Ashish Chandra outlines the legal recourse available for Indian companies facing cyber-attacks
On a pleasant Friday evening in Mumbai last month, my iPhone started flashing with updates on the “WannaCry” virus. With an end-of-week party on my mind, I thought at first that the messages were promoting a new pub. My excitement didn’t last long as media platforms across India gradually revealed WannaCry was a global cyber-attack.
Ten questions arising from such a large-scale cyber-attack are answered below.
1. What is the WannaCry attack and what impact is it having in India?
The WannaCry ransomware attack is an ongoing worldwide cyber-attack by the WannaCry ransomware crypto worm, which targets computers running a Microsoft Windows operating system by encrypting data and demanding ransom payments in the bitcoin cryptocurrency. The attack began on Friday 12 May and has been described as unprecedented in scale, infecting more than 230,000 computers across more than 150 countries.
Based on recent news reports, some government and private establishments in India have been affected. The extent of the damage is as yet unknown.
2. What is the general law in India on cyber security?
The relevant sections of the Information Technology Act, 2000 (IT Act), as amended to date, are as follows:
- Section 2(1)(nb) defines “cyber security”, section 2(1)(ze) defines “secure system”, and section 2(1)(zf) defines “security procedure”.
- Section 16 empowers the central government to prescribe security procedures and practices. Using this authority, the government has notified the Information Technology (Use of electronic records and digital signatures) Rules, 2004. These rules essentially state that any electronic record which is authenticated by a secured digital signature is a “secured electronic record”.
- Section 43A indirectly obligates a body corporate, by making it liable in damages for negligence, to implement and maintain reasonable security practices and procedures when possessing, dealing with or handling any sensitive personal data or information. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, were made pursuant to section 43A.
- Under section 70, the government can declare any computer resource which affects critical information infrastructure to be a protected system. On 26 July 2010, the government notified the TETRA communication network, with hardware and software installed around New Delhi, as a protected system. On 11 December 2015, the government notified various systems of the Unique Identification Authority of India as a protected system.
- In addition, India adopted a National Cyber Security Policy in 2013.
Unless a body corporate is dealing with sensitive personal data or information, there is no statutory requirement under the IT Act to adopt any specific cyber security procedure. However, regulations specific to industries such as banking or telecommunications may stipulate requirements with respect to data security. Further, companies may undertake contractual obligations under their service agreements, business terms with clients, employment terms, user terms and conditions, privacy policies, etc., to adopt a specific cyber or data safety and security policy or procedure.
3. Does a WannaCry attack need to be reported to anyone?
Section 70B(4) of the IT Act empowers the Indian Computer Emergency Response Team (CERT-In) to collect information on cyber incidents. Rule 12(1)(a) of the Information Technology (The Indian Computer emergency response team and manner of performing functions and duties) Rules, 2013, provides for both optional and mandatory reporting of cyber security incidents. Rule 13 empowers CERT-In to collect and analyse information relating to cyber incidents from individuals, organizations and computer resources.
Any non-compliance with section 70B and the above rules in terms of providing information to CERT-In may result in up to one year of imprisonment, a fine of ₹100,000 (US$1,500), or both. In some cases, failure to report a cyber security incident thereby preventing CERT-In from handling information security could also lead to counts of abetment of other serious offences relating to cyber security under the IT Act.
Companies should be aware of additional reporting requirements under industry-specific regulations and under contracts or terms and conditions signed with third parties or users.
4. What legal recourse is available to an organization that is affected by a WannaCry attack?
The law depends on the nature of the person and the computer system that has been affected by the attack.
If the affected computer system contains “sensitive personal data or information”:
- Where a user’s sensitive personal data or information has been affected, causing either a “wrongful loss” to the affected person or a “wrongful gain” to any other person, and the body corporate or the service provider which has stored or processed the user’s sensitive personal data or information has been negligent in implementing and maintaining reasonable security practices and procedures, the body corporate will be liable, under section 43A of the IT Act, to pay damages by way of compensation to the user.
- Bodies corporate or service providers which have used third party servers to store or process user data on a cloud may be able to claim reimbursement of the compensation paid to users, and other legal and incidental costs and expenses, from the cloud service provider. Bodies corporate must check the terms of their agreement with cloud service providers, paying special attention to clauses on exclusion of liabilities and indemnities, force majeure and permitted downtime.
