top of page

Cyber Laws in India: Understanding Online Security and Data Privacy

Updated: Apr 23

Cyber law governs the internet, computer systems, and related technology, covering contract, privacy, and intellectual property laws. It recognises e-documents, facilitating electronic commerce, and addressing cybercrimes like identity theft and cyber terrorism. With the rise of internet usage and electronic commerce, stringent regulations are necessary to combat cybercrimes and ensure cybersecurity. What is Cybercrime ? Cybercrime encompasses various illicit activities conducted through computers, networked devices, or related technology. Perpetrators seek financial gain through tactics like ransomware, fraud, or unauthorized data access. Exploiting vulnerabilities in digital systems, cybercriminals disseminate illegal content, steal sensitive data, and engage in identity theft. This poses severe repercussions for individuals and organisations.

In India, cybercrime legislation is primarily governed by the Information Technology Act of 2000 and the Bharatiya Nyay Sanhita of 2023. The Information Technology Act addresses cybercrime and electronic commerce issues, with subsequent amendments refining definitions and penalties. Over the years, the Act has evolved to encompass a broad spectrum of cyber offenses, reflecting the dynamic nature of digital threats.

Types of Cyber Crimes:

Cybercrime takes many forms, each posing serious risks to individuals and society.

  • Child Sexual Abuse Material involves sharing explicit images of minors. 

  • Cyberbullying and cyberstalking use electronic platforms to harass victims, causing fear or shame. 

  • Cyber grooming manipulates teenagers online into sexual acts, while online job fraud preys on job seekers with false promises.

  • Online sextortion blackmails victims with threats to expose sensitive material unless they comply with demands. 

  • Phishing tricks people into revealing personal information through fake emails, while vishing and smishing use phone calls and texts to deceive and extract data. 

  • Credit card and debit card fraud involve unauthorized transactions, often from stolen card details obtained through data breaches. 

  • Impersonation and identity theft add to the risks, with criminals using stolen identifiers for financial crimes.

Prevention of Cyber Crimes

As per the International Maritime Organization (IMO), addressing cyber-attack risks involves several steps:

1. Define roles and responsibilities for cyber risk management.

2. Identify critical systems, assets, and data.

3. Implement risk-control processes and contingency plans to protect operations.

4. Develop measures for early detection of cyber-attacks.

5. Prepare plans to restore critical systems and ensure operational resilience.

6. Implement measures for backing up and restoring affected systems.

Importance of Cyber Crime Laws

  • Cyber laws aim to prosecute individuals engaging in illegal activities online, such as cyber abuse, website assaults, data theft, and workflow disruptions. 

  • Efforts are made to locate and prosecute offenders based on their involvement and location.

  • Prosecuting hackers is crucial as many cyber crimes don't fit traditional felony classifications. 

  • Cyber laws also address security concerns, aiming to protect businesses and users from unauthorized access and malicious attacks. 

Filing a cybercrime complaint in India

  • The first thing a victim of cybercrime must do is register a written complaint with any cybercrime cell across India. The Information Technology Act declares cybercrime a part of global jurisdiction so one can approach any cybercrime cell.

  • One can file a cyber crime complaint online at or offline. You can also call the dedicated cybercrime complaint number announced by the Ministry of Home Affairs at 155260 on a working day from 9:00 a.m. to 6:00 p.m.

  • The cybercrime application letter needs to be addressed to the Head of the Cybercrime cell and must clearly state details such as name, email I.D., address, and phone number.

  • Depending on the nature of the cybercrime, certain documents are required to file the complaint. This requirement varies based on the crime and acts as substantiating proof to support a case.

  • If your city does not have a cybercrime cell, then you can register an FIR at their local police station. If they do not accept the complaint, the Commissioner or the Judicial Magistrate of the city should be approached.

Steps to file the cyber crime complaint online:

If you decide to file a cyber crime complaint online, you can follow this:

  1. Go to the webpage- and click the ‘File a complaint’ button.

  2. After the terms and conditions on the next page are accepted, proceed to the ‘Report other cybercrime’ button.

  3. Select the ‘citizen login’ option and enter the important details.

  4. Enter the OTP, fill in the captcha and click the submit button.

  5. On the next page, enter details in the form. This section is divided into four parts, preview the information filled in and then submit it.

  6. You will then be directed to an incident details page. Mention the details and supporting evidence of the crime. Click on ‘Save and Next’.

