Umashankar Judgement upheld by TDSAT

S Umashankar Vs ICICI Bank was a historic adjudication decision of the Adjudicator of Tamil Nadu, decided in 2010 (complaint filed in 2008). The award had held ICICI Bank liable to pay compensation to the customer because the Bank was negligent and caused the loss, despite the incident also involving a phishing element.

The Bank had appealed against the order with the Cyber Appellate Tribunal (CyAT). Unfortunately, just before the judgement was to be given in CyAT, the then Chairman attained superannuation in June 2011 and the operations of CyAT stopped completely. Two successive Governments could not find a replacement for the Chairman until, in 2017, CyAT was merged with TDSAT.

TDSAT reopened the proceedings on 31st July 2018 and yesterday, the 10th January 2019, pronounced the judgement upholding the Adjudication order, though it reduced a part of the compensation granted by the AO on expenses account.

With this, a 10 year fight for justice of a Cyber Crime victim appears to have reached a decisive stage, though the mop up operations by way of execution of the decree need to be completed.

Naavi

 


Virtual Cards for Credit Cards also

RBI has issued guidelines on tokenisation for debit / credit / prepaid card transactions as part of its endeavour to enhance the safety and security of the payment systems in the country. Accordingly, RBI will permit authorised card payment networks to offer card tokenisation services to any token requestor (i.e., third party app provider), subject to certain conditions.

This permission extends to all use cases / channels [e.g., Near Field Communication (NFC) / Magnetic Secure Transmission (MST) based contactless transactions, in-app payments, QR code-based payments, etc.] or token storage mechanisms (cloud, secure element, trusted execution environment, etc.). For the present, this facility shall be offered through mobile phones / tablets only. Its extension to other devices will be examined later based on experience gained.

All extant instructions of Reserve Bank on safety and security of card transactions, including the mandate for Additional Factor of Authentication (AFA) / PIN entry, shall be applicable for tokenised card transactions also.

All other instructions related to card transactions will continue to be applicable for tokenised card transactions as well.

The ultimate responsibility for the card tokenisation services rendered rests with the authorised card networks.

No charges should be recovered from the customer for availing this service.

Before providing card tokenisation services, authorised card payment networks shall put in place a mechanism for periodic system (including security) audit at frequent intervals, at least annually, of all entities involved in providing card tokenisation services to customers.

This system audit shall be undertaken by empanelled auditors of Indian Computer Emergency Response Team (CERT-In) and all related instructions of Reserve Bank in respect of system audits shall also be adhered to.

A copy of this audit report shall be furnished to the Reserve Bank, with comments of auditors on deviations.

The move is welcome since it is expected to enhance the security from the consumer’s point of view.

Naavi


Limited Liability also for Cyber crimes in PPI

The Reserve Bank of India has issued a circular “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Payment Transactions in Prepaid Payment Instruments (PPIs) issued by Authorised Non-banks” on January 4, 2019.

This is similar to the circular earlier issued for Banks and cooperative Banks.

Accordingly, if the victim of a Cyber Crime informs the PPI issuer within 3 days, there shall be no liability.

Naavi


An innovative way of implementing the Intermediary Guidelines under Section 79

We are all aware of UDRP or INDRP, which is a Dispute Resolution Policy adopted by all Domain Name Registrars for resolving disputes arising out of conflicting domain name registrations. The policy is embedded into all domain name registration contracts and disputes are resolved through an Arbitration process.

This procedure has been in existence since August 1999 and has been in use across not only the gTLDs but also the other TLDs and ccTLDs. The domain name registrations of these different TLDs are under several complicated covenants built into the domain name contracts, and disputes arising therefrom are resolved through mediation and arbitration.

A similar procedure appears to be also good for imposing the “Due Diligence” requirements under the Intermediary Guidelines under Section 79. Since the Government is now considering some modifications in the Intermediary guidelines, it is a good time to think about introducing this IDRP (Intermediary Dispute Resolution Policy) procedure as explained briefly below.

