An IT giant’s website was recently hacked and defaced, an Engineer was remanded in jail for wrong IP Address by Intermediary/Service Provider, websites of Pentagon, CBI, Income Tax authorities are being hacked with ease, refund orders of Income Tax are fraudulently being en cashed, employees of organizations around the world are frequently caught exchanging offensive and pornographic emails using the office’s internet facilities.
Cyber crime is the web world’s latest menace and internet misuse by employees at work has cost businesses in India and around the world losses worth millions of dollars. And according to sources, it lightens the industrial purses in America by about two hundred billion dollars every year. Back home, cyber crimes are outside the purview of Labour laws in India and uptill now disciplinary action against employees in India for committing cyber crimes were rare. Price Water House Cooper’s Sixth Global Economic Crime Survey for the year 2011 also dug up some interesting facts hitherto unknown. It stated, inter alia, that –
- Cyber crime ranks as one of the top four types of economic crime in India.
- 58% of the corporates perceived Information Technology department as a high risk department with respect to committing cyber crime.
- 96% of the corporates have said that their organisations monitor internal and external electronic traffic and web-based activity.
- About 2/3rd of the corporates did not have access to forensic technology tools that are useful in combating cyber crime.
- 35% of the corporates did not have any cyber security training in the last 12 months.
- Nearly two-thirds of the corporates found that the perpetrators were among their own staff.
What are these cyber crimes anyway? Are they covered under the Labour Laws in India?
Sections 43, 66A, B, C, D, E, F, 67, 67A, B and C of the Information Technology Act of 2000 cover the various cyber crimes happening today. The chart below illustrates as follows –
|Section 43||If a person without the permission of the owner or anyone in charge of a computer system or network, secures access to such computer, downloads, copies or extracts data stored therein, introduces viruses or contaminants into the system, damages and/or disrupts the computer system, denies access to a person authorised to access the computer, tampers with the computer system, destroys, deletes or alters information in a computer system,||He shall be liable to pay damages by way of compensation to the person so affected.|
|Section 66A||Sending offensive messages.||Up to 3 years imprisonment with fine.|
|Section 66B||Receiving a stolen computer resource.||Up to 3 years imprisonment, fine up to Rs 1 lakh or both.|
|Section 66C||Identity theft.||Up to 3 years imprisonment, fine up to Rs 1 lakh.|
|Section 66D||Cheating by impersonation||Up to 3 years imprisonment, fine up to Rs 1 lakh|
|Section 66E||Violation of privacy, video voyeurism.||up to 3 years imprisonment, fine up to Rs 2 lakhs or both.|
|Section 66F||Cyber Terrorism.||Life Imprisonment.|
|Section 67||Publishing or transmitting obscene material in electronic form.||Up to 5 years imprisonment with fine up to Rs 10 lakhs|
|Section 67A||Publishing material containing ‘sexually explicit act’ etc in electronic form||First Conviction – up to 5 years imprisonment with fine up to Rs 10 lakhs. Second or Subsequent Conviction – up to 7 years imprisonment with fine up to Rs 10 lakhs.|
|Section 67B||To cover child pornography.||First Conviction – up to 5 years imprisonment with fine up to Rs 10 lakhs. Second or Subsequent Conviction – up to 7 years imprisonment with fine up to Rs 10 lakhs.|
|Section 67C||To make intermediaries preserve and retain certain records for a stated period||Imprisonment up to 3 years and fine.|
SECTION 43A – REASONABLE SECURITY PRACTICES –
Section 43A makes it mandatory for protection of ‘Sensitive Personal Information’ of customers/users by implementation of “Reasonable Security Practices & Procedures” by a body corporate. Failing to implement “Reasonable Security Practices & Procedures” by a body corporate shall make it liable to pay damages by way of compensation to the party so affected. As to what these “Reasonable Security Practices & Procedures” are have not been specified by the Act but common industry standards and norms must be adhered to.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 have framed defining Reasonable Security Practices & Procedures that need to be undertaken by body corporates to protect “sensitive personal information and data” (Credit Card information, bank account information, information regarding health, sexual orientation, medical history, biometric information etc have been classified as sensitive personal information and data). Reasonable security practices and procedures include the following –
ISO 27001 standards regarding protection of valuable information are being followed
- Information Security Audits are being carried out
- Gap Analysis is being conducted
- Internet Usage Policies are being formulated
- Robust documentation is being maintained
- Business Continuity and Data Recovery technologies are being implemented
WHAT STEPS MUST A COMPANY TAKE TO CHECK INTERNET MISUSE BY ITS EMPLOYEES & BREACH OF CONFIDENTIALITY?
