By Amrit Behera


This article will mostly focus on how the importance of cybersecurity has increased after the COVID 19 pandemic. The paper will also discuss the major steps that can be taken to ensure a more secure online platform and it will also spread some light on the steps that are taken by the Indian government concerning cybersecurity. And at the end it the paper will also focus on how this pandemic has forced to take steps for the future.


The pandemic has posed a huge dilemma for all businesses across the world the main problem faced by them is regarding how to keep operating even after the closures of facilities and some significant offices. Their long-reliant information technology – data centres, cloud systems, departmental servers, and the digital gadgets their now-remote employees utilised to keep connected to one another and to the company’s data – becomes even more critical. The demands placed on the internet infrastructure have increased dramatically in the last few months.

Cybercriminals see such technology as a far bigger and more valuable target. To avoid a second disaster, cybersecurity operations must be improved, focusing on the digital gadgets and networks that have become vastly more important to the businesses present in recent weeks. To put it another way, “business continuity” has become a must.

Impact of COVID-19 on cybersecurity:

As businesses adapt to a new operating paradigm in which working from home has become the “new normal,” the coronavirus pandemic has presented new obstacles. Businesses are speeding up their digital transformations, and cybersecurity has become a big worry. If cybersecurity concerns are ignored, the consequences for reputation, operations, legality, and compliance could be severe. This article looks at how COVID-19 affects cyber risk and what firms may do to mitigate it.[i]

Cyberattacks on video conferencing services:

The series of cyberattacks on video conferencing services is an example of criminals exploiting cybersecurity holes in remote working. Between February and May 2020, almost half a million people were affected by data breaches in which video conferencing service users’ personal information (such as names, passwords, and email addresses) was stolen and sold on the dark web. Some hackers used a tool called ‘OpenBullet’ to carry out this attack.

Credential stuffing tactics are also used by hackers to get access to employees’ credentials, and the stolen information is then sold to other cybersecurity criminals. One of the effects is that firms that rely significantly on videoconferencing platforms will be severely disrupted. Credential stuffing is a type of cyberattack in which hackers utilise stolen login and password combinations to gain access to other accounts. Because it is fairly usual for people to use the same username and password for many accounts, this is conceivable.[ii]

Unwanted and uninvited members have been observed gaining access to virtual meetings and obtaining personal or sensitive information, which is subsequently sold to a third party or made public to harm the company’s reputation.

Ways to reduce the chances of cyberattack:

Cyberattacks have escalated by an order of magnitude as a result of the growth in communications and the widespread shift to conduct business online. They’ve also created a slew of additional dangers. The perimeter security of organisations is at risk of being penetrated. For breaches at both physical and digital access points, they need continuous surveillance and real-time risk assessments.

Leaders in security and risk management must now protect their businesses on a vast scale, and rapidly. They must make sure that their companies’ online services and digital platforms are secure from cyberattacks.

The IT department is also under a lot of strain. IT workers in some companies must expand remote working capabilities to employees who have never worked from home before. This may include their service providers in some circumstances. Many IT departments are in the process of implementing new collaboration tools. While this is useful for keeping staff in sync (especially in agile teams), it also increases the danger of critical material being hacked because it is now stored in less secure remote locations.

However, it is impossible for IT departments to refuse this request. To conduct operations remotely, company leaders, managers, and their staffs require access to internal services and applications. Security leaders are hesitant to give access without stringent access methods since many firms have not previously made these applications and data available through the Internet or virtual private networks (VPN).[iii]

Few companies, understandably, were prepared for their employees to work remotely in large numbers. They’ve realised that secure remote-access capacity and protected access to company systems has become a significant bottleneck.

It’s tough to enforce enterprise security policies and controls on a remote workforce. The majority of controls have limited scalability and take a long time to set up. We know of several companies that have resorted to let employees to access enterprise applications using their own digital devices because there was no way to enforce security measures. Business continuity plans (BCP) and incident response plans (IRP) are insufficient or non-existent for most organisations when it comes to dealing with pandemics. Security officials have never imagined or practised a large-scale BCP operation.

