This article is written by Mayank Bansal, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.com. Here he discusses “What legal action you can take when your website is Hacked?”.
With the evolution of technology and cheap data rates, India has become the country with the second-largest number of internet users in the world, with around 451 million monthly active users in the year 2018[1]. Further, the number of internet users is expected to grow to as much as 666.4 million by the year 2023. However, with this sharp rise in internet users, internet-based crime is also increasing, and tech giants are under constant fear of data breaches. According to a report of the Computer Emergency Response Team (CERT), there was a 292% rise in hacking cases in India from 2015 to 2018[2]. Relying on this, a joint study by PwC India and the Data Security Council of India (DSCI) suggested that the cybersecurity market in India will grow from $1.97 billion in 2019 to $3.05 billion by 2022. These reports ultimately raise an important question: what legal action should a victim of hacking take?
What is hacking, who is a hacker, and how is it different from cracking?
In simple words, hacking is the skill of identifying a weakness in network security through which a hacker could get unauthorized access to personal data. There is a general misconception about the term “hackers”: that hackers are bad people who act illegally in order to gain unauthorized access to individuals’ personal information. In fact, there are three types of hackers (white hat, black hat and grey hat), and depending on the type, they are categorized as good or bad hackers.
White Hat Hackers
White hat hackers are considered to be good hackers, who are generally employed by tech organizations to strengthen the security of their systems. These hackers have prior permission to exploit the organization’s security networks and look for loopholes in its systems. They inform the organization about the loopholes in its security so that they can be fixed.
Black Hat Hackers
Black hat hackers are considered to be bad hackers, who attempt to gain unauthorized access to the personal information of individuals and exploit it for malicious reasons. Hackers of this kind try to inflict damage on organizations by compromising their systems, altering the functions of their websites or shutting down their systems entirely.
Grey Hat Hackers
Grey hat hackers try to exploit networks in much the same way as black hat hackers do, but without any malicious intent, as they disclose the loopholes in the networks to the administrators or the intelligence agencies. These people generally also offer to fix the vulnerabilities for a nominal fee charged to the network owner.
So, hacking could be considered a process of gaining access to computer systems without any authorization, for either good or bad purposes. However, hackers are not necessarily behind all the cyber-attacks in society. The truth is that our media uses the term “hacking” in a derogatory sense to describe all cyber-attacks. In fact, the majority of cyber-attacks fall under the definition of “cracking”.
The basic difference between “hacking” and “cracking” is that hackers work towards building the security of the network, whereas crackers work towards breaking it. Crackers also gain unauthorized access to a computer system, but with criminal intent. In other words, they act as black hat hackers, stealing the personal information of users, destroying important files, disclosing crucial information or selling the sensitive data of individuals for personal gain.
Laws against Black Hat Hackers/Crackers
In India, the Information Technology Act, 2008 tries to protect every individual from black hat hackers, i.e. bad hackers/crackers. Section 43 of the Act (penalty and compensation for damage to computer, computer system, etc.) covers almost every kind of hacking/cracking offence: illegal access, extraction of data, contamination of data, network disruption, denial of access, manipulation of data, destruction, removal or alteration of data, data theft, illegal concealment of data, etc. This section also imposes a penalty on the hacker/cracker, requiring him to compensate the victim for the damage caused by his acts. In addition, Section 66 of the Act (computer-related offences) punishes any individual who dishonestly or fraudulently does any act referred to in Section 43 of the Act with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
Therefore, relying on these provisions, one can rest assured that Indian law duly supports innocent people against the act of hacking.
Now, if the website of an organization is hacked, the organization should first stay calm, as it is protected by the law of India. As immediate action, it should take the following steps:
- Take the website offline: as an immediate step, the organization should temporarily shut down the website while it is fixed and protected. This step is taken to prevent further damage to the clients of the organization.
- Secondly, immediately file a cyber complaint: file a cyber complaint with the cyber cell of the district in which the registered office of the organization is located. If there is no cyber cell in the district, the organization can also file a complaint online at www.cybercrime.gov.in (which also provides the advantage of tracking the complaint, which is otherwise not available).
A cyber complaint is drafted in much the same way as an FIR. The important thing to remember is that all necessary details of the crime must be mentioned in the complaint. Further, copies of some documents must be attached to the cyber complaint, which are generally not attached when an FIR is drafted. Here I am providing a general list of documents to be attached to any cyber complaint, which is indicative and not exhaustive:
- Server logs: A copy of the server log must be attached to the complaint. This log file contains details of the activities performed on the portal on a day-to-day basis.
