Protection of Personal Information & Sensitive personal data or information in India
Meaning of personal information
Personal information means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
Meaning of “Sensitive personal data or information”
As per the law, “Sensitive personal data or information” of a person includes information relating to:
- Passwords;
- Financial information such as bank account or credit card or debit card or other payment instrument details;
- Physical, physiological and mental health condition;
- Sexual orientation;
- Medical records and history;
- Biometric information.
Right to privacy protection in India
The Supreme Court of India has also ruled that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. Currently, there is no express legislation governing data protection or privacy. However, the Government of India has released a White Paper on a Data Protection framework for India, and the law is expected to be formulated soon. Further, the Data (Privacy and Protection) Bill, 2017 was also introduced in the Lok Sabha in July 2017.
Laws governing the issues relating to the misuse of personal data and information in cases of transactions carried out by means of electronic communication in India
The following two acts govern the said issues under the current regime:
- the Information Technology Act, 2000.
- Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Laws related to the protection awarded to “sensitive” personal data and information in India
Whether any specific protection has been awarded to “sensitive” personal data and information handled by companies?
Yes, the law prescribes a penalty where a body corporate handling any sensitive personal data or information in a computer resource owned or operated by it is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person.
Whether any protection is available in cases where a person has secured access to personal information of a person without the person’s consent?
Yes, the law prescribes a penalty where a person who has secured access to any material containing personal information about another person discloses it without the consent of the person concerned, with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain.
Whether the government can intercept the information stored in any computer resource?
Yes, the government can intercept any information generated, transmitted, received or stored in any computer resource where it is satisfied that the same is necessary in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States, public order, for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.
Whether the law prescribes any punishment for disclosure of information without consent?
Yes, the law prescribes a penalty where any person has obtained access to any electronic record, book, register, correspondence, information, document or other material, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain, and discloses such information to any other person without the consent of the person concerned.
Whether the law prescribes any punishment for disclosure of information in breach of lawful contract?
Yes, the law prescribes a penalty for any person who, while providing services under the terms of a lawful contract, has secured access to any material containing personal information about another person and discloses it without the consent of the person concerned, or in breach of the lawful contract, with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain.
To know more about Cyber laws in India
For more information on laws related to protection of personal information and “sensitive” personal data and information in India, please write to us at: info@ssrana.com.
ADJUSTED GROSS REVENUE (AGR) – PAYABLE BY TELECOM COMPANIES
India has one of the largest markets in the Telecom sector. However, some of the major Telecom giants in India are under huge debt, on account of extremely cheap services offered by their rival, Reliance Jio. While the major chunk of telecom firms were battling against Reliance Jio, another hurdle – Adjusted Gross Revenue (AGR) – came their way.
What is Adjusted Gross Revenue (AGR)?
Adjusted Gross Revenue (AGR) is primarily a form of tax, as the term suggests, collected from two core and basic charges, i.e. usage and licensing fees with respect to Telecom services. Whether AGR must also include other revenues that are collected from its assets (such as taxes generated from non-core activities and business performed by Telecom Industries) has been an issue and topic of discussion over the years. Due to the disputed definition and vague interpretation of the term AGR, the Telecom companies have been filing cases since 2005 urging the Hon’ble Supreme Court to lay down a proper and precise definition of AGR. In general terms, AGR can be defined as the part of revenue collected from telecom service providers by the Government of India as License Fee (8% of revenue) and Spectrum Usage Charge (SUC, which is between 3 and 5% of revenue). The debate centres on which sources of income must be taxed.
The Government has been adamant about including all sorts of revenue earned by a telecom service provider in AGR. This includes revenue generated from non-core sources too, such as dividend income, sale of fixed assets, rent, corporate deposits etc. The telecom service providers, on the other hand, suggest that it should comprise only revenue arising out of telecom services. On October 24, 2019, the Hon’ble Supreme Court in the case of Union Of India vs Association Of Unified Telecom widened the definition of AGR and supported the Government’s view, including all revenues, even those arising out of non-core sources.
Consequently, the Hon’ble Supreme Court discarded the definition of AGR as proposed and contended by the telecom companies and ordered them to conform to the demands of Department of Telecom (DoT) i.e., to pay the calculated and proposed AGR of more than Rs 1 lakh crore. The Apex Court decided to include all revenues generated by telecom companies, except for termination fee and roaming charges, within the definition of AGR.
Recent Developments in AGR case
Recently, the Hon’ble Supreme Court, in In Re: Mandar Deshpande, SMC C Nos. 1/2020, held that it shall not adjudicate further upon objections over re-assessment of AGR with respect to the decision of the Supreme Court passed on October 24th, 2019. The Apex Court ordered insolvency details from Reliance Communications, Sistema, Shyam Teleservices and Videocon within a stipulated time. The rationale behind doing so was to ascertain that the provisions under the IBC are not being tainted or misrepresented by companies in order to escape legal consequences and thereby liabilities. The Supreme Court, considering the plea by the Department of Telecommunications, permitted settlement of AGR dues in staggered installments over a period of 20 years, the total amount coming to Rs. 92,642 crore.
