IDBI Bank held liable in Phishing Case a-la Umashankar Vs ICICI Bank

The adjudication complaint of S Umashankar Vs ICICI Bank was a historic case in which the Adjudicator of Tamil Nadu, Mr PWC Davidar held that ICICI Bank is liable for negligence despite the phishing mail having been answered by the innocent victim.

This decision of the Adjudicator was challenged by ICICI Bank in the Cyber Appellate Tribunal and on 10th January 2019, the TDSAT, into which the Cyber Appellate Tribunal was merged in 2017, delivered its judgement upholding the Adjudicator's verdict and rejecting the appeal of ICICI Bank.

Now in yet another case, TDSAT has upheld the Gujarat Adjudicator’s decision to hold the Bank responsible to pay compensation.

Refer the judgement here: Cyber Appeal 7 of 2013 IDBI Bank Vs Sudhir S Dhupia

This was an ex-parte order

It was interesting to note that the hearing was ex-parte and the victim got justice despite his inability to be present during the hearings. The TDSAT must be specially commended for this decision since justice was upheld without the necessity for the victim to explain to the Court that he was a victim and needs justice. If all Courts adopt this sort of stand, the Judicial system in India will come to be respected far more than at present.

Some Courts which swear on formalities need to take a fresh look at their procedures and make justice more easily accessible to the common man.

The Judgement quotes the precedent of Umashankar Vs ICICI Bank

It was interesting to note that the judgement referred to the Umashankar Vs ICICI Bank case, both the adjudication verdict and the TDSAT's own verdict (Cyber Appeal 1/2010).

Other Banks should take note of such judgements and withdraw their cases against the hapless customers who cannot pursue expensive litigation to fight for their justice. Banks hold public money and they are wasting it on continuing the litigation. Banks are also ignoring the RBI guideline that they need to have Cyber Insurance cover and use it in such cases of third party frauds.

While looking at negligence under Sections 43 and 43A, we also need to draw the attention of the public to the Kerala High Court judgement in the case of SBI vs P V George, discussed earlier here, where the Court held that even a failure to respond to the SMS alert cannot be held against the customer as a ground for denying reimbursement for such frauds.

We can also draw attention to the following news report, which reports a fraud in Mangalore, Karnataka, where the customer lost money without sharing an OTP or answering a Phishing mail. This highlights the fact that such frauds occur because of an inherent security flaw in the Banking system, which includes insider involvement in the frauds.

Hence Courts should take note of the increased level of security expectation on the Banks and ensure that customers who are victims of the insecure banking practices are not made to suffer the loss.

I request the Finance Minister Mrs Nirmala Sitharaman and the RBI Governor to advise the Banks to withdraw all cases of similar nature in which they are continuing to litigate with the use of public funds.

I also request shareholders of these Banks such as ICICI Bank, SBI, HDFC Bank, PNB, IDBI Bank etc., to question the boards as to why they are continuing the litigation and not settling the victim’s claims immediately.

Naavi

Posted in Cyber Law

Bitcoin can create a nuclear holocaust

The Supreme Court of India is now debating the "Legality" of the "Powers of the RBI to bar the Banks from dealing with Bitcoins and other Crypto Currencies" vis-à-vis the freedom of Crypto Currency exchanges and miners to mine, trade in and exchange legacy currency of INR into the anonymous currency which is Bitcoin and nearly 2000 other crypto currencies with which it is fungible.

If we go by what Bitcoin supporters are saying, the Judges during the hearing have already decided to rule the case against RBI.

In one of the publications, it is highlighted that the Judge asked RBI, “How are you concerned with Consumer Protection? It is the concern of the Government not yours”.

I am not sure if this is a correct representation of what the Judge said or intended to say. “Consumer Protection” is a matter of public interest. It is not only the Government which should be concerned, but I, you, the Supreme Court judge and all.

Can the Supreme Court say that “Fundamental rights” or “Cyber Crimes” is the concern of the Government and not that of a responsible regulator who is supposed to regulate the finances of the country?

I therefore consider that the publication has either mis-quoted the judge or misrepresented what the Judge wanted to know.

This criminal way of thinking comes naturally to the Bitcoin ecosystem because the Bitcoin system itself is a system by criminals, for criminals and of criminals. It is born for the purpose of tax avoidance.

Tax avoidance is cheating the honest citizens who pay tax because we all live in a society governed by some accepted principles of Governance.

