Cyber Security Unit-5 Notes


Unit – 5

INTRODUCTION TO SECURITY POLICIES AND CYBER LAWS: Need for An Information Security Policy,
Introduction to Indian Cyber Law, Objective and Scope of the Digital Personal Data Protection
Act 2023, Intellectual Property Issues, Overview of Intellectual Property Related Legislation
in India, Patent, Copyright, Trademarks.

Need for An Information Security Policy :-

An information security policy is an aggregate of directives, regulations, rules, and practices that
prescribes how an organization manages, protects, and distributes information.

What is an Information Security Policy?

Since organizations have different structures and requirements, IT departments should create an
information security policy that is optimal for operational teams and users. The policy should
also provide the guidance required to comply with regulatory requirements—corporate, industry,
and government.

An information security policy should clearly define the organization’s overall cybersecurity
program’s objectives, scope, and goals. This creates a solid foundation for the policy and
provides context to the specific rules that employees must follow.

While there are common elements across information security policies, each policy should
reflect consideration of the unique operational aspects and specific threats related to an industry,
region, or organizational model that can put IT resources and data at risk. For example:

Industry:
• Healthcare-related organizations must meet strict Protected Health Information (PHI) data
protection standards set forth by HIPAA.
• Manufacturing companies have to protect and monitor remote internet of things (IoT) devices.
• Life sciences organizations must meet strict requirements related to electronic documents and
signatures.

Region:
• Local regulations
• Adverse weather conditions—e.g., hurricanes, tornadoes
• Physical threats related to conflict

Organizational model:
• Remote offices
• Field staff
• Contract workforce

The Importance of an Information Security Policy :-

An information security policy helps everyone in the organization understand the value of the
security measures that IT institutes, as well as the direction needed to adhere to the rules. It also
articulates the strategies in place and steps to be taken to reduce vulnerability, monitor for
incidents, and address security threats.

An information security policy provides clear direction on procedure in the event of a
security breach or disaster.

Important outcomes of an information security policy include:

Facilitates the confidentiality, integrity, and availability of data


A robust policy standardizes processes and rules to help organizations protect against threats to
data confidentiality, integrity, and availability.

Reduces the risk of security incidents

An information security policy outlines procedures for identifying, assessing, and mitigating
security vulnerabilities and risks. It also explains how to quickly respond to minimize damage in
the event of a security incident.

Executes security programs across an organization

To ensure successful execution, a security program needs an information security policy to
provide the framework for operationalizing procedures.

Provides clear statement of security policy to third parties :-

The policy summarizes the organization’s security posture and details how it protects IT assets
and resources. It allows organizations to quickly respond to third-party (e.g., customers’,
partners’, auditors’) requests for this information.

Helps to address regulatory compliance requirements :-


The process of developing an information security policy helps organizations identify gaps in
security protocols relative to regulatory requirements.

11 Elements of an Information Security Policy :-

An information security policy should be comprehensive enough to address all
security considerations. It must also be accessible; everyone in the organization must
be able to understand it.

A robust information security policy includes the following key elements:

1. Purpose

2. Scope

3. Timeline

4. Authority

5. Information security objectives

6. Compliance requirements

7. Body—to detail security procedures, processes, and controls in the following areas:

• Acceptable usage policy
• Antivirus management
• Backup and disaster recovery
• Change management
• Cryptography usage
• Data and asset classification
• Data retention
• Data support and operations
• Data usage
• Email protection policies
• Identity and access management
• Incident response
• Insider Threat Protection
• Internet usage restrictions
• Mobile device policy
• Network security
• Password and credential protocols
• Patch management
• Personnel security
• Physical and environmental security
• Ransomware detection
• System update schedule
• Wireless network and guest access policy

8. Enforcement

9. User training

10. Contacts

11. Version history

Introduction to Indian Cyber Law

What is Cyber Law?


Cyber law is an integral part of the legal system. It deals with the legal issues of cyberspace.
Cyber law is also referred to as the Law of the Internet. These cyber laws help businesses prevent
identity and data theft, privacy violation and fraud. The Information Technology Act of 2000, as
per the Indian Penal Code, addresses cyber law and includes laws related to e-commerce,
e-contracts, digital signatures, intellectual property rights, and cyber security.

Cyber law is referred to as the Law of the Internet or Digital Law and applies to the
various categories of cyber-crimes, such as –

Crimes against People – Cyber harassment and stalking, sending offensive and sensitive
material, credit card fraud, spoofing, identity theft, online slandering, etc., are examples of
crimes against people.