On August 10 and 14, 2020 the Hon’ble Supreme Court ruled that the Government needs to form a systematic plan on how to recover AGR dues from bankrupt and insolvent telecom service providers. Interestingly, a new issue emerged with respect to spectrum usage of insolvent companies. Looking at the facts of the case, Reliance Communications Limited entered into a spectrum sharing pact with Reliance Jio in the year 2016. Reliance Communications Limited is declared insolvent, leading to another issue, whether Reliance Jio is liable to pay taxes (AGR dues) with regard to spectrum usage of the former, although Reliance Jio has settled its own dues. The Supreme Court has therefore ordered all the telecom companies to furnish details with respect to insolvency and sale of assets if any.
Reportedly, according to the hearing held on August 17, 2020[3], the debate is ongoing over two prime issues, i.e. the different legal aspects behind sharing and trading of spectrum, and whether it can be sold. The Learned Solicitor General of India contended that spectrum, being an asset of the general public, cannot be sold. He further contended that the Insolvency and Bankruptcy Code, 2016 does not include spectrum within the ambit of the definition of asset. Hence, the dispute is ongoing on issues pertaining to trading and sharing of spectrum, and whether spectrum can be considered an asset under the IBC and thereby sold. The Hon’ble Supreme Court has also ordered DoT to furnish details of the bifurcation of AGR dues with respect to telecom companies.
Whole AGR Dispute and Timeline of events
S. No | Date of Event | Event | Conclusion and Reasoning |
1. | 1999 | The telecom service providers and operators had to share a part percentage of their AGR with the Government in the name of spectrum usage charges (SUC) and annual license fee (LF). | Under the old customary law Telecos were supposed to pay a fixed annual license fee but they defaulted in payments. Consequently, National Telecom Policy was enacted by the NDA Government providing option to Telecos to either pay annual fixed license fee or 15% of the AGR. Later, the same was reduced to 13% and 8%. |
2. | Before 2003 | The license fee and spectrum usage charges were fixed at 8% and 3-5% of the total AGR respectively | According to the license agreements between Department of Telecommunications(DoT) and Telecom service providers/companies, usage charges were fixed as per the agreement. |
3. | 2003 | Earlier revenue was levied only on Telecom services but DoT claimed the share over total earnings by Telecom companies under AGR. | Subsequently, Telecos objected to such claim made by DoT and filed a suit against it for illicitly altering and modifying the definition of AGR. (dividend, installation cost, insurance claim etc were added) |
4. | 2005 | Cellular Operators Association of India (COAI) objected to the Government’s (DoT) definition of AGR and filed a case against it. | The dispute over definition of AGR led to formation of TRAI (Telecom Regulatory Authority of India) and TDSAT (Telecom Disputes Settlement and Appellate Tribunal). |
5. | 2007 | On August 30, 2007 the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) passed the verdict in favor of Telecom industries narrowing the scope of the definition of AGR and restricting it to revenue to be levied only on Telecom services and not on non-core activities. | DoT appealed to the Supreme Court against the order passed by TDSAT. The appeal was dismissed and sent back to TDSAT for consideration. TDSAT reiterated its earlier verdict. Interestingly, the judgment passed was applicable to only those Telecos or members of AUSPI (Association of Unified Telecom Service Providers of India) who had approached TDSAT. Meanwhile, a review Petition was filed by COAI and AUSPI claiming that the verdict passed on 30th August 2007 by TDSAT, be made applicable to all the registered members of the associations. |
6. | 2011 | The Hon’ble Apex Court on October 11, 2011 set aside the verdict passed by TDSAT. | As per the verdict passed, licensees were permitted to question and thereby challenge any demand before TDSAT, in regard to the merits of claim and decide if it was in accordance with the license agreement and in tune with the AGR definition. Eventually, Telecom companies challenged the verdict so passed questioning the rationale behind license fee demand. |
7. | 2015 | TDSAT passed the verdict in favor of Telecom companies and ruled that the definition of AGR includes all revenues except those extracted or earned out of non-core activities and sources, capital receipts, insurance claim, gain on sale of assets and miscellaneous. | DoT appealed against the judgment passed by TDSAT in the Supreme Court. |
8. | 2019 | On October 24, 2019 the Supreme Court set aside the order passed by TDSAT and upheld the definition of AGR as contended by Department of Telecommunications. | The Hon’ble Supreme Court reserved the judgment so passed by stating that it shall not entertain any objections as to re-assessment of claims and dues. Moreover, considering the plea by the Department of Telecommunications, the Supreme Court permitted settlement of AGR dues in staggered installments over a period of 20 years, the total amount coming to Rs. 92,642 crore. |
[1] MANU/SC/1468/2019
[2] https://main.sci.gov.in/supremecourt/2020/7388/7388_2020_33_1_22629_Order_18-Jun-2020.pdf
MANU/SCOR/30650/2020
MANU/SCOR/30055/2020
ONLINE SCAMS IN INDIA – LEGAL ACTION
Understanding the cyber crime of Online Scams and online frauds in India and the legal actions that can be taken under Indian laws
Meaning of Online Scam
Online scams or internet frauds in India can be understood as an illegal plan for making money, especially one that involves deceiving, defrauding and tricking people.[1] It is a term used to define any fraudulent business practice or scheme performed by an individual or company so as to obtain money or something valuable illegally. In recent times, most of the scams taking place are internet scams, particularly online frauds in banking. Especially during Covid-19, when almost all activities are taking place online, these scams are increasing with each passing day.
