The document summarizes a case between a customer (petitioner) and ICICI Bank regarding fraudulent transactions on the customer's account. The petitioner received a phishing email posing as the bank asking for account details. Over Rs. 6 lakh was fraudulently transferred from the petitioner's account. An investigation found the money was transferred to another bank account ("Uday Enterprises") which was later determined to be fraudulent. The petitioner alleges negligence by the bank in security and compliance processes led to the fraud. The petitioner filed various police complaints and ultimately an IT adjudicator case against the bank seeking damages.
Unit IV
Penalties and Adjudication
• According to Sec 43, a person shall be liable to pay damages by way of compensation not exceeding one crore rupees to the affected (aggrieved) person if without permission of the owner or any other person who is in charge of a computer, computer system or computer network:
  • Accesses or secures access to such computer, computer system or computer network.
  • Downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium.
  • Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network.
  • Damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network.
  • Disrupts or causes disruption of any computer, computer system or computer network.
  • Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means.
  • Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder.
  • Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network.

Umashankar Sivasubramanian V ICICI Bank, 2010
• The petitioner (complainant) is a non-resident Indian and is employed as a Process Engineer, Dept: SUFEMS, ZAKUM Development Company in Abu Dhabi and is currently residing in Abu Dhabi. The petitioner maintains a savings bank account (NRE) with ICICI Bank, V.E. Road, Tuticorin. The Bank has activated an Internet Banking facility for the account. Every month, the Bank NRI Services Team would send a statement of account to the petitioner of this case from an email id.
The URL of which is customercareicicibank.com. At the end of August 2007, the balance in the petitioner's account was Rs.6,20,846 and on 4th September the ICICI Bank credited an interest component of Rs.25,200 which then increased the petitioner's credit balance to Rs.6,46,046.
• The entire incident began when the customer received a security update from [email protected] for updation. Assuming it to be a routine mail from the Bank, which had sent similar mails earlier, the customer complied with the request, following which he was shocked to find that his account had been debited to the extent already mentioned. According to the petitioner, he received a telephone call from the Bank on September 7th, 2007, when a representative from ICICI Bank, Mumbai telephoned at 1800 hours (UAE time) and requested confirmation whether a money transfer from the petitioner's account had been made to 'Uday Enterprises', Mumbai through Internet banking on 6th and 7th September 2007. The petitioner denied any transfer being made as suggested by the Mumbai branch.
• The Branch accordingly instructed the petitioner that a complaint be filed within 24 hours to Customer Care, ICICI Bank Mumbai, which was done by the petitioner and a reference number given as SR37195467. Following this, the petitioner faxed and emailed a complaint to the ICICI Bank Tuticorin and the NRI services center, Mumbai. Following this, an email was received from the Customer Service Quality department of the International Banking Division of ICICI Bank that the matter was being investigated and that within a month's time they would revert with a resolution. The petitioner then received a mail on October 20, 2007 (43 days after the loss of money from his account) from one Mr. Shankar representing the respondent bank on the immediate results of the investigation. This mail from ICICI was sent by a personal email id on a Gmail account and not on the official ICICI email id.
• The details of the investigation as reported in the mail indicate the following:
  a) that the incident appears to be a case of Actual Infinity Phishing Fraud;
  b) that the petitioner's account has been debited to the tune of Rs.6,46,000 and that the funds were transferred to Uday Enterprises;
  c) that Uday Enterprises was a current account and a partnership account with ICICI Mumbai;
  d) that the account was in debit balance since 23-04-2007;
  e) that an amount of Rs.4,60,000 was withdrawn by Self Cheque across the counter from the Uday Enterprises account;
  f) that the address of Uday Enterprises was visited and the door was locked, and the residents there indicated that Uday Enterprises had shifted two years earlier.
• Further verification reveals to the Bank that the firm is a proprietorship firm and the proprietor's name is Mohd Zulfqar Hasim Khan apart from the documents submitted for proof to the bank and that the firm had been in existence at the same address until two years ago. The investigation report comments that as the immediate case refers to a phishing case, the blame of negligence lies with the customer and that the customer would need to file the FIR. The observations in the investigation report state that the customer should file the FIR and then the case can be closed. An observation is also made that the 'beneficiary' (namely Uday Enterprises) account still has a balance of Rs. 1,50,171/- which needs to be reversed. This amount of Rs. 1,50,171/- was subsequently reversed on 17th July 2008 into the petitioner's account.
