Let's Build a Responsible Cyber Society



The Strength of Indian Cyber Laws

The recently reported case of a bank fraud in Pune, in which some ex-employees of MsourcE, the BPO arm of MPhasis Ltd, defrauded US customers of Citi Bank to the tune of Rs 1.5 crores, has raised concerns of many kinds, including the role of "Data Protection".

The research agency Forrester has warned that "The alleged account theft by the employees of an Indian BPO unit coupled with high call-centre attrition rates would severely dampen BPO growth rate in the next 18 months". It has estimated that the growth of the Indian call centre industry could drop by as much as 30 per cent following the incident.

"It will also likely lead to calls for more regulation of BPO activities in the US and Europe, as well as in India," the report said.

It added that India would have to tighten its data protection and privacy laws to bolster its offshore credibility.

The Strength of Indian Cyber Laws

In the aftermath of the crime, several questions have been raised: whether this can be called a "Cyber Crime"; if so, "Is it adequately dealt with in ITA-2000?"; and "What are the liabilities of the BPO and the Bank?". Questions have also been raised on whether there is a need for "Data Protection Laws" to address crimes of this sort.

The crime was obviously committed using "Unauthorized Access" to the "Electronic Account Space" of the customers. It is therefore firmly within the domain of "Cyber Crimes".

ITA-2000 is versatile enough to accommodate aspects of a crime that it does not itself cover but that are covered by other statutes, since any IPC offence committed with the use of "Electronic Documents" can be treated as a crime committed with the use of "Written Documents". "Cheating", "Conspiracy", "Breach of Trust" etc. are therefore applicable in the above case in addition to the sections of ITA-2000.

Under ITA-2000 the offence is recognized under both Section 66 and Section 43. Accordingly, the persons involved are liable to imprisonment and fine, as well as to pay damages to the victims up to a maximum of Rs 1 crore per victim, for which the "Adjudication Process" can be invoked.

The Bank is liable to the Customers for the breach of security which may result in wrongful dishonour of cheques, as well as for causing mental agony and financial stress for the customers.

The BPO is liable for the lack of security that enabled the commission of the fraud, as well as because of its vicarious responsibility for the ex-employees' involvement. The PIN numbers were obtained during the tenure of the persons as "Employees", and hence the organization is responsible for the crime.

Some of the persons who assisted others in the commission of the crime, even though they may not be directly involved as beneficiaries, will also be liable under Section 43 of ITA-2000.

The role of the BPO can also be brought under "Assisting in the contravention of ITA-2000" and hence it is possible to invoke Section 43 on the BPO.

Under Section 79 and Section 85 of ITA-2000, vicarious responsibilities are indicated both for the BPO and the Bank on the grounds of "Lack of Due Diligence".

The extraction of the PIN by the employees is prima facie an indication of "lack of Due Diligence" in a system that did not take enough precautions against it (this needs to be evaluated against the measures of Cyber Law Compliance that have been initiated by the BPO). The fact that, even after a time delay, the PIN remained the means of authentication and was not changed is a matter of negligence attributable to the Bank.

At the same time, if the crime is investigated in India under ITA-2000, then the fact that the Bank was not using digital signatures for authenticating the customer instructions is a matter which would amount to gross negligence on the part of the Bank. (However, in this particular case since the victims appear to be US Citizens and the Bank itself is US based, the crime may come under the jurisdiction of the US courts and not Indian Courts).

Non-usage of digital signatures, which facilitated the commission of the crime, may however be a defense for the BPO against the Bank if need be, though this is unlikely to be tested in this case.

In summary it can be stated that ITA-2000 has adequate provisions to punish the offenders of such a case as well as to provide adequate remedies to the victims. For the intermediary organizations however, ITA-2000 imposes "Due Diligence" requirements.

It is to address such situations that the undersigned has been advocating "CyLawCom audits" for IT companies, which indicate the efforts taken by the organization to identify the risks involved and the measures initiated to reduce the risks.

CyLawCom audits address issues which are not addressed by BS7799 type security models or CMM type quality models and are therefore considered supplements to other quality and security initiatives.

Obviously, CyLawCom audits involve an "Investment", and companies have to evaluate the Return on Investment (ROI) of such investments.

ROI on CyLawCom

The Forrester report indicating "Loss of Business" helps in answering one important aspect of Cyber Law Compliance, namely the ROI on Cyber Law Compliance investment. Quite often business owners, including those in the highly affluent IT industry, fail to invest adequately in Cyber Law Compliance due to a lack of understanding of the concept of "Return on Investment".

Financial analysts are used to calculating ROI on an income-generating activity. However, calculating ROI on a "Saving generation activity" or a "Contingent Savings generation activity" is not very easy. CyLawCom investment is one such activity, where an investment is called for to mitigate the probability of loss occurring due to non-compliance with Cyber Laws.

In the instant case Citi Bank as well as Mphasis have to bear the possible claim for compensation from the affected customers of the Bank. Additionally, the loss of BPO business as predicted by Forrester is a loss to the BPO industry and the Indian economy for having neglected CyLawCom.

The potential ROI of CyLawCom investments by the BPO in cases such as the one mentioned above is therefore reflected in the opportunity cost of managing such fraud liabilities.

For the purpose of ROI on CyLawCom, Cyber Law College defines the revenue generation as the "Probability of Loss due to non compliance of Cyber Laws arising in a period of 10 years from the year of estimation".

Liability is not the same as Customer's Loss

While assessing the ROI in CyLawCom cases, it must be remembered that the actual compensation to be paid by the subject is not the same as the actual amount of the fraud. The compensation includes consequential losses as well as compensation for the mental agony and suffering associated with it. For example, if due to the siphoning off of, say, US $ 1000 from Bank accounts in the above case a cheque is wrongfully dishonoured and the customer loses a business deal of a million dollars, then the loss to the Bank/BPO is US $ one million and not US $ 1000.

Data Protection Laws

Having discussed the various options available under ITA-2000, it is obvious that a separate "Data Protection Law" to handle cases of this nature appears to be redundant. Except for "Clarifying" the liability of the BPO and restating that it is responsible to the victims of the fraud, it appears that a data protection law cannot add to what is already available under ITA-2000.

The only additional dimension that may be added by a separate Data Protection Law is that foreign victims may be provided a remedy in Indian Courts for the breach of Privacy.


April 9, 2005