Some internet fraud examples taking place are as follows:
- Donation scams/Fake charities– Some people claim that they need financial assistance for medical reasons or even for basic necessities. Many of these claims can be real, but this has also become a way of scamming people by creating fake accounts on donation sites to collect money. Scammers impersonate genuine charity organizations and ask for donations.
- Auction Scam– Some scammers might claim to sell tickets for a match or a concert on online auction sites, but the tickets might not be authentic.
- Fake prizes– A scammer claims that the victim has won a non-existent prize and takes personal details from the victim by convincing the victim that such details need to be shared to claim the prize.
- Phishing– This is the most common type of scam and has been used widely of late. Scammers use deceptive e-mails and websites as a weapon to gather personal information. The aim is to trick the email recipient into accepting that the mail received is regarding something they want or need. Phishing is basically a cyber attack which steals user data, including login credentials, passwords and credit card numbers. Once an attacker posing as a trusted entity deceives a victim into opening the mail, instant message, text message or any malicious link attached to these messages, it can lead to the installation of malware, the freezing of the system or the revealing of sensitive information.
- Fake Shopping websites– Scammers may create websites that look genuine or that replicate existing retailer websites. These fake websites might offer deals that are too good to be true; the deals lure customers into purchasing the fake items.
- Threat Scam– A scammer might threaten to embarrass or injure the victim or his family members unless a certain amount of money is paid. The scammers might gather personal details from social media websites.
Legal Provisions & Combating Online Scams in India
Types of Online Frauds in India
The Information Technology Act, 2000[2].
- Section 66D– Punishment for cheating by personation by using computer resource: “Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.” When an attacker by means of any computer resource or communication device cheats by personation, the abovementioned section will be attracted. The maximum punishment under this section is imprisonment of up to three years and fine up to Rupees One Lakh. For example- Phishing.
- Section 43– Penalty and compensation for damage to computer, computer system, etc: “If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage shall be liable to pay damages by way of compensation to the person so affected.” This section provides that if any attacker accesses a computer system without the permission of the owner and conceals or destroys any data or important information in order to make financial gains, then the attacker shall be liable to pay damages by way of compensation to the person so affected.
- Section 74– Publication for fraudulent purpose: “Whoever knowingly creates, publishes or otherwise makes available a [electronic signature] Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.” If any person creates, publishes or makes an electronic signature certificate available for any fraudulent or unlawful purposes which can result in wrongful financial loss, then that person shall be punished with imprisonment of up to two years or with fine up to Rupees One Lakh.
The Companies Act, 2013[3]
- Section 36– Punishment for fraudulently inducing persons to invest money: “Any person who, either knowingly or recklessly makes any statement, promise or forecast which is false, deceptive or misleading, or deliberately conceals any material facts, to induce another person to enter into, or to offer to enter into,— (a) any agreement for, or with a view to, acquiring, disposing of, subscribing for, or underwriting securities; or (b) any agreement, the purpose or the pretended purpose of which is to secure a profit to any of the parties from the yield of securities or by reference to fluctuations in the value of securities; or (c) any agreement for, or with a view to obtaining credit facilities from any bank or financial institution, shall be liable for action under section 447.” Investment scams are a type of financial fraud and are very common today. When an attacker makes any false or deceptive statement or promise with the motive of convincing the victim to invest, this section will be attracted. The punishment for fraud as specified in Section 447 is imprisonment for a term which shall not be less than six months but which may extend to ten years and fine which shall not be less than the amount involved in the fraud but may extend to three times the amount involved in the fraud. If the fraud is in any way related to public interest, the term of imprisonment will not be less than three years. For example – Auction Scam etc.
- Section 448– Punishment for false statement: “Save as otherwise provided in this Act, if in any return, report, certificate, financial statement, prospectus, statement or other document required by, or for, the purposes of any of the provisions of this Act or the rules made thereunder, any person makes a statement,— (a) which is false in any material particulars, knowing it to be false; or (b) which omits any material fact, knowing it to be material, he shall be liable under section 447.” If in any return, report, certificate, financial statement, prospectus, statement or other document, the attacker makes any statement which is false in any material particulars or omits any material fact, he or she will be liable under section 447. Such false statement can lead to financial loss of the victim. For example- fake donation scam, etc.
