ANALYZING CYBERSECURITY WHISTLEBLOWING LAWS IN INDIA IN LIGHT OF COVID-19 PANDEMIC

Written by: Anish Shahapurkar, Yoshita Gwalani, Janhavi Sawant[1]

This article is written in light of the recent outbreak of the COVID-19 pandemic and the consequent surge in cybersecurity threats in India. The term ‘Cyber Security’ means protecting information, equipment, devices, computers, computer resources, communication devices, and information stored therein from unauthorized access, use, disclosure, disruption, modification, or destruction[2]. With the rise in cyberattacks, this paper aims to explore the existing whistleblowing laws with respect to cybersecurity in India. The term “Whistleblower” means one who discloses, at great peril to the discloser, serious wrongdoing, misconduct, or unethical or fraudulent practices within an organization or a company[3]. The Whistleblowers Protection Act, 2014 deals with whistleblowing in government and public sector enterprises and has laid the foundation for whistleblowing laws in India, on which the Companies Act, 2013, SEBI regulations, and other regulations have been based. This article analyses the coverage that these and other laws, like the Protected Disclosure Scheme of the RBI, provide to cybersecurity whistleblowers. It also sheds light on the upcoming laws and their potential impact on cybersecurity whistleblowing in the non-regulated sector. We seek to establish whether the existing laws, in addition to the new laws, are sufficient to protect whistleblowers in combating current and future threats to cybersecurity.

Keywords: COVID-19, cyber-attacks, cyber security, Whistleblower Protection

  1. INTRODUCTION

With the outbreak of COVID-19, one of the most harrowing impacts has been the shift from the physical workplace to the online virtual workplace. This happened almost immediately throughout the world in many organizations as soon as the pandemic grew worse and started affecting daily life.[4] There is currently a massive influx of cybersecurity attacks being launched daily against the general public.[5] The COVID-19 pandemic has forced many companies to convert all or nearly all of their employees to remote work in an effort to continue operating[6]. While many companies had remote work capabilities in place before, few had the infrastructure to seamlessly host their entire workforce. This transition is occurring while many of those same companies are taking an enormous economic hit that has forced them to reduce staff to keep their businesses afloat[7].

Since the outbreak, there have been reports of scams impersonating public authorities (e.g., the WHO) and organizations (e.g., supermarkets, airlines)[8], targeting support platforms, conducting Personal Protection Equipment (PPE) fraud[9] and offering COVID-19 cures[10]. These scams target members of the public generally, as well as the millions of individuals working from home. Working from home en masse has produced a level of cyber security concerns and challenges never faced before by industry and citizenry. Online video conferencing apps such as Zoom, Microsoft Teams, and Google Meet have witnessed an exponential increase in new users signing up daily. However, this reliance on technology brings more issues and threats in terms of cybersecurity.[11] Organizations will have to deal with the growing security demands emerging from the increased risk of cyber-attacks while also being mindful of the difficulties created by the need to continue with business. Cyber criminals have also engaged in phishing attacks impersonating the WHO to gain access to information on personal computers, in one case distributing a fake “My Health e-book” attachment containing a file with malware.[12]

The term Cyber Security is used to refer to a body of technologies, processes and practices designed to protect networks, computer systems, programs and data from cyber-attack, damage or unauthorized access.[13] Security standards enable organizations to practice safe security techniques that minimize the number of successful cyber security attacks and protect their data and systems. Organization and user assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment[14]. Cyber security strives to ensure the attainment and maintenance of the security properties of the organization’s and users’ assets against relevant security risks in the cyber environment[15].

Cybercriminals are taking advantage of the current situation by spreading malware, spyware, and trojans through embedded interactive coronavirus maps and websites[16] and by launching ransomware attacks on health centers, public institutions, etc. Because these organizations cannot afford to be locked out of their systems in the current situation, criminals expect them to pay the ransom. Therefore, there is a need to recognize these cyber threats and privacy concerns, which can lead to unfavorable situations, in order to mitigate or avoid them.

  2. SECURITY MEASURES TAKEN BY COMPANIES

Employees are always given basic training when it comes to cybersecurity, as they have to manage confidential data and important documents that can be detrimental if accessed by a third party. Some of the cybersecurity measures that employees must follow include:

a) use of effective passwords; b) knowledge about cyber-attacks and crimes in order to avoid risks; c) an upgraded and up-to-date security system; d) locked computers and devices; e) use of VPN and BYOD; f) reporting lost or stolen devices; g) multi-factor authentication; h) monitoring third-party access; i) installation of anti-virus software and a firewall; j) performing daily scans and installing anti-malware software; k) creating a backup schedule; and so on.

Moreover, companies must ensure that their cyber security measures leave no chance for hackers to gain unauthorized access. They can also undertake extra measures such as biometric security, forming cybersecurity policies, limiting access to privileged data, and always reporting anything even remotely harmful to the IT department so that the risks are minimized.

