cyber security unit 5

Unit 5 of the Cyber Security course covers the necessity of information security policies, the introduction to Indian cyber law, and the Digital Personal Data Protection Act 2023. It emphasizes the importance of establishing security policies to manage risks, promote security culture, and protect intellectual property rights in cyberspace. The document outlines key features of the Digital Personal Data Protection Act 2023, including data processing guidelines, rights of data principals, and the establishment of a Data Protection Board of India.

Cyber Security

Unit 5

INTRODUCTION TO SECURITY POLICIES AND CYBER LAWS

Contents to Study

• Need for an Information Security Policy
• Introduction to Indian Cyber Law
• Objective and Scope of the Digital Personal Data Protection Act 2023
• Intellectual Property Issues
• Overview of Intellectual Property Related Legislation in India
• Patent
• Copyright
• Trademarks

Need for an Information Security Policy: An information security policy is a set of rules,
guidelines, and procedures that outline how an organization should manage, protect, and
distribute its information assets. The policy aims to reduce the risk of data breaches,
unauthorized access, and other security threats by providing a structured approach to information
security management.

An effective information security policy should be tailored to the organization's specific needs
and risk profile, as well as being regularly updated to account for changes in the threat landscape,
technology, and business environment.

1.2 Why Does Your Organization Need an Information Security Policy?

Information security policies play a critical role in an organization's overall security posture.
They serve as a foundation for establishing a secure environment and mitigating potential risks.
The value of information security policies can be outlined as follows:

• Risk management: Information security policies provide a systematic approach to identifying, assessing, and managing risks associated with information assets. By addressing vulnerabilities and implementing appropriate controls, organizations can minimize the potential damage caused by security incidents.

• Security culture and awareness: Information security policies promote a culture of security awareness within an organization. By providing training and resources, organizations can educate employees on security best practices and encourage them to play an active role in protecting information assets.

• Trust and reputation: By implementing and maintaining a robust information security policy, organizations can demonstrate their commitment to protecting customer, employee, and partner data. This fosters trust and confidence, which is crucial for maintaining a positive reputation and building strong business relationships.

• Competitive advantage: As data breaches and cyberattacks become more common, organizations with effective information security policies can differentiate themselves from competitors. Demonstrating strong security practices can provide a competitive advantage, particularly when dealing with clients or partners who prioritize data protection.

• Cost savings: By proactively addressing security risks, organizations can reduce the financial impact of security incidents, including costs associated with data breaches, system downtime, and regulatory fines.

• Continuous improvement: Information security policies include processes for regular monitoring, auditing, and reviewing security practices. This allows organizations to identify areas for improvement, adapt to evolving threats, and ensure that their security measures remain effective over time.

Examples of Information Security Policies:

Acceptable Use Policy (AUP)

The AUP sets the ground rules for using an organization's IT resources, including computers,
mobile devices, networks, email systems, and the internet. It aims to prevent activities that may
compromise security, violate laws or regulations, or harm productivity. Key elements of an AUP
may include:

• Prohibited activities (e.g., accessing malicious websites, downloading copyrighted materials, using offensive language in communications).

• Guidelines for email and instant messaging usage (e.g., avoiding phishing scams, not sharing sensitive information via email).

• Rules for using social media and personal devices in the workplace.

• Procedures for reporting security incidents or policy violations.

• Consequences for violating the policy (e.g., disciplinary actions, termination).

Network Security Policy

This policy provides a framework for securing an organization's network infrastructure. It may
include:

• Network architecture and design principles (e.g., segmentation, redundancy).

• Firewall management and configuration (e.g., rules for inbound/outbound traffic, monitoring for unauthorized access attempts).

• Intrusion detection and prevention systems (e.g., monitoring for suspicious network activity, automatic response mechanisms).

• Wireless network security (e.g., secure encryption protocols, strong authentication methods).

• Guidelines for connecting personal devices to the network (e.g., BYOD policies).

Access Control Policy

This policy defines how access to information assets is granted, managed, and monitored. It may
include:

• User authentication methods (e.g., passwords, multi-factor authentication, biometrics).

• Role-based access control (RBAC) or attribute-based access control (ABAC) models.

• Procedures for granting, modifying, and revoking access rights (e.g., approval workflows, regular access reviews).

• Password management guidelines (e.g., password complexity requirements, expiration periods, storage best practices).