• The petitioner filed a complaint before the Superintendent of Police in Tuticorin detailing all the events and indicated the possibility of the Bank or some of its staff being behind the fraud. The petitioner requested the police to initiate action against the ICICI Bank and retrieve the money. This petition was subsequently transferred to the Cyber Crime Police Station at Chennai.
On the 6th February, 2008, the petitioner lodged a fresh complaint with the Cyber Crime Cell, CCB at Chennai. Finally, the petitioner has concluded in his application that ICICI is primarily responsible for the loss and that Uday Enterprises may be a benami of the bank or any of its staff members. He has alleged that due diligence has not been exercised by the bank in the entire case, and in the case of Uday Enterprises particularly, when the account had actually been in overdraft and suddenly saw a high-value transaction. Further, he has stated that such a large transaction by way of a self-cheque over the counter without adhering to banking norms is indicative of negligence on the part of the Bank.
• The immediate adjustment of the overdraft of Uday Enterprises by the money so transferred has also been questioned. The petitioner also cites:
  • the failure of the Bank to file a criminal complaint on the matter in Mumbai even after the fraud has come to light;
  • failure to retain a record of the CCTV clippings;
  • failure of the Bank to adequately adhere to the KYC (Know Your Customer) norms;
  • failure to part with the IP addresses immediately after the incident that had led to the fraudulent transfer, and lack of maintenance of record of the same in violation of RBI instructions;
  • failure to use digital signatures in official communication;
  • lack of adequate controls by the Bank to ensure information security.
  He submits that Sections 11, 66, 43, 85 of the IT Act have to be considered in the light of all the facts, that they have a bearing on the gross negligence of the Bank in causing loss to the petitioner, and that all of these together have to be considered in dealing with the petition made by the petitioner under Section 43 and Section 46 of the IT Act of 2000.
• The petitioner in the course of the hearing filed an additional reply to the initial counter affidavit filed by ICICI bank.
He has stated in addition to his earlier statement that there is due justification in having approached the adjudicator as he is the main avenue for redressal of the issue on account of the fraud perpetrated on him and it being within the purview of the Information Technology Act of 2000. Approaching the banking ombudsman was for the redressal of the customer complaint and not replacement of any other remedy and the complaint at Tuticorin Police Station was on account of this being a cognizable offence. The cyber crime Police Station registering an FIR under Section 66 of IT Act 2000 of the initial investigation confirmed this. The petitioner has expressed his disappointment on the failure of the respondent bank to file a complaint in Mumbai even after being aware that the final beneficiary of this IT fraud was also their customer. Also, the petitioner has recorded his opinion with regard to the jurisdictional relevance of the adjudicator and the powers therein to try this case according to the IT Act, 2000.
• In response to the complaint filed by the petitioner, the respondent submitted the following: That the respondent bank provides net banking services to customers among other services and that the internet banking services includes transfer of funds, respondent enquiries about details in the transactions of his account, statement of account etc. Accordingly, at the time of opening of the account by a customer, the customer agrees to the conditions imposed by the bank and unconditionally undertakes to have the user ID provided by ICICI bank changed and ensured that the scheme is kept confidential and not to let any unauthorized person have access to the same, and neither ICICI bank nor its affiliates shall be liable for any unauthorized transactions occurring through internet banking, and the user then fully indemnifies and holds ICICI bank harmless against any actions, suit proceeded against it.
According to the respondent, the complainant has negligently disclosed the confidential information such as password and thereby had fallen prey to a phishing fraud.
• Section 43 read with section 85 of the Act clearly highlight that this case falls within the jurisdiction of this office as the offence made out is within the purview of the IT Act of 2000. The petitioner has placed his trust in the services offered by the Respondent Bank (a Banking company) in providing a secure environment for his finances and has operated an account in the respondent Bank Branch. In furtherance of this trust, and reliability offered by the respondent bank in providing secure transactions over the Internet, and due to the fact that he was working in another country several thousand miles away, the petitioner has extended his trust into operating his Bank account in the Respondent's Bank Branch in Tuticorin through the Internet. In this process, due to a transaction that he assumed as genuine, he has suffered financial loss which he would not have suffered had he stayed away from operating an Internet Account. A prima facie case of the matter attracting the relevant provisions of the Information Technology Act is made out.