Bring Your Own Device (BYOD) is nowadays encouraged in workplaces to increase productivity, as it saves the company from big costs. Employees can access corporate e-mails, calendars and scheduling, documents, and applications with their personal devices, either for work or for personal use.[17] On the other hand, a VPN (Virtual Private Network) is commonly used by the IT industry to save huge infrastructure costs by using the public Internet to establish a secure communication medium to any remote area. It is pertinent to mention that one way to tackle cyber-attacks is to promote and encourage cybersecurity whistleblowing. It will lead to a fall in the rising cases

  3. CYBER ATTACK AND ITS TYPES

A cyber-attack is an intentional exploitation of computer systems, networks, and technology-dependent enterprises. These attacks use malicious code to modify computer code, data, or logic, culminating in destructive consequences that can compromise your data and promulgate cybercrimes such as information and identity theft[18].

Throughout the various types of possible cyberattacks, four major patterns can be seen. They are:

a) Data Breach and Theft. This occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer data. The purpose of hacking these systems is to use this information for identity theft and fraud. A malicious cyberattack in 2018 leading to the Aadhaar card details of a million people being compromised was an instance of a data breach. Justdial – a company that provides local search options for different services – suffered a massive data breach in which user data such as names, email accounts, numbers, addresses and gender was exposed.

b) Cyber Financial Fraud. In July 2016 an employee of Union Bank of India received a phishing email that enabled hackers to gain administrator-level access to the bank’s network, execute fund transfers and defraud the bank of $171 million. Some examples of cyber financial fraud are debit/credit card fraud, internet banking frauds, spear phishing.

c) Cyber Extortion. This is the act of cyber-criminals demanding payment through the use of, or threat of, some form of malicious activity against a victim, such as data compromise or a denial of service attack[19]. Cyber extortion encompasses actions such as ransomware, email ransom campaigns, and distributed denial of service (DDoS) attacks[20]. Ransomware uses an assortment of techniques to block access to the victim’s system or files, usually requiring payment of a ransom to regain access[21], and infects the system via email attachments, links, or through working employees whose credentials have already been compromised by exploiting a vulnerability in their systems[22]. Cyber extortion using the Petya ransomware affected the container handling functions at a terminal operated by AP Moller-Maersk at Mumbai’s Jawaharlal Nehru Port Trust[23].

d) Individual Target Attacks. Cyber criminals target individuals just as readily, because individuals tend not to update their security systems and it is much easier to hack into their devices, knowingly or unknowingly, via trojans or mobile applications, with the intention of extracting personal as well as work-related confidential information. There are innumerable ways of cyber-attacking individuals other than the ones mentioned above, such as web attacks, which include SQL Injection and Cross Site Scripting, while other cybersecurity threats include DDoS attacks, password attacks, eavesdropping attacks, birthday attacks, insider threats, etc.[24]

  4. FOREIGN LAWS WITH RESPECT TO CYBERSECURITY WHISTLEBLOWING

The concept of protecting whistleblowers and encouraging employees to blow the whistle against fraud, malpractice or illegal activities that threaten the public interest was first given statutory form by the United Kingdom in the year 1998, by introducing legislation known as the Public Interest Disclosure Act 1998, which covered both the private and the public sector[25]. Current UK legislation in relation to the protection of whistleblowers was brought in under the Public Interest Disclosure Act 1998 (PIDA) and expanded upon with the introduction of the Enterprise and Regulatory Reform Act 2013 (ERRA).

Together, they provide the legal framework that governs the circumstances in which employees can lawfully blow the whistle as well as setting out the requirements for legal protection following the event[26]. However, although the private sector is covered under the Act, there is no special legislation when it comes to cyber security whistle blowing or protection of cybersecurity whistleblowers.

Coming to the United States of America, there are a handful of federal statutes and state laws which can provide cybersecurity whistleblowers with a basis for actionable retaliation claims. The availability of such protections, however, varies depending on the facts and circumstances of each case[27]. Some of the statutes that cover whistleblowing are the False Claims Act, the IRS Whistleblower Informant Award, the Occupational Safety and Health Act, state whistleblower laws, the Sarbanes-Oxley Act, and the Whistleblower Protection Act. The Sarbanes-Oxley Act of 2002 (SOX) is a law designed to curb corporate and accounting misconduct by publicly traded companies, along with retaliation protections for employees of publicly traded companies. The Dodd-Frank Act of 2010 addresses deficiencies in existing financial regulations. In the years since the passage of these two laws, cybersecurity has become a critical issue for publicly traded companies and their primary regulator, the Securities and Exchange Commission (SEC), making cybersecurity disclosures well within the reasonable boundaries of the whistleblower protections provided by these two statutes[28]. Disclosures of cybersecurity issues can fall under the umbrella of the SOX Act in myriad ways. For example, a corporation’s failure to disclose cybersecurity issues that create significant risk factors for the corporation or materially affect the corporation’s financial condition and operations could constitute shareholder fraud[29]. In the non-regulated sector, a new legislation known as the Data Accountability and Transparency Act of 2020 was passed that empowers the employees of the private sector to blow the whistle on data privacy and cybersecurity issues[30].

