Let's Build a Responsible Cyber Society


Rights of Cyber Crime Victims to Claim Damages Under ITAA-(P) 2005

..a law for the privileged, by the privileged and to protect the privileged.

 

Section 43 of the ITA-2000 had provided that any person who, without the permission of the owner or a person in charge of a computer, indulges in certain acts and causes loss to another person shall be liable to pay damages to the extent of Rs 1 crore. The specified acts which enabled the section to be invoked included mere “Access” to a network as well as “Downloading, Copying, virus introduction, damaging, denial of access” etc. It also included assistance for contravention, and availing a service and charging it to someone else.

The proposed new section makes some modifications to the terms of the previous section, which has now become subsection (1). A new subsection (2) has been added to provide protection for “Sensitive Personal Data” in the hands of corporate bodies.

The new section reads as under.

43. Penalty  Compensation for damage to computer, computer system etc.

(1) If any person, without permission of the owner or of any other person who is in charge of a computer resource computer, computer or computer network,-

(a) accesses or secures access to such  computer resource; computer, computer system or computer network;
 
(b) downloads, copies or extracts any data, computer data base or information from such computer resource, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer resource, computer system or computer network;

(d) damages or causes to be damaged any computer resource, computer system or computer network, data, computer data base or other programmes residing in such computer resource, computer system or computer network;

(e) disrupts or causes disruption or impairment of any computer resource; computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer resource, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer resource, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer resource, computer system, or computer network

 he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

(2) If any body corporate, that owns or handles sensitive personal data or information in a computer resource that it owns or operates, is found to have been negligent in implementing and maintaining reasonable security practices and procedures, it shall be liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person so affected.

 Explanation.- For the purposes of this section,-

(oi) “body corporate” means any company and includes a firm or other association of individuals engaged in commercial or professional activities.

(i) "computer contaminant" means any set of computer instructions that are designed-

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(ii) "computer data base" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

(iii) "computer virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

(iv) "damage" means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

(v) “Reasonable security practices and procedures” means, in the absence of a contract between the parties or any special law for this purpose, such security practices and procedures as appropriate to the nature of the information to protect that information from unauthorized access, damage, use, modification, disclosure or impairment, as may be prescribed by the Central Government in consultation with the self-regulatory bodies of the industry, if any. 

(vi) “Sensitive personal data or information” means such personal information, which is prescribed as “sensitive” by the Central Government in consultation with the self-regulatory bodies of the industry, if any. 

(vii) “Without the permission of the owner” shall include access to information that exceeds the level of authorized permission to access.

It is not clear whether the change of the term “Penalty” into “Compensation” is intended to have any legal significance or to serve as a moral assurance to the person who contravenes a provision. The word “Damage” in the earlier section was meant to convey that what was proposed in the section was only compensation for the actual loss suffered by the victim, and that he would not be eligible to claim a sum of Rs 1 crore for any of the contraventions irrespective of the loss suffered by him. For the time being we can presume that the change of terminology is only meant to clarify this point to the common man.

The material change in the section therefore comes only in subsection 43(2). This defines the terms “Sensitive Personal Data” and “Reasonable Security Practice” and makes a “Corporate Body” found “negligent” in maintaining a “reasonable security practice” liable to pay damages.

It may be noted that the responsibility is cast only on corporate data handlers and the responsibility is only to be “Not Negligent” in observing the “Reasonable Security Practices” which will be notified by the Government along with the definition of what constitutes “Sensitive Personal Information”. 

Government bodies, which are the largest repositories of sensitive private information, have no liability under this provision.

Further, until the Government comes out with what is a “reasonable security practice”, the data handler has no liability.

The entire issue of “Providing Privacy Protection” to individuals is therefore restricted to following the set of guidelines which will be issued by the Government in due course, and applies only to one kind of data handler.

As compared to this, in the earlier provision, without the definition of any “Sensitive Personal Data” and “Reasonable Security Practice”, there was a responsibility cast on all data handlers, whether they were corporate bodies or not, to pay compensation of up to Rs 1 crore if the victim could prove that he had suffered the damage on account of unauthorized access or other reasons mentioned in the section.

It is therefore reasonable to conclude that “Privacy Protection” has been diluted in the new provisions. 

Though some would argue that under the modified Section 66 a criminal offence is specifically defined for all the acts found in Section 43(1), this cannot be held to be an improvement, since the earlier Section 66 also had similar provisions and did not make the criminal liability conditional on the proving of “Dishonestly” and “Fraudulently”.

Looking at it from the victim’s angle, therefore, the changes proposed could reduce the protection available to the common man against cyber crimes. Since most crimes occur from abroad, in the absence of any responsibility for the intermediary in India, victims will now have grossly reduced protection against cyber crimes.

Naavi

September 3, 2005