India’s New Information Technology Law Impacts Outsourcing Transactions

By Karen M. Sanzaro[1. Karen M. Sanzaro is a partner in the Atlanta office of Hunton & Williams, LLP. Karen’s practice focuses on outsourcing, global technology transactions, privacy and data security.] and Christyne Ferris[2. Christyne Ferris is an associate in the Atlanta office of Hunton & Williams, LLP. Christyne’s practice focuses on outsourcing, global technology and corporate securities.]

On February 5, 2009, the President of India signed into law the Information Technology (Amendment) Act, 2008 (the “ITAA”)[3. Information Technology (Amendment) Act, 2008, No. 10 of 2009, India Code (2000).], a robust amendment to the country’s Information Technology Act, 2000 (the “IT Act”).[4. Information Technology Act, 2000, No. 21 of 2000, India Code (2000).] The IT Act was enacted primarily to promote e-commerce and give effect to e-commerce transactions, with provisions for the legal recognition of electronic documents and digital signatures. It also included provisions for the identification of, and establishment of penalties for, certain cybercrimes. The ITAA is the culmination of a multiyear effort to update the IT Act to take into account new technologies, increases in cybercrimes, the growth of the business process outsourcing industry in India and rising global concerns about data privacy and security.

While the ITAA is a significant step forward in establishing a data protection framework in India, and in providing assurances for those doing business with Indian entities, much of the detail was left to a rule-making process that has yet to be completed. The Indian government ministries charged with establishing these rules have sought input from the Data Security Council of India (DSCI), a self-regulatory body established by the National Association of Software and Services Companies (NASSCOM),[5. NASSCOM is an Indian IT trade association established in 1988 to facilitate business and trade in software and promote growth of the global offshoring industry.] on several key data security-related terms and provisions left undefined by the ITAA. The DSCI submitted its recommendations to the Department of Information Technology on May 11, 2009.[6. Making of Rules under Sections 43A, 67C and 79 of the Information Technology (Amendment) Act, 2008, available at http://www.dsci.in/index.php?option=com_content&view=article&id=52&Itemid=76.] Until the specifics are finalized and put into practice, companies outsourcing to Indian providers still face many uncertainties about how the law will change the IT landscape and what impact it may have on their relationships with their sourcing providers. Although its efficacy remains to be seen, the ITAA sets the stage for outsourcing providers and their customers to engage in a more robust dialogue about customers’ electronic data and the appropriate measures for securing such data.

The Catalyst for Change

Increases in cybercrimes generally, coupled with the terrorist attack in Mumbai (largely effected through coordinated technology efforts), were likely a contributing factor in the recent passage of the ITAA, which had previously been stalled in India’s parliament since 2006. The ITAA expands the scope of cybercrimes (and includes cyber-terrorism), increases some of the penalties for cybercrimes and includes enhanced data retention, access and cooperation requirements for “intermediaries” (i.e., any person who receives, stores or transmits electronic records on behalf of another person, including ISPs and network and telecom providers) and others with responsibility for computer resources. The rapid growth of India’s outsourcing and information technology industries, in which the processing of data is often a critical component, is also a likely contributing factor in the ITAA’s passage. Without the confidence of the rest of the world, particularly the U.S. and Europe, India’s outsourcing industry could risk its competitive advantage. The ITAA represents an investment in India’s data security infrastructure and a signal to the outside world that India is still a stable place to do business.

The ITAA and Protection of Sensitive Personal Data

For companies doing business in India or with Indian entities, Section 43A of the ITAA is of particular importance. Section 43A is a new provision designed to hold companies accountable for the protection of personal data. It provides:

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

This provision has a number of important implications for the Indian outsourcing industry and its customers in other parts of the globe.

Establishes Corporate Reasonable Standard

Prior to its amendment, the IT Act focused more on individual hackers than on systematic data protection. The pre-amendment IT Act imposed liability on any “person” who (among other things) accesses or extracts data from a computer or network without the owner’s permission, damages the data or programs stored on a computer, or denies authorized access to a computer. The amendment, on the other hand, takes a broader view of the IT landscape in India by recognizing that corporations and other intermediaries also bear some responsibility in ensuring data in their possession is secure. Failure to do so creates a private right of action in the individuals whose sensitive personal information is compromised.

