
IT Amendment Act, 2008 - An act to amend the IT Act 2000
The Information Technology (Amendment) Act, 2008, an act to amend the IT Act
2000, received the assent of the President on 5th February 2009. Several legal and
security experts are in the process of analyzing the contents and possible impacts of
the amendments. The objective of this note is to study the possible
implications and impacts on Indian companies. This note is not intended to be a
comprehensive analysis of the amendments; it covers only certain key points which could
impact Indian companies.
1. Data Protection
The IT Act 2000 did not have any specific reference to Data Protection, the closest
being a provision to treat data vandalism as an offense. The Government introduced a
separate bill called Personal Data Protection Act 2006 which is pending in the
Parliament and is likely to lapse. The ITA 2008 has introduced two sections which
address Data Protection aspects to an extent, which gives rise to certain key
considerations for the sector.
The sections under consideration are:
Section 43A: Compensation for failure to protect data
Section 72A: Punishment for disclosure of information in breach of lawful contract
Section 43A states:
Where a body corporate, possessing, dealing or handling any sensitive personal data
or information in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person, such
body corporate shall be liable to pay damages by way of compensation, to the person
so affected.
By way of explanation: Body corporate means Indian companies.

Reasonable security practices mean a mutual contract between the customer and
service provider OR as per the specified law. In the absence of both, then as specified by
the Central Government.
Hence it would be important for Indian companies to look seriously at SLAs and
agreements which have been signed with clients to understand the data protection
implications. The same goes for understanding the applicable laws.
A major modification is that this clause does not mention the compensation limit of Rs.
1 Crore which was there as part of section 43 of the ITA 2000. This implies that there
is no upper limit for damages that can be claimed. This essentially is unlimited
liability for Indian companies, which could cause serious business implications.
Section 72A:
Under this section, disclosure without consent exposes a person, including an
intermediary, to three years imprisonment or fine up to Rs. Five lacs or both. This
section uses the term "personal information" and not "sensitive personal information"
as in section 43A. Hence it could apply to any information which is obtained in order
to deliver services. Hence it in some ways broadens the definition of information.
2. Information Preservation
Across the amendments there are several references to service providers or
intermediaries, which in some form would apply to all Indian companies.
e.g. Section 67C: Preservation and Retention of information by intermediaries.
Intermediary shall preserve and retain such information as may be specified for such
duration and in such manner and format as the Central Government may prescribe.
Any intermediary who intentionally or knowingly contravenes the provisions shall be
punished with an imprisonment for a term which may extend to 3 years and shall also
be liable to fine.
The notifications on time for preservation etc. are not yet released. However, since this
is a cognizable offense, any police inspector can start investigations against the CEO
of a company.

Apart from the two aspects discussed in this note, there are other areas which could
also be considerations, e.g.:
Sec 69: Power to issue directions for interception or monitoring or decryption of any
information through any computer resource.
Sec 69B: Power to authorize to monitor and collect traffic data or information
through any computer resource for Cyber Security, etc.
In summary, IT Risk management and response needs to be looked at by all
companies for various reasons including customer assurance, compliance, customer
regulations, protection of information assets etc. The ITA 2008 amendments provide
us with a few additional factors for consideration which could have significant impact
on business. Information technology regulations and laws would only get more
stringent and defined; hence it is imperative for organizations to be aware and
prepared.