The dangers that the addiction to Bitcoin can bring to the world recently surfaced in a more dangerous form in Ukraine where there was a radiation leak from a nuclear reactor. It is now revealed in an investigation that the radiation leak was caused by "Crypto Miners" in the nuclear plant who tried to use the computing facilities in the plant to mine crypto currencies. Several employees have been arrested in this connection. Crypto mining equipment has been seized.

The incident also indicates a massive Information Security failure, as computers not required for the plant's operation were brought into the facility and connected to its network. Basically it is a failure of the "Human Element of Information Security" caused by the fundamental attitude of Bitcoin miners, who are "Anti-Establishment" in their basic attitude.

I wish the Supreme Court examines this angle of what the psychological profile of a Crypto supporter is (in the current context where the debate is whether a private Crypto currency is a currency of criminals and has to be banned or not) and whether he is more friendly with anti national forces or is loyal to the country.

We the people of India will keep watching even the Supreme Court and how loyal our judiciary is to the principles of natural justice to the country. There should be no attempt to hide behind some technicalities and give an ambiguous ruling to oblige the petitioners of this case, who we know have the ability to shower their appreciation on the Judges in many forms if they are made happy.

I also hope the media does not twist the statements of Judges during the trial and spread speculative views to mislead the public.

Naavi

Posted in Cyber Law

73rd Indian Independence Day with the participation of Kashmir

India celebrates for the first time Independence Day with the participation of Kashmir. Let us look forward to better days for India with Kashmir.

Naavi

Posted in Cyber Law

How Do I harass a company with GDPR?

GDPR is a regulation meant to protect the privacy rights of an individual. Principally it is meant to protect the rights of a citizen of the EU and tries to exercise control over personal data collection activities within the jurisdictional boundaries of the EU. UK, as a faithful servant of the EU and reeling under the repentance of Brexit, wants to be more loyal than the King and has passed the UK Data Protection Act 2018 to extend GDPR to its jurisdiction.

The objectives of GDPR are laudable and extend the concern the EU legislators have always had for the protection of human rights.

Having dealt with dictators like Hitler, Mussolini and Napoleon and lived a life of pirates and conquerors for generations (of which we the Indians have centuries of experience), the population of the EU has developed a culture which appears to have made them suspicious of everybody else and over sensitive to some issues related to Privacy.

This is indicative in an interesting case reported below, details of which are available here.

This article “My GDPR Complaint Against Tinder (MTCH Technology Services)” is an interesting case study of how one person has painstakingly pursued his complaint with the company over a long period using the good intentions of GDPR to his advantage and in the process consuming days of effort and money of the company.

This is a typical indication of how the law can be misused by some persons for their own reasons. 

To briefly explain the incident: immediately after the GDPR came into operation on 25th May 2018, on 2nd June 2018 a website PersonalData.IO submitted a request on behalf of a customer asking the company MTCH Technology Services Ltd to provide "all of the information collected on me". Since then, the complainant has been pursuing the complaint, expressing his dissatisfaction with the information that has been provided. The complaint originated with the ICO in the UK and was later transferred to the supervisory authority in Ireland. The matter appears to be resting with the detailed reply given by the company on 29th May 2019, but the complainant is still not satisfied and is following up.

During this entire exercise, the company has patiently been replying to the complainant and it is evident that it has spent enormous corporate time with its technical team, compliance team, legal advisors etc. to draft a satisfactory reply.

We must pause at this stage and reflect whether the cost forced by the complainant on the company has been productive and whether the complainant has been inflicting unjustified losses on the shareholders of the company, who are also individuals like the complainant himself.

GDPR has provided a "Right" to the data subject to request information from a company on whether his personal data is being processed and, if so, how it is being processed. The purpose of Article 13 and related Articles of GDPR is to enable a data subject to ensure that the company adheres to the principle of collecting informed consent, uses the data only as agreed upon and does not make a fraudulent, unethical or dishonest use of the personal data.

The complainant in this case on the other hand appears to have pursued his complaint dishonestly with the sole purpose of harassing the company through a series of e-mails and making a “Disproportionate request”. There is no “Data Breach” reported in this instance and the request is a fishing exercise of the complainant to find out a cause for further harassment of the company.

This complaint reflects a sadistic tendency on the part of the complainant, who seems to have a lot of time at his disposal to keep sending request after request and not be satisfied with any reply received.