• The court said “that the Respondent Bank namely ICICI has failed to establish that due diligence was exercised to prevent the contravention of the nature of unauthorised access as laid out in Section 43 of the Information Technology Act of 2000, I find the petitioner justified in the instant case. The Respondent Bank has failed to put in place a foolproof Internet Banking system with adequate levels of authentication and validation which would have prevented the type of unauthorised access in the instant case that has led to a serious financial loss to the petitioner customer. The basic loophole in ensuring that a customer recognizes an email as from the bank was a glaring error on the respondent's part that would have prevented this incident.
The degree of connivance or complicity may be debated upon but the neglect of the personnel of the Respondent Bank both immediately prior to and immediately after the loss in protecting the interests of the customer are clearly evident.
• The petitioner has been made to run around in search of justice and retribution following the incident without any support from the bank. The Respondent Bank is found guilty of the offences made out in Section 85 read with relevant clauses of Section 43 of the Information Technology Act of 2000. As regards the quantum of compensation, attention is drawn to section 47 (b) of the Information Technology Act of 2000 which is in reference to the same and states that due regard shall be had to the quantum of loss suffered as a result of the default. Thus, the respondent bank namely ICICI in the instant case is directed to pay a total sum of Rs.12,85,000/- (Rupees Twelve Lakhs Eighty Five Thousand only) to the petitioner within 60 days from the date of issue of this judgment against the financial loss of Rs 4,95,829, the total fee that had been paid by the petitioner as applicable statutorily for adjudication on account of the incident was Rs.27,850, all the travel and incidental expenses computed on a lumpsum basis as Rs 6,00,000 with an interest of 12% per annum.

Residuary Penalty
• As stated in Sec 45, whosoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay compensation not exceeding twenty-five thousand rupees to the person affected by such contravention or a penalty not exceeding twenty-five thousand rupees.

Penalty for Failure to Furnish Information and Return
According to Sec 44, for failure to furnish information and return under this Act, a person shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues, if he is required under this Act or any rules or regulations made thereunder to
• (a) Furnish any document, return or report to the Controller or the Certifying Authority fails to furnish the same, he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure.
• (b) File any return or furnish any information, books or other documents within the time specified therefor in the regulations fails to file return or furnish the same within the time specified therefor in the regulations, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues.
• (c) Maintain books of account or records, fails to maintain the same,

Appellate Tribunal
• Establishment of Cyber Appellate Tribunal
• Composition of Cyber Appellate Tribunal
• Qualifications for Appointment as Presiding Officer of the Cyber Appellate Tribunal
• Term of Office
• Salary, Allowances And Other Terms And Conditions Of Service Of Presiding Officer
• Filling Up of Vacancies

Offences and Penalties
• Computer Related Offences: As per Sec 66, if any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term, which may extend to three years or with fine, which may extend to five lakh rupees or with both.
• Tampering With Computer Source Documents: According to Sec 65, whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Syed Asifuddin and Ors. V The State of Andhra Pradesh & Anr. 2005CriLJ4314
• Under a sale scheme launched by the Reliance Infocomm, the subscriber was given a digital handset worth Rs. 10,500 as well as service bundle for 3 years with an initial payment of Rs. 3350 and monthly outflow of Rs. 600. The subscriber was also provided a 1 year warranty and 3 year insurance on the handset. The handset was technologically locked so that it only works with the Reliance Infocomm services. If the customer wanted to leave Reliance services, he would have to pay some charges including the true price of the handset. Since the handset was of a high quality, the market response to the scheme was exceptional.
• Unidentified persons contacted Reliance customers with an offer to change to a lower priced Tata Indicom scheme. As part of the deal, their phone would be technologically “unlocked” so that the exclusive Reliance handsets could be used for the Tata Indicom service. Reliance officials came to know about this “unlocking” by Tata employees and lodged a First Information Report (FIR) under various provisions of the Indian Penal Code, Information Technology Act and the Copyright Act. The police then raided some offices of Tata Indicom in Andhra Pradesh and arrested a few Tata Tele Services Limited officials for reprogramming the Reliance handsets.