  7. The next page requires information about the alleged suspect if you have any.

  8. Once you have filled in all details, verify it and click submit.

Top Cybersecurity Regulations in India: Efforts to combat cybercrime require a multifaceted approach, including legislative measures, law enforcement initiatives, and cybersecurity best practices. Collaborative efforts between government agencies, law enforcement bodies, and private sector stakeholders are essential to effectively address the evolving landscape of cyber threats and safeguard digital infrastructure. By staying vigilant and implementing robust security measures, individuals and organisations can mitigate the risks posed by cybercrime and protect themselves from its damaging effects. Below are the current legislations regarding cybersecurity used in India today:

1. The Information Technology Act, 2000

The Information Technology Act of 2000 was India's first significant cyber law. The Indian Parliament passed the IT Act of 2000, which is overseen by the Indian Computer Emergency Response Team (CERT-In) to steer Indian cybersecurity laws, implement data protection rules, and regulate cybercrime. It also safeguards e-governance, e-banking, e-commerce, and the private sector, among other things.

While India does not have a single, comprehensive cybersecurity law, it does promote cybersecurity standards through the IT Act and a number of other sector-specific regulations. It also provides a legal framework for India's essential information infrastructure.

For example, Section 43A of the IT Act requires Indian enterprises and organizations to have "reasonable security practices and procedures" in place to prevent sensitive information from being compromised, damaged, exposed, or abused. Under Section 72A of the IT Act, any intermediaries or individuals who release personal data without the owner's authorization (with ill intent and inflicting damages) are subject to imprisonment for up to three years, a fine of up to Rs500,000, or both.

2. Information Technology (Amendment) Act 2008

The Information Technology Amendment Act 2008 (IT Act 2008) was passed in October 2008 and came into effect the following year as a substantial addition to the IT Act of 2000. These amendments helped improve the original bill, which originally failed to pave the way for further IT-related development. It was hailed as an innovative and long-awaited step towards an improved cybersecurity framework in India. IT Act 2008 added updated and redefined terms for current use, expanding the definition of cybercrime and the validation of electronic signatures. It also strongly encourages companies to implement better data security practices and makes them liable for data breaches.

The IT Act of 2008 applies to any individual, company, or organization (intermediaries) that uses computer resources, computer networks, or other information technology in India. It also includes service providers of web hosting, internet, network, and telecom. It also includes foreign organisations that have a presence in India and businesses outside of the country that have operations in India.

Covering important information security practices for cybercrime and data protection with over nine chapters and 117 sections, the new Information Technology Amendment Act of 2008 includes the following responsibilities:

  • Enhancing cybersecurity measures and forensic capabilities.

  • Mandating intermediaries and corporations to report cybersecurity incidents to CERT-In.

  • Preventing unauthorized or unlawful access to computer systems.

  • Safeguarding private data from cyber terrorism, DDoS attacks, phishing, malware, and identity theft.

  • Providing legal acknowledgment of organizations' cybersecurity efforts.

  • Ensuring the security of e-payments and electronic transactions, including monitoring and decrypting electronic records.

  • Creating a legal structure for digital signatures.

  • Acknowledging and regulating intermediaries.

It is vital to highlight that Subsection 69 of the IT Act 2008 is the most problematic, as it allows the Indian government to intercept, monitor, decrypt, block, and erase data and content at its discretion, raising severe privacy concerns. Penalties for violating the IT Act range from a fine to three years in prison, with more serious offenses including cyber crimes punishable by up to ten years in prison.

3. Information Technology Rules, 2011

Under the IT Act, another important segment of the cybersecurity legislation is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules). The most significant amendments include provisions for the regulation of intermediaries, updated penalties and violation fees for cybercrime, cheating, slander, and nonconsensual publishing of private images, as well as censoring/restriction of certain speech. Both the Information Technology Act (ITA) and the IT Rules are important for governing how Indian entities and organizations process sensitive info, data protection, data retention, and collection of personal data and other sensitive information. Other Indian sectors, like banking, insurance, telecom, and healthcare, also include data privacy provisions as part of their separate statutes.

4. Indian SPDI Rules, 2011 for Reasonable Security Practices

Indian companies aren’t obligated — but are highly advised — to implement these standards, which can help meet the “reasonable security practices” under Indian jurisdiction. The rules can also give individuals the right to correct their information and impose restrictions on disclosure, data transfer, and security measures. They only apply to corporate entities, but they aren’t responsible for the authenticity of sensitive personal data (SPD) like sexual orientation, medical records and history, biometric information, and passwords.

5. National Cyber Security Policy, 2013

In 2013, the Department of Electronics and Information Technology (DeitY) released the National Cyber Security Policy 2013 as a security framework for public and private organizations to better protect themselves from cyber attacks.

The goal behind the National Cyber Security Policy is to create and develop more dynamic policies to improve the protection of India’s cyber ecosystem. The policy aims to create a workforce of over 500,000 expert IT professionals over the following five years through skill development and training. 

The NSCP aims to achieve the following objectives:

  • Establishing a robust and secure online environment for individuals, businesses, and government entities.