Steps taken by the Government:

In the year 2020 the government of India introduced a National Cyber Security Strategy which was formulated by the National Cyber Security Coordinator’s office at the National Security Council Secretariat.

The main aim of the National Cyber Security Strategy 2020[iv] was to improve the cyber awareness and cybersecurity with the help of more strict audits. Empaneled cyber auditors will examine a company’s security features more thoroughly than is now required by law.

Table-top cyber crisis management exercises will be held on a regular basis to emphasise the idea that cyber-attacks can happen at any time. It does, however, ask for a cyber-readiness index and accompanying performance monitoring. It is advised that a distinct budget be set aside for cybersecurity, as well as coordinating the roles and duties of multiple agencies with the necessary domain knowledge.[v]

A New Era for Cybersecurity:

The changes we’ve outlined will have an impact on more than just the IT department. Talent managers will need to reassess their policies to allow for a better work-life balance if remote employees demonstrate that they can work more successfully from home. Meanwhile, personnel with important skills and remote-working requirements must be rapidly and effectively on boarded.

Large enterprises will also face new budgetary restraints. There will be new ways to use finances and invest in the correct offerings. Firms will be more conservative in their resource allocation.

Furthermore, businesses will have the ability to restructure their work processes. Prioritize new at-home work arrangements that were developed during the lockdown and have shown to be successful. Finally, as people, assets, and facilities begin to recover, governments all over the world will establish new policies and regulations based on what they learned during the epidemic.


A new era of cyber security has begun as a result of the epidemic. IT security experts who step up their game and defend their organisations’ people, technology, and data against new or increased threats from more skilled cybercriminals will be critical actors in the economic recovery. And indeed it is a much needed step for the future.

[i] Daniel Lohrmann & Dan Lohrmann, 2020: The Year the COVID-19 Crisis Brought a Cyber Pandemic, Government Technology   (2020), (last visited Jul 16, 2021).

[ii] Impact of COVID-19 on Cybersecurity, (last visited Jul 16, 2021).

[iii] Deo Prashant, Raj Geetali & Santha Subramoni, How Covid-19 is Dramatically Changing Cybersecurity, Tata Consult. Serv. Ltd.,

[iv] National Cyber Security Strategy 2020, , Drishti (2021), (last visited Jul 16, 2021).

[v] 3 ways governments can address cybersecurity right now | World Economic Forum, , World Economic Forum (2020), (last visited Jul 16, 2021).

[vi] Picture: IEEE inovation at work



by Rashi Srivastava


The Government of India on February 25, 2021 enacted Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[i]. In simple terms, the said rules have the capacity to impact the way the users connect with the social media platforms, search engines, OTT platforms, and the internet too. Thus, these rules aims to resolve the issue of users related to their grievances and complaints which was previously unavailable. In addition to that, these rules were created in order to prevent the abuse of the government on social media.

This begins a new chapter in the life of social media intermediaries in India as there will be new laws and rules to be complied with and for that, there will be several changes to be made for them to function. These rules likewise will direct the boundaries to monitor and mark the content displayed on OTT platforms as well as on digital media platforms.

The new IT Rules, 2021 were to go into effect from May 26, 2021 and all the social media intermediaries had to comply with these rules to keep functioning in India. There was a lot of controversy regarding these rules because the social media intermediaries felt that firstly it will  be controlled by the government which will eventually take away the privacy of millions of users in India.

Main Issue

The new legislation was introduced in India on the 25th of February, 2021 with the objective to provide grievance redressal forums for the users so that they can make a complaint against any violation of the provisions of the said rule. The government provided three months time for the social media intermediaries to comply with the new rules, which if not complied will lose their rights to use provisions under Section 79 of the Indian Information Technology Act[ii], 2011 that grants safer harbour protection to such platforms[iii]. Basically, in the year 2017, the Supreme Court of India had observed that the government of India should frame such important guidelines and rules that could end child pornography, rape, gangrape imageries, video, and such other sites that promote this in content hosting platforms and other applications[iv]. Therefore, in 2020 a committee of the Rajya Sabha laid its report after various studies on the alarming issue of pornography on social media and also its impact on the children and society at large. The government brought the monitoring of the content under the ambit of the Ministry of Information.