  • WHAT IS WHISTLEBLOWING?

The phrase “blow the whistle”, used in a metaphorical fashion, is defined as “to call public or official attention to something (such as a wrongdoing) kept secret[31].” Lots of people blew whistles; hunters were said to ‘whistle down the wind’ when they let their falcons loose to fly. Sailors, when needing a wind to free a becalmed ship, would ‘whistle for it’. The first profession to be labelled as ‘whistleblowers’ was the US police, who blew whistles to attract attention to wrongdoing[32].

In the words of Near and Miceli (1985), whistleblowing is defined as the disclosure by organization members (former or current) of illegal, immoral or illegitimate practices under the control of their employers, to persons or organizations that may be able to effect action[33]. For any country to build on corporate governance, the whistleblowing mechanism must be given the highest priority[34]. Corporate governance refers to ensuring the interests of all the stakeholders and taking efficient strategic decisions. A whistle-blowing mechanism is essential for the proper administration and working of companies.

A whistleblowing mechanism ensures that corporates do not take personal decisions that benefit a selected few at the expense of other stakeholders or the customers[35]. Whistle blowing also helps in curbing corruption and irregularities whilst maintaining transparency in the government as well as the private sector. However, employees fear retaliation in the form of job termination, being blacklisted, facing backlash or their complaint being concealed, and hence they do not feel encouraged to report any misconduct.[36] Therefore, it is very important that protection of whistleblowers be given primary importance in order to have effective corporate governance.

  • LAWS COVERING CYBERSECURITY WHISTLEBLOWING IN INDIA

For the longest time, India did not have any official mechanism to enable whistleblowing and protect whistleblowers. It was the horrific murder of Satyendra Dubey, who had exposed serious financial irregularities, that galvanized the government.[37]

What followed was the Public Interest Disclosure and Protection of Informers Resolution (PIDPIR) in 2004. Its purpose was to provide a mechanism to receive written complaints or disclosure on any allegation of corruption or the misuse of office by any employee of the government or of any corporation or agency controlled by the government. However, the law was insufficient and was filled with shortcomings leading to a new legislation being introduced named The Whistleblower’s Protection Act of 2014.

Whistleblowing laws in India are spread over a number of schemes and acts, including the Whistleblowers Protection Act, 2014 (“Whistleblowers Act”), the Companies Act, 2013 (the “Companies Act”), the Companies (Meeting of Board and its Powers) Rules, 2014 (“Companies Rules”), and sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India (IRDA), established under the IRDA Act, 1999, and the Securities and Exchange Board of India (SEBI), which mandate cybersecurity standards to be maintained by their regulated entities, such as banks, insurance companies, telecom service providers and listed entities.

Whistleblower Protection Act, 2014

India has enacted the Whistle Blowers Protection Act, 2014 (“Whistle Blowers Act”), which is applicable only to public servants. It was enacted with the intent to establish a mechanism:

  • To receive complaints relating to disclosure of any allegation of corruption, willful misuse of power/discretion against any public servant;
  • to inquire or cause an inquiry into such disclosure; and
  • to provide adequate safeguards against victimization of the person making such complaint.[38]

The Whistle Blowers Act may be utilized by any person to make a public interest disclosure.[39] An amendment to the aforementioned Act was proposed in the form of the Whistleblowers Protection (Amendment) Bill, 2015 (“Amendment Bill”).[40] The Amendment Bill sought to, inter alia, incorporate necessary safeguards against disclosures which may prejudicially affect the sovereignty and integrity of the country, security of the State, etc.[41] However, the Amendment Bill was not passed by the Rajya Sabha and consequently, it lapsed.[42] Despite the Act not being operationalized, it laid the foundation for whistleblowers protection in India. Since the introduction of the bill in 2011, the ethos of this Act got embodied in the Companies Act, 2013 and is till date being incorporated in existing and new laws.

The Companies Act, 2013

The Companies Act, 2013, and the rules thereunder, provide that a) all listed companies, b) companies which accept deposits from the public, and c) companies which have borrowed money from banks and public financial institutions (PFIs) in excess of Rs. 50 crore should establish a ‘vigil mechanism’ to report genuine concerns.[43] Further, the Companies Act states that such a mechanism should be accompanied by adequate safeguards against the victimization of persons who use the mechanism, and should also provide for direct access to the head of the mechanism (the Chairperson of the Audit Committee) in exceptional cases. There is an additional requirement of publishing the details of the mechanism on the company’s website and in the report of the board of directors.[44] In case of repeated frivolous complaints being filed by a director or an employee, the audit committee or the director nominated to play the role of the audit committee may take suitable action against the director or the employee, including reprimand.[45]

The Companies (Auditor’s Report) Order, 2020 (“CARO 2020”) was issued by the Ministry of Corporate Affairs, in line with its objective of strengthening the corporate governance framework under the Companies Act, 2013. The revisions have also put a greater onus on companies to share information with the auditors, especially on whistleblower complaints received during the course of the year, for the consideration of the auditor, who usually then seeks to know the manner in which the company has dealt with such complaints, including the nature of the complaint and the quantum involved.[46] Therefore, directors and employees can, under this mechanism, blow the whistle on illegal or unethical practices in their organization.

