More often than not, individuals and businesses face a predicament where they are subjected to certain acts by peers, competitors, ex-employees and other malicious entities which do not squarely fall within the ambit of “cyber-crimes”. The end result is a few visits to the police station without any remedy to avail, or worse, a frivolous FIR resulting in an unnecessary waste of time and funds. In reality, the Information Technology Act (hereinafter referred to as ‘the Act’) is well equipped to deal with such “contraventions” under Chapter IX, Sections 43 and 43-A, by awarding compensation to the victim and, in certain cases, imposing a penalty on the person in default. These contraventions are remedied by a complaint lodged before the adjudicating officer under the Act, and this article explains exactly how to go about the process.
Offences under the Information Technology Act
The acts that constitute contraventions under Chapter IX can be classified under two major heads: acts by persons, and acts by a body corporate. The contraventions by a person are covered under Section 43 of the Act and are elaborated hereunder:
- The first and foremost pre-requisite of all such acts is that they should be without the permission of the owner, or the person in charge of a computer, computer system, or computer network.
- Accessing or securing access to a computer, computer system or computer network (hereinafter collectively referred to as “computer”). Mere entry into a computer, whether by guessing the password or by using third-party tools to defeat its security, is a contravention under the Act. Under Section 2(1)(a) of the Act, ‘access’ means “gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network”. Therefore, even indirect access to the hard drive of the computer, or to certain files on it, without logging in through conventional means, amounts to a violation under this clause.
- Downloading, copying or extracting any information or data from a computer, including data held in removable storage media. ‘Downloading’ is not defined in the Act; in its technical sense it means copying data from one computer system to another, leaving the original intact. Any data whatsoever, including a database of phone numbers, client lists, designs, artwork, photographs, videos and document files, is covered. There is some lack of clarity on what ‘extracting’ means: it may cover taking away the original data altogether without making a copy, or selectively pulling data out of a particular file without copying the whole file.
- Introducing, or causing to be introduced, any computer contaminant or computer virus into a computer. This is usually done directly via an external storage device, or by planting a link or a file on the computer which, when opened, releases the contaminant. ‘Computer contaminant’ is explained in Explanation (i) to Section 43 as any set of computer instructions that are designed:
- “to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or
- by any means to usurp the normal operation of the computer, computer system or computer network.”
The breadth of this definition lets it keep pace with the new contaminants created every day. For example, a ransomware strain that encrypts the victim’s files modifies data and so already falls under Explanation (i)(a); but a ‘locker’ variant that simply blocks access to the computer until a ransom is paid, without touching the data, would not. Explanation (i)(b) closes that gap: usurping the normal operation of a computer is itself contamination, so both kinds of attack are covered.
- Damaging, or causing to be damaged, any computer or any programme within it. The damage may be physical (for instance to the hard drive) or to software, by introducing a malicious element such as a virus, malware or a bot agent.
- Disrupting, or causing the disruption of, any computer. This covers any activity that hinders the normal functioning of a computer. The provision has a wide ambit, so unforeseen acts or new forms of contaminant that do not clearly fall within the other clauses can still be caught if the interpretation allows.
- Denying, or causing the denial of, access to any person authorised to access any computer. This clause brings Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks within the Act. There are many ways to deny access to a computer, including physically locking it, removing parts of it, or simply changing the password, but the most common and malicious is a DoS or DDoS attack, in which a particular computer or computer network is targeted.
Service in this context means access to the content, software, data etc. available on a website or a computer network. “For example, if you are watching a video on YouTube, you are accessing an HTML file kept on YouTube’s servers which has an embedded video in it. YouTube lets you access and watch it because YouTube can then show you ads. This transaction is thus complete with a win-win situation for YouTube and you. The service is complete when the server renders the data to a user, and the user is able to access it successfully.” A DoS attack floods the server with far more requests or traffic than it can handle, exhausting its CPU, memory or network bandwidth so that it slows down and, if the attack is persistent enough, stops responding altogether. The effect is somewhat similar to running Fortnite, Far Cry and GTA 5 on your computer all at the same time: the computer slows down and eventually freezes.
DDoS attacks are harder to stop because the traffic comes from a distributed network of computers (a botnet) that were quietly infected with malware at some point in the past, usually without their owners’ knowledge. Once enough machines are infected, the botmaster, the attacker who controls them through a command-and-control server, instructs them all to send traffic to the target, in this case the server. Because the requests arrive from thousands of different addresses, they cannot simply be blocked at the source. Every hour of downtime can cause losses running into millions of dollars for the victim, and at the same time denies legitimate users access to the service.
- Providing any form of assistance to any person to facilitate a contravention of this Act or of the rules or regulations made thereunder. This is the enabling provision that makes abetment of a contravention a contravention in itself.
Under the IPC, abetment has three limbs: instigation, engaging in a conspiracy, or intentionally aiding the commission of an offence. In contrast, by using the words “providing any form of assistance”, the legislature has kept the provision open to a much wider range of acts, which is necessary given the evolving nature of cyber law.
- Charging the services availed of by a person to the account of another person by tampering with or manipulating any computer. This is commonly, if loosely, referred to as “identity theft”: a person’s financial and personal information is stolen and used to obtain goods or services online at the victim’s expense.
In the online world, identity and identity verification are a huge problem, and an entire industry of software, protocols and authentication systems exists to verify who a person is, because the real identity of a person is easily blurred. I may be purchasing gifts online with my debit card for someone residing in a different city, and at the same time be using my father’s Amazon account to do so. As long as the payment goes through and the product reaches the intended recipient, everything flows normally. The problem arises when a third party obtains the card details of an unsuspecting victim and uses them to make purchases online, billing the victim’s card. This happens by a number of means, such as phishing, pharming, malicious software, or the good old stolen wallet, but it affects every victim in the same way, causing heavy monetary loss. Many international card-not-present payments do not require an OTP at all, so the card number, expiry date and CVV alone are enough to complete the transaction.
- Destroying, deleting or altering any information residing in a computer resource, or diminishing its value or utility, or affecting it injuriously by any means. A “computer resource” under the Act includes not only a computer, computer system or computer network but also data, a computer database and software. The provision therefore covers information held in software or in an online database. Thus, if a cloud-hosted database (whose data does not reside on any particular computer of the victim) is accessed through a computer and the data in it is destroyed, without destroying any data on the computer used for the access, that too is a contravention under the Act.
- Stealing, concealing, destroying or altering, or causing any person to steal, conceal, destroy or alter, any computer source code used for a computer resource, with an intention to cause damage. To understand this provision, we first need to understand what source code is and why it matters.
Source code is the human-readable text of a program, written in a programming language. It is processed by a compiler or an interpreter (depending on the language) into machine code, the binary ones and zeros that the processor actually executes.
Protecting source code matters because software companies spend millions of dollars of resources turning it into commercially marketable products. They want to protect it for many reasons: to keep it out of competitors’ hands, to guard it against attackers who could modify it and make the program vulnerable, and so on. Not all source code is secret; software whose code is published for anyone to inspect, modify and redistribute is known as open source, with Mozilla Firefox, WordPress, VLC and Linux as common examples. Note that this clause turns on the intention to cause damage, not on secrecy, so tampering with the source code of a deployed open-source application in order to sabotage it is still covered.
Contraventions by a body corporate, which under the Act includes a company, firm, sole proprietorship or any other association of individuals engaged in commercial or professional activities, are covered under Section 43-A of the Act. This section has the following essentials:
- A body corporate, must be in possession, dealing or handling any sensitive personal data or information in a computer resource
- Such a computer resource must be owned, controlled or operated by the body corporate.
- The body corporate must be negligent in implementing and maintaining reasonable security practices and procedures for such data or information.
- Thereby causing wrongful loss or wrongful gain to any person.
Reasonable security practices and procedures have been explained in the provision as: “security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit”.
This provision for reasonable security practices is a stringent one: it clearly places the burden on body corporates to protect sensitive personal data to a high standard, while at the same time allowing the parties to agree the practices and procedures for such protection. Thus the provision has an essential element of balance: not excessively rigid from the outset, but keeping the option open to tighten the leash whenever required.
Further, the provision was elaborated by defining what falls within “sensitive personal data or information” in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, notified by the government in 2011.
Under Rule 3 of the Rules, “Sensitive personal data or information of a person means such personal information which consists of information relating to;—
- financial information such as Bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- Biometric information;
- any detail relating to the above clauses as provided to body corporate for providing service; and
- any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules”.
In the same Rules (Rule 8), reasonable security practices and procedures have been prescribed to include “such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business”. The international standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one of the standards recognised under these Rules.
There have been innumerable instances in which lakhs of rupees have been siphoned off from bank accounts, either through some lapse on the bank’s end or by obtaining a duplicate SIM card, which then receives the OTP and other second-factor authentication messages, enabling overnight transfers into various dormant bank accounts. When the police are informed, they often find that these accounts belong to illiterate people with little or no knowledge of the transactions taking place in their names. In such scenarios it is mostly a lapse in the “reasonable security practices and procedures” of the bank or the telecom service provider that makes the transfer possible. In numerous cases before the Adjudicating Officer it has been found that, on issuing a duplicate SIM card, telecom service providers did not suspend messaging services for 24 hours, the normal protocol for preventing OTP and second-factor messages from falling into the hands of malicious entities. In many cases there were no policies or measures in place at all to verify that the person requesting a duplicate SIM card was the legitimate owner of the number.
Body corporates today hold an immense amount of information on individuals, to the extent that an individual can be monetarily or personally harmed if that information is compromised in any manner. Yet lax security protocols lead to cyber-crimes being committed almost every day. We cannot do without telecom services, banking facilities or, for that matter, social networking websites; but when so much trust is placed in the hands of a corporation, maintaining that trust through effective security protocols for our personal data is an absolute necessity, allowing for no compromise whatsoever.
Section 45 is a residuary penalty provision: where a contravention of the Act or of the rules or regulations made under it carries no separately stipulated penalty, the person in default is liable to pay compensation not exceeding Rs. 25,000 to the person affected by the contravention, or a penalty not exceeding Rs. 25,000.
How to recover compensation under the Information Technology Act
APPOINTMENT OF ADJUDICATING OFFICER
Section 46 of the Act empowers the Central Government to appoint any person not below the rank of a Director to the Government of India, or an equivalent officer of a State Government, as an adjudicating officer under the Act. Such an officer has the power to hold an inquiry and award penalties for the purpose of adjudicating any contravention of the Act or of any rule, regulation, direction or order made under it. This provision enables the government to appoint a quasi-judicial authority to adjudicate these contraventions.
The pecuniary jurisdiction of the adjudicating officer extends to claims for injury or damage of up to Rs. 5 crore, i.e. the adjudicating officer can award compensation or penalties up to that amount; the proviso to Section 46(1A) states that claims exceeding Rs. 5 crore vest in the competent court. There nevertheless seems to be some lacuna around jurisdiction, because Section 61 of the Act bars civil courts from entertaining matters that an adjudicating officer or the Appellate Tribunal is empowered to decide, which on a literal reading could leave a victim remediless if the complaint prays for compensation beyond Rs. 5 crore.
This lacuna can be easily removed by a harmonious interpretation, and in my view, the bar in jurisdiction extends only “to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act”. As complaints involving a prayer beyond Rs 5 crore are not suits or proceedings that an adjudicating officer or Appellate Tribunal is empowered to adjudicate, the civil court should ordinarily have jurisdiction.
POWERS OF THE ADJUDICATING OFFICER
The adjudicating officer has the powers of a civil court under the Code of Civil Procedure while trying a suit, for the following matters:
(a) summoning and enforcing the attendance of any person and examining him on oath;
(b) requiring the discovery and production of documents or other electronic records;
(c) receiving evidence on affidavits;
(d) issuing commissions for the examination of witnesses or documents;
(e) reviewing its decisions;
(f) dismissing an application for default or deciding it ex parte;
(g) any other matter which may be prescribed.
Further, the adjudicating officer is also deemed to be a civil court for the purposes of Order XXI of the Code of Civil Procedure, which governs the execution of orders and decrees.
While determining the quantum of compensation under these provisions, the adjudicating officer has to consider the following factors:
(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.
The compensation awarded under the Act has to be proportionate to the actual loss caused. Particular attention is paid to how many times the contravention has been repeated; where an individual or body corporate continues to contravene even after compensation and penalties have been imposed, a larger, deterrent compensation or penalty can be levied.
WHAT IS THE PROCESS OF REGISTERING A COMPLAINT BEFORE THE ADJUDICATING OFFICER?
Although different adjudicating officers are appointed in different states, they are usually IAS officers in the Department of Science and Technology (in the case of Gujarat) or the Department of Information Technology (in the case of Maharashtra and Delhi). The application form for lodging a complaint is available on their respective websites and calls for the following particulars to be filled in by the complainant:
I Particulars of the complainant
- E-mail address
- Telephone No.
- Address for correspondence
- Digital Signature Certificate, if any
II Particulars of the respondent
- E-mail address
- Telephone No.
- Address for correspondence
- Digital Signature Certificate, if any
III Damages claimed; fee deposited; Demand Draft No. ______ dated __________ Branch _______
IV Complaint under Section/Rule/Direction/Order etc.
V Time of contravention
VI Place of contravention
VII Cause of action
VIII Brief facts of the case
The fee for every application is Rs. 50, and the fee on the damages claimed by way of compensation is calculated on the following basis:
I. Damages claimed by way of compensation, and the fee payable:
- a. Up to Rs. 10,000: 10% ad valorem, rounded off to the nearest next hundred
- b. Rs. 10,001 to Rs. 50,000: Rs. 1,000 plus 5% of the amount exceeding Rs. 10,000, rounded off to the nearest next hundred
- c. Rs. 50,001 to Rs. 1,00,000: Rs. 3,000 plus 4% of the amount exceeding Rs. 50,000, rounded off to the nearest next hundred
- d. More than Rs. 1,00,000: Rs. 5,000 plus 2% of the amount exceeding Rs. 1,00,000, rounded off to the nearest next hundred
II. Fee for every application: Rs. 50
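The slab-wise schedule above is easy to get wrong by hand, especially the rounding at slab boundaries. The following calculator is an added example written for this article, not a tool published by any adjudicating officer; it assumes that amounts are in whole rupees, that “rounded off to the nearest next hundred” means rounding up to the next multiple of Rs. 100 (an exact multiple stays as it is), and that claims above the Rs. 5 crore jurisdictional limit of the adjudicating officer are rejected rather than priced.

```python
from fractions import Fraction
import math

APPLICATION_FEE = 50               # Rs. 50 payable on every application
JURISDICTION_LIMIT = 5_00_00_000   # Rs. 5 crore: upper limit of the adjudicating officer's jurisdiction

# Fee schedule for damages claimed by way of compensation, one entry per slab:
# (slab ceiling or None for the open-ended last slab, slab floor,
#  fixed component payable at the floor, percentage applied to the excess over the floor)
SLABS = [
    (10_000,  0,       0,     10),   # up to Rs. 10,000: 10% ad valorem
    (50_000,  10_000,  1_000, 5),    # Rs. 10,001 to 50,000: Rs. 1,000 + 5% of excess over 10,000
    (100_000, 50_000,  3_000, 4),    # Rs. 50,001 to 1,00,000: Rs. 3,000 + 4% of excess over 50,000
    (None,    100_000, 5_000, 2),    # above Rs. 1,00,000: Rs. 5,000 + 2% of excess over 1,00,000
]


def round_up_to_hundred(amount: Fraction) -> int:
    """'Rounded off to the nearest next hundred', read here (assumption) as rounding UP
    to the next multiple of Rs. 100; an exact multiple is left unchanged."""
    return math.ceil(amount / 100) * 100


def compensation_fee(damages: int) -> int:
    """Fee on the compensation claimed, in whole rupees, per the slab schedule."""
    if damages <= 0:
        raise ValueError("damages claimed must be a positive amount in rupees")
    if damages > JURISDICTION_LIMIT:
        raise ValueError("claims above Rs. 5 crore lie outside the adjudicating officer's jurisdiction")
    for ceiling, floor, fixed, pct in SLABS:
        if ceiling is None or damages <= ceiling:
            # Fraction keeps the percentage exact, so there is no floating-point drift
            # that could push a boundary value into the wrong hundred before rounding.
            raw = fixed + Fraction(damages - floor) * pct / 100
            return round_up_to_hundred(raw)
    raise AssertionError("unreachable: every positive amount falls in some slab")


def total_fee(damages: int) -> int:
    """Amount of the demand draft: fee on compensation plus the Rs. 50 application fee."""
    return compensation_fee(damages) + APPLICATION_FEE


if __name__ == "__main__":
    # Constructed sample claims, including the slab boundaries, for a quick sanity check.
    for claim in (7_550, 10_000, 10_001, 25_000, 50_000, 75_000, 100_000, 5_00_000):
        print(f"Rs. {claim:>9,}  ->  fee Rs. {compensation_fee(claim):>7,}  "
              f"total Rs. {total_fee(claim):>7,}")
```

The schedule is continuous at each boundary (Rs. 10,000 gives Rs. 1,000, Rs. 50,000 gives Rs. 3,000 and Rs. 1,00,000 gives Rs. 5,000 under either adjoining slab), so the choice of inclusive ceilings does not change any result; only the rounding direction is an interpretation, and it is isolated in one function so it can be changed if an officer’s registry reads the rule differently.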
A victim can appear through an advocate or as party-in-person and argue the complaint. Such disputes are usually resolved in under a year, and interim injunctions passed at the initial stages allow the victim to recover the money into their account, provided the funds were frozen before being further siphoned off or withdrawn. Along with filing the complaint, the victim should at the earliest inform every bank in whose accounts such transactions have taken place, so that the banks can freeze all accounts connected to the contravention.
Section 43 of the Information Technology Act, 2000.
Section 43-A of the Information Technology Act, 2000.
Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Section 61 of the Information Technology Act, 2000.