The Indian Penal Code, 1860[4]
- Section 405- Criminal breach of trust: “Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or wilfully suffers any other person so to do, commits “criminal breach of trust”.” A person who is entrusted with property or any dominion over property and fraudulently converts that property to his own use, so as to gain wrongful profit at the cost of making the victim suffer, will be liable for criminal breach of trust. For example- an executor of a will who is supposed to divide the property in accordance with the will appropriates the property to his own use in order to get wrongful financial gains. The punishment for criminal breach of trust is imprisonment of up to three years or with fine or both, as prescribed under Section 406.
- Section 415- Cheating: “Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything which he would not do or omit if he were not so deceived, and which act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to “cheat”.” To attract this section, the attacker must deceive the victim and the victim should be induced to deliver any property to any person. The victim must be deceived into doing or omitting to do anything which he would not have done or omitted otherwise, and this act is likely to cause damage or harm to the body, mind, reputation or property of the victim. For example- the attacker puts a counterfeit mark on an item, convinces the victim that the item is of a reputed brand, fraudulently induces the victim to pay for the article and wrongfully gains financial profit from the victim (fake website scam). The punishment for cheating is imprisonment of up to one year or fine or both, as prescribed under Section 417.
- Section 416- Cheating by personation: “A person is said to “cheat by personation” if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is.” Most of the scams take place by using personation as a weapon. The attacker pretends to be the victim in order to gain wrongful profit. For example- A cheats by pretending to be a certain rich banker of the same name. A cheats by personation. The punishment for cheating by personation is imprisonment of up to three years or fine or both, as prescribed under Section 419.
- Section 418- Cheating with knowledge that wrongful loss may ensue to person whose interest offender is bound to protect: “Whoever cheats with the knowledge that he is likely thereby to cause wrongful loss to a person whose interest in the transaction to which the cheating relates, he was bound, either by law, or by a legal contract, to protect, shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.” This section states that whoever cheats with the knowledge that he is likely to cause wrongful loss to such a person whose interest in the transaction to which the cheating relates, he was bound to protect shall be punished with imprisonment of up to three years or with fine or both.
- Section 420- Cheating and dishonestly inducing delivery of property: “Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.” This section talks about the offence which is committed by the person who cheats another person and thereby induces the deceived to deliver any property or to make, alter or destroy any valuable security or anything which is sealed or is capable of being converted into a valuable security by falsely representing something so that the person is deceived. The maximum punishment under this section is imprisonment of up to seven years and fine.
Safeguards against Online Scams
As the number of scams is increasing, it is very important to stay aware and vigilant, since in most cases people are easily tricked because of a lack of knowledge and awareness. In order to protect oneself from falling prey to such online scams, it is very important to keep certain basic things in mind: one should always keep his/her personal details secure, passwords and PINs must not be shared with anyone, and the personal information shared on social media sites must be limited. It is important to keep two factor authentication on all IDs. One should also be wary of online shopping and should check the authenticity of the product and the site properly before purchasing. One should be careful before opening any suspicious texts or pop-up windows, or clicking on links or attachments in emails.
[1] https://dictionary.cambridge.org/dictionary/english/scam
[2] The Information Technology Act, 2000; https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
[3] The Companies Act, 2013; https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf
[4] The Indian Penal Code, 1860; https://www.iitk.ac.in/wc/data/IPC_186045.pdf
FINANCIAL FRAUDS IN INDIA – LEGAL ACTION
Understanding the cyber crime of financial frauds in India and the legal actions that can be taken under Indian laws
Understanding Frauds
Fraud is a crime, but for penalisation it must be committed wilfully. Any sort of negligence or incompetency in managing a business that may lead to the unintentional loss of a company’s assets does not normally constitute fraud.[1]
According to Section 447 of the Companies Act, 2013, fraud in relation to affairs of a company or any body corporate, includes any act, omission, concealment of any fact or abuse of position committed by any person or any other person with the connivance in any manner, with intent to deceive, to gain undue advantage from, or to injure the interests of, the company or its shareholders or its creditors or any other person, whether or not there is any wrongful gain or wrongful loss.[2]
Meaning of Financial Fraud
Financial fraud can be broadly defined as an intentional act of deception involving financial transactions for purpose of personal gain.[3] Financial fraud is an act of deceptively or unlawfully depriving someone of their money, capital or attacking their financial health. Financial fraud is a form of crime wherein a person or an entity illegally takes money or property and uses it in an illicit manner, with the motive of gaining a benefit or profit out of it.
