Cyber Crime & Corporate Liability

Sagar Rahurkar, Asian School of Cyber Laws


Timeline

• 17th October, 2000: Information Technology Act, 2000 came into force.
• 19th September, 2002: Information Technology (Removal of Difficulties) Order, 2002 came into force, rectifying minor errors in the Act.
• 21st November, 2002: Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002 came into force.
• 17th March, 2003: Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 came into force.
• 27th October, 2009: Information Technology (Amendment) Act, 2008 came into force.


Data Privacy & Protection laws

Section 43(A)

• Liability imposed on –
  • Corporate bodies handling “sensitive personal information”
  • Call centers, BPOs, etc. are under legal scanner to ensure adoption of reasonable security practices to maintain secrecy of data
• Nadeem Kashmiri’s case (credit card fraud)
• Damages - Unlimited


Issues raised

• Section 43 (A)

• Have you defined the various components of “sensitive personal data or information” vis-à-vis users/customers?

• Do you have a security policy? Is it documented?

Sec 72(A) (Criminal offence)

• Punishment for Disclosure of information in breach of lawful contract -
• Any person including an intermediary who, while providing services under a lawful contract, has secured access to any material containing “Personal Information” about another person, discloses such information knowingly or intentionally
• Imprisonment up to 3 years or fine up to 5 lakh or with both (Cognizable but Bailable)


Issues raised

• Section 72(A)

• Do you have an adequate privacy policy?

• Whether you have provided opt-in/opt-out clause in your privacy policy?

Section 66(B)

• Dishonestly receiving stolen computer resource or communication device
• Covers use of stolen Computers, mobile phones, SIM Cards, etc.
• Also covers “data theft”
• Punishment – imprisonment up to 3 years and fine

Here, “Computer resource” means:-

• Computer, computer system, computer network, data, computer data base or software;

Tampering with Source Code

Sec. 65
• Whoever steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,
• Punishment – Imprisonment – Up to 3 years or fine – Up to Rs. 2 Lakh or both
• Additionally provisions of Copyright Act will also apply

Sec. 43 (j)
• Punishment – Damages by the way of compensation


Access related issues


• Section 43 - Unauthorized Access

• Unlimited damages can be claimed

• Up to Rs. 5 Crore – Adjudicating Officer

• Above Rs. 5 Crore - Civil Court


Hacking & related aspects

Section 66

• Under IT Act, 2008 all the acts referred under Section 43 are also covered under Sec. 66 if they are done “dishonestly” or “fraudulently”

SPAM

• Sec. 66 (A)
• Sending of offensive or false messages
• Any message sent by means of computer resource or communication device for causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such message
• Punishment – imprisonment up to 3 years and fine

Section 66(A)

• Covers following sent by sms / email:
  • grossly offensive and menacing message
  • false information sent for causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will
  • Phishing, E-mail Spoofing, Spam mails, Threat E-mails, etc.

Identity theft

• Sec. 66 (C)
• Fraudulently or dishonestly using someone else’s electronic signature, password or any other unique identification feature
• Punishment - imprisonment up to 3 years and fine

Cheating by personation

• Sec. 66 (D)
• Cheating by pretending to be some other person by using computer resource
• Sec. 415 and 416 IPC relevant to prove “Cheating” and “Cheating by Personation”
• Punishment – imprisonment up to 3 years and fine


E-Signature

Legal recognition to e-signature

• The IT Act, 2008 introduces the concept of “electronic signatures” in addition to digital signatures
• Electronic signature is a wider term covering digital signatures, biometric authentication, etc.
• It has a technology neutral approach and is not bound by any specific technology.

Types of electronic signatures

• based on the knowledge of the user or the recipient (e.g. passwords, personal identification numbers (PINs))
• based on the physical features of the user (e.g. biometrics)
• those based on the possession of an object by the user (e.g. codes or other information stored on a magnetic card)
• scanned handwritten signatures
• signature by means of a digital pen
• clickable “OK” or “I accept” boxes


• Digital signatures within a public key infrastructure (PKI)

• Hybrid solution like combined use of passwords and secure sockets layer (SSL)


Law relating to intermediaries


Preservation of information by intermediaries

• Section 67(C) – new provision

• Intermediary shall preserve and retain information as may be specified for such duration and in such manner and format as the Central Government may prescribe


Issues raised

• Section 67 (C)

• Do you have the electronic record preservation and retention policy?

Liability of Intermediary

• Section 79
• Intermediary not to be liable for any third party information, data, or communication link made available or hosted by him.

• Intermediary needs to prove that he didn’t –
  • Initiate the transmission,
  • Select the receiver of the transmission, and
  • Select or modify the information contained in the transmission and
• Intermediary to observe “due diligence” while discharging his duties under the Act.


Power of Government

Sec 69

• Power to issue directions for interception or monitoring or decryption of any information through any computer resource
• Non-compliance – Up to 7 years imprisonment

Sec 69(A)

• Power to issue directions for blocking for public access of any information through any computer resource
• Non-compliance – Up to 7 years imprisonment

Sec 69(B)

• Power to authorise to monitor and collect traffic data or information through any computer resource for cyber security
• Govt. can authorise any Govt. agency to do so
• Intermediaries to provide all assistance
• Non-compliance – Up to 3 years imprisonment


Issues raised

• Section 69 (B)

• Have you adopted/established any procedure and safeguard for monitoring and collecting traffic data or information? Is it documented?

Govt. can issue such directions under Sec. 69, 69 (A) & (B) if it is necessary or expedient so to do in the interest of:-

• sovereignty and integrity of India,

• defence,

• security of the State,

• friendly relations with foreign states or

• public order or

• for preventing incitement to the commission of any cognizable offence

Offences by companies

• Sec. 85
• If Company commits any offence under this Act:-
  • Directors or
  • Persons who were in charge of and responsible for the affairs of the company
• Shall be liable for the contravention & punishment

CERT - IND

• Section 70(B)
• Indian Computer Emergency Response Team (CERT – IND) to serve as national agency for incident response


Issues raised

• Section 70(B)

• Do you have the documented procedure to comply with the requests of CERT-IN regarding cyber security incidents?

Banks and Data Protection Illustrations

• Master Circular on Credit Card operations (as amended up to July 1, 2009):
  • Protection of customer rights
  • Right to privacy
  • Customer confidentiality
  • Card issuing bank to maintain a Do Not Call Registry (DNCR) of customers as well as non-customers

• Banks can be held liable under Section 66A(c) if they breach DNCR:-
  “any electronic mail or message for the purpose of causing annoyance or inconvenience”


• The bank should not engage telemarketers, DSAs/DMAs, who do not have a valid registration certificate from DoT.

• Harsh Pathak vs. Union of India & Ors.: Hon’ble Supreme Court passed directions in a PIL that “any telemarketer who is not registered with (DoT) should not be permitted to operate the telemarketing services.”


Email: [email protected]

Website: www.asianlaws.org

Phone : 09225548605