With respect to cybersecurity, the Companies (Management and Administration) Rules, 2014, framed under the Companies Act, 2013, require companies to ensure that electronic records and security systems are secure from unauthorized access and tampering.[47] Concerns of non-compliance with this regulation, or any other cybersecurity concern, can be raised with the vigil mechanism.

Multinational Companies

Multinational companies, and especially their subsidiaries, have incorporated a whistleblower policy as part of extending their global policies, which covers individual employees or groups of employees and in some cases even third parties.[48] Further, companies that are listed on foreign stock exchanges are required to comply with the requirements of the respective foreign laws. For instance, Indian MNCs which are listed on US stock exchanges are required to comply with the requirements of the Sarbanes-Oxley Act, 2002.[49]

  • SECTOR SPECIFIC REGULATIONS

Banking Sector

The Reserve Bank of India (RBI) governs both public and private sector banks. The Protected Disclosures Scheme for Private Sector and Foreign Banks covers all private sector and foreign banks operating in India, as the public sector banks and the RBI (since it is an entity established under a Central statute) have already been brought under the purview of the Government of India scheme.[50] The RBI is the nodal agency to receive complaints under the Scheme[51]. Employees of these banks, customers, stakeholders, NGOs and members of the public can lodge complaints. The complaints under the Scheme cover areas such as corruption, misuse of office, criminal offences, suspected or actual fraud, failure to comply with existing rules and regulations such as the Reserve Bank of India Act, 1934 and the Banking Regulation Act, 1949, and acts resulting in financial loss, operational risk, loss of reputation, etc., detrimental to depositors’ interest or the public interest.[52] If a complaint is found to be vexatious, either the institution or the RBI can take appropriate action.[53] The RBI shall take anti-retaliatory steps if the complainant or witnesses are at risk of being victimized.[54]

The RBI has been one of the first bodies to acknowledge the importance of cybersecurity and has issued various guidelines for ensuring cybersecurity and the handling of cyber fraud within the banking sector. They include: a) the Cyber Security Framework in Banks, prescribing standards to be followed by banks for securing themselves against cybercrimes; b) the Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs), prescribing certain basic cybersecurity controls for primary urban cooperative banks; c) Sharing of Information Technology Resources by Banks – Guidelines, ensuring that privacy, confidentiality, security and business continuity are fully met; d) the Information Technology Framework for the NBFC Sector, 2017, focusing on IT policy, IT governance, information and cybersecurity; and e) the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, prescribing IT policy and outsourcing guidelines and recommendations. These guidelines provide that the RBI can inspect any bank’s cyber-resilience at any time. The RBI has set up a Cyber Security and Information Technology Examination (CSITE) Cell under the Department of Banking Supervision to periodically assess the progress made by banks in the implementation of the cybersecurity framework (CSF) and other regulatory instructions and advisories, through on-site examinations and off-site submissions.

The RBI has an internal ombudsman scheme for commercial banks with more than ten branches as a redressal forum, and has proposed to set up an online portal to investigate and address cybersecurity concerns and complaints.[55] It has also released the Guidelines for Payment Gateways and Payment Aggregators, and has directed payment aggregators to put in place adequate information and data security infrastructure and systems for the prevention and detection of fraud. It has specifically recommended the implementation of data security standards including logical access controls to data, systems, application software, utilities, telecommunication lines, libraries and system software; using a proxy-server type of firewall; using secure sockets layer (SSL) for server authentication; and encrypting sensitive data, such as passwords, in transit within the enterprise itself. The RBI specifically mandates that connectivity between the gateway of the bank and the computer system of the member bank should be achieved using a leased line network (and not through the internet) with an appropriate data encryption standard, and that 128-bit SSL encryption must be used as a minimum level of security.[56] Banks need to report any cybersecurity incident within 2-6 hours. Delay in reporting these, or in flagging loan frauds, could result in heavy penalties and bankers being charged with abetting the criminal offences.[57] The RBI also obtained ISO 27001 certification in August 2019 for three of its data centers, to ensure administration and protection of key ICT infrastructure in consonance with globally accepted norms, and mandates banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards for ensuring adequate protection of critical functions and processes.[58] The RBI regularly conducts audits and enquiries into the banks’ security frameworks.