- Civil and criminal cases can be filed against persons behind the WannaCry attack. Under section 43 of the IT Act, persons affected by the WannaCry attack can seek damages by way of compensation from the attackers. Under section 66, attackers can be punished by up to three years of imprisonment, a fine of up to ₹500,000, or both. WannaCry attackers who gain access to a computer system either through identity theft (section 66C) or cheating by personation (section 66D) can be punished under each of these sections by up to three years of imprisonment and a fine of up to ₹100,000.
If the affected computer system is a “protected system” under section 70, WannaCry attackers could face up to 10 years of imprisonment and will also be liable for a fine, with no upper monetary limit.
If the WannaCry attack constitutes cyber terrorism (as defined in section 66F), the attackers may be punished with imprisonment for life.
5. Can WannaCry attackers be punished under the Indian Penal Code?
Yes. Section 77 of the IT Act does not bar award of any compensation or imposition of any other penalty under any other law that is in force. Therefore, in addition to pursuing legal recourse under the IT Act, affected parties can also seek recourse under the Indian Penal Code (IPC). Depending on the nature of the computer system being attacked and the impact of the attack, one can invoke provisions with respect to “theft of data”, “extortion”, “waging of war”, etc. However, it would be interesting to see whether courts will extend traditional legal jurisprudence under the IPC to offences relating to data, information and illegal access to computer systems. Recently in State (National Capital Territory of Delhi) v Navjot Sandhu alias Afsan Guru (2005), the Supreme Court clarified that the term “war” is not contemplated as conventional warfare between two nations. Organizing and joining an insurrection against the Indian government is also a form of war.
6. Can affected persons or organizations make a claim against telecom companies or internet service providers for giving WannaCry attackers access to their systems?
Affected persons or companies could attempt to argue that WannaCry attackers used the systems of Indian telecom providers or internet service providers (ISPs) to gain access to their computer system or computer networks and therefore such telecom providers/ISPs should also be liable under the IT Act and IPC along with the WannaCry attackers. However, telecom providers/ISPs are protected from such claims under section 79 of the IT Act if they have acted merely as passive intermediaries.
7. It appears that the WannaCry attackers are from outside India. Do the IT Act and IPC apply to these persons?
Yes. Both the IT Act and the IPC have extraterritorial jurisdiction. Section 75 read with section 1(2) of the IT Act states that the act will apply to an offence or contravention committed outside India by any person irrespective of the person’s nationality if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India. Further, the Information Technology (Amendment) Act, 2008, added a new sub-section (3) to section 4 of the IPC, giving the IPC extraterritorial jurisdiction for computer-related offences in the same manner as provided in section 75 of the IT Act.
8. How can one get these attackers to face prosecution and punishment in India?
A WannaCry attacker who is in a country other than India can be brought to India to face trial and punishment by using the relevant provisions under the Extradition Act, 1962. The website of the Central Bureau of Investigation shows that India has signed extradition treaties with 37 countries and extradition arrangements with eight countries. Extradition requests can normally be made only after a charge-sheet has been filed in court and the court has taken cognizance of the case.
During an investigation, the investigating officer can use the provisions of section 166A of the Code of Criminal Procedure, 1973, to send a letter of request to a competent authority abroad. However, this is effective only with countries with which India has a mutual legal assistance treaty or other similar reciprocal arrangements.
It will be extremely difficult to bring WannaCry attackers to justice if they are hidden or are in a country which is not covered under the Extradition Act.
9. Is there any international treaty which deals with such global cyber-attacks?
Yes. The Convention on Cybercrime deals with cyber-attacks, however, India is not yet a signatory to this convention. Signing and adopting this convention could give India quick information and other global assistance on cybercrimes which affect Indian citizens and/or Indian computer systems.
10. Is it okay to pay the WannaCry attackers in bitcoins?
To pay in bitcoins one first needs to acquire them. They can be earned by "mining", i.e. by expending computing power to validate transactions on the bitcoin network, which costs hardware and electricity rather than money paid to a seller. If you can't mine bitcoins, you'll have to buy them. The Reserve Bank of India has not prohibited bitcoin outright, but in a press release on 24 December 2013 it cautioned users, holders and traders of virtual currencies about the legal, financial and security risks, and has not given bitcoin any regulatory status. It is highly advisable to consult tax and exchange control lawyers before one buys or makes bitcoin payments in India. Bear in mind also that paying a ransom gives no guarantee that the attackers will, or even can, decrypt the affected files, and that the payment may itself need to be reported under the regulatory and contractual obligations discussed in question 3.
Ashish Chandra is the former general counsel at Snapdeal. The views expressed are personal and do not constitute legal advice. Readers are advised to consult a lawyer before acting on any points mentioned above. The author can be reached at ashish1109@gmail.com.