Because of the strictness of the rules, many of the platforms announced that they have been in compliance with the terms and conditions of the intermediary guidelines. Social media intermediaries like Google, Facebook, Whatsapp, Telegram, Sharechat, Snapchat, Koo and LinkedIn had shared details with the Ministry of Electronics & Information Technology as was required according to the new rules. However, Twitter did not comply with the rules within the stipulated time. It sought an extension of the compliance period and also said that these rules will be in violation of the freedom of expression of the users. Earlier, Whatsapp also felt that complying with the new norms would have an effect on the privacy of the user and thus, it filed a case in the Delhi High Court against the government on the above stated grounds.

The IT rules 2021 have its objectives to entitle the users of the social media platforms and the OTT platforms with a procedure for redressal and convenient resolution for their complaints with the assistance of a Grievance Redressal Officer, residing in India. Also, special importance has been given to the women and children for their protection from sexual offences, fake news and other information on the social media. A Chief Compliance Officer will also be appointed to look into all the compliance with the Act and the Rules. The OTT platforms, online news and digital media units, then again, would have to follow a Code of Ethics. OTT platforms would be called as ‘publishers of online curated content’ under the new laws[v].

These rules came at that duration when there was a lot of chaos among the people if India regarding the safety and sovereignty of the cyber world and obviously, personal data. Social media has majorly become an important aspect of everyone’s lives. Currently, Whatsapp is having a user base of 340 million in India, which accounts for the largest number of subscribers in the world[vi]. Similarly, Facebook is having 290 million users, Twitter accounts for 17 million and so on. Hence, with such a large population being dependent upon the social media intermediaries, the media cannot ignore the new challenges like fake news being circulated around and also excess abuse of the platforms to share fake images which threaten the dignity and security of the individuals.

Observing these obstacles and challenges, the Supreme Court in the year 2018 and in the case of Tehseen S. Poonawalla vs. Union of India[vii], the Supreme Court asked the government to prevent and put a full stop on the circulation of explosive messages and videos on the social media platforms that promotes violence and lynching of any type.

Therefore, in view of the above Supreme Court decisions, the government took a step in developing the new rules. The intermediaries are such that if there is any content that tries to threatens the security or dignity of the individual, then that specific content ought to be disabled or removed within 24 hours of receiving complaints. Such grievances can be filed either by the individual himself/herself or someone on his/her behalf.

Effects of the Intermediary Rules

After the compliance with the new rules, the question arises as how will it affect the social media operations and ultimately what impact will it have on the users. One of the important requirements of these rules is a three-tier process for the digital media and online content, i.e., OTT platforms. It also has a strict policy and grip over the tech giants like Twitter, Facebook, YouTube, which would be necessitated to take down the objectionable content and posts within 36 hours of filing of such complaint[viii]. Other OTT platforms like Netflix, Amazon Prime, and Zee5 will also face a rigid investigation from the government according to the new rules and policies. Accordingly, the government will also set up a committee, which will be called as Inter-Departmental Committee (IDC) that will be consisting of representatives from various ministries, to look into complaints related to online content on social media intermediaries or news portals. In simple words, this committee will be forming the center of the oversight component for social media intermediaries.

The social media intermediaries have to be more responsive to the government now and will have to look into the complaints more thoroughly. This will eventually break the end-to-end encryption rule as well as setting up verification systems which could have an impact on the user’s privacy[ix]. Not only this, the citizens and the users can have a genuine concern as there is no legislative process for these rules. The objective of tracking the first originator, as given under Rule 5(2) has been looked as troublesome and also created worry. It basically helps in reaching the source of any information through significant social media intermediaries that offer messaging services. Thus, it is an effort to stop the circulation of fake news and illegal activity. But, through this idea, the cyber experts have a concern that this will destroy the end-to-end encryption, and hence disrupting the individual’s privacy and a data breach too.