- A Company must regularly screen the data contained in an employee’s computer and the nature of content being exchanged by him.
- A Company must place suitable firewalls to block access to certain websites.
- Usage of personal emails must be prohibited inside office.
- A company must have suitable internet usage policies, data exchange policies and computer usage policies in place.
- The company may take any other reasonable step it deems fit to check an employee’s internet usage.
WHEN ARE COMPANYS LIABLE –
An employee’s misuse of his company’s internet resources may not be the only reason for the occurrence of Cyber crimes. The negligence on the part of the Company itself and its lapses in observing due diligence also amount to offences, making the concerned company and its decision makers liable.
Section 85 of the IT Act of 2000 states that if there takes place a contravention attributable to the negligence of an employee and/or decision makers of a company, then all the persons responsible for, or in charge of the Company at that relevant time, shall be liable for appropriate punishment. Provided, that if the person liable proves that the contravention took place without his knowledge and that he exercised all due diligence to avoid such contravention, he shall not be held liable under this Act.
In Umashankar Sivasubramaniam V/s ICICI Bank (decided on 12 April 2010) the Tamil Nadu IT Secretary held the Bank liable for “Phishing Fraud” under Section 43 r/w Section 85 and directed it to pay damages of Rs 12.85 lakhs to the petitioner. The Bank was held liable because of, inter alia;
- Lack of due diligence on it’s part
- Failure to determine authenticity of e-mails
- Not providing adequate protection eg: automatic SMS alerts when money is withdrawn
ITA 2008 AUDIT (Gap Analysis)–
When a CEO or CFO of an organization declares in the annual report that the “Company is complying with all regulatory requirements” as per SEBI’s listing requirements under Clause 49, does he also mean that the Company has conducted an ITA 2008 audit or Gap analysis and implemented measures for compliance? It is of utmost importance that listed companies conduct ITA 2008 Audit to identify gaps in compliances and fill such gaps. Non compliance may invoke Section 85 of the IT Act and hold the directors of the Company and its executives liable.
HOW CYBER CRIMES ARE FOUGHT –
Section 80 of The IT Act of 2000 provides the weapons of Investigation, Search & Seizure, Authority to enter public place and make arrests without a warrant by a police officer not below the rank of an Inspector or any other officer under the Central or State Government authorised by Central Government, to fight these crimes with.
Further, Section 46 of the IT Act of 2000 provides for appointment of Adjudicating Officer for speedy disposal of matters within 6 months. Appeals against the order of the Adjudicating Officer shall lie before the Cyber Appellate Tribunal under Section 57 of the IT Act 2000 within 45 days of receipt of copy of order passed by Adjudicating Officer.
CYBER DEFAMATION –
With the advent of social websites and the internet fast turning into a medium of self expression and a platform to make one’s opinion public, rampant misuse is also taking place. Cyber defamation, a gross misuse of the Freedom of Expression imparted to us by the Constitution can tarnish the brand image of a corporate as fast as damage an individual’s matrimonial prospect. Social media defamation has caused individuals to rush to court to obtain suitable orders to have the defamatory material removed from the concerned website, blog etc.
The Cyber world is dynamic and so are the criminals in it. They are highly skilled individuals with an anti-conformist attitude. They seek to make quick money by stealing their way into other’s computers and robbing individuals and corporates alike.
- The Law must keep up with the rapid changes in technology and contraventions, unlike traditional laws, cyber laws will have go through constant evolution.
- There must be a spread of awareness among people regarding their rights and duties (to report crime as a collective duty towards the society)
- Quasi judicial forums should be further activated
- Increased use and involvement of technology in all the 7 stage continuum of a civil/criminal case
- For Corporates Due diligence, Information Security Infrastructure/Compliance/Certification/Audit, System usage policies is the way forward and an absolute must.
- More experts must be involved to address issues of Information Security, data Protections, Firewall, Monitoring etc.
As has been stated above, proactive action must be taken by employers in the form of drafting and circulating cyber policies and internet usage policies. These policies must specifically lay down, in clear and precise terms, the dos and donts that an employee must adhere to while using the Company’s internet connection and computers. That aside, specific clauses must be placed in employment agreements laying down that an employee must not use the Company’s internet connection and computers for purposes other than work. Further, the employment agreement may also stress that data belonging to the Company shall not be carried outside the premises of the Company in any format whatsoever without express permission of the supervisor concerned.
– Ronojoy Basu