Let's Build a Responsible Cyber Society




G Gopalakrishna Working Group (GGWG) on Electronic Banking


Role of Adjudicators in Phishing Cases Reiterated

On 12th April 2010, a landmark judgment came out of the Office of the Adjudicator of Tamil Nadu. Mr.P.W.C.Davidar, adjudging ont he complaint filed by one Mr S.Umashankar against ICICI Bank held that the Bank is guilty under Section 85 of Information Technology Act 2000 (ITA2000)  and is liable under Section 46 of the Act to compensate the victim of the Phishing fraud.

This judgment had examined in detail the facts that established "Lack of Due Diligence" on the part of the Bank regarding the use of authentication methods in Internet Banking, Use of digital signatures for e-mail communications, following of KYC norms during opening of accounts, following of RBI instructions on fraud reporting etc. The S.R.Mittal Committee report based on which RBI had issued a comprehensive guideline on Internet Banking in June 2001 was one of the documents referred to in the case.

This case was tried for an offence which occurred in September 2007 at a time when ITA 2000 was operative but the amendments leading to the current version of ITA 2000 (referred to as ITA 2008) was not in place. Similarly, S.R.Mittal Report was released when ITA 2000 was in place but the certifying authorities required for issue of digital signatures were not in place.  SR Mittal Report had to therefore make some interim recommendations which were automatically subject to a revision after the Certifying Authorities came into being in 2002 and later days. The judgement in the case of Umashankar Vs ICICI Bank also was decided with reference to ITA 2000 and not ITA 2008.

The GGWG however has come at a time that ITA 2008 is in place. Also the digital signatures are firmly in place with mandatory use in many Government transactions. The Electronic signatures have been enabled in the Act but they are yet to be introduced.

Also unlike 2000-2001 when S R Mittal Group had to formulate its recommendations, Banks currently are better equipped with Information Security know how and hence the Gopalakrishna Working Group recommendations can be treated as having come out when the information is mature.

The guidelines of S R Mittal group were conveniently ignored by Banks for their commercial benefit and it was left to the TN Adjudicator to wake them up from their slumber. I hope that at least now Banks put in place appropriate measures to implement the recommendations of the GGWG.

One of the important observations that we need to make is the following paragraph in page 31 of the report.

"The IT Act, 2000 as amended, exposes the banks to both civil and criminal liability. The civil liability could consist of exposure to pay damages by way of compensation upto Rs 5crore under the amended Information Technology Act before the Adjudicating Officer and beyond  Rs 5 crore in a court of competent jurisdiction. The top management of banks could also suffer exposure to criminal liability given the provisions of Chapter XI of the amended Information Technology Act and the exposure to criminal liability could consist of imprisonment for a term which would extend from three years to life imprisonment, as also a fine. Further, various computer related offences are enumerated under various provisions of the Act. "

Even after the reasoned judgment given by the TN Adjudicator in the ICICI Bank phishing case, it is found that in every subsequent case discussions on whether the Adjudicator has the jurisdiction in case of Phishing related complaints and whether the liability extends to the Bank to liabilities and if so does it extend even to criminal liabilities is often debated as a matter of routine.

The above paragraph from the GGWG should lay any doubts in this regard to rest. The fact that the Umashankar Case has been vetted for Jurisdiction purpose both at the Adjudicator's level as well as the Cyber Appellate Tribunal Level is also another indication that the matter of jurisdiction in respect of such cases is a settled fact in law.

Since at present "Adjudicators" are all officials who are working as IT Secretaries of different States and Union Territories and are otherwise pre occupied with their day to  day duties of Governance, some of the Adjudicators would feel an increased pressure of work arising from the Judicial functions associated with the responsibility of Adjudication. If more and more such cases land up witht he Adjduicators as it is expected to be, this may cause a practical problem for the IT Secretaries. At the same time, if the IT Secretaries refuse to entertain adjduication applications or receive it and fail to attend to it, there will be a kind of judicial crisis in the respective state with the sole judicial authority for such cases becoming non-functional.

There is therefore a need for Cyber Appellate Tribunal and the Ministry of Communications and Information Technology , GOI to start a dialogue with the State Governments to find a proper mechanism by which the IT Secretaries are provided with infrastructure and manpower support to handle this additional responsibilities.


January 22, 2011

Copy of Full Report:

Copy of Executive Summary

 Comments are Welcome at naavi@vsnl.com