Suggestions and Conclusions

If one look at the step taken by the government, it seems that it is a very progressive step taken and also that protects the safety and dignity of an individual, that too in a world and at that time where privacy is of utmost important to millions of people. Freedom of speech and expression are the two important pillars of democracy. But, as said, no freedom is absolute or unrestricted. The Government has the power to put reasonable restrictions on the freedom whenever necessary. Thus, the IT Rules, 2021 try to address the concerns and the grievances of citizens and that too, without violating their privacy and personal liberty.




[iv]In Re: Prajwala Letter Dated 18.2.2015 Videos of Sexual Violence and Recommendations’, Supreme Court of India, October 23, 2017.


[vi] Mansoor Iqbal, ‘WhatsApp Revenue and Usage Statistics (2021)’, May 13, 2021

[vii]Writ Petition (Civil) No. 754 of 2016’ Supreme Court of India, July 17, 2018.

[viii] How India’s IT Rules Impact Social Media Operations


[x] Picture Credit:


by Agrim Jain


How many times have we in our lives have shared our personal details such as our age, mobile number, e-mail address, home address, date of birth and more similar details which enable people to personally identify us? This sharing of information by us on feedback forms provided to us by malls, restaurants among other places is what leads to infringement of our right to privacy and to the thought of future risks is frightening at least. It is noteworthy that despite of the fact that the initial bloom in India could be traced back to Companies Act, 2013, which required maintenance of copies of books of account in electronic form in computer systems located in India and also that the honorable Supreme Court of India has declared the Right to Privacy as a fundamental right for Indian citizens under Article 21, in its ruling on 24th August, 2017, in the case of K.S. Puttaswamy Vs Union of Indiaand others,there is still not a single effective legal framework to protect data of individuals’. The need to categorize right to privacy as a fundamental right a part from the fact of keeping up pace with technological innovations was also felt as the organisations had been enacting new modes of collecting, processing and dealing with our personal data as the rapid digitization of the economy has led the organizations and authorities to believe that the data plays a crucial role in the advancement of the economy. In India apart from the exception of Information Technology Act, 2000, which also only merely dealt with problems associated with Data Protection has proved to be in effective and as such there have been steps taken from 2018 onwards to deal with and rectify this problem. The first step in this regard was establishment of Justice BN Srikrishna Committee, which was established on 27th July, 2018, which in its report had suggested the “Personal Data Protection Bill, 2018”. This bill is considered as the stepping stone of the “Personal Data Protection Bill, 2019”, which was introduced in lower house of Indian Parliament on 11th December, 2019, for the purpose of purpose of bringing about legislative changes surrounding and safeguarding of data and personal information. Along with this another legislation by the name of “Digital Information Security”, was published in the Ministry of Healthcare Act was also brought forward by the Ministry of Health and Welfare. Furthermore, another was the mandate which was regarding Localized Data was published by the Reserve Bank of India. These all steps taken together can be termed as “Data Protection Framework”, these all depict the strong intention of the Government of India to protect National as well as Individual privacy along with providing security to the both ends as well.

The concept of Data Localization is considered as a relatively new concept in India. So, the basic question that arises is what do we mean by the term Data Localization?

Data Localization

It may be understood as a process through which citizens’ data is localized to one’s home country home country for its processing, storage and collection before it goes through the process of being transferred to the international level. It is done with the objective of subjecting it to one’s local data protection and privacy laws. It is based on the concept of sovereignty[i]. Thus in Indian context it may be referred to as act of companies collecting data about consumers with the intention to store and process the data within the boundaries of India. It is considered that the localization would make it easier for the country’s authority to have better domestic surveillance over its citizens apart from the fact that it would also make better exercise of privacy rights by the citizens against any form of unauthorized access to data even including foreign interference within its scope[ii]. But overall, the degree of protection accorded to data is dependent upon the applicable data protection regime.