  1. The IDRP process would envisage that all intermediaries add one clause in their terms and conditions stating that the provision of the service and the resolution of disputes arising thereof will be subject to IDRP.
  2. IDRP will be drafted by the Accredited IDRP Management Centers (like the WIPO arbitration center in case of domain names). These IDRP Management Centers would be like “Accredited Arbitration Councils” and will adopt a well developed system of “Providing an Ombudsman”, “Mediation” and “Arbitration” as per the arbitration act of India.
  3. These IDRPs will incorporate all the Due Diligence Clauses which are included in the Intermediary Guidelines. Hence, without the entire list of clauses being repeated in all the terms and policy documents across websites and Apps, the single clause of IDRP adoption will adopt the entire due diligence requirements.
  4. The Intermediaries should then be required to register themselves with the Government. Since, according to the newly proposed guidelines, large Intermediaries need to have an establishment in India and those handling personal information will be subject to data localization, registration of significant and guardian fiduciaries etc., this proposal to get registered so that the Government has an inventory of such intermediaries is not difficult. Apart from the voluntary registration by the intermediaries, the IDRP Resolution Centers may be tasked with ensuring that awareness is created and that all identifiable intermediaries are registered and undertake to add the IDRP clause in their terms.
  5. In case any intermediary does not want to register and add the IDRP clause, it will still be subject to the intermediary guidelines, which it needs to adopt and comply with, but without the benefit of the ADR process.
  6. The IDRP process should be made entirely online and the ODR mechanism (See www.odrglobal.in for more information) should be adopted. [P.S: Adoption of the ODR mechanism in this process will provide a leadership status for India in adoption of this emerging best practice in dispute resolution and reduce the burden on the Indian Courts.]
  7. The terms and conditions that the intermediaries will be required to handle after adoption of this practice will consist of only the business related issues, and the intermediaries will find it convenient that the burden of drafting compliance related terms and conditions by availing the services of a Cyber Law expert is fully eliminated.
  8. The IDRP Resolution Center will be a new business opportunity for interested firms specializing in Cyber Laws applicable to intermediaries.
  9. By using the expertise available with the IDRP Resolution Centers, the terms can be well drafted not only to include the ITA 2000/8 requirements but also the IPR requirements, the PDPA requirements, the GDPR requirements and other laws that may have an impact on the Intermediary-user relationship.

I therefore suggest that this idea can be incorporated in the proposed amendment to the Intermediary guidelines 2018.

(Comments welcome)

Naavi

 

Previous Articles:

Shreya Singhal is Back again!

New Intermediary Guidelines… Legitimate and Well within the rights of the Government
Proactive technology tools to identify violation..new intermediary rules
New Intermediary Guidelines.. Intermediaries need to have Indian Subsidiaries..
Intermediary Guidelines.. Who is and who is not an intermediary?
Draft Intermediary Guidelines 2018… Public Comments invited
Copy of the guidelines

P.S: The last date for submission of comments has been extended up to 31st January 2019. The comments would be put up on the website on 4th February and counter comments accepted up to 14th February 2019… http://meity.gov.in/writereaddata/files/Extention_Guidelines_2018.pdf


Why Pull Up Central Government when the mistake lies with the State Governments?

The Supreme Court of India is hearing a petition filed by the Internet Freedom Foundation on an allegation that 22 people have been arrested under Section 66A of ITA 2000/8, which was scrapped by the Supreme Court in the Shreya Singhal case in 2015. (Refer article here).

A bench consisting of Justice Rohinton F Nariman (who was also the author of the Shreya Singhal judgement) has reportedly made angry comments at the time of admission such as “We are Shocked”, “We will jail the officials” etc., and ended up sending a notice to the Central Government to file a reply.

Obviously it appeared as if the Supreme Court had come to a conclusion that a grave mistake had been made by the Central Government.