Crimes against Property – Unrecognized and unapproved intrusion through cyberspace,
computer vandalism, the transmission of viruses in any network/system, copyright infringement,
IPR violations, and unauthorized possession of sensitive data are examples of crimes against
property.

Crimes against Government – Crimes against the Government are considered an attack on that
nation's sovereignty, which may often lead to a state of war. This category is the most crucial of
all. It includes crimes like hacking government websites, accessing confidential information,
cyber warfare and terrorism, introducing viruses and using pirated software, etc.

Major Cyber Crimes

Here are the top cyber crimes that are common globally.

Phishing Scams

The term "phishing" means a fraudulent attempt to acquire information such as usernames,
passwords, home addresses, credit card details, or even social security numbers by posing as a
trusted entity in an electronic communication.

Phishing is usually carried out through email spoofing or instant messaging and can direct
users to enter their financial or sensitive details on a fake website.

Identity Theft Scams

Cybercriminals can do all sorts of things with personal identity, including making purchases in
your name, easily accessing your credit card, stealing users' hard-earned savings, exfiltrating
bank account information, and more.

These cyber criminals use this information for any criminal purpose. To avoid this, you should
not divulge too much information on social networks and other websites.

Denial of Service Attack

The Denial of Service or DoS attack is a cyber attack that temporarily slows down the function
of web applications instead of stealing information.

Attackers carry out this attack by generating huge volumes of traffic with specialized bots, so
that legitimate users cannot easily access the website.

Cyberstalking

Cyberstalking means using electronic communications, including the Internet, to stalk, hurt,
harass, or intimidate a person or group of people by sending them threatening emails.

Invasion of Privacy

Invasion of privacy means the act of interfering with the personal life of an individual. It
includes hacking into your PC, reading emails or monitoring online activities. Most of these
crimes are punishable by law. If you come across any threat, you can contact the police and also
file a complaint against the offender.

Main Types of Regulations Covered by Cyber Law

India's cyber law, the Information Technology Act of 2000, covers many regulations to address
cybercrime and protect digital assets. Here are the main types of regulations covered by cyber
law in India:

Cybercrime

Cyber law in India defines and penalizes various types of cybercrimes, such as hacking,
cyberstalking, identity theft, phishing, and cyberterrorism. Consumers trust cyber laws to protect
them from online fraud. These laws are in place to prevent identity theft, credit card theft, and
other online financial crimes. A person guilty of identity theft may face federal or state criminal
charges.

Why is Cyber Law Needed?

Cyber laws exist to protect people from online fraud. They prevent online crimes, including
credit card and identity theft. A person who commits such thefts stands to face criminal charges.

Cyberspace is highly sophisticated, develops every day, and has become commonplace. Thus,
the increase in cyber crimes is inevitable. As of 2022, the approximate number of internet users
worldwide was 5.3 billion, up from 4.9 billion in 2021. Given this rapid increase in the use of
cyberspace, the implementation and use of strict cyber rules help establish a safe environment for
users.

With more and more transactions being conducted online, it is imperative to have legal
frameworks to regulate these transactions and protect the interests of the parties involved.

Advantages of Cyber Law

Some of the advantages of cyber law are listed below:

• Cyber law protects individuals and businesses from various cybercrimes, such as
hacking, identity theft, online fraud, and cyberbullying.
• Cyber law mandates the protection of personal information and data privacy, ensuring
that internet users have control over their personal information and that organizations
take adequate measures to protect such information.
• Cyber law provides a legal framework for e-commerce transactions and helps establish
trust between parties by providing a secure and reliable platform for online transactions.
• These laws effectively regulate internet-related activities, including online transactions,
intellectual property rights, and content regulation.
• Cyber laws encourage innovation by protecting intellectual property rights, promoting
technological research and development, and enabling the creation of new digital
products and services.

Emerging Trends in Cyber Law

As technology advances, cyber law also needs to evolve constantly. Some emerging trends in
cyber law include:

• Data protection laws: Increased data breaches pose the need for strengthening data
protection laws to protect internet users' personal information.
• Artificial Intelligence and Machine Learning: AI can optimize data breaches and
interpret emerging security threats through machine learning techniques. In the future, we
will see more and more use of AI and ML to determine vulnerable information and
information systems, recognize connections between threats, and locate profiles of
cybercriminals.
• Internet of Things (IoT): Blockchain data encryption ensures that the data is not
accessible by unauthorized parties while flowing through untrusted networks. As more
devices become connected to the internet, there is a need for laws and regulations to
address issues such as data privacy, security, and liability.
• Blockchain technology: The use of blockchain technology is increasing in various
industries, and laws and regulations are needed to govern its use, particularly in data
privacy and security areas.

