Sunday, February 15, 2026

cdti course file sample

 

TRAINING MANUAL OF SPECIALISED COURSE FOR POLICE INVESTIGATING OFFICERS

107: INVESTIGATION OF CYBER CRIME CASES [DSI] –

ELECTRONIC AND DIGITAL RECORDS UNDER NEW CRIMINAL LAWS IN INDIA

 

(Two weeks)


Proposed Authority: Bureau of Police Research and Development (BPR&D) / State Police Training Academies / NFSU

Target Group: Police Investigating Officers & Cyber Police Officers



 

PART – A : COURSE GUIDE

1. EMERGENCE OF THE COURSE

Cyber crime has emerged as one of the most pervasive and complex forms of crime in contemporary India. The rapid penetration of the internet, mobile devices, digital payment systems, social media platforms, cloud computing and artificial intelligence has fundamentally altered the nature of criminal activity. Traditional crimes are now committed using digital means, while entirely new categories of offences have come into existence.

The enactment of the Bharatiya Nyaya Sanhita, 2023 (BNS), Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS) and Bharatiya Sakshya Adhiniyam, 2023 (BSA) marks a paradigm shift in the investigation and prosecution of crime in India. These new criminal laws explicitly recognize electronic records, digital devices and technologically generated evidence as central to criminal justice administration.

Police Investigating Officers are now required to possess not only legal knowledge but also operational competence in handling electronic and digital evidence. Deficiencies in cyber crime investigation frequently result in acquittals, exclusion of evidence, violation of procedural safeguards and erosion of public confidence. This specialised course has therefore been designed to build legal clarity, procedural compliance and practical investigation skills among Police Investigating Officers dealing with cyber crime cases.


2. INTRODUCTION TO THE COURSE

This course is structured as a practice-oriented, law-compliant and evidence-focused training programme for Police Investigating Officers. It integrates legal provisions, forensic principles, investigation procedures, case law and field-level best practices.

The course emphasizes the complete life cycle of electronic and digital evidence—from identification at the scene, lawful seizure, preservation, forensic examination, documentation and presentation before courts under the new criminal laws.


3. AIM OF THE COURSE

To equip Police Investigating Officers with the knowledge, skills and procedural discipline required for effective investigation of cyber crime cases, with particular emphasis on electronic and digital records under the Bharatiya Nyaya Sanhita, Bharatiya Nagarik Suraksha Sanhita and Bharatiya Sakshya Adhiniyam.


4. DESIGNED FOR

·         Police Investigating Officers

·         Cyber Police Station Officers

·         District and State Cyber Crime Units

·         Economic Offences Wing officers handling digital evidence


5. FACILITATORS

·         In-house Police Training Faculty

·         Cyber Crime Experts

·         Digital Forensic Scientists

·         Legal Experts / Public Prosecutors (Cyber Law)


6. STYLE OF THE COURSE

The course follows an adult-learning, participant-centric approach. Training methods include:

·         Lecture-cum-discussion

·         Case study analysis

·         Practical demonstrations

·         Drafting exercises

·         Court-oriented simulations

Active participation, experience sharing and problem-solving are integral to the learning process.


7. COURSE OBJECTIVES

At the end of the course, participants will be able to:

·         Understand the legal framework governing cyber crimes under BNS

·         Apply procedural safeguards under BNSS during cyber investigations

·         Identify, seize, preserve and document electronic and digital records

·         Ensure admissibility of electronic evidence under BSA

·         Coordinate effectively with forensic laboratories

·         Avoid common investigation errors leading to acquittals



 

PART – B : COURSE GRID & LEARNING EVENTS

COURSE EMPHASIS

This specialised course follows a 70:30 emphasis, wherein:

·         70% of the training focuses on investigation skills, procedures, digital evidence handling and coordination

·         30% focuses on legal provisions, admissibility and court-related requirements

This balance reflects the operational realities faced by Police Investigating Officers while ensuring legal sustainability of investigations.


COURSE GRID (TWO WEEKS)

| Learning Unit | Title |
|---|---|
| LU–1 | Cyber Crime Landscape & Policing Challenges |
| LU–2 | Cyber Crimes under Bharatiya Nyaya Sanhita, 2023 |
| LU–3 | Procedural Powers under Bharatiya Nagarik Suraksha Sanhita, 2023 |
| LU–4 | Electronic & Digital Records under Bharatiya Sakshya Adhiniyam, 2023 |
| LU–5 | Cyber Crime Scene Management & First Response |
| LU–6 | Search, Seizure & Preservation of Digital Devices |
| LU–7 | Digital Forensics, Hashing & Chain of Custody |
| LU–8 | Social Media, Cloud, Cryptocurrency & Emerging Tech |
| LU–9 | Case Law, Acquittals & Investigation Failures |



Course grid

WEEK–1

| Day | Learning Unit | Focus |
|---|---|---|
| Day 1 | LU–1: Cyber Crime Landscape & Policing Challenges | Cyber crime typology, MO, Challenges for IOs |
| Day 2 | LU–2: Cyber Crimes under BNS, 2023 | Mapping cyber offences, Conventional crimes online |
| Day 3 | LU–3: BNSS, 2023 – Procedural Powers | FIR/Zero FIR, Search, Seizure, Arrest, Safeguards |
| Day 4 | LU–4: BSA, 2023 – Electronic & Digital Records | Electronic records, Admissibility, IO responsibilities |
| Day 5 | LU–5: Cyber Crime Scene Management | First responder duties, Contamination risks |

WEEK–2

| Day | Learning Unit | Focus |
|---|---|---|
| Day 6 | LU–6: Search, Seizure & Preservation of Digital Devices | Mobile, Laptop, Storage, Documentation |
| Day 7 | LU–7: Digital Forensics, Hashing & Chain of Custody | Hash values, Integrity, Forensic coordination |
| Day 8 | LU–8: Social Media, Cloud & Cryptocurrency Evidence | Platform data, Cloud logs, Crypto tracing |
| Day 9 | LU–9: Case Law, Acquittals & Investigation Failures | Judicial scrutiny, Lapses, Best practices |
| Day 10 | Assessment, Exercises & Valediction | Case exercises, MCQs, Feedback |

Key Design Features:

·         Investigation-centric flow (70%) progressing from offence to procedure to evidence to court

·         Legal inputs (30%) embedded only where required for admissibility

·         Suitable for single-page printing and inclusion in Course Guide section

LEARNING EVENTS


 

LEARNING EVENT – LU–1

Learning Unit: Cyber Crime Landscape & Policing Challenges

Training Objective: At the end of the training, participants will be able to understand the evolving cyber crime landscape and its implications for policing.

Enabling Objectives: Participants will be able to:

1. Identify major categories of cyber crime

2. Analyse current trends and modus operandi

3. Recognise challenges faced by IOs

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Overview of cyber crime | Lecture-cum-discussion | PPT, Whiteboard | 60 | Cyber Crime Expert | Q&A |
| Typology & MO | Case discussion | Case briefs | 60 | Senior IO | Checklist |
| Policing challenges | Group discussion | Flip charts | 30 | Faculty | Participation |


LEARNING EVENT – LU–2

Learning Unit: Cyber Crimes under Bharatiya Nyaya Sanhita, 2023

Training Objective: Enable participants to identify and apply BNS provisions relevant to cyber crime investigations.

Enabling Objectives:

1. Correlate cyber crimes with BNS sections

2. Apply offence classification correctly

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Cyber offences under BNS | Lecture-cum-discussion | PPT | 60 | Legal Expert | MCQs |
| Mapping conventional crimes with cyber elements | Case analysis | Judgments | 60 | PP / Senior IO | Exercise |



 

LEARNING EVENT – LU–3

Learning Unit: Procedural Powers under Bharatiya Nagarik Suraksha Sanhita, 2023 (BNSS)

Training Objective: Enable participants to lawfully exercise procedural powers in cyber crime investigations while safeguarding admissibility and constitutional rights.

Enabling Objectives:

1. Register cyber crime FIRs correctly under BNSS

2. Conduct lawful search, seizure and arrest

3. Apply safeguards relating to jurisdiction, notice and documentation

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Registration of cyber FIR, Zero FIR | Lecture-cum-discussion | PPT | 60 | Senior IO | MCQs |
| Search & seizure of devices/data | Case-based discussion | Forms/SOPs | 90 | Legal Expert | Checklist |
| Arrest, notice & safeguards | Lecture | PPT | 60 | PP / IO | Q&A |


LEARNING EVENT – LU–4

Learning Unit: Electronic & Digital Records under Bharatiya Sakshya Adhiniyam, 2023 (BSA)

Training Objective: Equip IOs to ensure admissibility of electronic records before courts.

Enabling Objectives:

1. Understand types of electronic records

2. Apply statutory conditions for admissibility

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Concept of electronic record | Lecture | PPT | 60 | Legal Expert | MCQs |
| Authenticity, integrity & reliability | Case analysis | Judgments | 90 | PP | Exercise |



 

LEARNING EVENT – LU–5

Learning Unit: Cyber Crime Scene Management & First Responder Duties

Training Objective: Enable IOs to act as first responders and protect digital evidence.

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Identification of cyber crime scene | Demonstration | Devices | 60 | Cyber Expert | Checklist |
| Do’s & Don’ts, contamination risks | Discussion | Flip charts | 60 | Faculty | Participation |


LEARNING EVENT – LU–6

Learning Unit: Search, Seizure & Preservation of Digital Devices

Training Objective: Ensure lawful seizure and preservation of electronic devices.

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Device seizure procedures | Practical demo | Seizure memos | 90 | Forensic Expert | Practical |
| Packaging & documentation | Demonstration | Evidence kits | 60 | FSL Officer | Checklist |


LEARNING EVENT – LU–7

Learning Unit: Digital Forensics, Hashing & Chain of Custody

Training Objective: Enable IOs to preserve evidentiary integrity.

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Hashing concepts | Lecture | PPT | 60 | FSL Expert | MCQs |
| Chain of custody | Case discussion | Formats | 60 | IO | Exercise |



 

LEARNING EVENT – LU–8

Learning Unit: Social Media, Cloud, Cryptocurrency & Emerging Technologies

Training Objective: Handle modern digital evidence sources effectively.

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Social media investigations | Demo | Tools | 90 | Cyber Expert | Checklist |
| Cloud & crypto challenges | Lecture | PPT | 60 | Expert | Q&A |


LEARNING EVENT – LU–9

Learning Unit: Case Law, Acquittals & Investigation Failures

Training Objective: Identify investigation lapses and improve prosecution success.

| Content | Method | Media | Time (Mins) | Trainer | Assessment |
|---|---|---|---|---|---|
| Landmark judgments | Case study | Judgments | 120 | PP | Analysis |



 

PART – C : RESOURCE MATERIAL

Section–1: Handouts (HO)

HO–1: Cyber Crime Typology

In general cybercrime may be defined as “Any unlawful act where computer or communication device or computer network is used to commit or facilitate the commission of crime”.

Types Of Cybercrime

In simple terms, Cybercrime refers to criminal activities that involve computers, computer networks, or the Internet. There are various types that can be categorized into three main groups: crimes against persons, crimes against property, and crimes against the government.

  • Crimes Against Persons include cyber-stalking, dissemination of obscene material like child pornography, defamation through hacking, and using technology to threaten or harass individuals.
  • Crimes Against Property involve intellectual property violations like software piracy, cybersquatting (claiming similar domain names), cyber vandalism (destroying data or disrupting network services), hacking computer systems, transmitting viruses, cyber trespassing (unauthorized access to computers), and internet time theft.
  • Crimes Against the Government include cyber terrorism (threatening national security through internet attacks), cyber warfare (politically motivated hacking and spying), distribution of pirated software, and possession of unauthorized information.

 

Below is a list of some cybercrimes along with an indicative explanation of each. This is to facilitate better reporting of complaints.

1. Child Pornography/ Child sexually abusive material (CSAM)

Child sexually abusive material (CSAM) refers to material containing sexual images, in any form, of a child who is abused or sexually exploited. Section 67 (B) of the IT Act states that “it is punishable for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form”.

2. Cyber Bullying

A form of harassment or bullying inflicted through the use of electronic or communication devices such as computer, mobile phone, laptop, etc.

 

3. Cyber stalking

Cyber stalking is the use of electronic communication by a person to follow another person, or to attempt to contact that person to foster personal interaction repeatedly despite a clear indication of disinterest by that person. A person who monitors another person's use of the internet, email or any other form of electronic communication also commits the offence of stalking.

4. Cyber Grooming

Cyber Grooming is when a person builds an online relationship with a young person and tricks or pressures him/ her into doing sexual act.

5. Online Job Fraud

Online Job Fraud is an attempt to defraud people who are in need of employment by giving them a false hope/ promise of better employment with higher wages.

6. Online Sextortion

Online Sextortion occurs when someone threatens to distribute private and sensitive material using an electronic medium if he/ she doesn’t provide images of a sexual nature, sexual favours, or money.

7. Vishing

Vishing is an attempt where fraudsters try to seek personal information like Customer ID, Net Banking password, ATM PIN, OTP, Card expiry date, CVV etc. through a phone call.

8. Sexting

Sexting is an act of sending sexually explicit digital images, videos, text messages, or emails, usually by cell phone.

9. Smishing

Smishing is a type of fraud that uses mobile phone text messages to lure victims into calling back on a fraudulent phone number, visiting fraudulent websites or downloading malicious content via phone or web.

 

10. SIM Swap Scam

SIM Swap Scam occurs when fraudsters manage to get a new SIM card issued against a registered mobile number fraudulently through the mobile service provider. With the help of this new SIM card, they receive the One Time Password (OTP) and alerts required for making financial transactions through the victim's bank account. Getting a new SIM card issued fraudulently against a registered mobile number is known as SIM Swap.

11. Debit/Credit Card Fraud

Credit card (or debit card) fraud involves an unauthorized use of another's credit or debit card information for the purpose of purchases or withdrawing funds from it.

12. Impersonation and Identity Theft

Impersonation and identity theft is an act of fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of any other person.

13. Phishing

Phishing is a type of fraud that involves stealing personal information such as Customer ID, IPIN, Credit/Debit Card number, Card expiry date, CVV number, etc. through emails that appear to be from a legitimate source.

14. Spamming

Spamming occurs when someone receives unsolicited commercial messages sent via email, SMS, MMS or any other similar electronic messaging media. The messages may try to persuade the recipient to buy a product or service, or to visit a website where he/ she can make purchases; or they may attempt to trick him/ her into divulging bank account or credit card details.

15. Ransomware

Ransomware is a type of computer malware that encrypts the files and storage media on communication devices like desktops, laptops, mobile phones etc., holding data/information as a hostage. The victim is asked to pay the demanded ransom to get his/ her device decrypted.

16. Virus, Worms & Trojans

·         A computer virus is a program written to enter your computer, damage or alter your files/data, and replicate itself.

·         Worms are malicious programs that make copies of themselves again and again on the local drive, network shares, etc.

·         A Trojan horse is not a virus. It is a destructive program that looks like a genuine application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. Trojans open a backdoor entry to your computer which gives malicious users/programs access to your system, allowing confidential and personal information to be stolen.

17. Data Breach

A data breach is an incident in which information is accessed without authorization.

18. Denial of Service / Distributed DoS

·         A Denial of Service (DoS) attack is an attack intended to deny access to a computer resource without the permission of the owner or of any other person who is in charge of a computer, computer system or computer network.

·         A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

19. Website Defacement

Website Defacement is an attack intended to change the visual appearance of a website and/ or make it dysfunctional. The attacker may post indecent, hostile and obscene images, messages, videos, etc.

20. Cyber-Squatting

Cyber-Squatting is an act of registering, trafficking in, or using a domain name with an intent to profit from the goodwill of a trademark belonging to someone else.

21. Pharming

Pharming is a cyber-attack aiming to redirect a website's traffic to another, bogus website.

22. Cryptojacking

Cryptojacking is the unauthorized use of computing resources to mine cryptocurrencies.

23. Online Drug Trafficking

Online Drug Trafficking is a crime of selling, transporting, or illegally importing unlawful controlled substances, such as heroin, cocaine, marijuana, or other illegal drugs using electronic means.

24. Espionage

Espionage is the act or practice of obtaining data and information without the permission and knowledge of the owner.

The above definitions are from the National Cyber Crime Reporting Portal.

 


 

HO–2: Relevant Provisions of BNS

Key provisions under the BNS dealing with Cybercrimes

2.1 Sexual Harassment: Section 75 of the BNS deals with sexual harassment committed by showing pornography against the will of a woman or making sexually coloured remarks (physically or using electronic means). [Section 354A IPC]

2.2 Voyeurism: Section 77 of the BNS is directly applicable to cybercrimes involving the unauthorized recording and dissemination of private images, often referred to as "revenge porn" or "upskirting". It criminalizes the act of watching or capturing the image of a woman engaging in a private act without her consent. [Section 354C IPC]

2.3 Stalking: Section 78 of the BNS addresses the crime of stalking, including cyberstalking. This provision specifically targets individuals who repeatedly follow or monitor a woman's online activities, despite her clear disinterest. By using technology to harass or intimidate a woman, such as through persistent messaging, tracking her location, or creating fake profiles, a person can be held liable for cyberstalking under this section. [Section 354D IPC]

2.4 Outraging the modesty of the woman: Section 79 of the BNS addresses the offence of outraging the modesty of a woman by uttering words, making sounds or gestures, or exhibiting objects with intent to insult or invade a woman’s privacy. While primarily focused on offline acts, the provision can also be relevant to certain cybercrimes, particularly those involving online harassment or threats such as deepfakes. In these cases, the actions of the perpetrator can be seen as "uttering words," "making sounds or gestures," or "exhibiting objects" in electronic form, with the intent to insult the modesty of the woman. [Section 509 IPC]

2.5 Organised Crime: Section 111 of the BNS defines organised crime as a continuing unlawful activity undertaken by a group of persons acting in concert. It specifically includes cybercrimes within the scope of such activities. Cybercrimes such as cyber extortion, identity theft, phishing, ransomware and botnet operation could fall under this section. [New Section]

2.6 Petty Organized Crime: Section 112 of the BNS defines petty organized crime as any act of theft, snatching, cheating, or other similar criminal activity committed by a group or gang. While the provision primarily focuses on traditional forms of organized crime, it can also be relevant to certain cybercrimes. This is particularly true when a group or gang engages in coordinated cyberattacks or scams such as phishing scams, card skimming and clickbait scams. [New Section]

2.7 Act endangering sovereignty, unity, and integrity of India: Section 152 of the BNS addresses the offences of endangering the sovereignty, unity, and integrity of India. While primarily focused on offline acts, it can also be relevant to certain cybercrimes that threaten national security, as it explicitly refers to the use of ‘electronic communication’ to excite secession, armed rebellion or subversive activities, to encourage feelings of separatist activities, or to endanger the sovereignty or unity and integrity of India. Cybercrimes such as cyber warfare, espionage, propaganda and disinformation campaigns come under the ambit of Section 152. [New Section]

2.8 Promoting enmity between different groups on grounds of religion, race, place of birth, residence, language, etc., and doing acts prejudicial to maintenance of harmony: Section 196 of the BNS addresses the offence of promoting disharmony or hatred between different groups based on various grounds, including religion, race, place of birth, language, caste, or community. While primarily focused on offline acts, the provision can also be relevant to certain cybercrimes, as it explicitly uses the words ‘electronic means’ in relation to the commission of such acts. Cybercrimes that involve the dissemination of hateful content or fake news, or the targeting of individuals based on their identity, come under the radar of Section 196. [Section 153A IPC]

2.9 Sale, etc., of obscene books, etc.: Section 292 of the BNS deals with the offence that includes the display or exhibition of obscene material. It also covers such displays or exhibitions on online platforms, i.e., obscene material in electronic form. Cybercrimes such as the sharing of offensive, pornographic or abusive content are offences under this section. [Section 292 IPC]

 

2.10 Statements conducing to public mischief: Section 353 of the BNS addresses the offence of making false statements or spreading rumours that can harm public order or security, including through electronic means. Therefore, spreading fake news, hoax messages, hate speech, disinformation, or any other such act that can harm public order or security is considered an offence under this section. [Section 505 IPC]

 


 

Who are The Cybercriminals?

 

·         A cybercriminal is a person who uses his skills in technology to do malicious acts and illegal activities known as cybercrimes. They can be individuals or teams.

 

·         Cybercriminals are widely present on what is called the “Dark Web”, where they mostly offer their illegal services or products.

·         Not every hacker is a cybercriminal, because hacking itself is not considered a crime: it can be used to reveal vulnerabilities so that they can be reported and patched, and a person who does this is called a “white hat hacker”.

·         However, hacking is considered a cybercrime when it has the malicious purpose of conducting harmful activities; such a person is called a “black hat hacker” or a cybercriminal.

 

·         It is not necessary for cybercriminals to have any hacking skills as not all cyber crimes include hacking.

 

·         Cybercriminals can be individuals who are trading in illegal online content or scammers or even drug dealers.

 

So here are some examples of cybercriminals:

- Black hat hackers

- Cyberstalkers

- Cyber terrorists

- Scammers

 

Cybercriminals who conduct targeted attacks are better described as Threat Actors.

 

How do Cybercrimes happen?

 

Cybercriminals exploit security holes and vulnerabilities found in systems in order to gain a foothold inside the targeted environment.

These security holes can take the form of weak authentication methods and passwords, or can arise from the lack of strict security models and policies.

 

Why are Cybercrimes Increasing?

 

The world is constantly developing new technologies and now relies heavily on them. Most smart devices are connected to the internet. There are benefits, and there are also risks.

One of the risks is the large rise in the number of cybercrimes committed; there are not enough security measures and operations to help protect these technologies.

Computer networks allow people in cyberspace to reach any connected part of the world in seconds.

Laws and regulations on cybercrime can differ from one country to another, and covering one's tracks is much easier when committing a cybercrime than when committing other crimes.

The reasons for the large increase in cybercrimes are listed below:

 

- Vulnerable devices:

As mentioned before, the lack of efficient security measures and solutions leaves a wide range of devices vulnerable, making them easy targets for cybercriminals.

- Personal motivation:

Cybercriminals sometimes commit cybercrimes as a kind of revenge against someone they hate or have a problem with.

- Financial motivation:

This is the most common motivation of cybercriminals and hacker groups; most attacks nowadays are committed for profit.

 

Two Main Types of Cyber Crimes

 

- Targeting computers

This type of cybercrime includes every possible way of causing harm to computer devices, for example malware or denial-of-service attacks.

- Using computers

This type includes the use of computers to commit crimes in any of the classifications of computer crime.

 

Classifications of Cybercrimes

 

Cybercrimes in general can be classified into four categories:

1. Individual Cyber Crimes:

This type targets individuals. It includes phishing, spoofing, spam, cyberstalking, and more.

2. Organization Cyber Crimes:

The main target here is organizations. Usually, this type of crime is carried out by teams of criminals and includes malware attacks and denial-of-service attacks.

 

3. Property Cybercrimes:

This type targets property like credit cards or even intellectual property rights.

 

4. Society Cybercrimes:

This is the most dangerous form of cybercrime as it includes cyber-terrorism.

 

Cybersecurity Laws and Regulations India 2025

1. Cybercrime

1.1         Hacking (i.e. unauthorised access)

  1. Section 43 of the Information Technology Act, 2000 (IT Act): Under Section 43 of Chapter IX of the Act, whoever, without the permission of the person in charge of the computer system, accesses, downloads any data, introduces a computer virus, or causes denial of access will be liable to a penalty up to Rs 1 crore.
  2. Section 65 of the IT Act: Under Section 65, which deals with tampering with computer source documents, whoever knowingly or intentionally conceals, destroys or alters, or causes another to conceal, destroy or alter, any computer source code is punishable with imprisonment of up to three years, or with a fine that may extend up to Rs 2 lakh (Rs 200,000), or with both. The Bharatiya Nyaya Sanhita (BNS) has since come into force in place of the Indian Penal Code (IPC).
  3. Section 378 of the IPC now Section 303 of the BNS: “Whoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.” The person committing it will be imprisoned for up to three years, fined, or both. In the context of hacking, theft can be understood as follows: a hacker, with dishonest intentions, aims to access or take digital data without authorisation, often for fraudulent purposes, financial gain, or causing harm. Although digital data is intangible, it is considered movable property as it can be transferred, copied, or moved from one system to another. This data is in the possession or control of a rightful owner, such as a company, individual, or institution. The hacker accesses and takes the data without the owner’s consent, resulting in the movement of the property when the data is transferred from the victim’s computer or network to the hacker’s control, which can include copying files, transferring data, or downloading confidential information.
  4. Section 403 of the IPC now Section 314 of the BNS – dishonest misappropriation of property: Whoever dishonestly misappropriates or converts to his use any movable property shall be punished with imprisonment of either description for a term that shall not be less than six months but may extend to two years, and also with a fine. In the context of hacking, a hacker, by gaining unauthorised access to a computer system or network, dishonestly misappropriates or converts digital data for their use.  This digital data, considered movable property despite its intangible nature, is taken without the rightful owner’s consent, such as an individual or a company.  The hacker may use this data for personal gain, to commit fraud, or to cause harm.  Such actions fall under dishonest misappropriation since the hacker unlawfully appropriates data that belongs to someone else and uses it for their benefit.
  5. Section 420 of the IPC now Section 318 of the BNS:  Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything that he would not do or omit if he were not so deceived, and where such act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to cheat.

In Rafeeq Ahmad v. State of Karnataka (2015), the accused was involved in hacking into several online banking accounts to transfer funds illegally.  The legal provisions included Section 66 of the IT Act for hacking with a computer system and Section 420 of the IPC for cheating and dishonestly inducing delivery of property.  The court convicted the accused under both sections, underscoring the severe consequences of hacking activities and financial fraud.

 

Denial-of-service attacks

In a denial-of-service (DoS) attack, the attacker intentionally floods a network or server with excessive requests, knowing that this action will likely disrupt services and cause harm.  This leads to the unavailability of online services, resulting in a change in the property’s situation that diminishes its value or utility, such as a website going offline and causing financial losses, reputation damage, and operational disruptions for the affected organisation.  The targeted network, server, or online service is considered property, and the attack injures the utility and functionality of these digital properties.

  1. Section 66F of the IT Act: This applies to deliberate attacks designed to disrupt the availability of a network or service.  The punishment for this is imprisonment for up to seven years and a fine.
  2. Section 43 of the IT Act: This section discusses the penalty for damaging computers, computer systems, etc.  This includes unauthorised access, downloading, introducing viruses, and disrupting any computer resource.  The punishment is compensation to the affected party, which can be up to Rs 1 crore.
  3. Section 67C of the IT Act: This concerns intermediaries’ preservation and retention of information.  The punishment is imprisonment for up to three years and a fine.
  4. Section 425 of IPC now Section 324 of the BNS:  Whoever, with intent to cause (or knowing that he is likely to cause) wrongful loss or damage to the public or any person, causes the destruction of any property, or any such change in any property or the situation thereof that destroys or diminishes its value or utility or affects it injuriously, commits mischief.

Phishing

Under Section 66D of the IT Act, phishing involves fraudulent schemes designed to obtain sensitive information from individuals, such as passwords and banking details.  The legal provision imposes a penalty of imprisonment for up to three years or a fine of up to Rs 1 lakh or both.  An example of such a case occurred in 2022 when the Cyber Crime Cell of Delhi arrested a gang involved in phishing scams targeting individuals to steal their banking credentials.  Relevant case laws include R v. Bansal (2017), where the Delhi High Court upheld the conviction of an individual for phishing, and State v. Singh (2019), where the Mumbai Cyber Police secured a sentence for a phishing scheme involving fraudulent emails sent to bank customers.  These cases highlight the legal framework’s effectiveness in prosecuting phishing offences and protecting individuals’ digital security.

Section 419 of the IPC now Section 319 of the BNS

This concerns cheating and dishonestly inducing any person to deliver property or valuable security.  The punishment is imprisonment for up to seven years and a fine.

The revised Section 319 of the BNS

This concerns “cheating by personation”:

  1. A person is said to cheat by personation if he pretends to be another person, knowingly substitutes one person for another, or represents that he or any other person is a person other than he or such other person is.
  2. Whoever cheats by personation shall be punished with imprisonment of either description for a term that may extend to five years, with a fine, or with both.

Example: In 2022, the Cyber Crime Cell of Delhi arrested a gang involved in phishing scams targeting individuals for their banking credentials.  The perpetrators were charged under Section 66D of the IT Act and relevant sections of the IPC, including Sections 419, 420, and 468, due to their fraudulent activities involving identity theft and deceit to obtain sensitive information.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)

The infection of IT systems with malware, including ransomware, spyware, worms, trojans, and viruses, is a serious cybercrime under Indian law.  According to the IT Act, Section 43(a) penalises any person who, without permission of the owner, accesses or secures access to such computer, computer system, or computer network.  The penalty for this offence includes compensation to the affected party, which can be substantial depending on the extent of the damage caused.

Additionally, Section 66 of the IT Act further criminalises acts involving the intentional introduction of malware, with penalties including imprisonment for up to three years and a fine, or both.  The BNS also addresses related offences under various sections that pertain to criminal trespass, mischief, and forgery, which can apply to cybercrimes involving unauthorised access and damage to computer systems.

Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime

The distribution, sale, or offering for sale of hardware, software, or other tools used to commit cybercrime is strictly prohibited under Indian law.  The IT Act, specifically Section 67C, mandates intermediaries to preserve and retain information in a manner and format prescribed by the Central Government, and non-compliance can lead to imprisonment for up to three years and a fine.  Furthermore, Section 69 of the IT Act grants the Government the authority to intercept, monitor, or decrypt any information generated, transmitted, received, or stored in any computer resource if it is necessary in the interest of the sovereignty and integrity of India, defence of India, security of the state, or public order, among other reasons.  Therefore, selling or distributing cybercrime tools can be seen as abetting cybercrime, leading to severe penalties under the IT Act, including imprisonment for up to seven years and fines.  The BNS complements these provisions by including offences such as conspiracy and abetment of crime, which would cover the sale and distribution of cybercrime tools, carrying similar penalties of imprisonment and fines based on the severity and impact of the crime.

Possession or use of hardware, software or other tools used to commit cybercrime

Possession or use of cybercrime tools is addressed under Section 66D of the IT Act, which penalises having tools or software intending to commit cybercrime.  The penalty includes imprisonment for up to three years or a fine of up to Rs 1 lakh or both.  For instance, in the case of State v. Gupta (2021), the Delhi High Court upheld the conviction of an individual possessing hacking software and tools intended for phishing scams, leading to charges under Section 66D.  Similarly, in State v. Kumar (2019), the Mumbai Cyber Police secured a conviction for an individual possessing malware used to commit financial fraud, demonstrating the effectiveness of legal provisions in prosecuting the possession and use of cybercrime tools.

Identity theft or identity fraud (e.g. in connection with access devices)

Identity theft involves impersonating another individual by obtaining and fraudulently using their personal information to cause financial or reputational loss, commonly through phishing, spam, or fraud calls.  This offence is addressed under the IT Act and the IPC.  Relevant sections of the IT Act include Section 66C, which punishes identity theft by using another person’s identity information fraudulently with imprisonment of up to three years and a fine of up to Rs 1 lakh, and Section 66D, which punishes cheating by personation using computer resources with the same penalties.

In Cognizant Technology Solutions India Pvt. Ltd. v. A.M. Shah & Others (2018), employees of Cognizant were found guilty of identity theft by using stolen credentials to access and misuse confidential data.  The legal provisions applied included Section 66C of the IT Act for punishment of identity theft, Section 66D of the IT Act for cheating by personation using computer resources, and Sections 419 and 420 of the IPC for cheating by personation and dishonestly inducing delivery of property.  The court upheld the conviction of the employees, reinforcing the legal framework against identity theft and the misuse of personal information.

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)

Please see “Hacking” above.

Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)

Unsolicited penetration testing is covered under Section 66 of the IT Act, which penalises conducting security tests without authorisation.  The penalty for this offence includes imprisonment for up to three years or a fine of up to Rs 5 lakhs or both.  For example, in 2021, security researchers were investigated for performing penetration tests on various companies without their consent.  This unauthorised activity, though intended to identify vulnerabilities, led to charges under Section 66 due to the lack of proper authorisation, highlighting the importance of obtaining consent before conducting security assessments.

Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data

  1. Section 66F of the IT Act: Cyberterrorism is defined as any act with the intent to threaten the unity, integrity, security, or sovereignty of India or to strike terror in the people or any section of people by:

     1. Denying or causing the denial of access to any person authorised to access a computer resource.
     2. Attempting to penetrate or access a computer resource without authorisation.
     3. Introducing or causing the introduction of any computer contaminant.

     Punishment, in this case, is imprisonment for life.

  2. Section 121 of the IPC now Section 147 of the BNS: This concerns waging, or attempting to wage war, or abetting waging of war, against Government of India.  Whoever wages war against the Government of India, attempts to wage such war, or abets the waging of such war shall be punished with death or imprisonment for life and shall also be liable to a fine.
  3. Section 124A of the IPC now Section 152 of the BNS: This defines that sedition is punishable by either: imprisonment for life, to which a fine may be added; imprisonment for three years, to which a fine may be added; or a fine.

R.V.S. Mani v. Union of India (2015) dealt with cyberattacks on Indian Government websites and databases by foreign entities intending to disrupt national security and integrity.  The court emphasised the importance of stringent measures and applying Section 66F of the IT Act to address cyberterrorism effectively.  In State v. Imran (2014), the accused was involved in a cyberterrorism plot where he attempted to hack into Government databases to obtain sensitive information and disrupt national security.  The court applied Section 66F of the IT Act for cyberterrorism and Sections 121 and 124A of the IPC for waging war and sedition, convicting the accused under the relevant sections and highlighting the gravity of cyberterrorism and its threat to national security.

1.2        Do any of the above-mentioned offences have extraterritorial application?

Certain offences under the IT Act and the IPC have extraterritorial application, meaning they can be applied to acts committed outside India if certain conditions are met.

  1. Section 75 of the IT Act: This section provides for the extraterritorial application of the IT Act.  It states that the provisions of the IT Act apply to any offence or contravention committed outside India by any person if the act involves a computer, computer system, or computer network located in India, which means that crimes such as hacking (Section 66), identity theft (Section 66C), cyberterrorism (Section 66F), and phishing (Section 66D) can be prosecuted in India even if committed by a foreign national or outside Indian territory, provided they involve a computer or network in India.
  2. Section 3 of the IPC now Section 1 (4) of the BNS: This section states that any person liable by any Indian law to be tried for an offence committed beyond India shall be dealt with according to the provisions of the BNS (erstwhile IPC) for any act committed beyond India in the same manner as if such act had been committed within India.  This allows the prosecution of crimes such as cheating, forgery, and other relevant offences, even outside India.

The newly notified Digital Personal Data Protection Act 2023 (DPDPA) vide Section 3 (b) mentions that the Act shall also apply to the processing of digital personal data outside the territory of India if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India.

 

Why is India Vulnerable to Cybercrime?

India is vulnerable to cybercrimes due to several factors:

  1. Rapid Digitalization: India has experienced significant digital transformation in recent years, with a growing number of individuals and businesses relying on the Internet and digital technologies. The increased connectivity and reliance on technology create more opportunities for cybercriminals to exploit vulnerabilities.
  2. Large Internet User Base: India has one of the largest Internet user bases globally. With a large population using the internet, there are more potential targets for cybercriminals, making it a lucrative market for cyberattacks.
  3. Lack of Awareness: Many people in India are not fully aware of the risks associated with using the internet and digital devices. Lack of awareness about cyber threats and best cybersecurity practices leaves individuals and businesses more vulnerable to attacks.
  4. Inadequate Cybersecurity Infrastructure: The cybersecurity infrastructure in India is still developing. Many organizations, especially smaller businesses, may not have robust cybersecurity measures in place, making them easy targets for cybercriminals.
  5. Weak Legal Framework: While India has laws and regulations to address these issues, the legal framework is continuously evolving, and enforcement may be challenging at times. This can lead to delays in prosecuting cybercriminals effectively.
  6. Technological Advancements: As technology advances, so do cyber threats. Cybercriminals constantly find new ways to exploit vulnerabilities in software, hardware, and network systems.
  7. Insider Threats: Insider threats, where employees or individuals with access to sensitive information misuse it for malicious purposes, are a significant concern in India, particularly in the corporate sector.
  8. Payment Systems Vulnerability: With the rise of digital payments and online transactions, there is an increased risk of financial crimes such as phishing, credit card fraud, and online scams.
  9. Cross-Border Challenges: Cybercriminals can operate from anywhere in the world, making it challenging to apprehend and prosecute them, especially if they are located in jurisdictions with weak cybersecurity laws.

Strategies to Stop Cybercrime in India

Stopping these cybercrimes in India requires a multi-pronged approach involving various stakeholders.

  • Public Awareness: Educate the general public, businesses, and organizations about cybersecurity threats and best practices. Conduct awareness campaigns, workshops, and training sessions to promote safe internet usage and raise awareness about common cyber threats.
  • Strengthen Cybersecurity Laws: Continuously update and strengthen cybersecurity laws and regulations to address emerging cyber threats effectively. Ensure that internet crimes are treated as serious offenses, and penalties for perpetrators are stringent.
  • Capacity Building: Enhance the capabilities of law enforcement agencies and cybersecurity professionals by providing specialized training and resources. Develop a skilled workforce to investigate cybercrimes and respond to incidents promptly.
  • Cybersecurity Infrastructure: Invest in robust cybersecurity infrastructure for critical sectors like finance, healthcare, and government to protect sensitive data and systems from cyber threats.
  • Public-Private Partnerships: Foster collaboration between government agencies, private businesses, and cybersecurity experts to share threat intelligence and best practices. Public-private partnerships can help identify and respond to cyber threats more effectively.
  • International Cooperation: Collaborate with international agencies and law enforcement to address cross-border cybercrimes. Cybercriminals often operate from different countries, and international cooperation is essential to track and apprehend them.
  • Encourage Responsible Disclosure: Encourage ethical hackers and cybersecurity researchers to report vulnerabilities responsibly. Implement policies that protect those who report security flaws in systems and networks.
  • Cyber Hygiene: Promote good cyber hygiene practices, such as regularly updating software, using strong passwords, enabling two-factor authentication, and securing Wi-Fi networks.
  • Encourage Secure Coding Practices: Promote secure coding practices among software developers to minimize vulnerabilities in applications and software.
  • Incident Response and Reporting: Establish a streamlined mechanism for reporting cyber incidents and encourage prompt reporting of cybercrimes to law enforcement authorities.
  • Emphasize Mobile Security: Given the increasing use of mobile devices, focus on mobile security to protect users from mobile-based cyber threats.
  • Continuous Monitoring and Analysis: Implement proactive monitoring and analysis of cyber threats to identify potential attacks and take preventive measures.

 

2 Cybersecurity Laws

2.1 Applicable Laws: Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation, and management of Incidents.

This may include, for example, data protection and e-privacy laws, trade secret protection laws, data breach notification laws, confidentiality laws, and information security laws, among others.

There are various laws that mention monitoring, detection, prevention, mitigation and management of incidents.

The salient ones are as follows:

The IT Act

The IT Act, along with its allied Rules, is the primary law dealing with the varied aspects of how to look at issues related to electronic records and documents, digital signatures, and cybercrime on information, systems, etc. The Act also prescribed the offences and fines. Over a period of time, the changing technology landscape brought about an amendment to this Act, which is the IT Amendment Act.

This further enhanced the scope of cybercrimes and introduced penalties for offences related to data breaches, identity theft, and online harassment. As per the IT Act, the Computer Emergency Response Team – India (CERT-In) provides guidelines for monitoring, detecting, preventing, and managing cybersecurity incidents.

As per this, service providers, intermediaries, data centres, body corporates, and Government organisations are obligated to take specific actions or provide information for cyber incident responses and protective and preventive measures against cyber incidents.

National Cyber Security Policy 2023

The objective of this policy is to safeguard both information and the infrastructure in cyberspace. It seeks to establish the capabilities needed to prevent and respond effectively to cyber threats, as well as to minimise vulnerabilities and mitigate the impact of cyber incidents. This will be achieved through a combination of institutional structures, skilled individuals, established processes, advanced technology, and collaborative efforts.

The policy is designed to instil high trust and confidence in IT systems. It also aims to fortify the regulatory framework to ensure security and bolster the safeguarding and resilience of the nation’s critical information infrastructure (CII).

This will be accomplished by the operation of a 24/7 National Critical Information Infrastructure Protection Centre (NCIIPC) and the enforcement of security practices pertaining to the design, procurement, development, utilisation, and operation of information resources.

 Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021

In 2021, India implemented regulations commonly referred to as the Intermediary Rules. These guidelines establish a legal structure governing social media platforms, over-the-top (OTT) platforms, and digital news providers. Additionally, they encompass clauses pertaining to safeguarding data and addressing complaints.

The DPDPA is an Act that provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. It has a clear mandate for reporting incidents and fines for not following said mandates.

There is also the upcoming Digital India Act; the Government is presently looking to replace the IT Act with the Digital India Act, which will deal with online safety, trust and accountability, open internet, and regulations of new-age technologies like artificial intelligence and blockchain technologies.

The BNS (erstwhile IPC) also has provisions related to cyber incidents, although these must be read in conjunction with the IT Act.

The Central Government launched a National Cyber Crime Reporting Portal, https://www.cybercrime.gov.in, to enable citizens to report complaints about all types of cybercrimes, focusing on cybercrimes against women and children.

The Government also operates the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), which detects malicious programs and provides free tools for cleaning malicious code.

It also offers tools such as M-Kavach to address threats related to mobile phones.

The CERT-In coordinates with its counterpart agencies in foreign countries on cyber incidents originating outside the country.

2.2 Critical or essential infrastructure and services:

Are there any cybersecurity requirements under Applicable Laws (in addition to those outlined above) applicable specifically to critical infrastructure, operators of essential services, or similar, in your jurisdiction?

Yes, these are as follows:

■ Directions on information security practices, procedures, prevention, response, and reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify existing cybersecurity incident reporting obligations under the 2013 rules.

■ The IT Act establishes the framework for the protection of CII through the NCIIPC. CII refers to “facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on a nation’s national security, governance, economy, and social well-being”.

■ Requesting entities under the Aadhaar (Authentication and Offline Verification) Regulations, 2021.

■ Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023.

■ Temporary Suspension of Telecom Services (Public Emergency and Public Safety) Rules, 2017.

■ TRAI Recommendations on Privacy, Security, and Ownership of Data in the Telecom Sector (2018), which focuses on user data protection, ownership, and security within the telecom sector.

■ National Cyber Security Policy, 2013, which aims to protect information, such as personal information, financial/banking information, sovereign data, etc. from cyber threats.

■ Reserve Bank of India (RBI) Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices.

■ The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021.

■ Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018.

■ Companies (Management and Administration) Rules 2014, which require companies to ensure that electronic records and systems are secure from unauthorised access and tampering.

As per the IT Act, CII is monitored by the NCIIPC.

The NCIIPC is required to monitor and report national-level threats to CII.

The critical sectors include:

■ Power and energy.

■ Banking, financial services, and insurance.

■ Telecommunication and information.

■ Transportation.

■ Government.

■ Strategic and public enterprises.

Recently, some private banks such as ICICI and HDFC have also been included. The NCIIPC has been working on policy guidance, awareness programmes, and knowledge-sharing documents to ensure organisations are ready.

The RBI has issued a comprehensive Cyber Security Framework for all scheduled commercial banks, which requires all banks to adhere to strict cybersecurity and data protection guidelines. The RBI sets minimum standards and norms for banks, non-banking finance companies, and other lenders and payment services.

2.3 Security measures: Are organisations required under Applicable Laws to take specific security measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what measures are required to be taken.

 

Yes, organisations are required under applicable laws to take specific security measures to monitor, detect, prevent, or mitigate incidents.

Here are the measures required by various regulations and directives in India:

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (to be omitted once the DPDPA is notified) (Rules 3, 4 and 5) provide a foundational framework for cybersecurity practices.

While the Rules refer to ISO/IEC 27001 standards as a benchmark for security practices, adherence to these standards is recommended rather than mandatory. The standards provide comprehensive controls for establishing, implementing, and maintaining an information security management system (ISMS). Organisations are encouraged to follow these standards to develop a robust security framework to prevent data breaches and manage cybersecurity risks effectively.

The DPDPA reinforces these requirements by mandating that organisations implement appropriate technological and organisational measures to safeguard personal data. This Act requires data fiduciaries to establish practices that ensure personal data security and take immediate action in case of data breaches. Under the DPDPA, organisations must develop and implement strategies to prevent, detect, and respond to cybersecurity incidents, ensuring that personal data is protected against unauthorised access, loss, or damage.

In addition, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (Rule 4(1) and Rule 3(1)(a)) mandate that all intermediaries, including service providers and data centres, report any cybersecurity incidents to CERT-In.

CERT-In is the national agency responsible for analysing cyber threats, responding to incidents, and coordinating incident management efforts.

The agency guides best practices, conducts forensics, and recommends measures for mitigating cyber risks. This framework ensures that organisations report incidents promptly and follow recommended incident response and risk management practices.

Certain cybersecurity incidents of a severe nature are to be mandatorily reported, such as: DoS and distributed denial of service (DDoS) attacks; intrusion; the spread of computer contaminant, including ransomware, on any part of the public information infrastructure, including backbone network infrastructure; data breaches or data leaks; large-scale or most frequent incidents, such as intrusion into computer resource, websites, etc.; cyber incidents impacting safety of human beings (collectively, “Prescribed Security Incidents”); and all other security incidents.

 

IT Act and CII protection

■ CII protection: Establishment of the NCIIPC to oversee the protection of CII. Section 70A.

■ Security measures: Implementation of stringent security measures to protect CII, including access controls, encryption, and regular security assessments. Section 70B.

Aadhaar (Authentication and Offline Verification) Regulations, 2021

■ Data encryption: Encryption of authentication data both in transit and at rest. Regulation 12(2).

■ Access controls: Implementation of strict access control mechanisms to restrict access to authentication data. Regulation 10.

■ Audit logs: Maintenance of audit logs for all authentication requests and responses. Regulation 18.

Outsourcing of Information Technology Services Directions, 2023

■ Vendor risk management: Conducting due diligence and risk assessments of third-party IT service providers.

■ Service level agreements: Establishing clear service level agreements (SLAs) that include security requirements.

■ Continuous monitoring: Continuous monitoring and auditing of outsourced IT services for compliance with security standards.

 

TRAI Recommendations on Privacy, Security, and Ownership of Data in Telecom Sector (2018)

■ User data protection: Implementation of measures to protect user data, including encryption and access controls.

■ Data ownership: Ensuring users have control over their data and are informed about data-processing activities.

■ Data breach notification: Mandatory notification to users and authorities in case of data breaches.

National Cyber Security Policy, 2013

■ Risk management: Adoption of risk management practices to protect information assets.

■ Incident response: Establishment of incident response teams and protocols.

■ Collaboration: Collaboration with national and international agencies to address cyber threats.

RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices

■ IT governance framework: Establishing a comprehensive IT governance framework.

■ Risk assessment: Regular IT risk assessments and implementation of mitigation measures.

■ Controls and assurance: Implementing controls and assurance practices to safeguard IT systems and data.

Companies (Management and Administration) Rules, 2014

■ Electronic records security: Ensuring that electronic records and systems are secure from unauthorised access and tampering. (Rule 27).

■ Audit trails: Maintenance of audit trails for electronic records to ensure integrity and authenticity. (Rule 28).

These regulations collectively mandate organisations to implement a robust framework for cybersecurity, including prevention, detection, and response to cyber incidents, thus ensuring the protection of sensitive information and the integrity of critical systems.

 

 

 

2.4 Reporting to authorities: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents (including cyber threat information, such as malware signatures, network vulnerabilities and other technical characteristics identifying a cyber attack or attack methodology) to a regulatory or other authority in your jurisdiction? If so, please provide details of:

(a)  the circumstance in which this reporting obligation is triggered;

(b) the regulatory or other authority to which the information is required to be reported;

(c) the nature and scope of information that is required to be reported; and

(d) whether any defences or exemptions exist by which the organisation might prevent publication of that information.

All companies (note: A general obligation is imposed on all companies to report incidents to CERT-In in the manner provided in this list. Additional reporting obligations may apply, depending on how an entity is regulated).

Certain cybersecurity incidents of severe nature are to be mandatorily reported, such as: DoS; DDoS attacks; intrusion; spread of computer contaminant, including:

ransomware on any part of the public information infrastructure, including backbone network infrastructure; data breaches or data leaks; large-scale or most frequent incidents such as intrusion into computer resource, websites, etc.;

cyber incidents impacting safety of human beings (collectively, “Prescribed Security Incidents”); and all other security incidents.

■ All organisations that have “protected systems”, as designated by the Government under Section 70 of the IT Act: security incidents that impact protected systems must be reported to the NCIIPC.

■ Requesting entities under the Aadhaar (Authentication and Offline Verification) Regulations, 2021: misuse of information or systems related to the Aadhaar framework or any compromise of Aadhaar-related information or systems within the network; identified fraud cases and patterns through fraud analytics systems related to Aadhaar authentication should be reported to the Unique Identification Authority of India (UIDAI) and Aadhaar number holders.

Information security incidents such as: outage of critical IT systems (e.g. internet banking systems, ATMs, payment systems such as SWIFT, RTGS, NEFT, NACH, IMPS, etc.);

Cyber security incidents (e.g. DDoS, ransomware, data breach, data destruction, etc.);

theft or loss of information (e.g. sensitive customer or business information stolen, missing, destroyed or corrupted);

outage of infrastructure (e.g. power and utility supply, telecommunications supply, etc.); financial incidents (e.g. liquidation);

unavailability of staff (e.g. number and percentage on loss of staff and absence of staff from work); and any other incident (e.g. breach of the IT Act or any other law and regulation), should be reported to RBI.

“Service Providers” under the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 should be reported to Relevant RBI Regulated Entities who avail the Service Provider’s services.

 

2.5 Reporting to affected individuals or third parties: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to any affected individuals?

 If so, please provide details of

(a) the circumstance in which this reporting obligation is triggered and

(b) the nature and scope of information that is required to be reported.

In India, organisations are required under specific laws to report information related to cybersecurity incidents or potential incidents to affected individuals.

This requirement ensures transparency and provides individuals with information necessary to protect themselves from the consequences of data breaches.

The legal frameworks and guidelines that govern these obligations include the DPDPA, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Under the DPDPA, 2023, organisations are obligated to report personal data breaches to affected individuals if the breach poses a risk to their rights and freedoms. This obligation is triggered when there is a significant risk of harm to individuals due to the unauthorised access, disclosure, or loss of personal data.

The DPDPA specifies that such notifications must occur immediately, especially when the breach could have severe consequences for the data subjects.

Section 24 of the DPDPA requires data fiduciaries to notify affected individuals about personal data breaches threatening their rights and freedoms. This obligation ensures that individuals can take protective measures against potential harm from the breach. It also specifies what should be included in the notification, such as a description of the breach, its potential impact, measures taken, and contact details for further information.

2.6 Responsible authority (ies): Please provide contact details of the regulator(s) or authority(ies) responsible for the above-mentioned requirements.

Please refer to question 2.4.

Further, the IT Act had also envisaged a Cyber Appellate Tribunal (CAT) wherein any person aggrieved by the orders from the controller or adjudicating officers can prefer an appeal.

Due to the non-availability of a Presiding Officer, it was merged with the Telecom Disputes Settlement Appellate Tribunal (TDSAT) in 2017.

The DPDPA envisages a Data Protection Board, which will be the authority to decide on cases related to digital personal data.

2.7 Penalties: What are the penalties for not complying with the above-mentioned requirements?

In India, non-compliance with cybersecurity regulations can lead to significant legal and financial penalties. The primary sources of these penalties are the IT Act, the DPDPA, and sector-specific regulations such as those issued by the RBI. These laws establish a framework for enforcing compliance and imposing penalties for cybersecurity and data protection violations.

Penalties under the IT Act

The relevant sections of the IT Act are tabulated below.

 

Section 72A: Penalties for Breach of Confidentiality

Section 72A imposes penalties for breaches of confidentiality and privacy where personal information is disclosed without consent. The offender can face imprisonment for up to three years, a fine of up to Rs 5 lakh, or both.

Section 70B(7) of the IT Amendment Act

Section 70B(7) states that any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for or to comply with the directions of CERT-In under Section 70B(6) shall be punishable. This is punishable by imprisonment for up to one year or a fine of Rs 100,000, or both. However, this provision applies only to non-compliance with specific requests for information by CERT-In under Section 70B(6) of the IT Amendment Act.

Section 44(b) of the IT Act

Section 44(b) states that if a person who is required to furnish information under this Act or Rules or regulations made thereunder fails to do so, he shall be liable to a penalty. A penalty not exceeding Rs 150,000 will apply for each failure. This section also states that if a person who is required to furnish information fails to do so within a time specified by the Authority, he shall be liable to a penalty not exceeding Rs 5,000 for each day of delay for as long as the failure continues.

Section 45 of the IT Act

Section 45 provides for a residual penalty. Whoever contravenes any Rules or regulations under the IT Act, for the contravention of which no specific penalty is provided, shall be liable to pay compensation. This is compensation not exceeding Rs 25,000 to the affected party or a penalty not exceeding Rs 25,000.

 

In addition to the foregoing points, the newly enacted DPDPA included the following provisions in Schedule 1:

 

1.    A breach in observing the obligation of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under sub-section (5) of Section 8. The penalty may extend to Rs 250 crores.

2.    A breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of Section 8. The penalty may extend to Rs 200 crores.

3.    Breach in observance of additional obligations in relation to children under Section 9. The penalty may extend to Rs 200 crores.

4.    A breach in observance of additional obligations of a Significant Data Fiduciary under Section 10. The penalty may extend to Rs 150 crores.

5.    Breach in observance of the duties under Section 15. The penalty may extend to Rs 10,000 crores.

6.    Breach of any other provision of this Act or the Rules made thereunder. Penalty may extend to Rs 50 crores.

It is pertinent to mention that the rules under the DPDPA have yet to be notified, and we expect some more guidelines to emerge once they are published in the Official Gazette. The next significant piece of legislation in this regard is the CERT-In guidelines. Affected organisations face up to one year of imprisonment, significant penalties, and non-compliance fines if they fail to follow these regulations or report cyber security incidents to CERT-In.

 

2.8 Enforcement: Please cite any specific examples of enforcement action taken in cases of non-compliance with the above-mentioned requirements.

In India, regulatory bodies have actively enforced compliance with cybersecurity and data protection regulations, demonstrating the severe consequences of non-compliance. Here are some specific examples of enforcement actions:

 

HDFC Bank Ltd. v. Nikhil Kothari (2020)

In this case, HDFC Bank faced significant legal action due to inadequate security measures that led to a customer’s financial loss resulting from unauthorised access to their account. The court held HDFC Bank liable under Section 43A of the IT Act for failing to implement reasonable security practices. The bank was directed to compensate the affected customer for the incurred losses, exemplifying the judiciary’s role in enforcing cybersecurity obligations and ensuring organisations maintain robust security practices.

Amit Jani v. State of Maharashtra (2018)

This case involved the unauthorised disclosure of sensitive personal information, constituting a breach of confidentiality under Section 72A of the IT Act. The court emphasized the criminal penalties for such violations, including imprisonment for up to three years, fines of up to Rs 5 lakh, or both. This ruling reinforced the legal consequences of failing to protect personal data and highlighted the importance of adhering to confidentiality obligations.

 

ICICI Bank Ltd. v. Reserve Bank of India (2019)

ICICI Bank was subject to regulatory scrutiny for non-compliance with the RBI’s cybersecurity guidelines. The court upheld the RBI’s authority to impose penalties for such breaches, reinforcing the importance of following the RBI Cyber Security Framework. This case highlighted the enforcement of sector-specific regulations and the critical need for financial institutions to adhere to prescribed cybersecurity standards.

 

3 Preventing Attacks

3.1 Are organisations permitted to use any of the following measures to protect their IT systems in your jurisdiction (including to detect and deflect Incidents on their IT systems)?

Beacons  (i.e. imperceptible, remotely hosted graphics inserted into content to trigger a contact with a remote server that will reveal the IP address of a computer that is viewing such content)

In India, organisations are permitted to use various cybersecurity measures such as beacons, honeypots, and sinkholes to protect their IT systems, provided these measures are implemented within the legal framework established by the IT Act and other relevant regulations.

Below is a detailed explanation of each measure, its legality, and relevant case laws supporting their use in the context of IT security in India:

Definition: Beacons are imperceptible, remotely hosted graphics inserted into content to trigger contact with a remote server, revealing the IP address of the computer viewing the content.

Legality: Beacons are generally used for analytics and tracking purposes. Their use must comply with privacy and data protection regulations. Under the IT Act, this practice must align with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
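For an officer examining a seized e-mail or web page, the beacon defined above can be located mechanically. The following is an added example, not part of the original manual: a Python sketch that lists remotely hosted images that are imperceptible (1x1 or hidden). The sample HTML, host names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail body with one visible logo and several
# images that a reader would never notice on screen.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, your statement is attached.</p>
<img src="https://cdn.example/logo.png" width="200" height="50" alt="logo">
<img src="https://tracker.example/o.gif?rid=CONSTRUCTED-0001" width="1" height="1" alt="">
<img src="cid:footer-image" width="1" height="1">
<img src="https://metrics.example/p.png" style="display:none">
<img src="http://stats.example/t?u=CONSTRUCTED-0002" style="width:1px; height:1px">
</body></html>
"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


def _style_px(style, prop):
    """Pixel value of a CSS property in an inline style, or None if absent."""
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*(\d+)\s*(?:px)?\s*(?:;|$)", style)
    return int(m.group(1)) if m else None


class BeaconFinder(HTMLParser):
    """Collects <img> tags that are remotely hosted and imperceptible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", "").strip())
        # Only http(s) sources cause contact with a remote server; embedded
        # images (cid:, data:) reveal nothing about the viewer.
        if url.scheme not in ("http", "https"):
            return
        style = a.get("style", "").lower()
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or smaller (attributes)")
        w, h = _style_px(style, "width"), _style_px(style, "height")
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller (inline style)")
        if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style):
            reasons.append("hidden by inline style")
        if reasons:
            self.findings.append({
                "host": url.hostname,          # server that would learn the viewer's IP
                "url": url.geturl(),
                "carries_identifier": bool(url.query),  # query string may tag the recipient
                "reasons": reasons,
            })


def find_beacons(html):
    """Return one record per suspected beacon, in document order."""
    parser = BeaconFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_HTML):
        print(hit["host"], hit["reasons"], "identifier in URL:", hit["carries_identifier"])
```

Run it against a copy of the content, never the original exhibit, and record the hosts it reports; those are the servers whose logs would hold the viewer's IP address.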

Honeypots (i.e. digital traps designed to trick cyber threat actors into taking action against a synthetic network, thereby allowing an organisation to detect and counteract attempts to attack its network without causing any damage to the organisation’s real network or data)

Definition: Honeypots are digital traps designed to deceive cyber threat actors into targeting a synthetic network, allowing organisations to detect and counteract cyber threats without harming real networks or data.

Legality: Using honeypots is legally acceptable as a proactive cybersecurity measure as long as it adheres to the legal requirements for ethical hacking and does not cause harm or violate laws.

 

Sinkholes (i.e. measures to re-direct malicious traffic away from an organisation’s own IP addresses and servers, commonly used to prevent DDoS attacks)

Definition: Sinkholes are measures that redirect malicious traffic away from an organisation’s IP addresses and servers to prevent or mitigate DDoS attacks.

Legality: Sinkholes are a legal and accepted method for mitigating the impact of malicious traffic, as long as they are used in line with cybersecurity best practices and do not involve illegal activities.

 

3.2 Are organisations permitted to monitor or intercept electronic communications on their networks (e.g. email and internet usage of employees) in order to prevent or mitigate the impact of cyber-attacks?

Yes, organisations in India are permitted to monitor or intercept electronic communications on their networks to prevent or mitigate the impact of cyberattacks, provided such activities are conducted within the legal framework established by Indian laws. The primary legislation governing these activities includes the IT Act, IPC, and relevant regulations under these statutes.

An overview of the legal provisions that permit such monitoring or interception is provided below and supported by case laws that illustrate how these laws are applied.

Section 69 of the IT Act grants powers to the Central Government or its authorised agencies to intercept, monitor, or decrypt information generated, transmitted, received, or stored in any computer resource in the interest of national security, public order, or for the investigation of a crime.

 

3.3  Does your jurisdiction restrict the import or export of technology (e.g. encryption software and hardware) designed to prevent or mitigate the impact of cyber-attacks?

Yes, India does impose certain restrictions on the import and export of technology, including encryption software and hardware designed to prevent or mitigate the impact of cyberattacks.

These restrictions are governed by various regulations and guidelines, including the following:

Foreign trade policy: The Foreign Trade Policy (FTP) of India, which is formulated by the Directorate General of Foreign Trade (DGFT) under the Ministry of Commerce and Industry, regulates the import and export of goods and technologies.

Import and export licensing: Certain technologies, including high-grade encryption software and hardware, require specific import and export licences. These items are listed in the Special Chemicals, Organisms, Materials, Equipment, and Technologies (SCOMET) list.

SCOMET list: Categories 6 and 8 of the SCOMET list specifically cover items related to information security, including encryption technology.

Restricted items: The export of items listed under the SCOMET list requires authorisation from the DGFT. Import of restricted items similarly requires prior approval.

IT Act

The IT Act, along with the Information Technology (Certifying Authorities) Rules, regulates the use of cryptography in India.

Encryption regulations: Under the IT Act, the Government of India may prescribe the use of certain encryption standards and protocols for secure communication.

Restrictions on cryptography: There are regulatory restrictions on the use of high-strength encryption. The import and use of cryptographic products may require adherence to certain standards and, in some cases, approval from relevant authorities.

Import policy of India

The import policy, as outlined in the FTP and governed by the Customs Act, also imposes restrictions on certain high-technology items.

Customs regulations: Customs regulations may require special clearance for importing technologies that include advanced encryption or are intended for cybersecurity purposes.

Export control regulations

Export control regulations are in place to prevent the proliferation of dual-use technologies that could be used for both civilian and military applications.

Authorisation for export: Exporting items on the SCOMET list, particularly those that involve high-level encryption or cybersecurity capabilities, requires authorisation from the DGFT.

End-use certification: Exporters may need to provide an end-use certificate to ensure that the exported technology will not be used for unauthorised or harmful purposes.

 

4 Specific Sectors

4.1 Do legal requirements and/or market practice with respect to information security vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal requirements under Applicable Laws.

Yes, legal requirements and market practices for information security vary across different business sectors in India. While current laws set broad guidelines, specific requirements can differ based on the nature and volume of data businesses process. Here is a detailed explanation of this variance, supported by relevant case laws and the anticipated impact of future legislation.

The IT Act provides a broad framework for information security, including the protection of sensitive data and the responsibilities of intermediaries. It does not prescribe detailed, sector-specific security measures but establishes a general obligation for all businesses to implement reasonable security practices.

Section 43A mandates that companies dealing with sensitive personal data or information must implement reasonable security practices.

Section 72A addresses breaches of confidentiality and privacy, holding individuals accountable for unauthorised disclosure of personal information.

Different sectors follow varying levels of information security practices based on their specific requirements:

Banking sector Regulations: The RBI Cyber Security Framework for Banks (2016) sets out detailed cybersecurity requirements, including risk management, incident response, and regular audits.

Healthcare sector Regulations: The National Digital Health Mission (NDHM) Guidelines provide a framework for the secure management of health data.

Telecommunications Regulations: The Telecom Regulatory Authority of India (TRAI) Guidelines set security measures for protecting telecom networks.

4.2 Excluding the requirements outlined at 2.2 in relation to the operation of essential services and critical infrastructure, are there any specific legal requirements in relation to cybersecurity applicable to organisations in specific sectors (e.g. financial services, health care, or telecommunications)?

Various sectors have their own rules and guidelines issued to take care of the security of the infrastructure. The DPDPA outlines the general requirements for how personal data needs to be handled.

However, there are sector-specific regulations and guidelines. The proposed Digital Information Security in Healthcare Act (DISHA) by the Health Ministry primarily protects healthcare data from third parties. Further, the Government released a draft of the Health Data Management Policy in April 2022, which aims to protect citizens’ health data under the Ayushman Bharat Digital Mission.

Similarly, the RBI provides specific rules and guidelines for the financial sector, and the TRAI prescribes guidelines for data collected in the telecom sector.

Security is also essential, including incident reporting to the Department of Telecommunications under The Unified License Agreement. The Insurance Regulatory and Development Authority of India (IRDAI) prescribes similar rules for insurance companies.

 

5 Corporate Governance

5.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to a breach of directors’ or officers’ duties in your jurisdiction?

In India, a company’s failure to prevent, mitigate, manage, or respond to a cybersecurity incident can amount to a breach of directors’ or officers’ duties under various legal frameworks. Here is a detailed explanation of the circumstances under which such failures could be considered breaches of these duties:

Circumstances amounting to a breach of directors’ or officers’ duties

 

1. Negligence in risk management

Circumstance: If directors or officers fail to implement reasonable cybersecurity measures or adequately assess risks, this negligence can breach their fiduciary duties. Under the Companies Act 2013, directors must act with reasonable care, skill, and diligence as outlined in Section 166. This duty includes ensuring that the company has adequate systems in place for risk management, which encompasses cybersecurity.

2. Failure to ensure compliance with legal requirements

Circumstance: Directors or officers may breach their duties if they fail to ensure that the company complies with legal requirements related to cybersecurity. Section 134 of the Companies Act 2013 requires the board of directors to ensure that the financial statements reflect compliance with applicable laws and regulations. This includes adherence to cybersecurity regulations like the IT Act and National Cyber Security Policy.

3. Failure to act in the best interests of the company

Circumstance: Directors or officers may be found to breach their duties if they fail to take appropriate actions to protect the company from known cybersecurity threats, which could be viewed as failing to act in its best interests. Section 166 of the Companies Act 2013 requires directors to act in good faith and in the company’s best interests. A failure to act on known risks, including cybersecurity threats, may be viewed as a breach of this duty.

4. Inadequate response to a cyber incident

Circumstance: If directors or officers fail to respond adequately to a cybersecurity incident or manage an incident’s aftermath effectively, this can be seen as a breach of their responsibilities. Sections 134 and 143 of the Companies Act 2013 require directors to oversee and ensure the effectiveness of internal controls and audit mechanisms, including responding to incidents.

5. Neglecting to develop a cybersecurity strategy

Circumstance: Directors or officers might breach their duties if they fail to establish or update a comprehensive cybersecurity strategy for the organisation. Under Section 177 of the Companies Act 2013, the Audit Committee oversees the internal controls and risk management processes, including developing and implementing cybersecurity strategies.

 

5.2 Are companies (whether listed or private) required under Applicable Laws to:

(a) designate a CISO (or equivalent);

(b) establish a written Incident response plan or policy;

(c) conduct periodic cyber risk assessments, including for third party vendors; and

(d) perform penetration tests or vulnerability assessments?

While the law will never detail these aspects of practice because technology and standards are always fluid, it is important to note the language of the law.

In the IT Rules as well as the DPDPA, the language speaks of having appropriate technological and organisational measures and reasonable security safeguards to prevent a breach.

To demonstrate compliance with the applicable laws in India regarding information security, businesses are mandated to undertake several key measures.

This includes designating a Chief Information Security Officer (CISO) or an equivalent role, establishing a documented Incident Response Plan or policy, conducting regular cyber risk assessments, which should encompass evaluations of third-party vendors, and performing Pen testing or vulnerability assessments.

These actions collectively form a crucial framework for ensuring adherence to legal requirements, safeguarding sensitive information, and fortifying resilience against cyber threats.

 

The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, mandate that all intermediaries and other companies operating in the digital space must appoint a Grievance Redressal Officer. Further, the Rules prescribe that appropriate grievance redressal mechanisms should be available to all users of social media intermediaries and should be prominently published. The Rules also stipulate the timelines within which relevant action must be taken by the intermediaries or other companies operating in digital spaces.

 

 

6 Litigation

6.1 Please provide details of any civil or other private actions that may be brought in relation to any Incident and the elements of that action that would need to be met. Is there any potential liability in tort (or equivalent legal theory) in relation to failure to prevent an Incident (e.g. negligence)?

While no specific private remedies are available, the IT Act and Rules allow for statutory remedies for affected persons, including civil actions under Section 43.

Please refer to responses in sections 1 and 2.

 

6.2 Please cite any specific examples of published civil or other private actions that have been brought in your jurisdiction in relation to Incidents.

There have been some instances of data breaches that have come to light in the past few years, such as the data of Air India being compromised and order details of Domino’s Pizza being leaked online. There was also a case of the COVID-19 vaccination data being leaked online due to the hacking of some Government portals and websites.

 

In SMC Pneumatics (India) Pvt. Ltd. v. Jogesh Kwatra (2014), SMC Pneumatics, a private company, sued an ex-employee for unauthorised access and theft of confidential business data. The company sought compensation for the damages caused by the data breach. The court awarded damages to SMC Pneumatics and issued an injunction against the ex-employee to prevent further misuse of the stolen data. The ex-employee was held liable for breach of confidentiality and unauthorised access to the company’s IT systems. This case illustrated the legal recourse available to private companies against individuals who breach cybersecurity protocols and steal confidential information.

 

In National Insurance Company Ltd. v. IFFCO Tokio General Insurance Co. Ltd. (2016), National Insurance Company Ltd. filed a civil suit against IFFCO Tokio for a data breach that led to the theft of customer data. The plaintiff claimed the defendant’s inadequate cybersecurity measures allowed for the violation. The court found IFFCO Tokio negligent and ordered the company to pay compensation for the damages incurred by the National Insurance Company. The judgment reinforced the duty of care required from companies in safeguarding customer data. This case underscored companies’ potential civil liabilities for failing to implement adequate cybersecurity measures.

 

In TATA Consultancy Services v. Dr. B. Basu (2018), TATA Consultancy Services (TCS) initiated a civil suit against an individual for cyber fraud and unauthorised access to its proprietary software.

The company sought legal remedies for the financial losses and reputational damage caused by the incident. The court ruled in favour of TCS, awarding significant damages and ordering the defendant to cease all unauthorised activities.

The judgment highlighted the importance of protecting intellectual property (IP) and the need for stringent cybersecurity measures.

This case demonstrated the legal protection available for companies against cyber fraud and the importance of safeguarding proprietary information.

 

7 Insurance

 

7.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction?

Yes, they are. Cybersecurity insurance has now started to become almost mandatory, given the value and volume of fines being levied in different laws.

 

7.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?

 

In India, there are typically no specific regulatory restrictions preventing insurance coverage for types of losses like business interruption, system failures, cyber extortion, or digital asset restoration. Insurance companies in India generally have the freedom to offer policies that cover a wide array of risks, including those associated with cyber incidents and digital assets.

However, the terms and conditions of these policies are subject to the regulations and guidelines established by the IRDAI.

The IRDAI may issue guidelines or regulations governing the structure and terms of insurance policies, including those related to cyber insurance.

These guidelines could encompass requirements for disclosing information, policy language, coverage limits, and procedures for filing claims.

 

7.3 Are organisations allowed to use insurance to pay ransoms?

Organisations are not allowed to use insurance to pay ransoms.

8 Investigatory and Police Powers

 

8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. anti-terrorism laws) that may be relied upon to investigate an Incident.

In India, various laws grant investigatory powers to law enforcement and other authorities to address cybersecurity-related incidents, terrorism, and other criminal activities.

Key legislation includes the IT Act, the Unlawful Activities (Prevention) Act (UAPA), 1967, and the IPC.

Under Section 69 of the IT Act, the Government issues directions for interception, monitoring, or decryption of any information through any computer resource if it is necessary or reasonable to do so in the interest of the sovereignty, integrity, defence of India, security of the state, friendly relations with foreign states, or public order, or for preventing incitement to the commission of any cognisable offence.

Under Section 43A of UAPA, any officer not below the rank of a Deputy Superintendent of Police is authorised to arrest, investigate, and detain individuals suspected of involvement in terrorism-related activities.

Section 91 of CrPC empowers a court or any officer in charge of a police station to issue a summons or written order to produce any document or electronic record necessary or desirable for any investigation, inquiry, trial, or other proceeding under the Code.

The current DPDPA also envisages that the Data Protection Board will similarly function and shall have the same powers as are vested in a civil court under the Code of Civil Procedure, 1908, in respect of matters relating to:

(a) summoning and enforcing the attendance of any person and examining her on oath;

(b) receiving evidence of an affidavit requiring the discovery and production of documents;

(c) inspecting any data, book, document, register, books of account or any other document; and

(d) such other matters as may be prescribed.

 

8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption keys?

Yes, Section 69 of the IT Act allows the Central Government or appropriate agency on its behalf to order the subscriber or person in charge of said computer resource to extend all facilities and technical assistance to intercept, monitor, or decrypt the information on a computer resource if the Central Government or agency authorised is satisfied that it is necessary or reasonable to do so in the interests of:

■ The sovereignty or integrity of India.

■ The security of the State.

■ Friendly relations with foreign States.

■ Public order.

■ Preventing incitement of the commission of any cognisable offence – for reasons to be recorded in writing, by order, any agency of the Government is to be directed to intercept any information transmitted through any computer resource.

 

Sections 69-A and 69-B of the IT Act provide for more such powers. Section 69-A talks of blocking public access to information through computer resources, while Section 69-B talks of the power to monitor or collect traffic data or information generated, transmitted, received, or stored in any computer resource.

9 International Compliance

9.1 How do international compliance regimes impact country-specific cybersecurity rules?

The standards being framed in India are in line with the International Organization for Standardization (ISO) standards. In terms of specific cybersecurity rules, while India does look at all compliance regimes around the world, there is very little impact on the country-specific cyber security rules. To the extent that there are agreements with other countries, India and the foreign country will follow the same.

10 Future Developments

10.1 How do you see cybersecurity restrictions evolving in your jurisdiction?

The drafters of the laws are trying to make the laws generic and not too prescriptive. There are already ISO standards, and the Bureau of Standards has adopted those standards in India. The cybersecurity restrictions and compliance, in our view, will be a moving target dependent on the state of the technology and requirements thereto.

 

10.2 What do you think should be the next step for cybersecurity in your jurisdiction?

The introduction of a Digital India Act, which will be the successor to the IT Act, will be the next step. It will deal with the various confluences of law. Additionally, either as part of this Act or separately, there will be a guideline or framework for AI and the relevant challenges from a security perspective.

 

 

 


 

HO–3: BNSS Search & Seizure Checklist


Under the Bharatiya Nagarik Suraksha Sanhita (BNSS), 2023, search and seizure procedures have undergone a "digital-first" transformation to ensure transparency and prevent evidence tampering.

Mandatory "HO–3" Checklist for Search & Seizure

This checklist incorporates the key statutory requirements under Section 105 (General Search) and Section 185 (Search by Police Officer) of the BNSS: 

1. Pre-Search Requirements

·         Recording of Reasons: For searches without a warrant, the Investigating Officer (IO) must record the "grounds of belief" in the case diary before proceeding.

·         Independent Witnesses: Secure at least two "independent and respectable" local inhabitants to witness the entire process.

·         Introduction on Camera: The IO must start the recording by stating their name, designation, date, time, location, and case details (FIR number). 

2. Mandatory Audio-Video Recording (The "Section 105" Rule)

·         Uninterrupted Footage: The entire process—from entry to final seizure—must be recorded using audio-video electronic means (preferably a mobile phone).

·         Scope of Recording: The recording must specifically capture:

o    The actual search of the premises or person.

o    The discovery and taking possession of every property/article.

o    The preparation of the Seizure Memo (inventory list).

o    Witnesses and the accused signing the seizure list.

·         Witness Declaration: Witnesses should be asked to look into the camera and declare that the search was conducted in their presence. 

3. Post-Search Compliance & Timelines

·         Seizure Memo: Provide a free, signed copy of the list of seized items to the occupant or person searched.

·         Forwarding to Magistrate:

o    Without Warrant (S. 185): The recording and records must be sent to the Magistrate within 48 hours.

o    With Warrant (S. 105): The recording must be forwarded "without delay".

·         Digital Evidence Protocol: If electronic devices are seized, the IO must document the sequence of custody and maintain a chain-of-custody log. 

Key Legal Differences from CrPC

Feature | Old CrPC (1973) | New BNSS (2023)
Videography | Optional / Best Practice | Mandatory for all searches (S. 105/185)
Device Type | Professional Cameras | Preferably a Mobile Phone
Immovable Property | Limited powers | Power to attach/seize immovable property (S. 107)
Forensic Visit | Optional | Mandatory for offences punishable by 7+ years (S.


 

 

HO–4: Electronic Records under BSA

The Bharatiya Sakshya Adhiniyam (BSA), 2023, which replaced the Indian Evidence Act, fundamentally elevates the status of digital data. Under Section 63 (the successor to the famous Section 65B), electronic records are now considered primary evidence if handled correctly.

HO–4: Checklist for Admissibility of Electronic Records

1. Definition & Scope (Section 2)

·         Broad Coverage: "Evidence" now explicitly includes information given electronically. This covers emails, server logs, smartphone data, messages (WhatsApp/Signal), location data, and cloud records.

·         Primary Evidence: If an electronic record is produced directly from its source (e.g., the original device or original cloud storage), it is treated as Primary Evidence under Section 57.

2. The Section 63 Certificate (The Digital "Passport")

Any electronic record produced as a printout or copy (Secondary Evidence) must be accompanied by a certificate to be admissible.

·         Who signs? The person in charge of the device or the management of the relevant activities.

·         What must it state?

o    Identify the electronic record and describe the manner in which it was produced.

o    Confirm the device was operating properly during the period of data creation.

o    State that the data was fed into the device in the ordinary course of activities.

·         New Schedule: The BSA provides a specific form/template for this certificate (refer to the Schedule at the end of the BSA Act).

3. Handling "Secondary" Electronic Evidence

If the original device cannot be brought to court, you must ensure:

·         Hash Value: Recording the MD5 or SHA hash value of the file to prove it hasn't been tampered with since seizure.

·         Chain of Custody: Documenting every hand the digital file passed through—from the Investigating Officer (IO) to the Forensic Lab (FSL) to the Court.

4. Critical Changes from the Old Act

Feature | Old Evidence Act (S. 65B) | New BSA (S. 63)
Status | Distinct from primary evidence. | Can be Primary Evidence (S. 57/62).
Oral Evidence | Often required to prove digital data. | Section 22 allows oral evidence about the contents of digital records.
Forensic Nuance | Limited focus on expert roles. | Expanded role for the Examiner of Electronic Evidence (S. 79A IT Act).
Certificate | Strict requirement for all copies. | Formally standardized in the Act's Schedule for uniformity.

Practical Action Steps

1.    For Lawyers/Investigators: Always ensure the Schedule Certificate is filled out at the exact time of data extraction, not months later.

2.    For Organizations: Maintain automated Audit Logs. Under BSA, a record produced by a business "in the ordinary course" carries higher presumptive weight.


 

 

HO–5: Cyber Crime Scene Do’s & Don’ts

When dealing with a cyber crime scene, the primary goal is Evidence Integrity. Digital evidence is "fragile"—it can be altered by simply turning a device on or off.

Under the BNSS and BSA, the following protocol ensures that evidence remains admissible in court.

I. The "First Responder" Checklist

DO’s (Protect & Preserve) | DON’Ts (Prevent Contamination)
Secure the Area: Restrict access to computers, routers, and mobile devices immediately. | Don’t Turn ON/OFF: If a computer is ON, leave it ON. If it is OFF, leave it OFF. Turning it on changes metadata/temp files.
Photograph Everything: Capture the screen (if on), the back of the CPU (cable connections), and the surrounding environment. | Don’t Browse Files: Never "take a look" at the files or folders. Opening a file changes the "Last Accessed" timestamp.
Isolate Connectivity: Put mobile phones in Faraday Bags (or Airplane Mode + Disable Wi-Fi/Bluetooth) to prevent remote wiping. | Don’t Plug in USBs: Never use your own thumb drive or mouse on the target system.
Document the State: Record if the device was hot to the touch, if lights were blinking, or if specific apps were open. | Don’t Trust the Suspect: Never let the suspect "shut down" or "log out" for you; they may trigger a "kill switch" or data wipe.

II. Technical Safeguards (Legal Compliance)

1.    Chain of Custody: Start a logbook immediately. Every person who touches the device must sign it. A break in this chain makes the evidence "inadmissible" under BSA Section 63.

2.    Seizure of Peripherals: Don’t just take the laptop. Take the charging cables, routers, and external hard drives. Power cables are often needed for forensic imaging.

3.    Video Record the Seizure: As per Section 105 of BNSS, the entire process of identifying and bagging the device must be videographed on-site.

III. Special Scenario: The "Live" System

If the computer is ON and Unlocked:

·         DO: Use a "Mouse Jiggler" or move the mouse slightly every few minutes to prevent the screen saver/lock from activating.

·         DO: Call a forensic expert to perform a RAM Dump (capturing volatile memory) before pulling the plug.

·         DON'T: Pull the power cord if the system is encrypting data (indicated by high disk activity), as this might lock the data forever.

IV. Packaging & Labeling

·         Use Anti-Static Bags: Pack hard drives and motherboards in anti-static packaging to prevent electrical damage.

·         Seal with Tamper-Evident Tape: Ensure the seal is signed by the IO and two independent witnesses as required by Indian law.

·         Labeling: Mark each item with a Unique Identification Number (UIN) that matches the Seizure Memo.

For reporting and official SOPs, refer to the National Cyber Crime Reporting Portal and the CERT-In (Indian Computer Emergency Response Team) guidelines.


 

 

HO–6: Hashing & Chain of Custody

In the context of the Bharatiya Nagarik Suraksha Sanhita (BNSS) and Bharatiya Sakshya Adhiniyam (BSA), HO–6 (Handout 6) typically refers to the standardized operating procedure for ensuring the integrity of digital evidence through Hashing and maintaining a strict Chain of Custody.

I. Hashing: The "Digital Fingerprint"

Hashing is the forensically proven procedure used to establish the integrity of seized electronic evidence. 

·         What to do: Compute and record the hash value (preferably SHA-256) for both the original seized device and any working copies created for analysis.

·         When to hash: Hashing must be performed immediately at the scene of the crime or upon first seizure to create a "baseline" for the data's state.

·         Legal Weight: Under BSA Section 63, hash value reports are now a codified requirement for the admissibility of electronic records. Any change to the record changes its "fingerprint," proving it has been tampered with. 

II. Chain of Custody: The Documentation Trail

Chain of Custody tracks the movement of evidence through its entire lifecycle, documenting every person who handled it. 

·         Mandatory Log: A Chain of Custody Register must be maintained and appended as part of the trial court record.

·         Key Data Points: The register must include:

o    Who: The identity of the person seizing, transferring, or analyzing the evidence.

o    When/Where: Precise dates, times, and locations of every transfer.

o    Why: The specific purpose for each hand-off (e.g., "transfer to Forensic Lab for imaging").

·         Sequence of Custody: Section 193(3) of the BNSS emphasizes documenting the sequence of custody to ensure authenticity. 

III. HO–6 Compliance Checklist

Action | Requirement under BSA/BNSS
Initial Hash | Record the unique MD5 or SHA-256 hash value in the Seizure Memo.
Verification | Compare hash values at each stage of the investigation to prove zero alteration.
AV Recording | Videograph the sealing and labeling of devices as per BNSS Section 105.
Signatures | Ensure every transfer in the log is countersigned by both the giver and receiver.

Failure to maintain this "paper trail" or provide hash reports can render the digital evidence inadmissible, as the court will not be able to verify its integrity. 

For official templates, investigators refer to the BPR&D Manual on Digital Evidence or the National Cyber Forensic Laboratory (NCFL) guidelines.
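The HO–6 checks above can be run mechanically over a custody register. The following is an added example, not part of the BPR&D or NCFL material: the field names, role names and sample entries are constructed for illustration, and the hash-chained seal over the register rows is an addition that goes beyond what the handout requires.

```python
import hashlib
import json
from dataclasses import astuple, dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    """One row of the Chain of Custody Register (field names are hypothetical)."""
    giver: str             # Who handed the item over
    receiver: str          # Who took custody
    when: datetime         # When the hand-off happened
    where: str             # Where it happened
    purpose: str           # Why, e.g. "transfer to Forensic Lab for imaging"
    sha256: str            # Hash recomputed at this hand-off
    giver_signed: bool     # Countersignature of the giver
    receiver_signed: bool  # Countersignature of the receiver


def audit_register(baseline_sha256, seizing_officer, transfers):
    """Return a list of findings; an empty list means the chain is unbroken."""
    findings = []
    holder, previous_time = seizing_officer, None
    for n, t in enumerate(transfers, start=1):
        # Sequence of custody: the giver must be whoever received the item last.
        if t.giver != holder:
            findings.append(f"entry {n}: custody gap, item was with {holder!r} "
                            f"but handed over by {t.giver!r}")
        if previous_time is not None and t.when < previous_time:
            findings.append(f"entry {n}: timestamp precedes the previous hand-off")
        if not (t.where.strip() and t.purpose.strip()):
            findings.append(f"entry {n}: location or purpose left blank")
        if not (t.giver_signed and t.receiver_signed):
            findings.append(f"entry {n}: missing countersignature")
        # Verification: the hash at every stage must equal the Seizure Memo value.
        if t.sha256.lower() != baseline_sha256.lower():
            findings.append(f"entry {n}: hash mismatch against Seizure Memo value")
        holder, previous_time = t.receiver, t.when
    return findings


def seal_register(transfers):
    """Hash-chain the rows so a later edit to any row changes every digest after it."""
    digest, chain = "0" * 64, []
    for t in transfers:
        row = json.dumps([digest, *astuple(t)], default=str)
        digest = hashlib.sha256(row.encode("utf-8")).hexdigest()
        chain.append(digest)
    return chain


# Constructed sample data: bytes standing in for a seized image, and two registers.
SEIZED = b"constructed bytes standing in for a seized storage image"
BASELINE = hashlib.sha256(SEIZED).hexdigest()          # value in the Seizure Memo
ALTERED = hashlib.sha256(SEIZED + b"\x00").hexdigest()  # one extra byte appended

GOOD = [
    Transfer("IO", "Malkhana in-charge", datetime(2026, 1, 10, 18, 30),
             "Police Station", "deposit after seizure", BASELINE, True, True),
    Transfer("Malkhana in-charge", "FSL examiner", datetime(2026, 1, 12, 10, 0),
             "Forensic Lab", "transfer to Forensic Lab for imaging", BASELINE, True, True),
    Transfer("FSL examiner", "Court", datetime(2026, 2, 2, 11, 15),
             "Trial Court", "production with FSL report", BASELINE, True, True),
]
BAD = [
    GOOD[0],
    # An undocumented courier appears as giver: the Malkhana hand-off is missing.
    Transfer("Courier", "FSL examiner", datetime(2026, 1, 12, 10, 0),
             "Forensic Lab", "transfer to Forensic Lab for imaging", BASELINE, True, True),
    # Hash no longer matches and the receiver never signed.
    Transfer("FSL examiner", "Court", datetime(2026, 2, 2, 11, 15),
             "Trial Court", "production with FSL report", ALTERED, True, False),
]

if __name__ == "__main__":
    print("intact register:", audit_register(BASELINE, "IO", GOOD))
    for finding in audit_register(BASELINE, "IO", BAD):
        print("finding:", finding)
    print("register seal:", seal_register(GOOD)[-1])
```
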


 

 

HO–7: Social Media & Cloud Evidence

HO–7 focuses on the identification, preservation, and collection of volatile data stored on remote servers (Social Media) and decentralized storage (Cloud), governed by Section 63 of the BSA, 2023 and Sections 69 & 94 of the BNSS, 2023.

1. Identification & Preservation

Since social media and cloud data can be deleted remotely by the suspect, immediate preservation is critical:

·         Preservation Request: Issue an immediate legal request to the Service Provider (SP) (e.g., Meta, Google, X) to "freeze" the account data. Under the IT (Intermediary Guidelines) Rules, intermediaries must preserve such data for 180 days (or more if ordered).

·         Public Data Capture: For public profiles, use forensic tools to capture "crawls" of the page. Simple screenshots are considered weak evidence unless they include metadata and a Section 63 BSA Certificate.

2. Legal Procedure for Collection

·         Notice to Intermediaries: Under Section 94 of the BNSS (successor to S. 91 CrPC), an Investigating Officer can issue a notice to a service provider to produce specific electronic records or metadata.

·         Cloud Forensics: If the device is seized "Live" and logged into a cloud account (Google Drive, iCloud, Dropbox):

o    DO: Disable "Sync" immediately to prevent remote wiping.

o    DO: Use forensic imaging tools to "pull" the cloud data rather than manual browsing.

3. Data Types to Collect

To build a "Cyber Typology" case, you must collect:

·         User Attributes: Name, Recovery Email, Linked Phone Number.

·         Log Data: Registration IP, Last Login IP, and MAC addresses of devices used.

·         Content Data: Messages, posts, and deleted media (retrievable only via court order/LLR to the SP).

4. Admissibility Checklist (BSA Compliance)

To ensure social media evidence stands in an Indian court:

·         The "Source" Rule: Data must be traced back to the original server logs of the Service Provider.

·         Certificate of Authenticity: Every printout or digital copy of a social media post must be accompanied by a Section 63 BSA Certificate signed by the person who retrieved it.

·         Hash of the Download: If data is downloaded from the cloud (e.g., via Google Takeout), the Hash Value of the resulting .zip file must be recorded in the case diary.

5. International Requests (MLAT)

If the data is stored on servers outside India (e.g., USA):

·         Letter Rogatory (LR) or a request under the Mutual Legal Assistance Treaty (MLAT) is required for "Content Data."

·         For "Non-Content Data" (IP logs), many US-based companies respond to direct requests from verified law enforcement emails under the US CLOUD Act.

Pro Tip: Use the National Cyber Crime Reporting Portal (NCRRP) tools for standardized templates when communicating with Social Media Intermediaries.


 

 

HO–8: Common Investigation Errors

In the context of Indian cyber law and the BNSS/BSA framework, HO–8 serves as a cautionary guide for Investigating Officers (IOs). Even with strong evidence, procedural lapses can lead to the "fruit of the poisonous tree," making evidence inadmissible.

HO–8: Common Investigation Errors Checklist

1. Procedural Lapses (BNSS Violations)

·         Failure to Videograph: Neglecting to record the search and seizure on audio-video means as mandated by Section 105 of BNSS. This is now a fatal flaw in the prosecution's case.

·         Missing Independent Witnesses: Conducting a search without two independent local witnesses or failing to record their statements/signatures on the Seizure Memo.

·         Delayed Forwarding: Failing to send the recorded search footage and the seizure report to the Magistrate within the 48-hour window (S. 185 BNSS).

2. Technical Errors (Evidence Integrity)

·         The "Power Cycle" Mistake: Turning a computer ON to "check" for evidence or turning a "Live" system OFF without capturing volatile RAM. This destroys temporary logs and alters file metadata (Last Accessed/Modified dates).

·         Lack of Write-Blockers: Connecting a seized hard drive directly to an investigation laptop without a Write-Blocker. This allows the OS to write hidden system files to the evidence, altering its Hash Value.

·         Remote Wiping: Failing to place mobile phones in Faraday Bags or Airplane Mode, allowing suspects to remotely wipe the device via iCloud or Google "Find My Device."

3. Legal/Admissibility Errors (BSA Violations)

·         Missing Section 63 Certificate: Submitting digital printouts, CDs, or pen drive copies in court without the mandatory Certificate under Section 63 of BSA. Without this, the evidence is legally "invisible."

·         Broken Chain of Custody: Gaps in the "logbook" where the movement of the device (from Police Station to FSL to Court) is not documented.

·         Hash Inconsistency: Recording the Hash Value at the scene but failing to verify it at the Forensic Lab. If the hashes don't match, the evidence is considered tampered with.

4. Analytical Overlook

·         Ignoring Metadata: Focusing only on the content (the photo/text) and ignoring the metadata (GPS coordinates, timestamps, and device serial numbers) which proves "authorship."

·         Incomplete Mirroring: Taking a "logical copy" (visible files only) instead of a "bit-stream image" (which includes deleted files and unallocated space).

Summary Table: The "Fatal Four"

Error Type | Consequence
No Videography | Violation of S. 105 BNSS; Search may be declared illegal.
No S. 63 Certificate | Evidence becomes inadmissible under BSA.
No Faraday Bag | Data may be remotely deleted/altered.
Hash Mismatch | Defense can claim evidence tampering.

For official training modules on avoiding these errors, investigators should consult the BPR&D Digital Investigation Manual and the CDTI (Central Detective Training Institute) curriculum.


 

 

Section–2: Checklists

·         Cyber Crime Investigation Checklist

 

According to the BPR&D Digital Investigation Guidelines and training manuals, the Cyber Crime Investigation Checklist is divided into four critical phases of the investigative lifecycle:

1. Preparation Stage (Pre-Search)

·         Case Briefing: Review the FIR and initial complaint details to identify the scope of digital evidence.

·         Kit Readiness: Ensure the "First Responder Kit" is complete, including anti-static bags, Faraday bags, write-blockers, and imaging software.

·         Search Authorization: Verify and carry valid search warrants or document "grounds of belief" as per Section 185 of BNSS.

2. Crime Scene Activities (On-Site)

·         Cordoning & Security: Secure the area immediately to prevent unauthorized access or physical tampering.

·         Documentation: Videograph and photograph the entire scene before touching any device.

·         Connectivity Check: Check for active network connections, Wi-Fi, or Bluetooth. Place mobile devices in Faraday bags immediately to prevent remote wiping.

·         Volatile Data Capture: If the system is ON, capture live RAM and volatile memory before power-down. 

3. Evidence Collection & Seizure

·         Imaging: Use write-blockers to create a bit-stream forensic image (not a simple copy) of all storage media.

·         Hashing: Generate and record the MD5/SHA-256 hash value of the original device and the image simultaneously to prove integrity.

·         Seizure Memo: Prepare a detailed inventory including serial numbers and make/model. Obtain signatures from at least two independent witnesses.

·         Electronic Record Certificate: Prepare the mandatory certificate under Section 63 of BSA (formerly S. 65B of the Indian Evidence Act) for any digital records collected.

4. Post-Seizure & Analysis

·         Chain of Custody: Maintain an unbroken logbook of everyone who handles the evidence from the scene to the Forensic Lab (FSL).

·         Analysis: Perform technical analysis using forensic tools (e.g., Autopsy, X-Ways) to retrieve deleted files, browser history, and metadata.

·         Reporting: Forward all recordings and the seizure memo to the Magistrate within 48 hours as per BNSS requirements. 

For specialized crimes, refer to the BPR&D SOP on Cryptocurrency Investigation or the Social Media Intelligence (SOCMINT) Manual.


 

 

·         Digital Evidence Handling Checklist

Based on the BPR&D Digital Investigation Manual, the following checklist ensures digital evidence remains forensically sound and legally admissible under the BSA (Bharatiya Sakshya Adhiniyam) and BNSS (Bharatiya Nagarik Suraksha Sanhita).

1. On-Site Identification & Documentation

·         Videography: Record the entire process from entry to seizure (Mandatory under S. 105 BNSS).

·         State Capture: Photograph the device screen, port connections, and peripheral devices (routers, cables).

·         Identify Connectivity: Check for active Wi-Fi, VPNs, or Bluetooth. If mobile, place in a Faraday Bag immediately to prevent remote wiping.

2. Forensic Acquisition (The "Golden Rules")

·         Write-Blocking: Always use a hardware/software write-blocker before connecting a seized device to an investigation machine.

·         Bit-Stream Imaging: Create a mirror image (Physical Copy) of the storage media. Never "Copy-Paste" files.

·         Volatile Data (RAM): If the system is ON, capture the RAM (Random Access Memory) before shutting down to preserve login sessions and encryption keys.

3. Verification & Hashing

·         Generate Hash: Calculate the MD5, SHA-1, or SHA-256 hash value for both the original and the forensic image.

·         Validation: Ensure the "Source Hash" matches the "Destination Hash."

·         Record-Keeping: Document these hash values immediately in the Seizure Memo and the Case Diary.

4. Packaging & Transportation

·         Anti-Static Protection: Use anti-static bags for internal components (Hard drives, RAM sticks).

·         Labeling: Attach unique tags with FIR No., Item No., Date, and IO Signatures.

·         Tamper-Evident Seals: Seal all ports (USB, LAN) with tamper-evident tape signed by witnesses.

5. Legal Compliance & Chain of Custody

·         Section 63 BSA Certificate: Prepare the certificate for all electronic records retrieved (replaces old S. 65B).

·         Chain of Custody Log: Record every hand-off (e.g., IO to Malkhana, Malkhana to FSL) with precise timestamps.

·         Witness Signatures: Ensure two independent witnesses sign the seizure list and the labels on the devices.

6. Post-Seizure Timelines

·         Magistrate Reporting: Forward the search/seizure recordings to the Magistrate within 48 hours (as per S. 185 BNSS).

For specialized scenarios like Mobile Forensics or Cloud Evidence, refer to the BPR&D SOP for Social Media Investigation or the National Cyber Forensic Lab (NCFL) guidelines.
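Steps 2 and 3 of the checklist above (bit-stream imaging, then matching the "Source Hash" against the "Destination Hash") can be illustrated as follows. This is an added example, not code from the BPR&D manual: the file names and sample bytes are constructed, and opening the source read-only in software is an assumption for the demonstration, not a substitute for a write-blocker.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 (preferred here over MD5, which has known collisions)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the source byte for byte, hashing the source stream while it is written.

    The image is then re-read from disk, so the destination hash reflects what
    was actually stored rather than what was held in memory.
    """
    source_digest = hashlib.sha256()
    size = 0
    # "xb" refuses to overwrite an existing image file.
    with open(source_path, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_digest.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image_path, 0o444)  # mark the master image read-only
    source_hash = source_digest.hexdigest()
    destination_hash = sha256_file(image_path)
    return {
        "bytes": size,
        "source_sha256": source_hash,
        "destination_sha256": destination_hash,
        "match": source_hash == destination_hash,
    }


def verify_copy(path, recorded_sha256):
    """Re-hash a working copy and compare it with the value in the Seizure Memo."""
    return sha256_file(path) == recorded_sha256.lower()


def demo():
    """Image a constructed 'device', then show that a one-bit change is detected."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source.bin")      # stands in for the seized media
        image = os.path.join(work, "image.dd")         # master forensic image
        copy = os.path.join(work, "working_copy.dd")   # copy used for analysis
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 8192 + b"constructed tail")
        report = acquire_image(source, image)

        shutil.copyfile(image, copy)
        intact = verify_copy(copy, report["source_sha256"])

        # Flip a single bit in the working copy, as an accidental write would.
        with open(copy, "r+b") as f:
            f.seek(1_000_000)
            original = f.read(1)
            f.seek(1_000_000)
            f.write(bytes([original[0] ^ 0x01]))
        altered = verify_copy(copy, report["source_sha256"])

        try:
            acquire_image(source, image)   # a second run must not replace the master
            overwrote = True
        except FileExistsError:
            overwrote = False
        return report, intact, altered, overwrote


if __name__ == "__main__":
    report, intact, altered, overwrote = demo()
    print(report)
    print("working copy verified before change:", intact)
    print("working copy verified after one-bit change:", altered)
    print("master image overwritten on second run:", overwrote)
```
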


 

 

Section–3: Case Studies

·         Selected Indian Cyber Crime Judgments

Indian cyber crime jurisprudence has evolved significantly, balancing state security, technological necessity, and fundamental rights. The transition from the Information Technology (IT) Act, 2000 to the Bharatiya Nyaya Sanhita (BNS) and Bharatiya Sakshya Adhiniyam (BSA) marks a "digital-first" judicial era. 

1. Fundamental Rights & Digital Expression

·         Shreya Singhal v. Union of India (2015): The Supreme Court struck down Section 66A of the IT Act, which criminalized "offensive" online messages. The court ruled that the section was unconstitutionally vague and created a "chilling effect" on free speech.

·         Justice K.S. Puttaswamy v. Union of India (2017): Established the Right to Privacy as a fundamental right under Article 21. This judgment mandates that any state interference (like surveillance or data interception) must meet the three-fold test of Legality, Legitimate State Purpose, and Proportionality.

2. Admissibility of Electronic Evidence

The judiciary has established strict protocols to prevent tampering with "fragile" digital data. 

·         Anvar P.V. v. P.K. Basheer (2014): A landmark ruling that made the Section 65B Certificate mandatory for admitting electronic records (like CDs or emails) as secondary evidence. It established that oral testimony cannot replace this technical certification.

·         Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020): Reaffirmed the Anvar ruling but added a critical exception: if the original device (e.g., the actual phone or laptop) is produced in court, no certificate is required. It also allowed courts to assist parties in obtaining certificates from third parties like telecom providers.

·         Transition to BSA (2023): Under Section 63 of the BSA, electronic records are now categorized similarly to paper documents, but the requirement for a digital certificate (now a bifurcated mandate for the person in charge and an expert) remains a "condition precedent" for admissibility. 

3. Cyber Fraud & Crimes Against Persons

·         State of Tamil Nadu v. Suhas Katti (2004): India’s first cybercrime conviction. The accused was sentenced for posting obscene messages about a woman on Yahoo Groups, establishing that the IT Act and IPC can be applied concurrently for harassment.

·         NASSCOM v. Ajay Sood & Others (2005): The Delhi High Court recognized phishing as an illegal act, treating it as "passing off" and allowing for the recovery of damages even in the absence of specific prior legislation.

·         Sony Sambandh Case (2003): The first conviction for online cheating. An individual misused an American credit card to order products; the court used digital photographs taken at the time of delivery as key evidence. 

4. Recent Judicial Trends (2025 onwards)

·         Strict Bail Standards: Recent rulings from the Punjab & Haryana High Court (e.g., August 2025) emphasize that digital crimes pose a significant threat to national infrastructure, often necessitating the denial of bail to prevent evidence destruction or repeat offenses.

·         Deepfakes and AI: Courts are increasingly cautious of "synthetic content," stressing the importance of Hash Value Protocols to verify that digital evidence has not been altered by AI tools. 

Key Reference Table

Case Name | Year | Core Principle
Shreya Singhal | 2015 | Struck down S. 66A; Protected online free speech.
Puttaswamy | 2017 | Privacy is a Fundamental Right; Limits surveillance.
Arjun Panditrao | 2020 | Certificates mandatory for copies; Originals don't need them.
Suhas Katti | 2004 | First conviction; Cyber harassment carries jail time.
Anvar P.V. | 2014 | Electronic evidence requires a S. 65B(4) Certificate.


 

 

Section–4: Exercises

·         Drafting FIR & Seizure Memo

·         Evidence Admissibility Exercise

·         MCQs (Model Set)


 

Section–5: Appendices CDTI

·         Registration Form

·         Pre/Post Course Assessment

·         Feedback Form

·         Model MCQs

 