• Logging and monitoring of user activities (e.g., tracking login attempts, auditing access to sensitive data).

Data Management Policy

This policy governs the entire data lifecycle, from creation and storage to disposal. It may
include:

• Data classification schemes (e.g., public, internal, confidential, top secret).

• Handling procedures for different data types (e.g., storage locations, access restrictions, encryption requirements).

• Data backup and recovery processes (e.g., frequency, storage media, offsite storage).

• Data retention and disposal policies (e.g., legal requirements, secure deletion methods).

• Guidelines for sharing data internally and externally (e.g., secure file transfer methods, third-party data sharing agreements).

Remote Access Policy

This policy sets the rules for employees and contractors who access the organization's network
and resources remotely. It may include:

• Approved remote access technologies (e.g., VPNs, remote desktop applications).

• Authentication and encryption requirements for remote connections.

• Device security guidelines (e.g., antivirus software, system updates, device encryption).

• Restrictions on remote access locations and networks (e.g., prohibiting public Wi-Fi connections).

• Procedures for revoking remote access privileges (e.g., when an employee leaves the organization).

Introduction to Indian Cyber Law

Cyber law, also called IT law, is the law regarding information technology, including
computers and the internet. It is related to legal informatics and supervises the digital
circulation of information, software, information security, and e-commerce.

IT law is not a separate area of law; rather, it encompasses aspects of contract,
intellectual property, privacy, and data protection laws. Intellectual property is a key element
of IT law. The area of software licensing is controversial and still evolving in Europe and
elsewhere.

According to the Ministry of Electronics and Information Technology, Government of
India:

Cyber laws yield legal recognition to electronic documents and a structure to support e-filing
and e-commerce transactions, and also provide a legal structure to reduce and check cybercrimes.

Importance of Cyber Law:
1. It covers all transactions over the internet.
2. It keeps an eye on all activities over the internet.
3. It touches every action and every reaction in cyberspace.

Areas of Cyber Law:

Cyber laws serve different purposes. Some laws create rules for how individuals and
companies may use computers and the internet, while others protect people from becoming
the victims of crime through unscrupulous activities on the internet. The major areas of cyber
law include:

Fraud:

Consumers depend on cyber laws to protect them from online fraud. Laws are made to prevent
identity theft, credit card theft, and other financial crimes that happen online. A person who
commits identity theft may face federal or state criminal charges. They might also
encounter a civil action brought by a victim. Cyber lawyers work to both defend and prosecute
against allegations of fraud using the internet.

Copyright:

The internet has made copyright violations easier. In the early days of online communication,
copyright violations were too easy. Both companies and individuals need lawyers to bring an
action to enforce copyright protections. Copyright violation is an area of cyber law that protects
the rights of individuals and companies to profit from their creative works.

Defamation:

Many people use the internet to speak their mind. When people use the internet to say
things that are not true, it can cross the line into defamation. Defamation laws are civil laws that
protect individuals from false public statements that can harm a business or someone’s reputation.
When people use the internet to make statements that violate civil laws, defamation law
applies.
Harassment and Stalking:

Sometimes online statements can violate criminal laws that forbid harassment and stalking.
When a person makes threatening statements again and again about someone else online, there
is a violation of both civil and criminal laws. Cyber lawyers both prosecute and defend people
when stalking occurs using the internet and other forms of electronic communication.

Freedom of Speech:

Freedom of speech is an important area of cyber law. Even though cyber laws forbid certain
behaviors online, freedom of speech laws also allow people to speak their minds. Cyber lawyers
must advise their clients on the limits of free speech including laws that prohibit obscenity.
Cyber lawyers may also defend their clients when there is a debate about whether their actions
consist of permissible free speech.

Trade Secrets:

Companies doing business online often depend on cyber laws to protect their trade secrets. For
example, Google and other online search engines spend lots of time developing the algorithms
that produce search results. They also spend a great deal of time developing other features like
maps, intelligent assistance, and flight search services to name a few. Cyber laws help these
companies to take legal action as necessary to protect their trade secrets.

Contracts and Employment Law:

Every time you click a button that says you agree to the terms and conditions of using a
website, you have used cyber law. There are terms and conditions for every website that are
somehow related to privacy concerns.

Advantages of Cyber Law:

• Organizations are now able to carry out e-commerce using the legal infrastructure provided by the Act.

• Digital signatures have been given legal validity and sanction in the Act.