For instance, the RBI has recently imposed monetary penalties of INR 3 crore (approximately USD 421,000) on SBM Bank (India) Ltd., INR 1 crore (approximately USD 140,000) on Corporation Bank and INR 1 crore (approximately USD 140,000) on Union Bank of India, for non-compliance with certain RBI directions, including non-compliance with the cybersecurity framework in banks.[59] As is evident, the RBI has a strong cybersecurity framework which is helping to ensure cybersecurity in the banking sector even with the ever-growing cyberthreats in the country. Disclosures of any non-compliance with regulations relating to cybersecurity are very significant for this cybersecurity framework to remain strong, and the RBI has rightly encouraged them under the Protected Disclosure Scheme.

Insurance Sector

The Insurance Regulatory and Development Authority (IRDA) is the nodal agency for governance and regulation of the insurance sector in India.[60] The Corporate Governance Guidelines of 2016 of the IRDA provide that all insurance companies put in place a “Whistle Blower” policy, whereby mechanisms exist for employees to raise concerns internally about possible irregularities, governance weaknesses, financial reporting issues or other such matters. Through this mechanism an employee brings that information to the management or to a third party.[61] The policy is needed to ensure that the reports received are handled confidentially, with independent assessment, investigation and, where necessary, appropriate follow-up action, together with a robust anti-retaliation policy to protect employees who make reports in good faith.[62] The appointed actuary and the statutory/internal auditors have the duty to ‘whistle blow’, i.e., to report in a timely manner to the IRDAI if they are aware that the insurance company has failed to take appropriate steps to rectify a matter which has a material adverse effect on its financial condition. This would enable the IRDAI to take prompt action before policyholders’ interests are undermined.[63]

The IRDA has recognized cybersecurity as a growing concern and laid down various regulations under which insurers are required to: a) maintain total confidentiality of policyholder information, unless it is legally necessary to disclose the same to statutory authorities[64]; b) ensure that (i) the system in which the policy and claim records are maintained has adequate security features, and (ii) the records pertaining to policies issued and claims made in India (including the records held in electronic form) are held in data centers located and maintained in India[65]; and c) ensure that (i) the outsourcing service provider has adequate security policies to protect the confidentiality and security of policyholder information, (ii) information and data parted to outsourcing service providers remain confidential, and (iii) customer data is retrieved, with no further use of the same by the service provider, once the outsourcing agreement is terminated.[66]

If an action is to be taken against an insurance company for non-compliance with the above-mentioned regulations or any other regulations in the interest of cybersecurity and data security, the whistle blower mechanism should protect whistle blowers.

Securities

SEBI provides under the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 that the listed entity shall devise an effective whistle-blower mechanism enabling stakeholders, including individual employees and their representative bodies, to freely communicate their concerns about illegal or unethical practices.[67] The listed entity shall further disseminate the details of the establishment of the Vigil Mechanism / Whistle-blower Policy on its website.[68] The Audit Committee shall review the functioning of the Vigil Mechanism / Whistle-blower Policy of the company.[69] Schedule V of the Corporate Governance Report provides that the Annual Report should contain a separate section on Corporate Governance Disclosure. The Corporate Governance Report should make a specific disclosure of the details of the establishment of the Vigil Mechanism / Whistle-blower Policy, and an affirmation that no personnel has been denied access to the Audit Committee.[70] SEBI requires stock exchanges, depositories and clearing corporations to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.[71] Whistleblowing relating to cybersecurity compliance under these standards, and other compliance matters of importance to cybersecurity, can be done within listed entities under this vigil mechanism.

Non-regulated Sectors

The Personal Data Protection Bill, introduced in India’s parliament in December 2019, sets rules for how personal data should be processed and stored and proposes to create an independent new Indian regulatory authority, the Data Protection Authority (DPA), to carry out this law. Almost all businesses across India’s economy will have to meet the bill’s hefty new compliance requirements. This will include not just e-commerce, social media, and IT companies, but also brick-and-mortar shops, real estate companies, hospitals, and pharmaceutical companies. The only exceptions will be “small entities” (businesses like small retailers that collect information manually and meet other conditions to be specified by the DPA). The bill allows consumers to transfer their data, including any inferences made by businesses based on such data, to other businesses. All companies would have to develop ways for consumers to do this.[72] Meeting these compliance requirements means that businesses will have to ensure the cybersecurity of this data under regulations similar to those already existing in the country. Whistleblowing regulations are one such necessary policy requirement for these businesses to cope with the sudden intensification of cybersecurity standards.