Defines Personal Data

Perhaps one of the more important consequences of the ITAA is that it introduces the concept of personal data into Indian law. The original IT Act punished unauthorized extraction of or damage to data, but it did not explicitly target personal data. The ITAA, however, requires companies to maintain the security of “sensitive personal data,” thus recognizing that certain data deserves a higher level of protection.

The ITAA, however, limits the protections afforded to “sensitive” personal data, which is defined in the act as “such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”[7. Section 43A(iii) of the IT Act, as amended by the ITAA.] The Central Government of India has not yet prescribed what constitutes “sensitive personal data,” but the DSCI, at the government’s behest, has recommended that personal information be defined consistently with the EU Data Directive,[8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “EU Data Directive”).] as information that can identify an individual through one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Sensitive personal information, however, would be defined more narrowly to include health and financial data (but not embracing the broader EU concept of data regarding racial, ethnic, political and religious beliefs, which the DSCI has noted is often publicly known in India).

Notably, the DSCI’s draft recommendations limited sensitive personal information to data pertaining to a person’s health or sex life.[9. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “EU Data Directive”).] As the protection of Section 43A is afforded only to “sensitive” personal data, this would have left financial data unprotected. Although the DSCI has now expanded its proposed definition of sensitive information to include financial data, it is not clear why the act extends the protection only to sensitive personal data or whether the Central Government will ultimately adopt a more expansive definition of sensitive personal data. The EU Data Directive, for instance, affords basic protections to all personal data, and distinguishes sensitive personal data for certain additional protections.

Establishes Security Standards

The ITAA also requires the use of “reasonable security practices and procedures,” which it defines as practices and procedures designed to protect sensitive personal information from unauthorized access, damage, use, modification, disclosure or impairment. What constitutes “reasonable security practices and procedures” may be specified in an agreement between the parties or in an applicable law. In the absence of an agreement or law, reasonable security practices may be prescribed by the Indian Central Government. Although this provides little clarity in describing the practices and procedures required, it stresses the need for companies to take a comprehensive and systematic approach to data protection (at least with respect to sensitive personal data).

As of the date of this article, the Indian Central Government had not yet prescribed “reasonable security practices and procedures.” However, the DSCI, noting that appropriate security measures may vary from one organization to the next depending on the type of information processed (and rejecting a “one-size-fits-all” approach), has recommended that companies: (1) adopt one or a combination of industry-recognized security standards, namely ISO 27001[10. ISO 27001 is an international information security management system (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that specifies a set of requirements for the establishment, monitoring, maintenance and improvement of an ISMS aimed at managing information security risks based on a set of high-level principles.] and/or the OECD Privacy Principles for design and operation of Information Security Management Systems,[11. Presumably, the Organisation for Economic Cooperation and Development’s revised Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, adopted in July 2002, although the DSCI did not include a specific reference.] and implement such standards within their organization in a manner that is appropriate given the nature of the company’s information assets and its corresponding risk assessment; and (2) publicly declare that they are following ISO 27001 principles (presumably via a website, privacy policy or similar publication, although the method of declaration is not specified). In addition, companies would be obligated to document the standard in writing, along with the specific controls they have implemented to meet the standard and how such controls are deployed. There is no requirement that companies undergo an audit (external or otherwise) to verify that the controls are in place or the effectiveness of the controls. However, in the event of a security breach, a company would be obligated to demonstrate to investigators that it had a written security policy, that it was following such policy, and that the controls required by its policy were commensurate with the assets being protected.

Other Important Provisions

While businesses focus on the new data protection rules, a host of other provisions of the ITAA has also received attention. Section 66 expands the definition of cybercrime to include identity theft and makes it punishable by up to three years in jail. Sections 66A – 66F define and impose penalties for other cybercrimes, including cyber-terrorism. The ITAA protects intermediaries, such as network service providers, when unlawful content is transmitted on their sites or via their networks, as long as they were not involved in the transmission and exercised “due diligence” in discharging their duties under the ITAA. The DSCI has recommended that intermediaries, in order to obtain the protections of the ITAA, declare their privacy, security and operational policies and procedures for the handling of third-party content and require their subscribers to agree to such policies.

