The Strength of Indian Cyber Laws
The recently reported case of a Bank Fraud in Pune, in which some ex-employees of MsourcE, the BPO arm of MPhasis Ltd, defrauded US customers of Citi Bank to the tune of Rs 1.5 crores, has raised concerns of many kinds, including the role of "Data Protection".
The research agency Forrester has warned that "The alleged account theft by the employees of an Indian BPO unit coupled with high call-centre attrition rates would severely dampen BPO growth rate in the next 18 months". It has estimated that the growth of the Indian call centre industry could drop by as much as 30 per cent following the incident.
"It will also likely lead to calls for more regulation of BPO activities in the US and Europe, as well as in India," the report said. It added that India would have to tighten its data protection and privacy laws to bolster its offshore credibility.
The Strength of Indian Cyber Laws
In the aftermath of the crime, several questions have been raised: whether this can be called a "Cyber Crime"; if so, whether it is adequately dealt with in ITA-2000; and what the liabilities of the BPO and the Bank are. Questions are also raised on whether "Data Protection Laws" are needed to address this sort of crime.
The crime was obviously committed using "Unauthorized Access" to the "Electronic Account Space" of the customers. It is therefore firmly within the domain of "Cyber Crimes".
ITA-2000 is versatile enough to accommodate the aspects of the crime not covered by ITA-2000 itself but covered by other statutes, since any IPC offence committed with the use of "Electronic Documents" can be treated as the same offence committed with the use of "Written Documents". "Cheating", "Conspiracy", "Breach of Trust" etc. are therefore applicable in the above case in addition to the sections of ITA-2000.
Under ITA-2000 the offence is recognized both under Section 66 and Section 43. Accordingly, the persons involved are liable for imprisonment and fine, as well as for a liability to pay damages to the victims up to a maximum of Rs 1 crore per victim, for which the "Adjudication Process" can be invoked.
The Bank is liable to the customers for the breach of security, which may result in wrongful dishonour of cheques, as well as for causing mental agony and financial stress to the customers.
The BPO is liable for the lack of security that enabled the commission of the fraud, as well as by vicarious responsibility for the ex-employees' involvement. The PINs were obtained during the tenure of the persons as "Employees", and hence the organization is responsible for the crime.
Some of the persons who assisted others in the commission of the crime, even though they may not be directly involved as beneficiaries, will also be liable under Section 43 of ITA-2000.
The role of the BPO can also be brought under "Assisting in the contravention of ITA-2000", and hence it is possible to invoke Section 43 on the BPO.
Under Section 79 and Section 85 of ITA-2000, vicarious responsibilities are indicated both for the BPO and the Bank on the grounds of "Lack of Due Diligence".
While the extraction of the PIN by the employees is prima facie an indication of "lack of Due Diligence" in a system that did not take enough precautions against it (this needs to be evaluated against the measures of Cyber Law Compliance that have been initiated by the BPO), the fact that even after a time delay the PIN remained the means of authentication and was not changed is a matter of negligence attributable to the Bank.
At the same time, if the crime is investigated in India under ITA-2000, then the fact that the Bank was not using digital signatures for authenticating customer instructions would amount to gross negligence on the part of the Bank. (However, in this particular case, since the victims appear to be US citizens and the Bank itself is US based, the crime may come under the jurisdiction of the US courts and not Indian courts.)
Non-usage of Digital Signatures, which facilitated the commission of the crime, may however be a defense for the BPO against the Bank if need be, though this is unlikely to be tested in this case.
In summary, it can be stated that ITA-2000 has adequate provisions to punish the offenders in such a case as well as to provide adequate remedies to the victims. For the intermediary organizations, however, ITA-2000 imposes "Due Diligence" requirements.
It is to address such situations that the undersigned has been advocating "CyLawCom audits" for IT companies, which indicate the efforts taken by the organization to identify the risks involved and the measures initiated to reduce those risks.
CyLawCom audits address issues which are not addressed by BS7799-type security models or CMM-type quality models and are therefore considered supplements to other quality and security initiatives.
Obviously CyLawCom audits involve an "Investment", and the companies have to evaluate the Return on Investment (ROI) of such investments.
ROI on CyLawCom
The Forrester report indicating "Loss of Business" helps in answering one important aspect of Cyber Law Compliance, namely the ROI on Cyber Law Compliance investment. Quite often business owners, including those in the highly affluent IT industry, fail to invest adequately in Cyber Law Compliance due to a lack of understanding of the concept of "Return on Investment".
Financial analysts are used to calculating ROI on an income-generating activity. However, calculating ROI on a "Savings-generating activity" or a "Contingent Savings-generating activity" is not so easy. CyLawCom investment is one such activity, where an investment is called for to mitigate the probability of loss arising from non-compliance with Cyber Laws.
In the instant case, Citi Bank as well as Mphasis have to bear the possible claims for compensation from the affected customers of the Bank. Additionally, the loss of BPO business predicted by Forrester is a loss to the BPO industry and the Indian economy for having neglected CyLawCom.
The potential ROI of CyLawCom investments by the BPO in cases such as the one mentioned above is therefore reflected in the opportunity cost of managing such fraud liabilities.
For the purpose of ROI on CyLawCom, Cyber Law College defines the revenue generation as the "Probability of Loss due to non compliance of Cyber Laws arising in a period of 10 years from the year of estimation".
Liability is not the same as Customer's Loss
While assessing the ROI in CyLawCom cases, it must be remembered that the actual compensation to be paid by the subject is not the same as the actual amount of the fraud. The compensation includes the consequential losses as well as the mental agony and suffering associated with it. For example, if due to the siphoning off of, say, US $1000 from Bank accounts in the above case, a cheque is wrongfully dishonoured and the customer loses a business deal of a million dollars, then the loss to the Bank/BPO is US $1 million and not US $1000.
Data Protection Laws
Having discussed the various options available under ITA-2000, it is obvious that the need for a separate "Data Protection Law" to handle cases of this nature appears to be redundant. Except for "Clarifying" the liability of the BPO and restating that it is responsible to the victims of the fraud, it appears that a data protection law cannot add to what is already available under ITA-2000.
The only additional dimension that may be added by a separate Data Protection Law is that the foreign victims may be provided a remedy in Indian Courts for the breach of Privacy.
Naavi
April 9, 2005
Related Articles:
Staffers hack bank A/Cs, steal Rs 1.5 cr..TOI
One girl arrested for sending prank email to Tamil Nadu CM..New Kerala
Gujarat state tops in cyber crimes in India..China View
India Police Arrest 12 in Call Center-Bank Scam..Contact Center Today
Ex-employees of MsourcE held for `bank funds transfer'..BL