CHAPTER IX : PENALTIES AND ADJUDICATION
43. Penalty Compensation for damage to computer, computer system etc.
(1) If any person, without permission of the owner or of any other person
who is incharge of a computer resource computer, computer or computer
network,-
(a) accesses or secures access to such computer resource; computer,
computer system or computer network;
(b) downloads, copies or extracts any data, computer data base or
information from such computer resource, computer system or computer
network including information or data held or stored in any removable
storage medium;
(c) introduces or causes to be introduced any computer contaminant or
computer virus into any computer resource, computer system or computer
network;
(d) damages or causes to be damaged any computer resource, computer system
or computer network, data, computer data base or other programmes residing
in such computer resource, computer system or computer network;
(e) disrupts or causes disruption or impairment of any computer resource;
computer system or computer network;
(f) denies or causes the denial of access to any person authorised to
access any computer resource, computer system or computer network by any
means;
(g) provides any assistance to any person to facilitate access to a
computer resource, computer system or computer network in contravention of
the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another
person by tampering with or manipulating any computer resource, computer
system, or computer network,
he shall be liable to pay damages by way of compensation not exceeding one
crore rupees to the person so affected.
(2) If any body corporate, that owns or handles sensitive personal data or
information in a computer resource that it owns or operates, is found to
have been negligent in implementing and maintaining reasonable security
practices and procedures, it shall be liable to pay damages by way of
compensation not exceeding Rs. 1 crore to the person so affected.
Explanation.- For the purposes of this section,-
(oi) “body corporate” means any company and includes a firm or other
association of individuals engaged in commercial or professional
activities.
(i) "computer contaminant" means any set of computer instructions that are
designed-
(a) to modify, destroy, record, transmit data or programme residing within
a computer, computer system or computer network; or
(b) by any means to usurp the normal operation of the computer, computer
system, or computer network;
(ii) "computer data base" means a representation of information,
knowledge, facts, concepts or instructions in text, image, audio, video
that are being prepared or have been prepared in a formalised manner or
have been produced by a computer, computer system or computer network and
are intended for use in a computer, computer system or computer network;
(iii) "computer virus" means any computer instruction, information, data
or programme that destroys, damages, degrades or adversely affects the
performance of a computer resource or attaches itself to another computer
resource and operates when a programme, data or instruction is executed or
some other event takes place in that computer resource;
(iv) "damage" means to destroy, alter, delete, add, modify or rearrange
any computer resource by any means.
(v) “Reasonable security practices and procedures” means, in the absence
of a contract between the parties or any special law for this purpose,
such security practices and procedures as appropriate to the nature of the
information to protect that information from unauthorized access, damage,
use, modification, disclosure or impairment, as may be prescribed by the
Central Government in consultation with the self-regulatory bodies of the
industry, if any.
(vi) “Sensitive personal data or information” means such personal
information, which is prescribed as “sensitive” by the Central Government
in consultation with the self-regulatory bodies of the industry, if any.
(vii) “Without the permission of the owner” shall include access to
information that exceeds the level of authorized permission to access.
44. Penalty for failure to furnish information, return, etc.
If any person who is required under this Act or any rules or regulations
made thereunder to-
(a) furnish any document, return or report to the Controller or the
Certifying Authority fails to furnish the same, he shall be liable to a
penalty not exceeding one lakh and fifty thousand rupees for each such
failure;
(b) file any return or furnish any information, books or other documents
within the time specified therefor in the regulations fails to file
return or furnish the same within the time specified therefor in the
regulations, he shall be liable to a penalty not exceeding five thousand
rupees for every day during which such failure continues;
(c) maintain books of account or records, fails to maintain the same, he
shall be liable to a penalty not exceeding ten thousand rupees for every
day during which the failure continues.
45. Residuary penalty
Whoever contravenes any rules or regulations made under this Act, for the
contravention of which no penalty has been separately provided, shall be
liable to pay a compensation not exceeding twenty-five thousand rupees to
the person affected by such contravention or a penalty not exceeding
twenty-five thousand rupees.
46. Power to adjudicate regarding compensation and penalty
(1) For the purpose of adjudging under this Chapter whether any person has
committed a contravention of any of the provisions of this Act or of any
rule, regulation, direction or order made thereunder which renders him
liable to pay penalty or compensation, the Central Government shall,
subject to the provisions of sub-section (3), appoint any officer not
below the rank of a Director to the Government of India or an equivalent
officer of a State Government to be an adjudicating officer for holding an
inquiry in the manner prescribed by the Central Government.
(2) The adjudicating officer shall, after giving the person referred to in
sub-section (1) a reasonable opportunity for making representation in the
matter and if, on such inquiry, he is satisfied that the person has
committed the contravention, he may impose such penalty or award such
compensation as he thinks fit in accordance with the provisions of that
section.
(3) No person shall be appointed as an adjudicating officer unless he
possesses such experience in the field of Information Technology and legal
or judicial experience as may be prescribed by the Central Government.
(4) Where more than one adjudicating officers are appointed, the Central
Government shall specify by order the matters and places with respect to
which such officers shall exercise their jurisdiction.
(5) Every adjudicating officer shall have the powers of a civil court
which are conferred on the Cyber Appellate Tribunal under sub-section (2)
of section 58, and-
(a) all proceedings before it shall be deemed to be judicial proceedings
within the meaning of sections 193 and 228 of the Indian Penal Code;
(b) shall be deemed to be a civil court for the purposes of section 345
and 346 of the Code of Criminal Procedure, 1973.
47. Factors to be taken into account by the adjudicating officer
While adjudging the quantum of compensation under this Chapter, the
adjudicating officer shall have due regard to the following factors,
namely :-
(a) the amount of gain of unfair advantage, wherever quantifiable, made as
a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.