Here is something to soothe clients who have been in a tizzy following the
latest reports of data theft expose in Indian BPOs. The communications and
IT ministry has now finalised the much-awaited amendments to the IT Act '00
to tighten data protection norms in the country.

It has prescribed a new section, which not only puts the responsibility on
'body corporate' or companies (including BPOs) to protect sensitive data,
but also provides for a civil liability with damages of up to Rs 5 crore in
case of any negligence.

In the context of call centres, this provision could imply that BPOs will
have to take the responsibility of protecting their data or information, in
line with prescribed security practices and procedures, and cannot shrug off
this responsibility, sources said.

It may be recalled that last year the expert committee set-up to review the
IT Act, had recommended that any negligence in implementation of reasonable
security practices by the 'body corporate' should attract damages "by way of
compensation not exceeding Rs 1 crore to the person affected".

Now the final version of the proposed amendment — which is likely to be
placed before the Parliament during the Winter session — makes the data
protection by companies, even more stringent.

Most of the other recommendations made by the Expert Committee have been
incorporated in the IT Act amendment. "The scope of Section 72, which deals
with criminal liability for leakage of information, is being expanded
further to provide for criminal liability in respect of information in
breach of a lawful contract.

This will prevent any intermediary and service provider who has secured any
material or information from a user, who has entered into a contract with
him, from passing it on to others without the consent of the user, sources
said. Violation will attract a punishment with imprisonment for a term of up
to two years or with a fine of up to Rs 5 lakh or both.

The stringent data protection norms may offer additional comfort to foreign
companies who outsource work to India, in the wake of recent reports of
information security breaches in Indian BPOs — the latest being a sting
operation undertaken by a UK-based television station.
The programme, to be telecast this week, shows two Indian middlemen
allegedly selling details of credit cards, driving licences and passports of
about 2 lakh UK citizens, allegedly obtained from Indian call centres.

Sources further said, new sections will be inserted in the Indian Penal
Code to provide for criminal liability for new forms of crime like
e-commerce frauds through wrongful use of digital signatures and
impersonation — phishing and identity theft, among others.

The punishment for identity theft may be extended to two years and also
fined, whereas punishment for impersonation will be extended to five years
and fined. The amendments also provide for punishment up to two years with
fine for sending offensive messages through computer or any communication
instrument.

Also, publication of sexually explicit act material will attract stringent
punishment — imprisonment of up to five years and fine of Rs 10 lakh in case
of first offence, and imprisonment of up to seven years and fine up to Rs 10
lakh for second-time offence.

Source: Economic Times - 06 October '06
-----------------------------------------------------------------
http://www.CyberLawTimes.com


[Non-text portions of this message have been removed]