In March this year an IBM survey concluded that cyber crimes pose a bigger threat to India Inc than physical crimes. The survey conducted among 3,000 CIOs, including 150 from India, found that 91 per cent Indian and 84 per cent global IT executives believed that organised and sophisticated criminal groups were replacing lone hackers, crippling their IT infrastructure.
Though no data is available on India’s losses due to security breaches, a Gartner study in the US found that around 2.4 million online banking customers lost $925 million last year because of phishing attacks alone. Similarly, in the UK, a Forrester report estimated that 600,000 from a total of 15 million online banking customers have switched to offline banking as a result of security fears.
So how well prepared are we in India to counter such threats, given that we do not have comprehensive data protection legislation? The problem gets further complicated by the fact that out of every 500 cyber crimes in India, only 50 are reported to the police and out of that only one is actually registered. And the conviction rate is as low as 2 per cent.
The threat perception may be high but the Indian companies’ awareness about information security remains very low. A CII-PwC Information Security survey in 2003 identified that a large percentage of breaches were caused due to ‘primitive’ levels of security. The study says unknown methods of attack, which resulted in a security breach, are more than 2 to 3 times in India than global standards.
But that doesn’t mean India Inc is doing nothing. According to a 2004 CII-PwC study, 41 per cent Indian corporates have a comprehensive security policy in place as compared to just 17 per cent in 2002-03. However, very little progress is reported on the front of India’s legal preparedness. In contrast, as many as 40 countries have enacted laws that protect the privacy and integrity of personal data.
In the US, the government has made it mandatory that financial institutions protect data provided by consumers and maintain customer information confidentiality through the Gramm-Leach Bliley Act. Businesses that do not implement security plans could be fined up to $35,000 a day.
A similar protective policy exists for UK citizens through the Data Protection Act. Both these legislations regulate all stages of the data protection cycle like registration, storage, retrieval, and dissemination of personal data.
The Indian Information Technology Act, which came into force in 2000 has remained static and many crucial definitions are too vague to be applied to specific crimes.
For example, phishing, cyber stalking, and cyber harassment –the new face of crimes — are presently not covered under the IT Act.
Companies mostly avoid reporting crimes and when they do so, the cases are not registered under the IT Act, as law enforcement agencies find it easier to handle cyber crimes under the IPC. Further, most of the sections of cyber crimes under the IT Act are covered under civil procedures, which take a long time to deliver justice.
Of the total 481 cyber crime cases registered last year only 179 cases were registered under the IT Act and the rest under IPC, according to the National Crime Records Bureau. The IT act mandates a civil liability of Rs 1 crore for data leakage, but this provision has never been applied so far, except damages worth Rs 25 lakh in a lone case. The act does not lay down any such duty upon banks.
Organisations are not obliged under the IT Act to implement data security measures to protect consumers and clients. All this makes it obvious that qualitative progress cannot be made without enacting comprehensive data protection legislation.