• It has opened the doors for the entry of corporate companies for issuing Digital Signature Certificates in the business of being Certifying Authorities.

• It allows the Government to issue notifications on the web, thus heralding e-governance.

• It gives authority to companies or organizations to file any form, application, or any other document with any office, authority, body, or agency owned or controlled by the suitable Government in e-form, using such e-form as may be prescribed by the suitable Government.

• The IT Act also addresses the important issues of security, which are so critical to the success of electronic transactions.

• Cyber Law provides both hardware and software security.


Digital Personal Data Protection Act 2023:

The Digital Personal Data Protection Act 2023 was framed to protect the rights and duties related to
the management of large amounts of digital personal data created in the economy. It aims to
maintain a balance between individual privacy rights and, at the same time, allowing data to be used for
various purposes. Recently the Digital Personal Data Protection Act (DPDPA), 2023 was passed
that will replace the existing Information Technology Act, 2000, the Draft Indian
Telecommunication Bill, 2022, and a Policy addressing the governance of non-personal data.

Objective: To provide a comprehensive framework for the Protection and Processing of
Personal Data. It recognizes both the rights of individuals to protect their Personal Data and
the need to process such Personal Data for lawful purposes and other related matters.

Definition of Data: Any representation of information, fact(s), concept(s), opinion(s), and
instruction(s) which is capable of being communicated, interpreted, and processed by human
beings or by automated means. Further, any data about an individual (Data Principal) who is
identifiable by or in relation to such data is referred to as Personal Data in the Act.
DPDP Act 2023 Key Features
The Digital Personal Data Protection Act 2023 introduces several key features designed to
enhance data privacy and security. These include:
Applicability
• The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.
• It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Consent
• Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
• For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
• A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing.
• Consent may be withdrawn at any point of time.

Rights of data principal
A data principal is an individual whose data is being processed. An individual will have the right:
• to obtain information about processing,
• to seek correction and erasure of personal data,
• to nominate another person to exercise rights in the event of death or incapacity, and
• to grievance redressal.

Duties of Data Principals
Data Principals must not:
• register a false or frivolous complaint, or
• furnish any false particulars or impersonate another person in specified cases.
Violation of duties will be punishable with a penalty of up to Rs 10,000.

Duties of Data Fiduciaries
Data fiduciaries are the entities that determine the purpose and means of processing. They must:
• make reasonable efforts to ensure the accuracy and completeness of data,
• build reasonable security safeguards to prevent a data breach,
• inform the Data Protection Board of India and affected persons in the event of a breach, and
• erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes.
Transfer of Personal Data outside India
• The central government will notify countries where a data fiduciary may transfer personal data.
• Transfers will be subject to prescribed terms and conditions.

Exemptions
Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include:
• prevention and investigation of offences, and
• enforcement of legal rights or claims.
The central government may, by notification, exempt certain activities from the application of the Bill. These include:
• processing by government entities in the interest of the security of the state and public order, and
• research, archiving, or statistical purposes.

Data Protection Board of India
The central government will establish the Data Protection Board of India. The main functions of the Board will be:
• monitoring compliance and imposing penalties,
• directing data fiduciaries to take necessary measures in the event of a data breach, and
• grievance redressal.

Penalties and Appeal

The Act specifies penalties for various offences, such as:
• a penalty of Rs 200 crore for non-fulfilment of obligations for children, and
• a penalty of Rs 250 crore for failure to take security measures to prevent data breaches.
The decisions of the Board can be appealed to the Telecom Dispute Settlement and Appellate Tribunal.

Main Provisions of DPDP Act
The main provisions of the DPDP Act focus on establishing a robust legal framework for data protection:
• Data Processing Guidelines: Specifies conditions under which data can be processed, including provisions for sensitive personal data.
• Accountability and Transparency: Requires data fiduciaries to implement policies, maintain records, and conduct data protection impact assessments.
• Penalties for Non-Compliance: Introduces significant penalties for violations, including financial fines and corrective actions.
• Grievance Redressal Mechanism: Outlines procedures for individuals to address complaints regarding data processing violations.

Intellectual Property issues in Cyber space:


Intellectual Property (IP) simply refers to creations of the mind. It refers to the possession of
a thought or design by the one who came up with it. It offers the owner of any inventive design or
any form of distinct work some exclusive rights, which make it unlawful to copy or reuse that work
without the owner’s permission. It is a part of property law. People associated with literature,
music, invention, etc. can use it in business practices.