In India prior to the announcement of Reserve Bank of India which mandated localization of the data, the data which was not stored within the country till the month of September as prior to the announcement, rather it was stored on a cloud database situated outside of India.

Purpose of Localization

While the Indian Government has moved towards the policy of LPG since the year 1991, it has been even taken forward by the Narendra Modi Government, by coupling the localization and promotion of the domestic market. It has been felt that apart from the two main colossal pillars in form of Start Up and Make in India, the topic of Data can be the third colossal pillar in India in the coming years. Apart from this there can be three main reasons for imposing stringent data localization norms. These can be stated as the following:

  1. Sovereignty and Governmental functions;
  2. The second argument in favor of localization is that it would result in accrual of economic benefits to the local industry, it can be noticed in terms of creation of local infrastructure, employment and also contributions to the Artificial Intelligence Ecosystems.
  3. Protection of Civil liberties, i.e. the local hosting of data would enhance privacy and security of Indian citizens by ensuring that the Indian laws applies to the data and through it the users can also access the local data[iii].

How is privacy of individual protected through data localization?

It was in the year 2018 that the National Institute of Public Finance and Policy in a working paper had brought forward the fallacies brought forward by the misleading assumption that the data localization will necessarily lead to better privacy protections. It was stated that the security of data is to be determined more by technical measures, skills, cybersecurity protocols and other established mechanisms put in place rather than through mere use of location of the data. In India the laws related to data protection come under three main categories:

  1. Information Technology Act, 2000 and rules framed thereunder;
  2. Indian Penal Code, 1860;
  3. Other Sectoral Regulations.

But for this paper, we are going to refer only to the Personal Data Protection Bill, 2018 and the Personal Data Protection Bill, 2019.

Personal Data Protection Bill, 2018

The enactment of the Personal Data Protection Bill, 2018 can be traced back mainly to the efforts of the Srikrishna Committee and then it is along with the Personal Data Protection Bill, 2018 and Personal Data Protection Bill, 2019 that India has joined a list of host countries that demand data localization. Data Localization implies that entities collecting or processing data should store such data or a copy of the same on local servers within the territorial jurisdiction of the country as well as permit the transfer of such data outside the country, subject to a reasonable level of protection being accorded to the same irrespective of where it is being transferred[iv]. The Srikrishna Committee also recommended that personal data determined to be critical will be subject to the requirement of being processed only in India and the Central Government was to determine categories of sensitive personal data which are to be considered critical.

Personal Data Protection Bill, 2019

This bill has received severe criticism from all spheres of the society probably because of the fact that its provisions have provided government access to the personal data of the individuals. This bill has also been referred to as dangerous and capable of turning the state into an Orwellian state as well. But, despite of the limitations and criticism, it cannot be discarded entirely as it is responsible for categorizing the personal data into two categories:

  1. Sensitive Personal Data;
  2. Critical Personal Data.

It is noteworthy that the sensitive personal data has been defined explicitly and clearly under the Act while on the other hand the Critical Personal Data has been defined as personal data as notified by the Central Government. It is also responsible for relaxing the data localization restrictions and also makes them applicable only upon the two types of personal data[v].

This bill has also mandated that though the sensitive personal data can be transferred outside India, but still it needs to be stored within India as well. The data can be transferred to outside India only upon the fulfilment of certain conditions, such as the:

  • Obtaining explicit consent from the data principal;
  • Pursuance to a contract or an intra- group scheme that safeguards the data principal rights;
  • Ensuring liability on data processor if harm does occur.

Meanwhile on the other hand the exporting of critical personal data has been prohibited under the act specifically, though it may be permitted to a person or entity engaged in provision of health or emergency services in specified situations and also even to any country or entity or class of entity approved by the central government on fulfilment of certain conditions. It is possible only in the situation that the Central Government is of the opinion that it does not prejudicially affect the security and strategic interest of India.

Intermediary Liability

An intermediary according to section 2(w) of the IT Act means as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, web housing service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes[vi].