Sections 69 through 69B grant the Central Government the authority to intercept, monitor and block access to electronic information in the interest of national security, and to monitor and collect “traffic data” (data identifying a person, computer system, or location to or from which the communication was transmitted, including origin, destination and other details) for purposes of enhancing cyber security, all in accordance with procedures and safeguards “as may be prescribed.” The Ministry of Communications & Information Technology has posted draft rules prescribing such procedures and safeguards at its website for public comment.[12. Draft Rules under IT (Amendment) Act, 2008 available at http://www.mit.gov.in/default.aspx?id=969.] Among other things, the draft rules require authorities to consider whether there are other ways to acquire the necessary information and to issue orders to monitor or intercept such information only if it is not possible to obtain the information by other reasonable means. The draft rules also place time limits on how long an interception or monitoring order may remain in force, how quickly intermediaries must respond to an order for monitoring or interception of information and how long security agencies and intermediaries may retain the information obtained.

Section 70B creates a government agency, dubbed the “Indian Computer Emergency Response Team,” with responsibility over the analysis and dissemination of information and alerts regarding cyber incidents, the coordination of responses to cyber incidents and the issuance of guidelines regarding information security practices and the prevention, response and reporting of cyber incidents.

Consequences for Outsourcing to India

While the ITAA is an important first step for India in promoting and requiring appropriate data security protections, until it is formally adopted (via publication in the Official Gazette) and fully implemented, with “sensitive personal data” defined, “reasonable security practices and procedures” specified, and the corresponding rules promulgated, companies contemplating outsourcing operations or processes to an Indian provider should take care both in making the decision to move operations involving critical data offshore and in selecting and contracting with a provider.

Practice Pointers

While the ITAA may not necessarily require immediate and specific changes in your existing outsourcing contracts, it will certainly bring data security issues to the forefront for the Indian outsourcing community. Thus, the ITAA’s recent enactment may represent an opportunity to revisit contracts that may not have adequately addressed the issue in the first instance, or longer-term contracts where the existing data security provisions are outdated or otherwise inadequate. The following are some data security considerations to take into account when evaluating your existing outsourcing relationships with Indian providers or in entering into new ones:

Diligence Your Provider’s Data Security Practices

Thoroughly evaluate your Indian provider’s information security practices and procedures (including via a site visit, where feasible) before committing to a long-term relationship. Make sure the provider has a plan in place to address any identified gaps or deficiencies and follow up to make sure the plan is implemented.

Document Compliance Obligations

Your outsourcing agreement should expressly require your service provider to comply with those data security laws and regulations applicable to the provider (including the ITAA) and those applicable to the operations or functions it will perform for your company. Where applicable, include an obligation to comply with industry standards (e.g., the Payment Card Industry Data Security Standard). In the event the Central Government has not prescribed reasonable security procedures, your outsourcing agreement should specifically define the provider’s data security obligations (which should supersede any less stringent requirements imposed by law).

Address Security Breaches

Determine and clearly document your provider’s obligations in the event of a security breach. Your outsourcing agreement should specifically address what constitutes a “security breach,” the circumstances under which the service provider is responsible for the breach, and what happens in the event of such a security breach.

Obtain Robust Audit Rights

Include robust audit rights in your agreement, allowing you to verify that your provider is doing what it agreed to do. These rights will be particularly important in the event there is a security breach.

Negotiate Appropriate Remedies

Negotiate, and document in your agreement, remedies in the event your provider fails to comply with its data security obligations. These might include indemnities, termination rights and/or other measures.

Consider Liability Implications

Consider and document the provider’s liability for direct and indirect damages for security breaches.

We Can Help / About Hunton & Williams

Hunton & Williams’ Global Technology, Outsourcing and Privacy practice has substantial experience advising clients in executing, managing and redefining large-scale outsourcing transactions. With our integrated privacy and sourcing practice, we are able to proactively assist our clients in addressing the complex data privacy and security issues typically encountered in outsourcing transactions. If you would like to discuss the Indian legislation, or need assistance in determining its impact on your organization’s proposed or existing outsourcing relationships, please contact us.