There are numerous types of tools of protection that come under the term “intellectual property”.
Notable among these are the following:

1. Patent
2. Trademark
3. Geographical indications
4. Layout Designs of Integrated Circuits
5. Trade secrets
6. Copyrights
7. Industrial Designs

In cyberspace, sometimes one person makes a profit by using another person’s creation
without the owner’s consent. This is a violation of privacy, and it is protected by IPR. We
have certain laws to avoid violation of Intellectual Property Rights in cyberspace, and when they
are violated, we additionally have several remedies in law.

Copyright Infringement: Copyright protection is given to the owner of any published
artistic, literary, or scientific work over his work to prohibit everyone else from exploiting
that work in his name and thereby gaining profit from it. When these proprietary creations are
utilized by anyone without the permission of the owner, it leads to copyright infringement.
Making and selling copies of any software on the internet without the permission of the owner,
or even copying content from any online source, are examples of copyright
infringement.

Copyright Issues in Cyberspace:

1. Linking –

It permits a Website user to visit another location on the Internet. By simply clicking on a
word or image on one Web page, the user can view another Web page elsewhere in the
world, or simply elsewhere on the same server as the original page. Linking damages the
rights or interests of the owner of the linked webpage. It may create the supposition that the
two linked sites are the same and promote the same idea. In this way, the linked sites can lose
their income as it is often equal to the number of persons who visit their page.

2. Software Piracy –

Software piracy refers to the act of stealing software that is legally protected. This stealing
comprises various actions like copying, spreading, altering, or trading the software. It also
comes under the Indian Copyright Act.

An example of software piracy is downloading a copy of Microsoft Word from any website
other than Microsoft to avoid paying for it, as it is paid software. Piracy can be of 3 types:

3. Cybersquatting –

Cybersquatting means unauthorized registration and use of Internet domain names that are
similar to any business’s trademarks, service marks, or company names. For example, let us
consider Xyz is a very famous company and the company hadn’t created a website yet. A
cybersquatter could buy xyz.com, looking to sell the domain to the company Xyz at a later
date for a profit. The domain name of a famous company can even be used to attract traffic
and this traffic will help cybersquatters earn a lot of money through advertising.

When more than one individual believes that they have the right to register a specific domain
name, this can lead to a Domain Name Dispute. It arises when a registered trademark is
registered by another individual or organization that is not the owner of that
trademark.

Trademark Issues in Cyber space:

Trademark means a mark capable of being depicted diagrammatically and which may
distinguish the products or services of one person from those of others and will embody the
form of products, their packaging, and combination of colors. A registered service mark
represents a service. Trademark infringement refers to the unlawful use of a trademark or
service mark which can cause ambiguity, fraud, or confusion about the actual company a
product or service came from. Trademark owners can take the help of the law if they believe
their marks are being infringed.

Advantages of Intellectual Property Rights

• It provides exclusive rights to creators or inventors.
• It gives the inventor freedom to share his knowledge rather than keeping it secret.
• It helps the creator financially.
• It provides legal defence to the creator.

Intellectual Property Legislations in India:
The twenty-first century witnessed the emergence of “Intellectual Capital” as a key wealth driver
of international trade between countries, thanks to rapid globalization and liberalization of
economies the world over. Intellectual property rights have become an irreplaceable element of
India’s business fraternity, whether in terms of new statutes or judicial pronouncements. India’s
consent to the WTO (World Trade Organization) agreement has paved the way for its
compliance with TRIPS (Trade Related Aspects of Intellectual Property Rights). This article
explores the intellectual property laws in India, with specific emphasis on the amendments
brought forth by TRIPS.