Liability of intermediary in case of data and privacy of data

Liability under Information Technology Act, 2000

Data as per definition provided by the Section 2(1)(o) of information Technology Act, 2000 refers to a representative form of knowledge, facts, information, instructions and so on, prepared or being prepared and processed in a computer system or similar network, which could be in any form or even stored in memory of the computer[vii].

It is Section 79 of IT Act which is considered as a safe harbor as it provides conditional immunity to intermediaries from the liability of the third party acts in terms of any third party information, data or communication link made available to or hosted by them. This has been made subservient to the provisions of section 79(2) and section 79(3) of the act. Section 79(2) of the act essentially covers the cases where the activity is undertaken by the intermediary is of a technical, automatic and passive nature. Further, section 79(3) of the act has envisaged a notice and take down regime, in the situations that the intermediary is required to take down unlawful content upon receiving actual knowledge of its existence.

Liability under Personal Data Protection Bill, 2019

The Bill through its sections 7 and 11 has casted a responsibility upon a data fiduciary (including a social media intermediary), to obtain consent for collection of data and also consent for processing of data respectively. It has also been mandated that while seeking consent, the intermediary needs to communicate the purpose for collection of data and also the parties with whom the data would be shared by them to the data principal.

Thus, thus law is responsible for ruling out the opaque unilateral sharing of personal data by the intermediary without the consent of the data principal and also data principal must be made aware about the sharing of any personal data with a third party through a notice under Section 7(1)(g) of the act.

Furthermore, the section 31 of 2019 Bill, the data fiduciary is required to enter into a contract with the data processor to engage it for processing personal data and then the data processor when receives such personal data under a contract from a data fiduciary may process such data only in accordance with the instructions of the data fiduciary and is further prohibited from sub- contracting with another data processor under Section 31(2), unless is permitted by the data principal expressly. The personal data shared must also be kept confidential by the data processor in whose possession is the data received.

Downside to Data Localization

The concern of privacy of individuals has gained prominence in India in aftermath of theK.S. Puttaswamy vs Union of Indiaand others[viii], judgment of the Supreme Court, especially in terms of the concept ofprotection of personal and private data of the individuals. Along with this to meet the requirements ofthe data localization bill, the organizations would have to spend massive amounts of money to set up the servers locally among the other infrastructure costs which need to be incurred by the organization as well. It is these huge costs which prove to be of huge burden upon theexisting organizations and prove of deterrence to the new coming organizations. Finally, one more defect of data localization is that as the importance of data is recognized by the governments, individuals and delinquents alike, the country runs the risk of being honeypot of personal data making it susceptible to data security threats and scandals and it is also responsible for removing the stipulation which required mandatory recording of personal data in the country.


The policy of the Indian government regarding the data localization has gained attention due to its controversial nature, possibly due to the fact that while the government has received strong support from domestic strong warts like the Reliance Group, the policy on the other hand has also received criticism from the companies such as Facebook, Amazon, Microsoft and MasterCard. The data localization has to be also to be read in association with the fundamental right to privacy as secured to citizens by the Puttaswamy judgment of the year 2017, as while sharing of the persona data there are some serious concerns raised relating to infringement of privacy of the individuals in society. It is in these respect that India needs a strong legislation to deal with this matter be it the Information Technology Act, 2000 or the Personal Data Protection Bill, 2019, which despite being 2 years in making is sparkling several charged debates across the country. The bill was sought to be reviewed by the Joint Parliamentary Committee in January 2020, after which it is going to be tabled before Lok Sabha, then Rajya Sabha and then will be sent to the President for assent. In India in terms of Data Localization, Privacy and Concerns and resultant liability of the intermediary would be dependent upon the result of how the act is framed finally after consultations.

[i]Data Protection or Data Localization in India- Privacy- Mondaq

[ii]How would Data Localization benefit India




[vi]Section 2(w) of IT Act,2000

[vii]Section 2(1)(o) of IT Act, 2000

[viii] (2017) 10 SCC 1

[ix] Picture Credit: Financial Express