In a globalised and liberalised business environment, the growth of financial frauds is unprecedented. Financial fraud is big business, contributing to an estimated 20 billion USD in direct losses annually. Industry experts suspect that this figure is actually much higher, as firms cannot accurately identify and measure losses due to fraud. The worst effect of financial frauds is on FDI inflows into India.[4]
Some examples of financial frauds that are taking place are:
- Bribery and Corruption: These illegal acts adversely impact trust in institutions. The former is usually given to someone to influence their behaviour whereas the latter is an act of gaining advantages through illegal means.
- Investment Fraud: It basically means to falsify the financial information in order to mislead or misguide the investors. It also includes omitting or hiding information that is important to know for an investor before investing.
- Identity Theft: As the name suggests, identity theft means stealing someone’s identity, i.e. impersonating them. The attacker uses the victim’s personal information (e.g. credit card number, social security number, bank account number) to make fraudulent withdrawals.
- Phishing: Phishing is a type of fraud which uses deceptive e-mails and websites as a weapon to gather personal information. The aim is to trick the email recipient into accepting that the mail received is regarding something they want or need. Phishing is basically a cyber attack which steals user data, including login credentials, passwords and credit card numbers. Once an attacker posing as a trusted entity deceives a victim into opening the mail, instant message, text message or any malicious link attached to these messages, it can lead to the installation of malware, the freezing of the system or the revealing of sensitive information.
- Skimming: Skimming is a credit card theft. When a credit card or debit card is swiped through a skimmer, the device captures and stores all the details stored in the card’s magnetic stripe. Fraudsters then use this stored information for online purchases or to reproduce the card.
- Mass Marketing Fraud: The fraud is committed through mass or spam mails, telephone calls etc. They can also take place in the way of fake prizes, charities, or lotteries etc. These modes are used to steal personal financial information or to raise contributions to fraudulent organisations.
- Siphoning of funds: It means to illegally or dishonestly take money from a person or an organization and use it for a purpose for which it was not intended.
- Theft of valuables: Fraudsters open bank lockers to take key impressions of other lockers and then use duplicate keys to steal assets.
LEGAL PROVISIONS
Provisions which can be attracted in case of financial frauds are as follows:
The Information Technology Act, 2000[5]
Section 66C- Punishment for identity theft: “Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.” When an attacker impersonates the victim by using the victim’s personally identifiable information to make fraudulent withdrawals, the abovementioned section will be attracted. For example- when an attacker accesses the victim’s bank account by stealing his debit card information or PIN, he will be liable under this section. The maximum punishment under this section is imprisonment of up to three years and fine up to Rupees One Lakh.
Section 66D- Punishment for cheating by personation by using computer resource: “Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.” When an attacker by means of any computer resource or communication device cheats by personation, the abovementioned section will be attracted. The maximum punishment under this section is imprisonment of up to three years and fine up to Rupees One Lakh.
Section 43– Penalty and compensation for damage to computer, computer system, etc: “If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage shall be liable to pay damages by way of compensation to the person so affected.” This section provides that if any attacker accesses a computer system without the permission of the owner and conceals or destroys any data or important information in order to make financial gains, then the attacker shall be liable to pay damages by way of compensation to the person so affected.
Section 43A– Compensation for failure to protect data: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.” This deals with the civil liability which arises out of failure to protect sensitive or personal information as specified under the Central Government’s notification dated 11th April, 2011, which classifies the details which corporates are under a legal duty to protect, like bank account details, passwords etc. This provision was added by the amendment act of 2008; it emphasised corporate responsibility in data protection and mandates that corporates enforce reasonable and responsible measures to protect data of the general public. This section is usually attracted when a company fails to use adequate security procedures to protect personal information and this results in wrongful financial loss to the victim.
Section 72A– Punishment for disclosure of information in breach of lawful contract : “Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.” While performing a contract, when a service provider discloses any personal information of victim without his or her permission despite knowing the fact that such disclosure can cause wrongful loss to the victim, the service provider shall be liable to imprisonment of up to three years, a fine up to Rupees Five Lakh or both.
Section 74– Publication for fraudulent purpose: “Whoever knowingly creates, publishes or otherwise makes available a [electronic signature] Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.” If any person creates, publishes or makes an electronic signature certificate available for any fraudulent or unlawful purposes which can result in wrongful financial loss, then that person shall be punished with imprisonment of up to two years or with fine up to Rupees One Lakh.
The Companies Act, 2013[6]
Section 36– Punishment for fraudulently inducing persons to invest money: “Any person who, either knowingly or recklessly makes any statement, promise or forecast which is false, deceptive or misleading, or deliberately conceals any material facts, to induce another person to enter into, or to offer to enter into,— (a) any agreement for, or with a view to, acquiring, disposing of, subscribing for, or underwriting securities; or (b) any agreement, the purpose or the pretended purpose of which is to secure a profit to any of the parties from the yield of securities or by reference to fluctuations in the value of securities; or (c) any agreement for, or with a view to obtaining credit facilities from any bank or financial institution, shall be liable for action under section 447.” Investment frauds are one of the most common types of fraud at present. When an attacker makes any false or deceptive statement or promise with the motive of convincing the victim to invest, this section will be attracted. The maximum punishment for frauds as specified in Section 447 is imprisonment for a term which shall not be less than six months but which may extend to ten years and fine which shall not be less than the amount involved in the fraud but may extend to three times the amount involved in fraud. If the fraud is in any way related to public interest, the term of imprisonment will not be less than three years.
