Question: Reasonable Security Practices

Will the Minister of Electronics & Information Technology be pleased to state:-

(a) whether Section 43A of the IT Act makes the corporate body liable to pay compensation when it has failed to ensure reasonable security practices to protect data;

(b) if so, the details thereof and the statistics of the cases registered and convicted under the said section;

(c) whether the IT Rules on reasonable security practices do not specify the period within which corporate bodies are required to provide a policy for privacy and disclosure; and

(d) if so, the details thereof and the action taken by the Government in this regard?

Answer given by the minister

(a) and (b): Yes, Sir. Section 43A of the Information Technology (IT) Act, 2000 provides that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation. Compensation claims up to ₹ 5 crore are handled by Adjudicating Officers while claims above ₹ 5 crore are handled by the relevant Courts. Currently, all State and Union Territories’ Government Information Technology Secretaries are designated as ‘Adjudicating Officer’. Since Section 43A violations are civil in nature, there are no convictions. Further, since adjudication is done at State level, no repository of information related to cases is currently maintained by the Central Government.

(c) and (d): The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 have been notified on 11th April 2011. Bodies corporate are required to provide a policy for privacy and disclosure from the date of notification.
