G Gopalakrishna Working Group (GGWG) on Electronic Banking
Comments-1
Role of Adjudicators in Phishing Cases Reiterated
On 12th April 2010, a
landmark judgment
came out of the Office of the Adjudicator of Tamil Nadu.
Mr.P.W.C.Davidar, adjudging ont he complaint filed by one Mr
S.Umashankar against ICICI Bank held that the Bank is guilty under
Section 85 of Information Technology Act 2000 (ITA2000) and is
liable under Section 46 of the Act to compensate the victim of the
Phishing fraud.
This judgment had examined in detail the facts that established "Lack of
Due Diligence" on the part of the Bank regarding the use of
authentication methods in Internet Banking, Use of digital signatures
for e-mail communications, following of KYC norms during opening of
accounts, following of RBI instructions on fraud reporting etc. The
S.R.Mittal Committee report based on which RBI had issued a
comprehensive guideline on Internet Banking in June 2001 was one of the
documents referred to in the case.
This case was tried for an offence which occurred in September 2007 at a
time when ITA 2000 was operative but the amendments leading to the
current version of ITA 2000 (referred to as ITA 2008) was not in place.
Similarly, S.R.Mittal Report was released when ITA 2000 was in place but
the certifying authorities required for issue of digital signatures were
not in place. SR Mittal Report had to therefore make some interim
recommendations which were automatically subject to a revision after the
Certifying Authorities came into being in 2002 and later days. The
judgement in the case of Umashankar Vs ICICI Bank also was decided with
reference to ITA 2000 and not ITA 2008.
The GGWG however has come at a time that ITA 2008 is in place. Also the
digital signatures are firmly in place with mandatory use in many
Government transactions. The Electronic signatures have been enabled in
the Act but they are yet to be introduced.
Also unlike 2000-2001 when S R Mittal Group had to formulate its
recommendations, Banks currently are better equipped with Information
Security know how and hence the Gopalakrishna Working Group
recommendations can be treated as having come out when the information
is mature.
The guidelines of S R Mittal group were conveniently ignored by Banks
for their commercial benefit and it was left to the TN Adjudicator to
wake them up from their slumber. I hope that at least now Banks put in
place appropriate measures to implement the recommendations of the GGWG.
One of the important observations that we need to make is the following
paragraph in page 31 of the report.
"
The IT Act, 2000 as amended, exposes the banks to both
civil and criminal liability. The
civil liability could
consist of exposure to pay damages by way of compensation upto
Rs
5crore
under the amended Information Technology Act before the Adjudicating
Officer and beyond
Rs 5 crore in a
court of competent jurisdiction. The top management of banks could
also suffer exposure to criminal liability given the provisions of
Chapter XI of the amended Information Technology Act and the
exposure to criminal liability could consist of imprisonment for a
term which would extend from three years to life imprisonment, as
also a fine. Further, various computer related offences are
enumerated under various
provisions of the Act. "
Even
after the reasoned judgment given by the TN Adjudicator in the ICICI
Bank phishing case, it is found that in every subsequent case
discussions on whether the Adjudicator has the jurisdiction in case of
Phishing related complaints and whether the liability extends to the
Bank to liabilities and if so does it extend even to criminal
liabilities is often debated as a matter of routine.
The
above paragraph from the GGWG should lay any doubts in this regard to
rest. The fact that the Umashankar Case has been vetted for Jurisdiction
purpose both at the Adjudicator's level as well as the Cyber Appellate
Tribunal Level is also another indication that the matter of
jurisdiction in respect of such cases is a settled fact in law.
Since
at present "Adjudicators" are all officials who are working as IT
Secretaries of different States and Union Territories and are otherwise
pre occupied with their day to day duties of Governance, some of
the Adjudicators would feel an increased pressure of work arising from
the Judicial functions associated with the responsibility of
Adjudication. If more and more such cases land up witht he Adjduicators
as it is expected to be, this may cause a practical problem for the IT
Secretaries. At the same time, if the IT Secretaries refuse to entertain
adjduication applications or receive it and fail to attend to it, there
will be a kind of judicial crisis in the respective state with the sole
judicial authority for such cases becoming non-functional.
There
is therefore a need for Cyber Appellate Tribunal and the Ministry of
Communications and Information Technology , GOI to start a dialogue with
the State Governments to find a proper mechanism by which the IT
Secretaries are provided with infrastructure and manpower support to
handle this additional responsibilities.
Naavi
January 22, 2011
Copy
of Full Report:
Copy of Executive Summary
Comments are Welcome at
naavi@vsnl.com
