Cyber Crime Law in India: Has Law Kept Pace with Emerging Trends? An Empirical Study

• Author: N. S. Nappinai
• Position: nappinai@gmail. com
• Pages: 22-28

This paper was originally published in Kierkegaard, S. (2009) Legal Discourse in Cyberlaw and Trade. IAITL.

Page 22

1. Introduction

The general laws in India were drafted and enacted in the 19 century¹. Whilst each of the general laws have undergone modifications and amendments, the broad and underlying provisions have withstood the test of time, including unimaginable advancements in technology, which speaks to the dynamism of the General laws. The general laws referred to in this Article are the Indian Penal Code, 1860 ("IPC"), which is the general penal law of India and the Indian Evidence Act, 1872 ("Evidence Act"), the general law pertaining to admissibility of evidence in civil and criminal trials. The manner in which trial of criminal cases are to be conducted is dealt with under the Criminal Procedure Code, 1973 ("Cr. P. C").

India got its first codified Act in the Information Technology Act, 2000 ("IT Act), which fell far short of the Industry's requirements to meet global standards. The focus if the IT Act was however recognition of electronic records and facilitation of e -commerce. Barely ten sections were incorporated in the IT Act to deal with Cyber Crime². At the time when the IT Act was passed several acts deemed to be illegal in most jurisdictions including virus attacks, data theft, illegal access to data / accessing and removal of data without the consent of the owner, etc., were listed as civil penalties under the IT Act³. The IT Industry continued to rely on self -regulation and contractual undertakings to appease its global clients, as it had done before the passing of the IT Act. The primary offences under the IT Act were:

* Tampering with source code⁴;

* Deleting, destroying or altering any data on any computer resource with mala fide intent to cause wrongful loss or to diminish its value⁵;

* Publishing or transmitting pornographic material through a computer resource;

* Provisions pertaining to encryption technology, the right of the Government authorities to intercept and decrypt such data and to call upon any entity or individual to decrypt such data were also included in the IT Act. Certain acts affecting the integrity and sovereignty of the nation were classified as offences.

The saving grace of the IT Act were the amendments carried out to the IPC and Evidence Act, which to some extent provided for prosecution of rampant offences like the Nigerian Scams⁶, Phishing and other Banking Page 23 frauds may be prosecuted. Cyber Crime prosecution was however not resorted to in many instances due to lack of awareness (amongst both the victims and the enforcement authorities) about the applicability of such general Laws to cyber crimes (like Phishing). To add to this, administrative delegation of powers treated offences under the IT Act differently to those falling under general laws!

Further, crimes like data theft; illegally accessing / removal of data; virus attacks etc., could not be prosecuted due to the lack of relevant penal provisions. S.66 of the Act misleadingly titled "hacking" is one of the most misused and abused provisions in India. Recently i.e., in September 2009, the Delhi High Court⁷ has quashed the criminal proceedings initiated in or about July 2004, under S.66 of the IT Act by M/s. Parsec Technologies Ltd., against some of its former employees, who left and started their own Company, holding that the continuation of the proceedings would amount to abuse of process of law. Likewise the IT Act did not provide sufficient recourse for women and child victims of cyber crimes like Cyber Stalking and paedophilia.

Controversy has dogged the IT Act from its inception. The Ministry of Information Technology prepared and posted proposed draft amendments to the IT Act in 2004. In 2006, the IT Bill with substantial changes brought about as a result of the objections to the proposed amendments of 2004 was tabled before the Parliament.

In December 2008 as a knee-jerk reaction to the November 2008 terror attacks in Mumbai, India, the Information Technology (Amendments) Act, 2008⁸ ("ITA, 2008") was hastily tabled before the Parliament and was passed hastily and without any debate whatsoever. Unlike the IT Act of 2000, the focus of the new ITA 2008 is clearly on Cyber Terrorism and to a significant extent, Cyber Crime.

This paper deals with some important provisions of ITA, 2008 relating to data protection, privacy, encryption and cyber crime and to what extent it arms one against emerging trends in Cyber Crime.

2. Definitions

Some noteworthy amendments in the definition sections include:

The replacement of the word "Digital" with the word "Electronic", which makes the IT Act more technology neutral and expands its applicability beyond just the digital medium.

* Inclusion of cell phones, personal digital assistants and other such devices in the definition of "Communication Devices" broadens the scope of the statute.

* The modified definition of "Intermediary" includes all service providers in respect of electronic records again broadens the applicability while inclusion of Cyber cafes in the definition of Intermediaries removes the need to interpret the statute.

The extensive definition of "cyber security" as including protection of both data and the equipment from unauthorized access, use, disclosure etc., is another vital inclusion that impacts the new Data Protection provisions included under the ITA, 2008. The relevance of these definitions, where applicable are set out below.

3. Data Protection

The IT industry has been lobbying for a law to protect Data and the new legislation has addressed the industry's demands to a certain extent particularly since Mphasis Limited, a Pune based Company suffered the notoriety of puncturing the Indian BPO fairy tale in April 2004, when some of its employees stole confidential credit card information of clients and used it to siphon substantial amounts. Apart from highlighting the security lapses within the Company, this case also brought to the limelight the lack of suitable Data Protection Laws in India. Several cases have now been reported where former employees are accused of data theft and misuse of Confidential and proprietary Information and data. In one instance⁹, a BPO Company purportedly closed down due to rampant data theft. The Indian Legislature's response to the hue and cry raised is the transposition of certain civil penalties into criminal offences and the addition of one section under civil penalties as set out hereunder: Page 24

The only provision under the IT Act for data protection was S.43¹⁰, which only imposed Civil Penalties in the event of the commission of certain acts without the permission of the owner or person in charge of the computer or computer systems such as: (i) securing access (without permission); (ii) downloading or copying of data stored in a computer or computer system; (iii) introducing computer viruses; (iv) damaging computers and or data stored therein; (v) disrupting computers; (vi) denial of access; (vii) abetting such acts; or (viii) illegal charging for services on another's account.

S.43A has now been added under the ITA 2008 to address the data protection requirements of the Industry. S.43A stipulates that any "Body Corporate¹¹" possessing, dealing with or handling any "sensitive personal data or information¹²" in a computer resource it owns, controls or operates, is liable for negligence, if it fails to maintain "reasonable security practices and procedures¹³" and thereby causes wrongful...