Understanding data protection under cyber laws through the case of Pune Citibank Mphasis call center fraud

October 16, 2021


This article has been written by Kezia Shaji pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. This article has been edited by Smriti Katiyar (Associate, Lawsikho). 


We live in a world where the internet governs almost every action of ours. Although cyber laws have slowly started evolving in recent years, increased human dependence on technology has made stricter cyber laws a dire necessity. If this is not prioritized, people will be exposed to huge risks, where their personal and sensitive information might become available to the public. This constitutes cybercrime, and many such offences do not come to light because the victims do not file a complaint. This could be due to the fear of character assassination or a lack of awareness of how to go about filing one. In this article, the author sheds some light on data protection under cyber laws through a case law.

Data protection in Indian context

Data protection is the process used to secure the privacy of users' personal and sensitive information. It is vital for organizations that collect or store the personal details of customers, and is also referred to as information privacy or data security. In India, it is estimated that the digital economy will reach a valuation of around $1 trillion by the year 2022. Therefore, the need for standalone legislation to regulate data protection is more prominent than ever before. Such legislation will attract a lot of global entities, who will also need to comply with the data protection laws that the government intends to implement. However, India has come up with a personal data protection bill that still needs approval from the parliament.

To understand data protection more closely, let us refer to a case law:

The Pune Citibank Mphasis Call Center Fraud Case


In the year 2005, $3,50,000 was fraudulently transferred from the accounts of four US citizens who banked with Citibank into a few bogus accounts, also based in the US. The dishonest act was carried out by a few employees of the call centre. They first attempted to win the confidence of the customers by pretending to be redeemers who could help the customers come out of some difficulties, and thereby obtained their PINs. They went on to use these numbers to transfer the money to some bogus accounts, committing fraud. This involved three employees of Mphasis (Ivan Thomas, Siddharth Mehta, and Stephen Daniel) and a few other outsiders. They carried out the crime by identifying the loopholes in the Mphasis system.

Legal provisions applicable to the Issue 

The IT Act, 2000 –

  1. Accesses or secures access to such computer, computer system or computer network


This case raised the issue of data protection since it involved unauthorized access to the private electronic account space of the customers. It was held that the offence should be tried under various statutes such as the IT Act and the IPC, since India does not have a separate statute for data protection, which is instead widely covered under these other statutes. Therefore, the accused were charged with forgery, cheating, conspiracy and breach of trust based on various sections under the IPC and the IT Act. Further, the adjudication process could also be invoked for the damages that are to be paid to the customers.

Court’s decision 

The two main issues to be addressed in this case were, first, whether this offence constituted a cybercrime and, secondly, whether section 43(a) (damage caused to a computer without the consent of the owner) and section 66 (computer-related offence) of the IT Act, 2000 were applicable.

The court held that since the act involved unauthorized access to the electronic accounts of the customers, it fell under the ambit of cybercrime and was to be dealt with under the IT Act. It was also held that, since the offence involved employees of the Mphasis call centre, they must have memorized the numbers, and that the money was transferred using the Society for Worldwide Interbank Financial Telecommunication. The accused were charged under section 43(a) and section 66 of the IT Act, 2000 and also under Sections 420, 465, 467 and 471 of the IPC, 1860.

The Pune Citibank Mphasis Call Center Fraud highlighted the importance of having stricter data protection laws in India so that cybercriminals could be dealt with more strictly. The New Personal Data Protection Bill came into existence.

The New Personal Data Protection Bill and what it includes

The new PDP includes provisions requiring companies to seek the prior consent of individuals whose data is to be processed. It also covers data localization requirements and lays down the requirement of appointing data protection officers within each organization. Companies in the telecom or finance sectors are required to keep customers' personal data highly confidential and to use it only when required and with the prior knowledge of the customer. The PDP bill, post enactment, would repeal Section 43(a) of the IT Act. However, the act has still not been put into implementation. The bill also talks about creating a data protection authority in India that would work in the interest of data users and to prevent any data privacy infringement.

The bill also specifies the concepts of a data fiduciary and a data processor, which are the equivalent of the data controller and data processor under the GDPR. Organizations are also required to take adequate measures to restrict any unauthorized access to the confidential data of customers and to adopt certain data security strategies to curb the menace.

The New PDP and its role in the future of Indian digital market

In today’s data-regulated environment, privacy is a major issue. While the government has come up with a PDP bill, it has still not been implemented, and therefore India needs an effective plan to deal with data infringement issues. This will only be possible when people and technology go hand in hand and do what they can to make the digital world less unsafe. The strategy adopted by most companies right now has low scope to protect the customers’ data. It is high time that companies come up with better strategies and gain a better understanding of their data so that they can put the relevant data protection rules to use; by doing so, we set ourselves at a competitive advantage over other countries.


With the internet bringing such a huge revolution to the world, India is still not ready to tackle the perils that come with it. Data protection in India still requires a lot of improvement. There is no exclusive statute or law that deals with data protection. It is covered under other acts such as the Indian Penal Code, the IT Act and the Indian Evidence Act. The Pune Citibank Mphasis Call Center case is considered to be one of the landmark cases in India and raised concerns regarding data protection still being a grey area in India. The case was also an eye-opener in stressing how important it is to run a background check on an individual before hiring them in order to avoid any possible security breaches that might arise later.