- Hard as well as soft copy of the affected material: a copy of the material that has been affected by the illegal act of the hacker. This is submitted as evidence to the cyber cell.
- Hard copy of the portal: A hard copy of the original portal and of the defaced one shall be attached to the complaint, so as to show the material defect caused by the hacker.
- Personnel details: An organisation shall attach to its cyber complaint a comprehensive list of the employees who have access to the source code of the website.
- Suspicions: if the organization suspects someone of being the hacker, it shall mention the name of the suspected person in its cyber complaint. This could help the cyber cell in its investigation.
- Thirdly, announce it to the public: the reader might find it shocking. Why am I asking the organization to inform the public about its network breach?
Because it is important to understand that poorly handled cyber-attacks could impact the long-term reputation of any organization, further affecting the customers and investors of the organization for years. I duly accept that declaring a cyber-attack in public would affect the reputation of an organization, but only for the short term. However, early strategic communication about the cyber-attack could prevent further damage to the organization and its clients. Therefore, considering this, a clear and consistent message from the organization could make a huge difference by minimizing the long-term reputational impact on the organization.
Complications while pursuing legal actions against Hackers/Crackers
- NON-ACCEPTANCE OF COMPLAINT BY POLICE OFFICIALS: When a physical complaint is filed at the local police station where the victim is located, or where the offence was committed against the individual, it is often found that the cyber cell and the police station dispute their jurisdiction, because the crime generally does not take place in the area in which the organization is located, cybercrimes being considered geography-less and borderless.
However, to avoid harassment by the police station and cyber cell, the government has set up an online portal (www.cybercrime.gov.in) for filing cyber complaints. There, a complainant can easily file a complaint, and it will be automatically assigned to the respective cyber cell/police station. Further, the complainant gets the added advantage of tracking the status of the complaint if it is lodged through this portal.
- NON-TRACEABILITY OF HACKER/CRACKER: It is often found that, in the majority of cyber complaints, the police are unable to trace the accused person behind the hacking/cracking. The reason is that hackers/crackers often use high-security VPNs while committing a crime, which makes them highly untraceable. Further, the cyber cell teams and police officials in India are not trained enough and often lack the appropriate infrastructure to track the accused person. Therefore, the government should invest in the training and infrastructure needs of the cyber cells.
- VERY FEW CYBER CELLS: India currently has very few cyber cells, and the majority of them are located in the metro cities. Complaints in other cities are lodged at the local police station, where the police in charge often lack basic knowledge of the use of technology, which makes it nearly impossible for them to take any action on cyber complaints. With the increasing rate of cyber-crime, the government should consider establishing at least one cyber cell in every district throughout India.
Ethical and unethical hacking/cracking are old concepts, but many people in the country are not aware of them. People are not aware of the potential harm which the act of hacking could pose to their lives, or of the remedies available against these illegal acts. The reason for this unawareness is simply that the majority of Indians have got access to the internet very recently. The hackers, however, are professionals with great experience of playing with source code. They are proficient enough to hack even the tech giants. Bad hackers/crackers mostly work by blackmailing individuals and corporations into fulfilling their demands. This can be seen in the recent popular case in which crackers got early access to episodes of Game of Thrones and demanded 10 million dollars from the popular streamer HBO[3]. This kind of blackmail causes panic in organizations/individuals, who then forget about their legal remedies and fall into the trap of the hacker/cracker by fulfilling the demands.
However, corporations/individuals should know that in India the Information Technology Act, 2008, under its Section 43, allows the victim to recover damages without any cap on recovery, although before 2008 there was a cap on the recovery of damages, which was limited to one crore rupees. Since there is now no cap on the recovery of damages, organizations/individuals should not fall into the blackmailing traps of the hackers. Rather, they should seek a legal remedy by filing a cyber complaint on the matter. Further, I believe that the government should take appropriate measures to inform people about cybercrimes and the measures for their prevention. Also, I agree the laws against hacking are stringent, but they are often unenforceable, as the majority of minor hacking/cracking cases go unnoticed, because the victim is unaware of their legal remedies.
Therefore, I believe that the government should also promote awareness about the remedies available against cybercrime.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop real-life practical skills.