  • COMBATING CURRENT AND FUTURE CHALLENGES

The most recent challenge to pose a problem globally is the sudden increase in cyber threats since the pandemic. The current cybersecurity laws, which seem adequate today, might lack the durability to withstand the ever-evolving nature of cyber-attacks. It is time for the government to build a holistic cybersecurity policy and establish cyber defense organizations to ensure and lead the country to a safe, secure, and resilient digital future and place it in the highest echelons of cyber leadership.[73] To combat these inconsistencies, it is the need of the hour to promote whistleblowing. While whistleblowing laws cover most of the cybersecurity concerns and compliance requirements as of today, there is a need for a comprehensive law specifically for cybersecurity whistleblowing. The RBI has been active and has ensured robust measures to keep the cybersecurity of financial institutions in step with technological advances. It is vital for other sectors to emulate the initiative of the RBI and strike the balance between a conducive atmosphere for whistleblowing and strict compliance with regulations.

  5. CONCLUSION

Even though the existing whistleblowing laws are strong and cover cybersecurity to the extent of covering the cybersecurity compliance requirements under various regulatory provisions, these need to be kept up to date as the times change. There are a couple of areas that need attention, starting with making amendments to the IT Act, 2000, organizing a cyber commando force, building a cyber defense infrastructure, providing rigorous training for cyber cadets, spreading awareness and, most importantly, welcoming the concept of cybersecurity whistleblowing so as to bring forth unethical cyber criminals and facilitate the smooth functioning of cybersecurity. While India is focusing on eliminating cyber-attacks that are only multiplying due to this pandemic, the bright side is that the cybersecurity market could prove to be a very lucrative business, as it is expected to grow exponentially if reports are to be believed. It is imperative for the government and companies alike to join forces and make stringent, holistic laws in order to prosper, and the only way to achieve that is by introducing the concept of, and regulations on, cybersecurity whistleblowing rather than relying on the existing laws alone.


[1] University of Mumbai Law Academy.

[2] Section 2(1)(nb), Information Technology Act, 2000.

[3] Thelaw.com Law Dictionary and Black’s Law Dictionary, 2nd ed.

[4] Accenture, “COVID-19: Managing the human and business impact of coronavirus,” 2020. Accessed at https://www.accenture.com/my-en/about/company/coronavirusbusiness-economic-impact.

[5] BBC News, “Coronavirus: Fake News purveyor to help fight misinformation.” Accessed at https://www.bbc.com/news/uk-england-essex51929424.

D. Nelson, “Thieves Swindle $2M From Coronavirus Preppers with Hand Sanitizer, Face Mask Scams.” URL: https://www.coindesk.com/thieves-swindle-2m-from-coronavirus-prepperswith-hand-sanitizer-face-mask-scams

[6] “Cybersecurity Whistleblowing in a Pandemic,” www.securitymagazine.com, accessed August 15, 2020, https://www.securitymagazine.com/articles/92243-cybersecurity-whistleblowing-in-a-pandemic.

[7] ibid

[8] Threat Intelligence Team, “Cybercriminals Impersonate World Health Organization to Distribute Fake Coronavirus E-Book,” Malwarebytes Labs, March 18, 2020, https://blog.malwarebytes.com/social-engineering/2020/03/cybercriminals-impersonate-world-health-organization-to-distribute-fake-coronavirus-e-book/.

[9] Europol, “Pandemic Profiteering: How Criminals Exploit COVID-19 Crisis,” 2020, https://www.europol.europa.eu/publicationsdocuments/pandemic-profiteering-how-criminalsexploit-covid-19-crisis

[10] Norton, “Coronavirus Phishing Emails: How to Protect Against COVID-19 Scams,” 2020, https://us.norton.com/internetsecurity-online-scamscoronavirus-phishing-scams.html

[11] M. Humayun, M. Niazi, N. Z. Jhanjhi, M. Alshayeb, and S. Mahmood, “Cyber Security Threats and Vulnerabilities: A Systematic Mapping Study,” Arab. J. Sci. Eng., pp. 1–19, 2020.

[12] Threat Intelligence Team, “Cybercriminals Impersonate World Health Organization to Distribute Fake Coronavirus E-Book,” Malwarebytes Labs, March 18, 2020, https://blog.malwarebytes.com/social-engineering/2020/03/cybercriminals-impersonate-world-health-organization-to-distribute-fake-coronavirus-e-book/.

[13] Rachna Buch, Dhatri Ganda, Pooja Kalola et al., “World of Cyber Security and Cybercrime,” Recent Trends in Programming Languages, 2017; 4(2): 18–23.

[14] Rayne Reid, Johan Van Niekerk, “From information security to cyber security cultures,” Information Security for South Africa (ISSA), IEEE, 2014.

[15] “Cybersecurity,” www.itu.int, accessed August 15, 2020, https://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx

[16] J. W. Han, O. J. Hoe, J. S. Wing, and S. N. Brohi, “A conceptual security approach with awareness strategy and implementation policy to eliminate ransomware,” in Proceedings of the 2017 International Conference on Computer Science and Artificial Intelligence, 2017, pp. 222–226.

