Posted on 08-May-2015

Cyber Crime & Corporate Liability

Sagar RahurkarAsian School of Cyber Laws

Timeline

• 17th October, 2000 – Information Technology Act, 2000 came into force.

• 19th September, 2002 – Information Technology (Removal of Difficulties) Order, 2002 came into force, rectifying minor errors in the Act.

• 21st November, 2002 – Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002 came into force.

• 17th March, 2003 – Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 came into force.

• 27th October, 2009 – Information Technology (Amendment) Act, 2008 came into force.

Data Privacy & Protection laws

Section 43(A)

• Liability imposed on corporate bodies handling “sensitive personal information”

• Call centres, BPOs, etc. are under the legal scanner to ensure adoption of reasonable security practices to maintain secrecy of data

• Nadeem Kashmiri’s case (credit card fraud)

• Damages – Unlimited

Issues raised

• Section 43 (A)

• Have you defined the various components of “sensitive personal data or information” vis-à-vis users/customers?

• Do you have a security policy? Is it documented?

Sec 72(A) (Criminal offence)

• Punishment for disclosure of information in breach of lawful contract

• Any person including an intermediary who, while providing services under a lawful contract, has secured access to any material containing “Personal Information” about another person, and discloses such information knowingly or intentionally

• Imprisonment up to 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)

Issues raised

• Section 72(A)

• Do you have an adequate privacy policy?

• Have you provided an opt-in/opt-out clause in your privacy policy?

Section 66(B)

• Dishonestly receiving stolen computer resource or communication device

• Covers use of stolen computers, mobile phones, SIM cards, etc.

• Also covers “data theft”

• Punishment – imprisonment up to 3 years and fine

Here, “Computer resource” means:

• Computer, computer system, computer network, data, computer data base or software

Sec. 65 – Tampering with Source Code

• Whoever steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage

• Punishment – Imprisonment up to 3 years or fine up to Rs. 2 Lakh or both

• Additionally, provisions of the Copyright Act will also apply

• Sec. 43(j) Punishment – Damages by way of compensation

Access related issues

• Section 43 - Unauthorized Access

• Unlimited damages can be claimed

• Up to Rs. 5 Crore – Adjudicating Officer

• Above Rs. 5 Crore - Civil Court

Hacking & related aspects

Section 66

• Under the IT Act, 2008, all the acts referred to under Section 43 are also covered u/Sec. 66 if they are done “dishonestly” or “fraudulently”

SPAM – Sec. 66(A)

• Sending of offensive or false messages

• Any message sent by means of a computer resource or communication device for causing annoyance or inconvenience, or to deceive or mislead the addressee or recipient about the origin of such message

• Punishment – imprisonment up to 3 years and fine

Section 66(A)

• Covers the following when sent by SMS / e-mail:

• grossly offensive and menacing messages

• false information sent for causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will

• Phishing, E-mail Spoofing, Spam mails, Threat E-mails, etc.

Identity theft – Sec. 66(C)

• Fraudulently or dishonestly using someone else’s electronic signature, password or any other unique identification feature

• Punishment – imprisonment up to 3 years and fine

Cheating by personation

• Sec. 66(D)

• Cheating by pretending to be some other person by using a computer resource

• Sec. 415 and 416 IPC relevant to prove “Cheating” and “Cheating by Personation”

• Punishment – imprisonment up to 3 years and fine

E-Signature

Legal recognition of e-signature

• The IT Act, 2008 introduces the concept of “electronic signatures” in addition to digital signatures

• Electronic signature is a wider term covering digital signatures, biometric authentication, etc.

• It takes a technology-neutral approach and is not bound by any specific technology.

Types of electronic signatures

• based on the knowledge of the user or the recipient, e.g. passwords, personal identification numbers (PINs)

• based on the physical features of the user (e.g. biometrics)

• based on the possession of an object by the user (e.g. codes or other information stored on a magnetic card)

• scanned handwritten signatures

• signature by means of a digital pen

• clickable “OK” or “I accept” boxes

• Digital signatures within a public key infrastructure (PKI)

• Hybrid solutions like the combined use of passwords and secure sockets layer (SSL)

Law relating to intermediaries

Preservation of information by intermediaries

• Section 67(C) – new provision

• Intermediary shall preserve and retain information as may be specified for such duration and in such manner and format as the Central Government may prescribe

Issues raised

• Section 67(C)

• Do you have an electronic record preservation and retention policy?

Liability of Intermediary

• Section 79

• Intermediary not to be liable for any third party information, data, or communication link made available or hosted by him.

• Intermediary needs to prove that he did not –

• Initiate the transmission,

• Select the receiver of the transmission, and

• Select or modify the information contained in the transmission

• Intermediary to observe “due diligence” while discharging his duties under the Act.

Power of Government

Sec 69

• Power to issue directions for interception or monitoring or decryption of any information through any computer resource

• Non-compliance – up to 7 years imprisonment

Sec 69(A)

• Power to issue directions for blocking public access to any information through any computer resource

• Non-compliance – up to 7 years imprisonment

Sec 69(B)

• Power to authorise the monitoring and collection of traffic data or information through any computer resource for cyber security

• Govt. can authorise any Govt. agency to do so

• Intermediaries to provide all assistance

• Non-compliance – up to 3 years imprisonment

Issues raised

• Section 69(B)

• Have you adopted/established any procedure and safeguard for monitoring and collecting traffic data or information? Is it documented?

Govt. can issue such directions u/Sec. 69, 69(A) & (B) if it is necessary or expedient so to do in the interest of:

• sovereignty and integrity of India,

• defence,

• security of the State,

• friendly relations with foreign states or

• public order or

• for preventing incitement to the commission of any cognizable offence

Offences by companies

• Sec. 85

• If a company commits any offence under this Act:

• Directors, or

• Persons in charge of and responsible for the affairs of the company

• Shall be liable for the contravention & punishment

CERT-In

• Section 70(B) – Indian Computer Emergency Response Team (CERT-In) to serve as national agency for incident response

Issues raised

• Section 70(B)

• Do you have a documented procedure to comply with the requests of CERT-In regarding cyber security incidents?

Banks and Data Protection Illustrations

• Master Circular on Credit Card operations (as amended up to July 1, 2009):

• Protection of customer rights

• Right to privacy

• Customer confidentiality

• Card issuing bank to maintain a Do Not Call Registry (DNCR) of customers as well as non-customers

• Banks can be held liable under Section 66A(c) if they breach the DNCR:

“any electronic mail or message for the purpose of causing annoyance or inconvenience”

• The bank should not engage telemarketers, DSAs/DMAs, who do not have a valid registration certificate from DoT.

• Harsh Pathak vs. Union of India & Ors. – the Hon’ble Supreme Court passed directions in a PIL that “any telemarketer who is not registered with (DoT) should not be permitted to operate the telemarketing services.”

Email: sr@asianlaws.org

Website: www.asianlaws.org

Phone : 09225548605
