In this article, Shriji Pandey put forth legal actions to take when someone sends you a ransomware virus. 

Legal actions against Ransomware attacks

• What can you do when someone is not only playing with your privacy but also, infringing various rights of yours and breaking several laws just by using a computer sitting far away in his house?
• Ransomware, a malware, a type of Trojan virus, which like most computer viruses, often arrives in the form of a phishing email, or spam, or a fake software update – which after infecting the computer when the recipient clicks a link or opens an attachment, holds the computer hostage by encrypting data,  demanding ransom payment for decrypting everything.
• WannaCry ransomware cyber attack is the latest worldwide cyber attack which usually attacks Microsoft Windows Operating systems and the payment demanded in less traceable Bitcoin cryptocurrency. Business and Public Institutions have been one of the major targets but the private individuals aren’t untouched now. The illegal activities come under the category of cybercrime.

Cyber crime is broadly divided into two categories based on the usage of computer as

1. Target (example, Hacking, Virus Attack)
2. Weapon (example, cyber terrorism, IPR violations, pornography)

Ransomware attacks attract both Criminal and Civil legal actions depending upon the individual harms suffered, actions of the criminal and illegality of the actions according to the nature of wrong committed.

Ransomware attack is a breach of Right to personal liberty guaranteed under the Indian Constitution

Prima Facie it is an infringement of our Fundamental Right to Privacy covered under Article 21- Right to Life of Constitution of India. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 provides protection to personal information. Prior to these Rules, in India remedies for invasions of privacy existed under tort law and the Supreme Court of India accorded limited constitutional recognition to the right to privacy (under Article 21). These Rules provide the only codified provisions protecting the privacy of individuals and their personal information. Rule 3 of the Rules provides an aggregated definition of sensitive personal data as follows:

Sensitive personal data or information of a person means such personal information which consists of information relating to –

• Password;
• Financial information such as bank account or credit card or debit card or other payment instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information;
• Any detail relating to the above clauses as provided to body corporate for providing service; and
• Any of the information received under above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise

Ransomware attack: An act of Extortion under IPC

These malware attacks are a clear case of Extortion. According to Section 383 of IPC, Whoever intentionally puts any person in fear of any injury to that person, or to any other, and thereby dishonestly induces the person so put in fear to deliver to any property or valuable security, or anything signed or sealed which may be converted into a valuable security, commits ‘Extortion’.

Ransomware attack: A tortious lilability

The attack can be covered under Law of Tort under Trespass to Chattel, also known as trespass to goods or trespass to personal property, defined as “an intentional interference with the possession of personal property…proximately causing injury.” Trespass to chattel, does not require a showing of damages. Simply the “intermeddling with or use of…the personal property” of another gives cause of action for trespass. Since CompuServe Inc. v. Cyber Promotions, various courts have applied the principles of trespass to chattel to resolve cases involving unsolicited bulk e-mail and unauthorised server usage as well. Generally, trespass to chattels possesses three elements – Lack of Consent, Actual Harm and Intentionality. In the ransom attack to your computer, these elements constitute the tort covering intangible property like in the case, the computer.

Ransomware attack: Punishment under the IT Act

The present act is also punishable with imprisonment for a term which may extend to three years and with fine under Section 66A of IT Act through 2008 amendment, which states that “Any person who sends, by means of a computer resource or a communication device

• any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,
• any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages shall be punishable with imprisonment for a term which may extend to three years and with fine.”

Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. Cyber Crimes are broadly covered under –

1. The Information Technology Act:

• Tampering with Computer Source documents – Section 65
• Hacking with Computer Systems, Data alteration – Section 66
• Publishing obscene information – Section 67
• Un-Authorised access to protected system ­­– Section 70
• Breach of Confidentiality and Privacy – Section 72
• Publishing false digital signature certificates – Section 73

2. IPC and Special Laws:

• Sending threatening messages by email – Section 503
• Sending defamatory messages by email – Section 499
• Forgery of electronic records – Section 463
• Bogus websites, cyber frauds – Section 420
• Email spoofing – Section 463
• Web-Jacking – Section 383
• E-mail Abuse – Section 500

3. Some Special Acts:

• Online sale of Drugs under Narcotic Drugs and Psychotropic Substances Act
• Online sale of Arms Act

Ransomware attack and data Theft

Data theft is a misnomer as it is no theft under law. Instead, the valid term is Data Crime/Criminals. Depending on the nature of the relationship between the victim and the criminal, the nature of legal actions may defer. For instance if the criminal is amongst one of the employees provided there is an agreement between the employer and the employee, it can be a ‘Criminal Breach of Trust’ which is punishable under Section 405(data treated as a ‘Property’) and the Punishments are covered under Section 406-409 of Indian Penal Code, 1860.

Here, some provisions of IT Act, 2000 can also be invoked to aforesaid provisions of IPC like Section 43(b) which deals with penalties and compensation regarding unauthorised access to the computer and damages suffered due to this. Data Theft is also covered under Section 2(o) of Copyright Act, 1957 which deals with literary works. It is a Criminal offence under Section 63 Of the act which makes it A cognizable and non-bailable offence under First Schedule of Code of Criminal Procedure (CrPC), 1973 and more than 3 years of imprisonment if proven guilty.

How to file a complaint against Ransomware attack

How to seek justice? Like any other criminal case, the ransomware attack victims need to file a complaint first to seek remedy from the Judicial system of the country. The complaint can be filed in the concerned Police Station as a FIR. To tackle the issue of cyber crimes, CIDs (Criminal Investigation Departments) of various cities opened up Cyber Crime Cells in different cities as well. Chapter 10 and 13 of the IT Act talks about the Offences (and the said penalties awarded under it, if proven) under the Act and the power given to the victims against it and during the procedure of investigation, respectively.

Section 48 of the IT Act, 2002 establishes the Cyber Appellate Tribunals around different places in the country. Section 57 provides Appeal to Cyber Regulations Appellate Tribunal. –

(1) Save as provided in sub-section

(2), any person aggrieved by an order made by the controller or an adjudicating officer under this Act may prefer an appeal to a Cyber Appellate Tribunal having jurisdiction in the matter.

Jurisdictional Challenges In Case Of Foreign Defender

India at present does not have a proper extradition law to deal with crimes that have been committed over the Internet.  To address this issue, India should become a signatory to the Convention of cyber crimes treaty and should ratify it. The Supreme Court of India, in the case of SIL Import v. Exim Aides Silk Importers , has recognised the need for the judiciary to interpret a statute by making allowances for any relevant technological change that have occurred. Until there is specific legislation in regard to the jurisdiction of the Indian Courts with respect to Internet disputes, or unless India is a signatory to an International Treaty under which the jurisdiction of the national courts and the circumstances under which they can be exercised are spelt out, the Indian Courts will have to give a wide interpretation to the existing statutes, for exercising Internet disputes. But some of the legislation currently present, can still be helpful.

Section 75 of the Information Technology Act, 2000  implies that the Act shall apply to an offence or contravention committed outside India by any person if the act or conduct constituting the offence involves a computer, computer system or computer network located in India. While

Section 3 and 4 of the Indian Penal Code, 1860 deals with the extra-jurisdictional power given to the Indian Courts.  Code of Criminal Procedure, 1973, Section 188 provides that even if a citizen of India outside the country commits the offence, the same is subject to the jurisdiction of courts in India. In India, jurisdiction in cyberspace is similar to jurisdiction as that relating to traditional crimes and the concept of subjective territoriality will prevail. Moreover, Section 178 deals with the crime or part of it committed in India and Section 179 deals with the consequences of crime in Indian Territory.

In the present scenario where the cyber crimes are increasing to an alarming extent, the present need of the hour is to have broad-based convention dealing with criminal substantive law matters, criminal procedural questions as well as with international criminal law procedures and agreements. The IT Act, 2000 would be crippled without proper means and ways of implementing it.