Tag Archives: Information Technology Act

Social media, Fake news: Govt is proposing amendments to Intermediary Guidelines under Information Technology Act

The Ministry of Electronics and Information Technology on 24 December, 2018 released the Draft Information Technology (Intermediary Guidelines) (Amendment) Rules, 2018 (the “Draft Intermediary Rules”) and has invited comments and suggestions from all stakeholders on the same.

An ‘Intermediary’ under the Information Technology Act, 2000 is any person who, on behalf of another person, stores or transmits a message or provides any service with respect to that message. An Intermediary cannot knowingly host, publish or initiate the transmission, select the receiver of the transmission, or select or modify the information therein. Thus, the term covers telecom service providers, internet service providers, web-hosting service providers, search engines, online-payment sites, online auction sites, online marketplaces, and also social media platforms, which appear to be the primary subject of the proposed amendment.

The Draft Intermediary Rules seek to address the calling attention motion on “Misuse of Social Media Platform and spreading of fake news” admitted in the Rajya Sabha during the monsoon session this year. Thus, in order to strengthen the legal framework and make social media platforms accountable, the following amendments and new provisions are proposed under the Draft Intermediary Rules. Whilst the changes impose stricter compliance obligations on intermediaries and may drive the cost of compliance fairly high, it remains to be seen how many of these proposed changes make it into the final amendments.

Due Diligence obligations of the Intermediaries:

The Draft Intermediary Rules prescribes the following due diligence measures to be taken by Intermediaries:

Restriction on the proliferation of certain information by users

  • The existing rules already require Intermediaries to publish rules and regulations, a privacy policy and a user agreement, and such rules must inform users[1] not to host, display, upload, modify, publish, transmit, update or share information of the kinds listed. The Draft Intermediary Rules add to that list information which promotes cigarettes or any other tobacco products or the consumption of intoxicants including alcohol and Electronic Nicotine Delivery Systems (ENDS) and like products that enable nicotine delivery, except to the extent permissible under the Drugs and Cosmetics Act, 1940.
  • The Intermediary is also required to inform its users at least once every month that in cases of non-compliance with rules and regulations, the Intermediary has the right to immediately terminate the access or usage rights of the users and remove non-compliant information.

Intermediaries to assist Government Agencies

  • Intermediaries with more than 50 Lakh users in India, or those Intermediaries specially notified by the government must be a registered company in India, have a permanent registered office in India, and appoint a nodal person of contact and alternate senior designated functionary for 24×7 coordination with law enforcement agencies in India.
  • The Intermediary must, upon a lawful order, assist any legally authorised government agency, state security agency or cyber security agency in matters of cyber security, or in the investigation, detection, prosecution or prevention of offence(s). Such assistance must be provided within 72 hours and can extend to tracing the originator of information on its platform.
  • The government can seek information about unlawful acts from intermediaries by court order or by notification from the government itself. The parameter for judging unlawful activity would be Article 19(2) of the Constitution, which covers, inter alia, the interests of the sovereignty and integrity of India, security of the state, friendly relations with foreign states, public order, decency or morality, etc. The timeline to comply is 24 hours, and such information and records must be preserved by the Intermediary for at least 180 days for investigational purposes (or longer if a court or government agency so prescribes).

Intermediaries to develop internal mechanisms to tackle unlawful information

  • The Intermediary is required to deploy technology-based automated tools or other appropriate mechanisms, with appropriate controls, for the proactive identification and removal or disabling of unlawful information or content.

Author: Mr. Avaneesh Satyang

Sources: Invitation for Comments/Suggestions:

http://meity.gov.in/content/comments-suggestions-invited-draft-%E2%80%9C-information-technology-intermediary-guidelines

Draft Intermediary Rules:

http://meity.gov.in/writereaddata/files/Draft_Intermediary_Amendment_24122018.pdf

[1] A ‘User’ under the Draft Intermediary Rules means any person who accesses or avails any computer resource of intermediary for the purpose of hosting, publishing, sharing, transacting, displaying or uploading information or views and includes other persons jointly participating in using the computer resource of an intermediary.


Regulatory Update: Ministry of Electronics and Information Technology - Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018.

The Ministry of Electronics and Information Technology (MEITY) vide notification dated 22nd May, 2018 has notified the Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 (“Rules”) which shall come into force on the date of publication in the Official Gazette.