Cyber law, also called IT law, is the law regarding information technology, including
computers and the internet. It is related to legal informatics and supervises the digital
circulation of information, software, information security, and e-commerce.

IT law does not constitute a separate area of law; rather, it encompasses aspects of contract,
intellectual property, privacy, and data protection laws. Intellectual property is a key element
of IT law. The area of software licensing is controversial and still evolving in Europe and
elsewhere.

According to the Ministry of Electronics and Information Technology, Government of
India:

Cyber Laws yield legal recognition to electronic documents and a structure to support
e-filing and e-commerce transactions, and also provide a legal structure to reduce and
check cyber crimes.

Importance of Cyber Law:
1. It covers all transactions over the internet.
2. It keeps an eye on all activities over the internet.
3. It touches every action and every reaction in cyberspace.

Area of Cyber Law:

Cyber laws serve different purposes. Some laws create rules for how individuals and
companies may use computers and the internet, while some laws protect people from becoming
the victims of crime through unscrupulous activities on the internet. The major areas of cyber
law include:

1. Fraud:
Consumers depend on cyber laws to protect them from online fraud. Laws are made to
prevent identity theft, credit card theft, and other financial crimes that happen online. A
person who commits identity theft may face federal or state criminal charges. They
might also encounter a civil action brought by a victim. Cyber lawyers work both to defend
against and to prosecute allegations of fraud using the internet.

2. Copyright:
The internet has made copyright violations easier. In the early days of online
communication, copyright violations were too easy. Both companies and individuals need
lawyers to bring actions to enforce copyright protections. Copyright violation is an area of
cyber law that protects the rights of individuals and companies to profit from their creative
works.

3. Defamation:
Many people use the internet to speak their minds. When people use the internet to say
things that are not true, it can cross the line into defamation. Defamation laws are civil laws
that protect individuals from false public statements that can harm a business or someone’s
reputation. When people use the internet to make statements that violate civil laws, that
falls under defamation law.

4. Harassment and Stalking:
Sometimes online statements can violate criminal laws that forbid harassment and stalking.
When a person repeatedly makes threatening statements about someone else online,
there is a violation of both civil and criminal laws. Cyber lawyers both prosecute and
defend people when stalking occurs using the internet and other forms of electronic
communication.

5. Freedom of Speech:
Freedom of speech is an important area of cyber law. Even though cyber laws forbid certain
behaviors online, freedom of speech laws also allow people to speak their minds. Cyber
lawyers must advise their clients on the limits of free speech, including laws that prohibit
obscenity. Cyber lawyers may also defend their clients when there is a debate about
whether their actions consist of permissible free speech.

6. Trade Secrets:
Companies doing business online often depend on cyber laws to protect their trade secrets.
For example, Google and other online search engines spend lots of time developing the
algorithms that produce search results. They also spend a great deal of time developing
other features like maps, intelligent assistance, and flight search services, to name a few.
Cyber laws help these companies to take legal action as necessary to protect their trade
secrets.

7. Contracts and Employment Law:
Every time you click a button that says you agree to the terms and conditions of using a
website, you have used cyber law. There are terms and conditions for every website that are
somehow related to privacy concerns.

Advantages of Cyber Law:

• Organizations are now able to carry out e-commerce using the legal infrastructure provided
by the Act.
• Digital signatures have been given legal validity and sanction in the Act.
• It has opened the doors for the entry of corporate companies for issuing Digital Signature
Certificates in the business of being Certifying Authorities.
• It allows the Government to issue notifications on the web, thus heralding e-governance.
• It gives authority to companies or organizations to file any form, application, or any
other document with any office, authority, body, or agency owned or controlled by the
suitable Government in e-form, using such e-form as may be prescribed by the suitable
Government.
• The IT Act also addresses the important issues of security, which are so critical to the
success of electronic transactions.
• Cyber Law provides both hardware and software security.

Objective and Scope of the Digital Personal Data Protection Act 2023 :-

What is the India Digital Personal Data Protection Act (DPDPA) 2023?

The India Digital Personal Data Protection Act 2023 (DPDPA) is a landmark legislation
that aims to safeguard the privacy of individuals in the digital age. The Act came into
effect on September 1, 2023, and it applies to all organizations that process personal
data of individuals in India.

What is personal data?