[17] E. Boateng & F. Boaten, “Bring your own device: An evaluation of associated risks to corporate information security.” Accessed at https://www.researchgate.net/publication/307904278_Bring-Your-Own-Device_BYOD_An_Evaluation_of_Associated_Risks_to_Corporate_Information_Security

[18] “17 Types of Cyber Attacks To Protect Against in 2019,” PhoenixNAP Global IT Services, 2019, https://phoenixnap.com/blog/cyber-security-attack-types

[19] “Cyber Extortion: An Industry Hot Topic,” CIS, November 23, 2016. Accessed at https://www.cisecurity.org/blog/cyber-extortion-an-industry-hot-topic/

[20] ibid

[21] Interpol, “COVID-19 cyberthreats,” 2020. [Online]. Accessed at https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats

[22] “17 Types of Cyber Attacks To Protect Against in 2019,” PhoenixNAP Global IT Services, 2019, https://phoenixnap.com/blog/cyber-security-attack-types

[23] Aprajita Rana, “India: Cybersecurity Comparative Guide.” Accessed at https://www.mondaq.com/india/technology/963026/cybersecurity-comparative-guide

[24] “17 Types of Cyber Attacks To Protect Against in 2019,” PhoenixNAP Global IT Services, 2019, https://phoenixnap.com/blog/cyber-security-attack-types

[25] Sonal Nagpal, “Whistleblowing mechanism in India,” ISSN 2248-9878, Volume 3, Number 8 (2013), pp. 855–860. Accessed at https://www.ripublication.com/gjmbs_spl/gjmb

[26] Erika Collins and Marjorie Culver, Paul Hastings Janofsky & Walker, “On Rights and protection of whistleblowers.” Accessed at https://uk.practicallaw.thomsonreuters.com/2-203 2258?transitionType=Default&contextData=(sc.Default)&firstPage=true

[27] Alexis Ronickher and Matthew LaGarde, “Cybersecurity Whistleblowing.” Accessed at https://www.kmblegal.com/sites/default/files/cybersecurity-whistleblower-protection-guide.pdf

[28] ibid

[29] D. Hammar and J. Zukerman, “Cybersecurity Whistleblowers.” Accessed at https://www.zuckermanlaw.com/protections-and-rewards-for-cybersecurity-whistleblowers/

[30] Dallas Hammar and Jason Zukerman, “DATA Act 2020.” Accessed at https://www.natlawreview.com/article/senate-data-privacy-bill-would-provide-robust-protection-to-data-privacy

[31]Gary Martin, “‘Whistle-Blower’ – the Meaning and Origin of This Phrase,” Phrasefinder, accessed August 15, 2020, https://www.phrases.org.uk/meanings/whistle-blower.html

[32] ibid

[33] Sonal Nagpal, “Whistleblowing mechanism in India,” ISSN 2248-9878, Volume 3, Number 8 (2013), pp. 855–860. Accessed at https://www.ripublication.com/gjmbs_spl/gjmb

[34]Devika, “Whistleblowing in India: The Way Forward,” SCC Blog, September 7, 2019, https://www.scconline.com/blog/post/2019/09/07/whistleblowing-in-india-the-way-forward/

[35]Devika, “Whistleblowing in India: The Way Forward,” SCC Blog, September 7, 2019, https://www.scconline.com/blog/post/2019/09/07/whistleblowing-in-india-the-way-forward/

[36] “An Indian Perspective on Whistleblowing,” www.accdocket.com, accessed August 16, 2020, https://www.accdocket.com/articles/an-indian-perspective-on-whistleblowing.cfm

[37] ibid

[38] Preamble, Whistle Blowers Protection Act, 2014.

[39] A disclosure is defined as a complaint relating to:

(i) an attempt to commit or commission of an offence under the Prevention of Corruption Act, 1988(49 of 1988);

(ii) willful misuse of power or willful misuse of discretion by virtue of which demonstrable loss is caused to the Government or demonstrable wrongful gain accrues to the public servant or to any third party; 

(iii) attempt to commit or commission of a criminal offence by a public servant, made in writing or by electronic mail or electronic mail message, against the public servant and includes public interest disclosure.

[40] The Whistleblowers Protection (Amendment) Bill, 2015.

[41] Statement of Objects and Reasons, The Whistleblowers Protection (Amendment) Bill, 2015.

[42] Bhavana Sunder, Payel Chatterjee and Sahil Kanuga on Whistleblowing in India: Are we there yet? Accessed at: http://www.nishithdesai.com/information/research-and-articles/nda-hotline/nda-hotline-single-view/article/whistleblowing-in-india-are-we-there-yet.html?no_cache=1&cHash=b5747c0cd8db654635cb5ee27689acaa

[43] Section 177(9), The Companies Act, 2013

[44] Section 177(10), The Companies Act, 2013 and Rule 7, The Companies (Meetings of Board and its Powers) Rules, 2014.

