While dealing with technology or online activities, it is prudent to take proper precautions. These precautions are termed cyber law due diligence. Worldwide, the client is the focal point for business enterprises of all sizes and verticals. Enterprises are therefore launching advanced, innovative products and services to attract customers. However, the big question is: are these services tested for risk assessments and controls? If so, what are these tests? Who is testing them? Where are the results of such tests available for review?
In July 2015, two of India’s biggest banks received complaints that their customers were unable to access online services. Only later was it discovered that professional cyber criminals had launched DDoS (distributed denial of service) attacks from servers traced to Pakistan.
These are not standalone crimes. The truth is far more shocking. Such incidents in India have been on the rise. From 2,895 reported cases in FY14-15, cyber crime around technology and online services has reached 6,284 cases so far in the current year, according to a report by PricewaterhouseCoopers (PwC). The report further notes that the financial losses due to such attacks have risen by 135% in the past year. Industry estimates put such losses at $4 billion annually.
In 2011-12, a UK bank created a product to hold £1.88 billion for its high net-worth clients. To maintain the confidentiality of these clients, the bank kept documents related to them in a special safe that only a few employees knew about, with no supporting computer records. Post-audit, the UK Financial Conduct Authority (FCA) found that the bank did not take adequate measures to assess the risks involved with such clients and the service provided. As a result, its due diligence and other monitoring activity were found deficient.
The law on cyber law due diligence for Internet intermediaries is incorporated in the Information Technology Act, 2000. Section 79, read with the Information Technology (Intermediaries Guidelines) Rules, 2011, deals with cyber law due diligence: no person providing any service as an intermediary shall be liable for third-party information or data made available by him if he proves that the offence was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such contravention.
There has been a lot of confusion about how Internet intermediary liability applies to intermediaries. The Department of Electronics and Information Technology (DEIT) has, however, clarified that these Rules provide a due diligence framework to be observed by an intermediary while discharging his duties.
In the case of Shreya Singhal v. Union of India, the Supreme Court decided to substantially loosen the noose of due diligence obligations around intermediaries under the IT Act. Thus, an intermediary would now be liable for failure to “expeditiously remove or disable access” to third-party content only if a court order, or a government notification in this regard, has been made available to the intermediary.
The judgment is a relief for giant intermediaries like, granting them respite from the colossal task of acting upon millions of take-down requests at any given point of time, while analyzing the legitimacy of each request.
Yet doubts and problems persist for many. As a result of the doubts clouding them, cyber law due diligence requirements in India are neglected with impunity.