There is a need to put an end to the development of such a trend, which will be detrimental to the industry. If this goes unchecked, anybody and everybody may keep sending out e-mails just to make the life of companies difficult. It may provide a sense of satisfaction to the complainant that he has achieved something great in his life by dragging the company into an endless conversation.

The responsibility to put an end to such an attempt lies with the supervisory authority which has to exercise a judicial discretion to separate a real complaint from a complaint designed as a fishing exercise where the complainant has no prima facie case of having been adversely affected.

The supervisory authorities in such cases should politely refuse the complaint and close the case so that the company can go ahead and attend to its other activities. This requires a sense of maturity on the part of the officers who have the responsibility to uphold the real values reflected by GDPR.

Unfortunately the drafting of GDPR and more so the UK Data Protection Act 2018 is not good enough to avoid dishonest complaints being made against companies without valid and prima facie reasons. It is also not possible to avoid all inconsistencies when a law is drafted and it is the duty of the judiciary and other authorities implementing the law to read down the different provisions and ensure that the real spirit of the law is upheld.

If the supervisory authorities fail to respond properly to prevent such harassment, the Companies will also start disrespecting the authorities and we will end up with litigation all round. This will impose an unreasonable cost on society and render the regulation an unproductive burden.

I therefore advise the complainant to be satisfied with whatever information has been provided. She has made not only this company but many others realize how GDPR can make the life of the DPO miserable and tighten up their compliance. I suppose her genuine purpose of making Companies more responsible has been served.

She deserves a pat on the back.

But if the complainant pursues the complaint further, her intentions would be suspect and it would be proper for the Company to demand payment of costs for providing the information. Let this incident not be a lesson on how people can harass a company using the provisions of GDPR.

According to Article 12(5),

...Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

It appears that this is a fit case to test the provisions of this Article and how the supervisory authority of Ireland interprets this complaint.

Naavi

Posted in Cyber Law

Arbitration Amendment Act 2019 passed

The Arbitration and Conciliation (Amendment) Act 2019 received Presidential assent on 9th August 2019.

The copy is available here.

The major part of the amendment is to introduce Part IA, relating to the Arbitration Council of India. Consequential amendments have been made in the rest of the Act.

The Eighth schedule inserted in the Act deals with the qualifications and experience of the Arbitrator.

The Copy of Arbitration Act in www.odrglobal.in has been updated. (Updated Version)

Naavi

Posted in Cyber Law

ICICI Bank claims immunity from Cyber Crimes

ICICI Bank, which has been a leading Bank in India in adopting innovative Cyber Banking, is also in the forefront of incidents in which customers have lost money because of the negligent manner in which the security of its systems is maintained as well as the fraudulent involvement of its employees.

Recently in two cases the TDSAT passed adverse orders against ICICI Bank. In the S.Umashankar Vs ICICI Bank case, ICICI Bank was held to have assisted the fraudster in the commission of the crime. Though clinching evidence of the criminal complicity of ICICI Bank had been adduced before the Adjudicator and the Tribunal in this case, since these forums were not criminal Courts, they stopped at passing adverse remarks in the orders. Had they been criminal Courts, we could have considered that ICICI Bank had been indicted for criminal offences under Sections 66 and 65 of ITA 2000/8.

In another case of Rajendra Yadav Vs ICICI Bank, an earlier order dismissing the complaint by the Adjudicator of Karnataka (in 2011) on the ground that “Section 43 was applicable only to individuals and not to Companies” has also been dismissed with costs on ICICI Bank.

ICICI Bank, enjoying the power of public money, however is not accepting the decisions and is challenging them in higher Courts in the belief that the victims of Cyber crimes who have brought this litigation against the Bank will not have the resources, in both expense and time, to continue their legal battle in higher courts.

Both these cases are cases which have been in litigation since 2008 and 2010.

In the latest attempt, ICICI Bank wants to get itself exempted from being liable under Section 43 by raising a bogey that the word “Person” used in the section applies only to an individual and no action can be brought against the Bank. The exemption claimed under Section 43 is also an exemption claimed under Section 66 since the two are interlinked.

This means that ICICI Bank is claiming that if it commits any offence under Section 66 which includes unauthorized access, denial of access, diminishing the value of information residing inside a computer etc., it has to be protected because it is a “Company”.

It would be interesting to see if the Courts admit such petitions or dismiss it at the first place.

Naavi has already pointed out in the judicial forums why this claim is ridiculous and causes various anomalies in law. We shall elaborate on this some time later.

Naavi

Refer: TDSAT order 

Posted in Cyber Law