Actually, the arrests have been made by different State Governments and the notices should have been sent to the State Governments and not to the Central Government. Just because the office of the Central Government is in Delhi, the Supreme Court cannot make it a party to this complaint. The Central Government can only be a postman in this case and forward a circular to the State Governments, get a reply and thereafter file it with the Court. If the Court expected that the Central Government had to take steps to prevent the State Governments in this regard, it is expecting the Central Government to intervene in the law and order decisions of the State.

Further, if officials are to be jailed, then the Court may have to jail some magistrates and Judges also, since they are equally responsible as the Police and are not the “Officials” of the Government. The Supreme Court bench appears to have erred seriously in issuing the notice to the Central Government… unless there is something in the petition which we do not know.

We should recall that even the earlier decision to scrap Section 66A was taken because some state police did not understand Section 66A and applied it wrongly in some cases. Unfortunately, even the Courts did not understand that the error was with the Police and, instead of admonishing the Police, went on to scrap the section.

The Court is again making the same mistake now and reacting against the Central Government for mistakes which the state police, state prosecutors as well as the judicial authorities have committed.

We recall here our earlier article in April 2017 where we had referred to the judgement of a Telangana Court sentencing a navy person to two years imprisonment under Section 66A. (Refer here).

It was pointed out that in that case the cause of action had arisen in 2010, much before Section 66A had been scrapped. It is a matter of a separate debate whether the Supreme Court judgement actually had retrospective effect or not.

The problem again has to be laid at the doors of the Supreme Court and Judge Rohinton Nariman himself, since while delivering the Shreya Singhal judgement there was no clarification on whether the decision had a retrospective effect. In such an event, all trials and convictions that could have happened earlier would have to be reversed. This is certainly not a desirable option, and the precedent in such cases is to always provide prospective effect to such decisions.

In the present instance, it is to be checked, out of the 22 cases being referred to now, how many are cases where charge sheets have been filed after the relevant Supreme Court judgement and how many before it.

The Court has no reason to get angry if the cases turn out to be offences committed before the Shreya Singhal judgement.

If not, then it has to question the “continuing education” in the Police and more particularly among the public prosecutors and action has to be initiated on this front.

There is also a possibility that apart from Section 66A, some other section of ITA 2000/8 or IPC might have been included in the chargesheet and the arrest could be attributed to that.

If the defense counsel and a judicial officer have been party to the decision in addition to the prosecutor and the IO, then the possibility of there being a reason behind the decision, however absurd it appears at first glance, is high. Hence the Supreme Court should be patient enough to wait for the replies to be received before jumping to conclusions.

In fact, the Supreme Court should send notices to Police academies and Judicial academies to find solutions, besides the State Governments for getting more facts about the cases, and not to the Central Government.

Believing the petitioner and expressing anger to make news headlines does not indicate that the Court will look at this case impartially. In fact, the reading of the newspaper reports suggests that the petition has pointed out that it is the trial Courts and prosecutors who are not implementing the Supreme Court decisions. But instead of pulling up these people, the Supreme Court issued a notice to the Center for reasons best known to itself, as if the Central Government is the whipping boy for every petition received.

This reflects an invitation for an unwarranted confrontation with the Central Government. This could also lead to confrontation between Center and the States given the kind of State Governments we have in India which see nothing but politics in every decision.

The Central Government in its reply should therefore point out its objections to the Supreme Court’s notice being issued to it and request the Court to send notices directly to the concerned State Governments.

We may also recall that when the Shreya Singhal petition was admitted, the bench said “We were waiting why nobody had approached us so far…” and hinted that they had already half decided that the petitioner was right and the law was wrong.

The media reporting on such loose comments can create a wrong perception about the neutrality of the Court when a petition is admitted, and it is better avoided. In order to ensure that decisions are not biased by the fact that the same judge had given a previous judgement related to the case, the Supreme Court will do well to change the bench hearing this case.

Naavi

Reference Articles

Telegraph

NDTV

 


Is Bigbrother Watching you?

Here is a link to an article published in India Legal on Sec 69 and Sec 79 ITA 2008 controversies which are doing the rounds.

http://www.indialegallive.com/cyber-security/is-big-brother-watching-59021

Naavi