Scope of Coverage

India’s legal framework caters to the following areas of intellectual property:

1. Trade Marks
2. Patents
3. Copyrights
4. Industrial designs
5. Geographical indications
6. Layout designs of integrated circuit
7. Varieties of plant
8. Information Technology and Cybercrimes
9. Data protection

Governing Regulations

Intellectual property rights in India are governed under the following Acts:

1. Trade Marks Act, 1999
2. The Patents Act, 1970 (amended in 2005)
3. The Copyright Act, 1957
4. The Designs Act, 2000
5. The Geographical Indication of Goods (Registration and Protection) Act, 1999
6. The Protection of Plant Varieties and Farmers Rights Act, 2001
7. The Information Technology Act, 2000

TRIPS – the Game Changer

The TRIPS agreement has made way for the harmonization of Indian laws connected with
Intellectual Property Rights. The agreement was implemented with the minimum standards for
the protection of IPR. A time-frame has been specified within which the participating countries
are required to effect changes in their respective laws to meet the requisite compliance standards.
The rest of the article seeks to highlight the amendments brought forth by the agreement in
intellectual property laws.
Patents

Patents were first introduced to the realms of Indian business in the year 1911 courtesy of the
Indian Patent and Designs Act, 1911. This Act was superseded in the year 1972 with the
enforcement of the Patents Act, 1970. The Act, which remains the governing Act for Patents in the
country, went through an amendment in 2005 to be compliant with the TRIPS agreement
and is now known as the Patents (Amendments) Act, 2005. The Amendment oversaw the
extension of product patent to all fields of technology including foods, drugs, chemicals, and
micro-organisms. Furthermore, the provisions pertaining to Exclusive Marketing Rights (EMRs)
have been repealed and a provision enabling grant of a compulsory license has been framed as their
replacement.

Trademarks

A trademark is a unique symbol that differentiates one brand from the other and is considered
essential for protecting the brand from being illegally replicated. The TRIPS agreement for the
protection of trademarks incorporates the protection of distinguishing marks, recognition of
service marks, indefinite periodical renewal of registration, abolition of compulsory licensing of
trademarks, etc. In view of enacting the newly fabricated laws, the Indian Trade and
Merchandise Marks Act, 1958 was annulled to pave the way for the Trade Marks Act, 1999. The
newly introduced governing regulation is designed in accordance with the international systems
and practices mandated by the TRIPS agreement. The Trademarks Act of 1999 provides for the
registration of service marks, the filing of multiclass applications, enhancing the term of
trademark registration to 10 years, the recognition of the concept of well-known marks, etc. The
Indian legal framework has also extended the protection to Domain Names. While the previous
regulation merely included Goods and Services for the purpose of registration, the infringement
rules for the current regulations have been modified to include the unauthorized use of similar or
confusingly similar marks. These amendments provide less room for defaults. The police are
now entitled to seize any infringing materials without producing a warrant. Trademark
infringement could impose the defaulter with imprisonment for a term of at least 6 months,
which may extend to three years. This would be coupled with a fine of not less than Rs. 50,000
which may even go up to Rs. 2,00,00.

The Madrid Protocol

The Amendment of the Trademark Act in 2010 led to India’s foray into the Madrid Protocol in
2013, thereby enabling Indian entities to register their trademarks in 97 countries by filing a
single application form. Likewise, foreign entities of the member countries are also allowed to
register their marks in India.

Copyright

Not many Acts in India have passed the test of time, but the Copyright Act falls among such
exceptions. The Act was formulated in the year 1957 and has been amended from time to time to
be on par with the international standards as specified in TRIPS. The Act preserves the right of
artistic endeavors, which include painting, sculpting, drawing, engraving, photography, artistic
craftsmanship, dramatic work, literary work, musical work, sound recording, and
cinematography, and is reflective of the Berne Convention for Protection of Literary and Artistic
Works, 1886 and the Universal Copyrights Convention. Apart from these two conventions, the
country is a party to the Geneva Convention for the protection of rights of Producers of
Phonograms. The country is also an active member of the World Intellectual Property
Organization (WIPO) and the United Nations Educational, Scientific and Cultural Organization
(UNESCO). The following are some of the featured provisions of the Act:

• The Act doesn’t mandate the need for qualitative work, as any unique work with little in common with other works qualifies for this purpose.
• The creator of the work is accorded lifetime copyrights, which will continue to be valid a little more after his/her lifespan, i.e. until 60 years after his/her death.
• The creator is not only vested with rights of authorship but also the rights of protecting his/her works against any amendments.
• The year 1984 witnessed the inclusion of computer programming into the Act.

In the event of any defaults, the Copyright Act provides for civil remedies in the following
manner:

1. Permanent injunction.
2. Damages or accounts of profits.
3. Delivery of the infringing material for destruction.
4. Provision of the cost of legal proceedings to the defender.
5. Imprisonment of a period ranging between 6 months and two years.
6. A fine ranging between Rs. 50,000 and Rs. 2,00,000.