Personal data is defined under the DPDPA as "any data that relates to a natural person
who can be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, or an online identifier." This broad
definition encompasses a wide range of information, including but not limited to:

• Name, address, and contact information
• Date of birth and gender
• Financial information, such as bank account numbers and credit card details
• Online browsing history and search queries
• Social media posts and messages
• Location data, such as GPS coordinates

What data is protected by the DPDPA?

The DPDPA protects personal data that is processed in India, regardless of whether the
data was originally collected in India or elsewhere. The Act also applies to the processing
of personal data of Indian citizens, even if the data is processed outside of India.

The DPDPA does not apply to personal data that is:

• Processed for law enforcement or national security purposes
• Processed for the purpose of journalism or artistic expression
• Processed for personal or family purposes

Key principles of the DPDPA

The DPDPA is based on six key principles:

1. Lawfulness: Personal data must be processed lawfully, fairly, and transparently.
2. Purpose Limitation: Personal data must be collected for specified, explicit, and
legitimate purposes and not further processed in a manner that is incompatible with those
purposes.
3. Data Minimization: Personal data must be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed.
4. Accuracy: Personal data must be accurate and, where necessary, kept up to date.
5. Storage Limitation: Personal data must be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data
are processed.
6. Integrity and Confidentiality: Personal data must be processed in a manner that ensures
appropriate security of the personal data, including protection against unauthorized or
unlawful processing and against accidental loss, destruction, or damage, using appropriate
technical or organizational measures.

Rights of data principals

The DPDPA grants individuals several rights with respect to their personal data,
including:

• The right to access their personal data
• The right to rectification of inaccurate personal data
• The right to erasure of their personal data
• The right to restrict the processing of their personal data
• The right to data portability
• The right to object to the processing of their personal data

Enforcement of the DPDPA

The DPDPA is enforced by the Data Protection Authority of India (DPA), which is an
independent body responsible for overseeing the implementation of the Act. The DPA has
the power to investigate complaints, issue fines, and order organizations to comply with
the Act.

Final thoughts

The DPDPA is a significant piece of legislation that will have a profound impact on the
way that organizations collect, use, and share personal data in India. The Act provides
individuals with greater control over their personal data and imposes stricter obligations
on organizations that process personal data. Organizations that are subject to the DPDPA
should take steps to ensure that they are in compliance with the Act.

Intellectual Property Issues :-

Intellectual Property Rights: Definition and Examples

Do you want to work on mechanical or software patents? Litigate rights in music or art? Or
counsel corporate clients on how to license their content while protecting it? The intellectual
property rights field is diverse, with many lucrative sectors.

Explore the definition and examples of intellectual property law while discovering the various
roles of IP lawyers.

What is the Definition of Intellectual Property Rights?

The definition of intellectual property rights is any and all rights associated with intangible assets
owned by a person or company and protected against use without consent. Intangible assets refer
to non-physical property, including right of ownership in intellectual property. Examples of
intellectual property rights include:

• Patents
• Domain names
• Industrial design
• Confidential information
• Inventions
• Moral rights
• Database rights
• Works of authorship
• Service marks
• Logos
• Trademarks
• Design rights
• Business or trade names
• Commercial secrets
• Computer software

What Are the Types of Intellectual Property?

There are four main types of intellectual property rights, including patents, trademarks,
copyrights, and trade secrets. Owners of intellectual property frequently use more than one of
these types of intellectual property law to protect the same intangible assets. For instance,
trademark law protects a product’s name, whereas copyright law covers its tagline.

1. Patents

The U.S. Patent and Trademark Office grants property rights to original inventions, from
processes to machines. Patent law protects inventions from use by others and gives exclusive
rights to one or more inventors. Technology companies commonly use patents, as seen in
the patent for the first computer, to protect their investment in creating new and innovative
products. The three types of patents consist of:

• Design patents: Protection for the aesthetics of a device or invention. Ornamental design patents
include a product’s shape (Coca-Cola bottle), emojis, fonts, or any other distinct visual traits.
• Plant patents: Safeguards for new varieties of plants. An example of a plant patent is pest-free
versions of fruit trees. But inventors may also want a design patent if the tree has unique visual
properties.
• Utility patents: Protection for a product that serves a practical purpose and is useful. IP
examples include vehicle safety systems, software, and pharmaceuticals. This was the first, and
is still the largest, area of patent law.

2. Trademarks

Trademarks protect logos, sounds, words, colors, or symbols used by a company to distinguish
its service or product. Trademark examples include the Twitter logo, McDonald’s golden arches,
and the font used by Dunkin.