• These arrested persons approached the High Court requesting the court to quash the FIR on the grounds that their acts did not violate the said legal provisions. They argued that it is always open for the subscriber to change from one service provider to the other service provider. The subscriber who wants to change from Tata Indicom always takes his handset to other service providers to get service connected and to give up Tata services. The handsets brought to Tata by Reliance subscribers are capable of accommodating two separate lines and can be activated on principal assignment mobile (NAM 1 or NAM 2). The mere activation of NAM 1 or NAM 2 by Tata in relation to a handset brought to it by a Reliance subscriber does not amount to any crime.
• Further, a telephone handset is neither a computer nor a computer system containing a computer programme and there is no law in force which requires the maintenance of "computer source code". Hence section 65 of the Information Technology Act does not apply. The Court found that as per section 2 of the Information Technology Act, any electronic, magnetic or optical device used for storage of information received through satellite, microwave or other communication media and the devices which are programmable and capable of retrieving any information by manipulations of electronic, magnetic or optical impulses is a computer which can be used as computer system in a computer network.
• The instructions or programme given to computer in a language known to the computer are not seen by the users of the computer/consumers of computer functions. This is known as source code in computer parlance. Further, a city can be divided into several cells. A person using a phone in one cell will be plugged to the central transmitter of the telecom provider. This central transmitter will receive the signals and then divert them to the relevant phones.
When the person moves from one cell to another cell in the same city, the system i.e., Mobile Telephone Switching Office (MTSO) automatically transfers signals from tower to tower. All cell phone service providers have special codes dedicated to them and these are intended to identify the phone, the phone's owner and the service provider. Moreover, System Identification Code (SID) is a unique 5-digit number that is assigned to each carrier by the licensor.
• Every cell phone operator is required to obtain SID from the Government of India. SID is programmed into a phone when one purchases a service plan and has the phone activated. Electronic Serial Number (ESN) is a unique 32-bit number programmed into the phone when it is manufactured by the instrument manufacturer. ESN is a permanent part of the phone. Mobile Identification Number (MIN) is a 10-digit number derived from cell phone number given to a subscriber. MIN is programmed into a phone when one purchases a service plan. When the cell phone is switched on, it listens for a SID on the control channel, which is a special frequency used by the phone and base station to talk to one another about things like call set-up and channel changing.
• If the phone cannot find any control channels to listen to, the cell phone displays "no service" message as it is out of range. When cell phone receives SID, it compares it to the SID programmed into the phone and if these code numbers match, cell knows that it is communicating with its home system. Along with the SID, the phone also transmits registration request and MTSO which keeps track of the phone's location in a database, knows which cell phone you are using and gives a ring. So as to match with the system of the cell phone provider, every cell phone contains a circuit board, which is the brain of the phone.
It is a combination of several computer chips programmed to convert analog to digital and digital to analog conversion and translation of the outgoing audio signals and incoming signals. This is a micro processor similar to the one generally used in the compact disk of a desktop computer.
• Without the circuit board, cell phone instrument cannot function. When a Reliance customer opts for its services, the MIN and SID are programmed into the handset. If someone manipulates and alters ESN, handsets which are exclusively used by them become usable by other service providers like TATA Indicom. Held, a cell phone is a computer as envisaged under the Information Technology Act. ESN and SID come within the definition of “computer source code” under section 65 of the Information Technology Act.
• When ESN is altered, the offence under Section 65 of Information Technology Act is attracted because every service provider has to maintain its own SID code and also give a customer specific number to each instrument used to avail the services provided. Whether a cell phone operator is maintaining computer source code, is a matter of evidence.
In Section 65 of Information Technology Act the disjunctive word "or" is used in between the two phrases "when the computer source code is required to be kept" or "maintained by law for the time being in force".
• Hacking with Computer System: As per Sec 66 (1), whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking, shall be punished with imprisonment up to three years, or with fine, which may extend up to two lakh rupees, or with both.
• Compounding of Offences: According to 77A of the Information Technology (Amendment) Act, 2008, a court of competent jurisdiction may compound offences, other than offences for which the punishment for life or imprisonment for a term exceeding three years has been provided, under this Act. Provided that the court shall not compound such offence where the accused is, by reason of his previous conviction, liable to either enhanced punishment or to a punishment of a different kind.
• Offences with Three Years Imprisonment to Be Bailable: As per Sec 77B, notwithstanding anything contained in the Code of Criminal Procedure, 1973, the offence punishable with imprisonment of three years and above shall be cognizable and the offence punishable with imprisonment of three years shall be bailable.