. Only a handful of companies have such a policy in place.

Other compliances that are required include relate to retention and authentication of electronic records and security of data.

Why are companies, large and small, violating the law by non-compliance?

They are ignorant about the liabilities under the law. It takes a case like bazee to wake up people.

Apparently, even the bazee case has not woken up people?

Seems so. Almost 95 per cent of Indian firms are not storing electronic records as per requirement of the IT law.

Further, any company providing a (computer) network is liable for acts of omission and commission on the network, in its capacity as a network service provider. All outsourcing  (ITES) and IT companies are network service providers too.

If the breadth of the law is so vast, how come there aren't many cases being filed?

Numerous cases are coming up but companies are settling them out of court. I have personally advised many of them. The industry is yet to mature on cyber-compliance. It is sitting on a liability bomb.

Liability bomb? Isn't that alarmist?

This is not alarmist. This is objective reality. Let me give you the example of a case. Personal enmity pushed a lady to send malicious mail from an IP (Internet protocol) address which was traced to HDFC Bank [Get Quote]. The bank became part of the case simply because its network was used to send mails.

Can't HDFC Bank claim ignorance of what happened and escape its liabilities (as allowed under Section 79)?

It has to either prove that it had no knowledge of any contravention or demonstrate that it had exercised all due-diligence to prevent the commission of such an offence.

Proving of non-knowledge is a very difficult challenge for any company and since the law does not define what due-diligence is, this course of action also has its own challenges. The onus is on the network service provider to prove his innocence.

The case was ultimately settled out of court.

Powered by

Powered by
More Interviews
 Email  |    Print   |   Get latest news on your desktop

© 2008 Rediff.com India Limited. All Rights Reserved. Disclaimer | Feedback