Although patents protect one product, trademarks may cover a group of products. The Lanham
Act, also called the Trademark Act of 1946, governs trademarks, infringement, and service
marks.

3. Copyrights

Copyright law protects the rights of the original creator of original works of intellectual property.
Unlike patents, copyrights must be tangible. For instance, you can’t copyright an idea. But you
can write down an original speech, poem, or song and get a copyright.

Once someone creates an original work of authorship (OWA), the author automatically owns the
copyright. But, registering with the U.S. Copyright Office gives owners a head-start in the legal
system.

4. Trade Secrets

Trade secrets are a company’s intellectual property that isn’t public, has economic value, and
carries information. They may be a formula, recipe, or process used to gain a competitive
advantage.

To qualify as a trade secret, companies must work to protect proprietary information actively.
Once the information is public knowledge, then it’s no longer protected under trade secrets laws.
According to 18 USC § 1839(3), assets may be tangible or intangible, and a trade secret can
involve information that’s:

• Business
• Financial
• Technical
• Economic
• Scientific
• Engineering

Two well-known examples include the recipe for Coca-Cola and Google’s search algorithm.
Although a patent is public, trade secrets remain unavailable to anyone but the owner.

What Are Some Examples of Violations of Intellectual Property?

The significant violations of intellectual property consist of infringement, counterfeiting, and
misappropriation of trade secrets. Violations of intellectual property include:

• Creating a logo or name meant to confuse buyers into thinking they’re buying the original brand
• Recording video or music without authorization or copying copyrighted materials (yes, even on a
photocopier, for private use)
• Copying another person’s patent and marketing it as a new patent
• Manufacturing patented goods without a license to do so

Since intellectual property can be bought, sold, or leased out, it offers many protections equal to
real property ownership. Likewise, similar remedies exist. A dispute may end with property
confiscation, an order of monetary damages, or cease and desist orders.

What Does an Intellectual Property Lawyer Do?

Like many areas of law, intellectual property attorneys’ responsibilities differ according to their
niche. Lawyers may cover licensing, acquisitions, or creation. Some create and oversee strategies
to protect intellectual property internationally and domestically. However, there are three main
components of IP law: counseling, protection, and enforcement.

1. Client Counseling

Lawyers who counsel clients find the best way to guard intellectual property and help their
clients license and use it. For example, executives enlist attorneys to research the availability of
trademarks. If a similar mark already exists, lawyers help leaders determine whether to alter their
design or drop it altogether.

In the field of patent counseling, attorneys with a technical background assess the client’s patent
to determine the possibility of patent infringement and its validity. Patent lawyers usually must
have a background in science, including an undergraduate degree in a scientific field, to qualify.

2. Intellectual Property Protection

Lawyers involved in the protection of intellectual property complete the processes associated
with securing the highest available rights. Doing so involves preparing and transmitting an
application with the U.S. Patent and Trademark Office (PTO). Attorneys will also respond to
issues or requests by the agency until the patent or trademark clears and is issued.

3. Enforcement of Intellectual Property Rights

Lawyers who enforce intellectual property rights do so by guarding the owner against
infringement. Litigation against violators in federal court includes criminal prosecution and
enforcement for intellectual property rights. International enforcement is much more complicated
and can involve local politics in the country where the infringement occurred.

What Skills Help Intellectual Property Lawyers?

Law firms hire attorneys for work in the licensing, trademark, and copyright fields if they have a
science or litigation background. There are rarely separate departments for each area at firms.
However, patent attorneys may also complete copyright and trademark work related to their field
of specialty. The most desired skills in intellectual property law include:

• Well-versed in business transactions
• Ability to work alongside other legal representatives
• Strong written and oral communication skills
• Negotiation capabilities
• An understanding of international and domestic considerations
• Lateral thinking skills
• Attention to detail

Does a Patent Attorney Require Different Skills?

Typically, firms look for patent lawyers with a technical undergraduate degree. Patent litigators
don’t have any special requirements, whereas patent prosecutors need to pass the U.S. Patent and
Trademark Office’s Patent Bar Exam.

Patent litigators oversee disputes, develop enforcement strategies, and defend companies accused
of patent violations. Patent prosecutors establish patent rights by advising clients, drafting
applications, and creating protection strategies.

However, patent prosecutors must fully understand how an invention works, differs from others,
and is original, and argue these points. Lawyers in patent law do well with a bachelor’s degree in
engineering or science fields, such as:

• Physics
• Life sciences
• Material science
• Medical devices
• Electrical engineering
• Pharmaceutical and chemistry
• Mechanical engineering
• Computer science
