Wednesday, November 4, 2009

Is your organization Information Technology Act 2008 compliant?

Every head of a company in India needs to ask himself this question: "Are we Information Technology Act 2008 compliant?" Every Director of a company, and every IAS officer in charge of an e-governance project, should ask himself the same question.

If he does not know the answer, it is time to explore the compliance prescription under the Information Technology Act 2008, that is, the Information Technology Act 2000 as amended, which came into force on Tuesday, October 27, 2009.

To put it simply, the Information Technology Act 2008 is bigger than the Data Protection Act, bigger than HIPAA, and even bigger than SOX, if you know what these terms mean. Non-compliance with the Information Technology Act 2008 can bring financial liabilities to your company and may even land the CEO or a Director in jail.

Let us find out the areas of concern which a Director of a company, or a person in charge of e-governance, should take into account.

Any company which does e-commerce, or a government office which does e-governance, and which for example receives, stores or transmits data on behalf of another person, has an obligation to exercise "Due Diligence", which means and includes the following:

1. Understand the data retention requirements and implement systems to comply with them.

2. Understand that the Government of India (GOI) has the powers to block, intercept or ask for data decryption keys, information on data traffic, etc.

3. Identify which of the information is "Sensitive Personal Information", and

4. Follow reasonable security practices to protect it.

5. Understand that even if any employee contravenes the provisions of the Act, including committing personal offences such as searching for child pornography using the corporate network, there could be vicarious liability on the organization and its Directors and Executives.

6. Ensure that access to information is not provided to others without the permission of the owner of that information.

7. Conduct an e-audit of all the documents you maintain in electronic form.

8. Adhere to the encryption policies as may be announced, etc.

9. Ensure that any security obligations agreed to in a contractual agreement are not breached.

10. Failure to comply with the above may result in damages payable for which there is no specified upper limit, besides possible imprisonment of up to 7 years.

Safety from these liabilities requires an Information Technology Law Compliance Programme. Even if the organization is ISO 27001 certified, it is suggested that it should review its security standards and examine its Information Technology Act 2008 compliance.

The first step in due diligence under the Information Technology Act 2008 for a corporate entity is that all company secretaries need to immediately put up a note to their Board that a Board meeting be called to examine the risk exposure of the company under the Information Technology Act 2008 and to recommend necessary action. As the law has been in force since 27th October 2009, companies cannot wait and watch.

Dr.Tabrez Ahmad,
Associate Professor of Law,
KIIT University, Bhubaneswar, India,