Section 448– Punishment for false statement: “Save as otherwise provided in this Act, if in any return, report, certificate, financial statement, prospectus, statement or other document required by, or for, the purposes of any of the provisions of this Act or the rules made thereunder, any person makes a statement,— (a) which is false in any material particulars, knowing it to be false; or (b) which omits any material fact, knowing it to be material, he shall be liable under section 447.” If in any return, report, certificate, financial statement, prospectus, statement or other document, the attacker makes any statement which is false in any material particulars or omits any material fact, he or she will be liable under section 447. Such false statement can lead to financial loss of the victim.
The Indian Penal Code, 1860[7]
Section 405– Criminal breach of trust: “Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or wilfully suffers any other person so to do, commits “criminal breach of trust”.” A person who is entrusted with property or any dominion over property and fraudulently converts that property to his own use, so as to gain wrongful profit at the cost of making the victim suffer, will be liable for criminal breach of trust. For example, an executor of a will who is supposed to divide the property in accordance with the will appropriates the will to his own use in order to get wrongful financial gains. The punishment for criminal breach of trust is imprisonment of up to three years or with fine or both, as prescribed under Section 406.
Section 409– Criminal breach of trust by public servant, or by banker, merchant or agent: “Whoever, being in any manner entrusted with property, or with any dominion over property in his capacity of a public servant or in the way of his business as a banker, merchant, factor, broker, attorney or agent, commits criminal breach of trust in respect of that property, shall be punished with [imprisonment for life], or with imprisonment of either description for a term which may extend to ten years, and shall also be liable to fine.” If a person entrusted with property in his capacity as a public servant, banker, merchant, broker, attorney etc. misuses his power for wrongful personal gain, he will be liable under this section. For example, if a banker uses the victim’s bank account information and withdraws money without the knowledge of the victim, he or she will be liable under this section. The punishment prescribed under this section is imprisonment for life or imprisonment of up to ten years and fine.
Section 415– Cheating: “Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything which he would not do or omit if he were not so deceived, and which act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to “cheat”.” To attract this section, the attacker must deceive the victim and the victim should be induced to deliver any property to any person. The victim must be deceived into doing or omitting something which he would not otherwise have done or omitted, and this act is likely to cause damage or harm to the body, mind, reputation or property of the victim. For example, the attacker puts a counterfeit mark on an item, convinces the victim that the item is of a reputed brand, fraudulently induces the victim to pay for the article and so wrongfully gains financial profit from the victim. The punishment for cheating is imprisonment of up to one year or fine or both, as prescribed under Section 417.
Section 416– Cheating by personation: “A person is said to “cheat by personation” if he cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such other person really is.” Most financial frauds take place by using personation as a weapon. The attacker pretends to be the victim in order to gain wrongful profit. For example, A cheats by pretending to be a certain rich banker of the same name. A cheats by personation. The punishment for cheating by personation is imprisonment of up to three years or fine or both, as prescribed under Section 419.
Section 418– Cheating with knowledge that wrongful loss may ensue to person whose interest offender is bound to protect: “Whoever cheats with the knowledge that he is likely thereby to cause wrongful loss to a person whose interest in the transaction to which the cheating relates, he was bound, either by law, or by a legal contract, to protect, shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both”. This section states that whoever cheats with the knowledge that he is likely to cause wrongful loss to such a person whose interest in the transaction to which the cheating relates, he was bound to protect shall be punished with imprisonment of up to three years or with fine or both.
Section 420– Cheating and dishonestly inducing delivery of property: “Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.” This section talks about the offence which is committed by the person who cheats another person and thereby induces the deceived to deliver any property or to make, alter or destroy any valuable security or anything which is sealed or is capable of being converted into a valuable security by falsely representing something so that the person is deceived. The maximum punishment under this section is imprisonment of up to seven years and fine.
Section 468– Forgery for purpose of cheating: “Whoever commits forgery, intending that the [document or electronic record forged] shall be used for the purpose of cheating, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.” Forgery consists of a false document, signature, or other imitation of an object which is of value used with the intention of deceiving the victim. Those who commit forgery are often charged with the crime of fraud. For example- the attacker can photocopy the victim’s signature and then place it on a document without the victim’s consent in order to gain wrongful profit. The punishment for forgery is imprisonment of up to two years or fine or both, as prescribed under Section 465.