The Rules detail the responsibilities to be met by organisations which have a Protected System. “Protected System” means any computer, computer system or computer network of any organisation notified as such under section 70 of the Information Technology Act, 2000 by the appropriate Government in the Official Gazette.

Constitution of Information Security Steering Committee

The Rules mandate that an organisation having a Protected System shall constitute an Information Security Steering Committee (ISSC) whose chairman shall be the Chief Executive Officer/Managing Director/Secretary of the organisation (Rule 3(1)(a)). The composition of the ISSC, as mentioned in Rule 3(1)(b), shall be as follows:

  • IT Head or equivalent;
  • Chief Information Security Officer (CISO);
  • Financial Advisor or equivalent;
  • Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
  • Any other expert(s) to be nominated by the organisation.

The ISSC shall be the apex body and its responsibilities (as mentioned under Rule 3(2)) shall be as follows:

  • All information security policies of a Protected System have to be approved by the ISSC.
  • Any significant change in the network configuration which has an impact on the Protected System shall be approved by the ISSC.
  • Each significant change in the application(s) of the Protected System shall be approved by the ISSC.
  • A mechanism has to be established which ensures timely communication of cyber incident(s) related to the Protected System to the ISSC.
  • The Protected System shall be validated through an assessment every 2 (two) years.

The Rules also lay down certain roles and responsibilities for the organisations having a Protected System (as mentioned under Rule 3(3)). Some of the key responsibilities are as follows:

  • Nominate an officer as CISO whose roles and responsibilities shall be as per the latest Guidelines for Protection of Critical Information Infrastructure (“Guidelines”) and “Roles and Responsibilities of CISOs of Critical Sectors in India” released by NCIIPC;
  • Plan, establish, implement, operate, monitor, review, maintain and continually improve an Information Security Management System (ISMS) for the Protected System as per the latest Guidelines released by NCIIPC or an industry-accepted standard duly approved by NCIIPC;
  • Ensure that the network architecture of the Protected System is documented;
  • Ensure that the network architecture documentation is reviewed at least once a year, whenever required, or as prescribed by the ISMS;
  • Plan, develop, maintain and review the inventory documents of hardware and software related to the Protected System;
  • Ensure that a vulnerability/threat/risk (V/T/R) analysis of the cyber security architecture of the Protected System is carried out at least once a year. Further, the V/T/R analysis shall be initiated whenever there is a significant change or upgrade in the system, with intimation of the same to the ISSC;
  • Plan, establish, implement, operate, monitor, review and continually improve a Cyber Crisis Management Plan (CCMP) in close coordination with NCIIPC;
  • Ensure that internal and external information security audits are conducted periodically;
  • Establish a Cyber Security Operation Center (C-SOC) using tools and technologies that implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats;
  • Document the records of unauthorised access and unusual or malicious activity, if any;
  • Establish a Network Operation Center (NOC) using tools and techniques to manage, control and monitor the network(s) of the Protected System;
  • Plan, develop, maintain and review the process of taking regular backups of the logs of networking devices, perimeter devices, etc. and of the services supporting the Protected System; such logs shall be handled as per the ISMS.

The Rules also lay down responsibilities of the CISO towards NCIIPC (As mentioned under Rule 4). They are as follows:

  • The CISO shall maintain regular contact with NCIIPC and will be responsible for implementing the security measures.
  • The CISO shall inform NCIIPC whenever there is any change in the details of the Critical Information Infrastructure (CII), the details of the ISSC, the network architecture of the Protected System, etc., and shall incorporate the inputs/feedback suggested by NCIIPC.
  • The CISO shall establish a process, in consultation with NCIIPC, for sharing logs of the Protected System with NCIIPC to help detect anomalies and generate threat intelligence on a real-time basis.
  • The CISO shall also establish a process for sharing the documented records of the Cyber Security Operation Center (relating to unauthorised access and unusual or malicious activity) of the Protected System with NCIIPC, to facilitate the issue of guidelines, advisories, vulnerability notes, audit notes, etc. relating to the Protected System.
  • The CISO shall establish a process, in consultation with NCIIPC, for timely communication of cyber incident(s) on the Protected System to NCIIPC.

Available at:

http://meity.gov.in/writereaddata/files/NCIIPC-Rules-notification.pdf