  • Monitoring and protecting cyber infrastructure and information, mitigating vulnerabilities, and enhancing defenses against cyber attacks.

  • Developing frameworks, capabilities, and strategies for managing vulnerabilities, promptly preventing or responding to cyber incidents and threats.

  • Promoting the adoption of cybersecurity policies by organizations that are in line with strategic objectives, operational workflows, and industry best practices.

  • Establishing institutional structures, implementing effective processes, leveraging technology, and fostering collaboration to minimize the impact of cybercrime.

6. IT Rules, 2021

On February 25, 2021, the Ministry of Electronics and Information Technology issued the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, which replaced the IT Rules, 2011. A little more than a year later, on June 6, 2022, the Indian MeitY (Ministry of Electronics and IT) announced newly updated draft changes to strengthen the IT Act in response to the difficulties of the ever-changing digital ecosystem.

The proposed revisions aim to allow regular users of digital platforms to seek compensation for their grievances, demand responsibility when their rights are violated, and impose greater due diligence on corporations.

IT Rules, 2021 further distinguishes between smaller and larger social media intermediaries based on user numbers and imposes a significantly higher duty on larger social media intermediaries in terms of personal data security.

Furthermore, there are improvements in the privacy and transparency obligations of intermediates, such as

  • Requiring intermediaries to notify users about rules and regulations, privacy policies, and terms and conditions for using their services.

  • Intermediaries must designate a grievance officer who may address and resolve user concerns about violations of IT Rules.

7. National Cyber Security Strategy 2020

The National Cyber Security Strategy of 2020 was the Indian government's long-awaited follow-up strategy to strengthen cybersecurity measures. While the strategy is still being developed and reviewed by the National Security Council Secretariat, its primary purpose is to serve as formal guidance for stakeholders, policymakers, and corporate leaders in preventing cyber mishaps, cyber terrorism, and espionage in cyberspace.

The plan intends to increase the quality of cybersecurity audits, allowing firms to perform more thorough examinations of their cybersecurity architecture and understanding. The expectation is that once the regulation is adopted, cyber auditors will enhance their security standards, encouraging firms to strengthen their security processes.

8. KYC (Know Your Customer)

KYC (Know Your Customer) protocols are globally recognized standards and practices imposed by the Reserve Bank of India. KYC is the tracking and monitoring of client data security to strengthen protection against fraud and payment credential theft. Banks, insurance firms, and other digital payment organizations that conduct financial transactions must authenticate and identify all of their customers.

For effective KYC compliance and adherence to financial regulations, businesses should undertake the following cybersecurity measures:

  • Conducting knowledge-based questionnaire tests to authenticate customer identities.

  • Employing pre-screening KYC verification techniques such as email and phone verification, Device ID intelligence, and reputational data analysis.

  • Utilizing AI and machine learning for document and government-issued ID verification.

  • Employing biometric authentication methods like fingerprinting and facial recognition.

  • Keeping a customer database for verification purposes.

KYC rules ensure that businesses have the necessary compliance management and anti-fraud solutions in place to protect their customers' digital identities and payment transactions. KYC Compliance provides Indian merchants with peace of mind by ensuring safe and secure payment processing, complying with SEBI laws, and developing confidence with customers. Banks, enterprises, and organizations that fail to follow KYC guidelines may risk a monetary penalty of ₹2 lakh (₹200,000).

9. Reserve Bank of India Act 2018

The Reserve Bank of India issued the RBI Act in 2018, which outlines cybersecurity standards and regulations for UCBs (urban co-operative banks) and payment operators.

The RBI Act of 2018 aims to:

  • Standardize security frameworks across banks and payment operators to adapt to new technologies and digitalization.

  • Require banks to develop and present cyber crisis management plans.

  • Mandate banks to adopt board-approved information security policies to ensure cybersecurity readiness.

  • Implement mandatory breach notifications, with UCBs required to promptly detect and report cybersecurity incidents to the RBI within 2-6 hours of discovery.

  • Encourage banks to conduct regular threat assessment audits.

  • Assist banks in setting up their own email domains with anti-phishing and anti-malware technology, along with enforcing DMARC security controls.

All Indian banks must adhere to these rules in order to harmonize payment processing cybersecurity frameworks and battle the growing number of business challenges in a digital environment. The RBI Act of 2018 imposes sanctions on banks and the financial sector that fail to comply with cybersecurity regulations. Penalties might reach up to ₹10 lakh (1,000,000).

10. The Digital Personal Data Protection Act of 2023 (DPDP)

On August 11, 2023, the Indian Central Government passed the much-anticipated Digital Personal Data Protection Act (DPDP). The act takes its wide definition of personal data from the EU's General Data Protection Regulation (GDPR) and seeks to preserve data principles while restricting the activities of data fiduciaries. 

