
Cyber crime & corporate liability

  1. Cyber Crime & Corporate Liability – Sagar Rahurkar, Asian School of Cyber Laws
  2. Timeline
     - 17 October 2000: Information Technology Act, 2000 came into force.
     - 19 September 2002: minor errors in the Act were rectified by the Information Technology (Removal of Difficulties) Order, 2002.
     - 21 November 2002: Negotiable Instruments (Amendments and Miscellaneous Provisions) Act, 2002 came into force.
     - 17 March 2003: Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003 came into force.
     - 27 October 2009: Information Technology (Amendment) Act, 2008 came into force.
  3. Data Privacy & Protection laws
  4. Section 43(A)
     - Liability imposed on:
       - Corporate bodies handling “sensitive personal information”
       - Call centers, BPOs, etc. are under the legal scanner to ensure adoption of reasonable security practices to maintain secrecy of data
       - Nadeem Kashmiri’s case (credit card fraud)
       - Damages: unlimited
  5. Issues raised – Section 43(A)
     - Have you defined the various components of “sensitive personal data or information” vis-à-vis users/customers?
     - Do you have a security policy? Is it documented?
  6. Sec 72(A) (Criminal offence)
     - Punishment for disclosure of information in breach of lawful contract
     - Any person, including an intermediary, who, while providing services under a lawful contract, has secured access to any material containing “personal information” about another person and discloses such information knowingly or intentionally
     - Imprisonment up to 3 years or fine up to 5 lakh or both (cognizable but bailable)
  7. Issues raised – Section 72(A)
     - Do you have an adequate privacy policy?
     - Have you provided an opt-in/opt-out clause in your privacy policy?
  8. Section 66(B)
     - Dishonestly receiving stolen computer resource or communication device
     - Covers use of stolen computers, mobile phones, SIM cards, etc.
     - Also covers “data theft”
     - Punishment: imprisonment up to 3 years and fine
  9. Section 66(B)
     - Here, “computer resource” means: computer, computer system, computer network, data, computer database or software
  10. Tampering with Source Code
     - Sec. 65: Whoever steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage
       - Punishment: imprisonment up to 3 years or fine up to Rs. 2 lakh or both
       - Additionally, provisions of the Copyright Act will also apply
     - Sec. 43(j)
       - Punishment: damages by way of compensation
  11. Access related issues
  12. Section 43 – Unauthorized Access
     - Unlimited damages can be claimed
     - Up to Rs. 5 crore: Adjudicating Officer
     - Above Rs. 5 crore: Civil Court
  14. Hacking & related aspects
  15. Section 66
     - Under the IT Act, 2008, all the acts referred to under Section 43 are also covered under Sec. 66 if they are done “dishonestly” or “fraudulently”
  16. SPAM – Sec. 66(A)
     - Sending of offensive or false messages
     - Any message sent by means of a computer resource or communication device for causing annoyance or inconvenience, or to deceive or mislead the addressee or recipient about the origin of such message
     - Punishment: imprisonment up to 3 years and fine
  17. Section 66(A)
     - Covers the following sent by SMS / email:
       - grossly offensive and menacing messages
       - false information sent for causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will
       - phishing, e-mail spoofing, spam mails, threat e-mails, etc.
  18. Identity theft – Sec. 66(C)
     - Fraudulently or dishonestly using someone else’s electronic signature, password or any other unique identification feature
     - Punishment: imprisonment up to 3 years and fine
  19. Cheating by personation – Sec. 66(D)
     - Cheating by pretending to be some other person by using a computer resource
     - Sec. 415 and 416 IPC are relevant to prove “cheating” and “cheating by personation”
     - Punishment: imprisonment up to 3 years and fine
  20. E-Signature
  21. Legal recognition of e-signature
     - The IT Act, 2008 introduces the concept of “electronic signatures” in addition to digital signatures
     - Electronic signature is a wider term covering digital signatures, biometric authentication, etc.
     - It takes a technology-neutral approach and is not bound to any specific technology.
  22. Types of electronic signatures
     - based on the knowledge of the user or the recipient, e.g. passwords, personal identification numbers (PINs)
     - based on the physical features of the user (e.g. biometrics)
     - based on the possession of an object by the user (e.g. codes or other information stored on a magnetic card)
     - scanned handwritten signatures
     - signature by means of a digital pen
     - clickable “OK” or “I accept” boxes
  23. Types of electronic signatures
     - Digital signatures within a public key infrastructure (PKI)
     - Hybrid solutions, e.g. the combined use of passwords and secure sockets layer (SSL)
  25. Law relating to intermediaries
  26. Preservation of information by intermediaries
     - Section 67(C) – new provision
     - An intermediary shall preserve and retain such information as may be specified, for such duration and in such manner and format as the Central Government may prescribe
  27. Issues raised – Section 67(C)
     - Do you have an electronic record preservation and retention policy?
  28. Liability of Intermediary
     - Section 79
     - An intermediary is not liable for any third-party information, data or communication link made available or hosted by him.
  29. Liability of Intermediary
     - The intermediary needs to prove that he did not:
       - initiate the transmission,
       - select the receiver of the transmission, and
       - select or modify the information contained in the transmission
     - The intermediary must observe “due diligence” while discharging his duties under the Act.
  30. Power of Government
  31. Sec 69
     - Power to issue directions for interception or monitoring or decryption of any information through any computer resource
     - Non-compliance: up to 7 years imprisonment
  32. Sec 69(A)
     - Power to issue directions for blocking public access to any information through any computer resource
     - Non-compliance: up to 7 years imprisonment
  33. Sec 69(B)
     - Power to authorise monitoring and collection of traffic data or information through any computer resource for cyber security
     - Govt. can authorise any Govt. agency to do so
     - Intermediaries to provide all assistance
     - Non-compliance: up to 3 years imprisonment
  34. Issues raised – Section 69(B)
     - Have you adopted/established any procedure and safeguard for monitoring and collecting traffic data or information? Is it documented?
  35. Govt. can issue such directions under Sec. 69, 69(A) & 69(B) if it is necessary or expedient to do so in the interest of:
     - sovereignty and integrity of India,
     - defence,
     - security of the State,
     - friendly relations with foreign states, or
     - public order, or
     - preventing incitement to the commission of any cognizable offence
  36. Offences by companies – Sec. 85
     - If a company commits any offence under this Act, the directors, or the persons who were in charge of and responsible for the affairs of the company, shall be liable for the contravention and punishment
  37. CERT-In – Section 70(B)
     - Indian Computer Emergency Response Team (CERT-In) to serve as the national agency for incident response
  38. Issues raised – Section 70(B)
     - Do you have a documented procedure to comply with requests from CERT-In regarding cyber security incidents?
  39. Banks and Data Protection Illustrations
     - Master Circular on Credit Card Operations (as amended up to July 1, 2009):
       - Protection of customer rights
       - Right to privacy
       - Customer confidentiality
       - Card-issuing bank to maintain a Do Not Call Registry (DNCR) of customers as well as non-customers
  40. Banks and Data Protection Illustrations
     - Banks can be held liable under Section 66A(c) if they breach the DNCR: “any electronic mail or message for the purpose of causing annoyance or inconvenience”
  41. Banks and Data Protection Illustrations
     - The bank should not engage telemarketers, DSAs/DMAs, who do not have a valid registration certificate from the DoT.
     - Harsh Pathak vs. Union of India & Ors.: the Hon’ble Supreme Court passed directions in a PIL that “any telemarketer who is not registered with (DoT) should not be permitted to operate the telemarketing services.”
  43. Email: Website: Phone: 09225548605