In 2012, the Central Bureau of Investigation (CBI) announced that it is developing a Bank Case Information System (BCIS) to curb banking frauds.[8] This database contains the names of accused persons, borrowers and public servants compiled from past records. The RBI has also released a new guideline to check loan frauds, under which defaulters are red-flagged and shall have no access to further banking finance. The RBI is also planning to set up a Central Fraud Registry which can be accessed by all Indian banks.[9]
CONCLUSION
The need of the hour is to equip businesses against fraud risks and to spread awareness among the public, warning them against the increasing number of financial frauds. There should be transparency in organizations for better management. There should be a separate team or department in every organization comprising qualified staff to ensure that efficient technological solutions are implemented. Financial institutions should duly enhance their
[1] http://www.businessdictionary.com/definition/fraud.html
[2] The Companies Act, 2013; https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf
[3] http://fraudalert.bnm.gov.my/01_what.htm
[4] https://www.pwc.in/assets/pdfs/publications/2015/current-fraud-trends-in-the-financial-sector.pdf
[5] The Information Technology Act, 2000; https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
[6] The Companies Act, 2013; https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf
[7] The Indian Penal Code, 1860; https://www.iitk.ac.in/wc/data/IPC_186045.pdf
[8] https://www.pwc.in/assets/pdfs/publications/2015/current-fraud-trends-in-the-financial-sector.pdf
[9] Ibid
For further information on Cyber Laws in India, please write to us at info@ssrana.com.
To know more about Information technology law in India, read below:
WEBSITE HACKING IN INDIA – LEGAL ACTION
Understanding the cyber crime of website hacking in India and the legal actions that can be taken under Indian laws
Understanding Hacking
Hacking today is an over-eager villain of corporates, legal firms, start-ups and website-based businesses. Hacking has become a serious crime in contemporary times, and it can be said that in the online world every individual is a potential victim. Today, hackers are able to control any website, CCTV camera, personal computers etc. All this amounts to a serious espionage of privacy and personal space. On top of this, there are many other ways which a hacker can employ while committing the hacking.
However, as they say, every coin has two sides, and there is another side to hacking called ‘Ethical hacking’. ‘Ethical hacking’ takes place where the hacker has legal permission to manipulate or break the security lines of a website or online network. Ethical hacking thus derives its legality from the explicit consent/authorization of an institution or person, and we are therefore able to deduce that hacking which is involuntary or devoid of consent makes out an offence of criminal hacking.[1]
TYPES OF HACKING
Hackers are usually of three types-
- A White hat hacker: A White hat hacker is a person who has been employed by an organization to look for loopholes in their security systems and patch the vulnerabilities of the system, before a security breach happens. White hat hackers are often behind the scenes, thwarting attacks in real time, or proactively exposing weakness to try to help keep services running and data protected.[2]
- A Black hat hacker: A Black hat hacker is an individual who tries to break into a website or the security networks of an organization without authorization and with malicious intentions. Their primary motivation is usually personal or financial gain, but they can also be involved in cyber espionage or protest, or perhaps are just addicted to the thrill of cybercrime.[3]
- A Grey hat hacker: Grey hat hackers are a blend of both black hat and white hat activities.[4] Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.[5] Grey hats may also extort the hacked, offering to correct the defect for a nominal fee.
Law in India
‘Unethical hacking’ is looked upon as a serious offence in India and is also a threat to national security. It is a punishable offence in India under:
- Indian Penal Code, 1860 [6]
- Section 408 – Criminal breach of trust by clerk or servant: “whoever, being a clerk or servant or employed as a clerk or servant, and being in any manner entrusted in such capacity with property, or with any dominion over property, commits criminal breach of trust in respect of that property, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.” This deals with the breach of trust by any clerk or servant. This breach of trust is committed against the property which is entrusted to him. For example, if employees working in the IT Department of law firms or MNCs leak any personal or secret information of the company, they are likely to commit criminal breach of trust and will be liable under this section. The maximum punishment under section 408 is imprisonment of up to seven years and a fine.
- Section 424 – Dishonest or fraudulent removal or concealment of property: “whoever dishonestly or fraudulently conceals or removes any property of himself or any other person, or dishonestly or fraudulently assists in the concealment or removal thereof, or dishonestly releases any demand or claim to which he is entitled, shall be punished with imprisonment of either description, for a term which may extend to two years, or with fine, or with both.” The aforementioned section will also apply to data theft. When an important or secret piece of information is concealed, collected or removed by a hacker dishonestly or fraudulently from a website after hacking it, the hacker will be liable under this section. The maximum punishment under section 424 is imprisonment of up to two years or a fine or both.
- Section 378 – Theft of movable property will apply to the theft of any data, online or otherwise, since section 22 of the IPC states that the words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth. Therefore if a hacker steals or collects any information from a website by gaining wrongful access he/she is likely to commit theft. The maximum punishment for theft under section 378 of the IPC is imprisonment of up to three years or a fine or both.