The DPDP mandates that data fiduciaries:

  • Only engage third-party data processors who contractually commit to following DPDP procedures.

  • Verify the accuracy and completeness of personal data before using it for decision-making or transferring it.

  • Establish organizational measures and technical protocols to maintain compliance continuously.

  • Deploy appropriate security measures and conduct audits to safeguard personal data and prevent breaches.

  • Promptly inform affected data principals and the Data Protection Board about any known data breaches.

  • Securely delete personal data when a data principal withdraws consent, unless retention is legally mandated.

Furthermore, the DPDP established the Data Protection Board of India and defined a new category of data fiduciaries. Significant data fiduciaries are organizations that have been identified by the government as posing a heightened risk. Organizations identified as key data fiduciaries must meet additional standards. 

Frequently Asked Questions (FAQs) about Cybercrime in India:

Question 1) What is cybercrime?

Answer) Cybercrime refers to criminal activities carried out using computers or the internet, such as hacking, identity theft, online fraud, and spreading malware.

Question 2) What are the common types of cybercrime in India?

Answer) Common types of cybercrime in India include phishing scams, online financial fraud, hacking, cyberbullying, and spreading fake news.

Question 3) What laws address cybercrime in India?

Answer) The primary law addressing cybercrime in India is the Information Technology Act, 2000, which was amended in 2008 to include provisions related to cyber offenses.

Question 4) How is cybercrime investigated in India?

Answer) Cybercrime in India is investigated by specialized cybercrime units within law enforcement agencies, such as the Cyber Crime Investigation Cell (CCIC) and Cyber Crime Investigation Unit (CCIU).

Question 5) How can individuals protect themselves from cybercrime?

Answer) Individuals can protect themselves from cybercrime by using strong, unique passwords, keeping their software updated, being cautious of suspicious emails and links, and using antivirus software.

Question 6) What is ransomware and how does it affect individuals and businesses?

Answer) Ransomware is a type of malware that encrypts files on a victim's computer and demands payment for their release. It can cause significant financial losses and disrupt business operations.

Question 7) What is identity theft and how can individuals prevent it?

Answer) Identity theft occurs when someone steals another person's personal information, such as their social security number or bank account details, to commit fraud. Individuals can prevent identity theft by safeguarding their personal information and being cautious of sharing it online.

Question 8) What are the risks of using public Wi-Fi networks?

Answer) Risks of using public Wi-Fi networks include the potential for hackers to intercept sensitive information transmitted over the network, such as passwords or credit card numbers.

Question 9) What is cyberbullying and how can it be addressed?

Answer) Cyberbullying involves using digital technology, such as social media or messaging apps, to harass, intimidate, or threaten others. It can be addressed by reporting abusive behavior to the relevant platform and seeking support from trusted individuals or authorities.

Question 10) What is cyber espionage and why is it a concern?

Answer) Cyber espionage involves using technology to gain unauthorized access to sensitive information for political, economic, or military purposes. It is a concern because it can compromise national security and intellectual property.

Question 11) Is watching Cyber Pornography a crime or not?

Answer) Watching cyber pornography in a private area is not a crime. However, watching pornography in public areas is a punishable offense under Section 67 of IT Act, 2000.

Question 12) Where to report ATM fraud?

Answer) Report ATM fraud to the nearest police station or online at the national cybercrime reporting portal. 

Question 13) Is Online Harassment also a Cybercrime?

Answer) Online harassment is a distinct cybercrime. Various kinds of harassment do occur in cyberspace. Harassment can be sexual, racial, religious, or other. Cyber harassment as a crime also brings us to another related area of violation of privacy of netizens. Violation of privacy of online citizens is a Cybercrime of a grave nature. Online harassment is punishable under 67 of IT Act, 2000.

Question 14) What is Vishing?

Answer) Vishing is the criminal practice of using social influence over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to sensitive information such as credit card details from the public. The term is a combination of "Voice" and phishing.

Question 15) What is ID Spoofing?

Answer) It is the practice of using the telephone network to display a number on the recipient's Caller ID display which is not that of the actual originating station.

Question 16) What are Phishing and Pharming?

Answer) Phishing and Pharming are the most common ways to perform identity theft which is a form of cyber crime in which criminals use the internet to steal personal information from others.

Question 17) Where can I file a cyber crime complaint?

Answer) The IT Act of India states that, when a cybercrime has been committed it shall have global jurisdiction. Hence, a complaint can be filed at any cyber cell situated in your city or elsewhere. It is advisable to always approach a cyber cell that is closer to your place for better access.


Looking for a Lawyer, connect with our team:

2 views0 comments


Valutazione 0 stelle su 5.
Non ci sono ancora valutazioni

Aggiungi una valutazione
bottom of page