[45] Rule 7, The Companies (Meetings of Board and its Powers) Rules, 2014

[46] Bhavana Sunder, Payel Chatterjee and Sahil Kanuga on Whistleblowing in India: Are we there yet? Accessed at: http://www.nishithdesai.com/information/research-and-articles/nda-hotline/nda-hotline-single-view/article/whistleblowing-in-india-are-we-there-yet.html?no_cache=1&cHash=b5747c0cd8db654635cb5ee27689acaa

[47] Rule 28, The Companies (Management and Administration) Rules 2014

[48] Bhavana Sunder, Payel Chatterjee and Sahil Kanuga on Whistleblowing in India: Are we there yet? Accessed at: http://www.nishithdesai.com/information/research-and-articles/nda-hotline/nda-hotline-single-view/article/whistleblowing-in-india-are-we-there-yet.html?no_cache=1&cHash=b5747c0cd8db654635cb5ee27689acaa

[49] CS M. Kurthalanathan on Whistle-Blowing/ Vigil Mechanism Under Companies Act, 2013, Accessed at: https://taxguru.in/company-law/whistleblowing-vigil-mechanism-companies-act-2013.html

[50] Para 2.5 Annex, Protected Disclosures Scheme for Private Sector and Foreign Banks, Accessed at: https://rbidocs.rbi.org.in/rdocs/Content/PDFs/76875.pdf

[51] Para 2.2, Annex, Protected Disclosures Scheme for Private Sector and Foreign Banks, Accessed at: https://rbidocs.rbi.org.in/rdocs/Content/PDFs/76875.pdf

[52] ibid

[53] Para 2.6, Annex, Protected Disclosures Scheme for Private Sector and Foreign Banks, Accessed at: https://rbidocs.rbi.org.in/rdocs/Content/PDFs/76875.pdf

[54] Para 3.9, 3.10, Annex, Protected Disclosures Scheme for Private Sector and Foreign Banks, Accessed at: https://rbidocs.rbi.org.in/rdocs/Content/PDFs/76875.pdf

[55] Anoop Narayan, Priyanka Gupta and Shree Mishra on Cybersecurity. 2020, Accessed at: https://practiceguides.chambers.com/practice-guides/cybersecurity-2020/india

[56] Aprajita Rana and Rohan Bagai, AZB Partners on Cybersecurity in India, Accessed at: https://www.lexology.com/library/detail.aspx?g=4cd0bdb1-da7d-4a04-bd9c-30881dd3eadf

[57] Report cyber-attacks in 6 hrs: RBI to banks, Accessed at: http://timesofindia.indiatimes.com/articleshow/56943496.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[58] Aprajita Rana and Rohan Bagai, AZB Partners on Cybersecurity in India, Accessed at: https://www.lexology.com/library/detail.aspx?g=4cd0bdb1-da7d-4a04-bd9c-30881dd3eadf

[59] Anoop Narayan, Priyanka Gupta and Shree Mishra on Cybersecurity. 2020 Accessed at: https://practiceguides.chambers.com/practice-guides/cybersecurity-2020/india

[60] Anoop Narayan, Priyanka Gupta and Shree Mishra on Cybersecurity. 2020 Accessed at: https://practiceguides.chambers.com/practice-guides/cybersecurity-2020/india

[61] CS Deepak Singh on Whistle blower Policy in Insurance Companies, Accessed at: https://taxguru.in/company-law/whistle-blower-policy-insurance-companies.html

[62] Guideline 12.1 Corporate Governance Guidelines for Insurers in India, 2016

[63] Guideline 12.2 Corporate Governance Guidelines for Insurers in India, 2016

[64] Regulation 19(5), IRDAI (Protection of Policyholders’ Interests) Regulations, 2017

[65] Regulation 3(3)(b), 3(9), IRDAI (Maintenance of Insurance Records) Regulations, 2015

[66] Regulation 12, IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017

[67] Regulation 4(2)(d)(iv), SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

[68] Regulation 46(2)(e), SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015

[69] Regulation 18(3), SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, read with Part C, Role of Audit Committee and Review of Information by the Audit Committee

[70] CS Deepak Singh on Whistle blower Policy in Insurance Companies, Accessed at: https://taxguru.in/company-law/whistle-blower-policy-insurance-companies.html

[71] Aprajita Rana and Rohan Bagai, AZB Partners on Cybersecurity in India, Accessed at: https://www.lexology.com/library/detail.aspx?g=4cd0bdb1-da7d-4a04-bd9c-30881dd3eadf

[72] Anirudh Burman and Suyash Rai on What Is in India’s Sweeping Personal Data Protection Bill? Available at: https://carnegieindia.org/2020/03/09/what-is-in-india-s-sweeping-personal-data-protection-bill-pub-80985

[73] Braj Mohan Chaturvedi, “Bring Robust Cybersecurity Policy,” Telangana Today, accessed August 15, 2020, https://telanganatoday.com/bring-robust-cybersecurity-policy.