- Section 425 – Mischief : “whoever with intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or to any person, causes the destruction of any property, or any such change in any property or in the situation thereof as destroys or diminishes its value or utility, or affects it injuriously, commits mischief”. The main motive of the hacker is to cause wrongful loss or destruction of the information available on websites by wrongfully editing them in order to destroy or diminish the value by wrongfully representing things. Damaging computer systems and even denying access to a computer system will fall within the aforesaid section 425 of the IPC. The maximum punishment for mischief as per section 426 of the IPC is imprisonment of up to three months or a fine or both.
- Information Technology Act, 2000 (IT Act) :[7]
- Section 43 – Penalty and compensation for damage to computer, computer system, etc. and Section 43A – Compensation for failure to protect data: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.” This deals with the civil liability which arises out of failure to protect sensitive or personal information as specified under the Central Government’s notification dated 11th April, 2011, which classifies the details which corporates are under a legal duty to protect, like bank account details, passwords etc. This provision was added by the amendment act of 2008; it emphasised corporate responsibility in data protection and mandates that corporates enforce reasonable and responsible measures to protect data of the general public.
- Section 66B – Punishment for dishonestly receiving stolen computer resource or communication device: “whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.” The abovementioned section prescribes the penalty for receiving stolen information and provides for imprisonment of up to three years or a fine of Rs 1 lakh or both. Mens rea is a crucial requisite to engage liability under this section. Further, destruction, deletion, alteration or diminishing the value or utility of the data are also factors for attracting liability.
- Section 66F – Punishment for cyber terrorism provides:
“(1) Whoever,–
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people by–
(i) denying or cause the denial of access to any person authorised to access computer resource; or
(ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or damage to or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70; or
(B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer data base that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer data base, with reasons to believe that such information, data or computer data base so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise,
commits the offence of cyber terrorism.
(2) Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.”
Cyber Terrorism is one of the greatest threats to the society. Cyber terrorism basically means to do illegal things via internet or cyber space. It is usually done for political purposes such as provoking a group of people against the government or against the sovereignty, unity, or integrity of a country. The hackers can gain access to restricted information or computer database by network damage, data theft, by gaining unauthorized access, by privacy breach and attract liability under this section.
What happens when similar offences are brought under IPC and IT Act?
In Sharat Babu Digumarti v Government of NCT of Delhi[8], the contention relating to the IPC and the IT Act came to the surface. In this case, on November 27, 2004, an illicit video was uploaded for sale on Baazee.com and the listing was made under “Books and Magazine” to avoid detection by the Baazee team. The video was successfully sold a few times from the platform. When Delhi Police began the investigation, they prepared a charge sheet against Mr. Avinash Bajaj (MD at Baazee) and Sharat Digumarti (Manager); however, the company was not arraigned as an accused and therefore the charges (Section 292 of IPC and 67 of IT Act) against Avinash Bajaj were dropped. Later on, charges under Section 294 IPC and Section 67 of IT Act were dropped against Sharat. The Supreme Court held that in any case which involves an electronic record, the provisions of the IT Act alone will be applied, as that is the legislative intention, and under section 81 of the IT Act, the provisions of the IT Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force. It is a settled principle of interpretation that special laws prevail over general laws and later laws prevail over prior legislation.
In Gagan Harsh Sharma v The State of Maharashtra[9], the petitioners were charged under sections 408 and 420 of the IPC, 1860, supplemented by charges under sections 43, 65 and 66 of the IT Act, 2000. The offences under sections 408 and 420 are non-bailable, while the offences with which the individuals were charged under the IT Act are bailable. The petitioners stated before the Hon’ble Bombay High Court that the charges against them under the IPC should be dropped and the court should only pursue the charges framed under the IT Act. The Hon’ble court, relying on the Supreme Court’s judgement in the Sharat Babu Digumarti case, dropped the charges framed under the IPC.
CONCLUSION
The most cost-effective way to prevent account hacking is to let people know how to create a strong password. Business entities should invest in technology and the IT sphere, in collaboration with the government, to deal with the common enemy. Data encryption could be looked at as an alternative; however, it has its own drawbacks and therefore should be effectively regulated.
The best option is a collaborative effort in website and software development to prevent hacking attacks. Websites are prone to hacking and therefore it is important to create a security network which is well equipped to deal with cyber-attacks. Additionally, legislation is also required to be more specialised in terms of strictness and privacy, to deal with today’s ever-changing technology.
[2] https://www.safebreach.com/blog/what-is-a-white-hat-hacker/
[3] https://us.norton.com/blog/emerging-threats/black-white-and-gray-hat-hackers
[4] https://us.norton.com/blog/emerging-threats/black-white-and-gray-hat-hackers
[5] https://blog.eccouncil.org/types-of-hackers-and-what-they-do-white-black-and-grey/
[6] The Indian Penal Code, 1860; https://www.iitk.ac.in/wc/data/IPC_186045.pdf
[7] The Information Technology Act, 2000; https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf
[8] 2 SCC 18 SC (2017).
[9] SCC Bom. High Court, 13046 (2018).