Cyber Laws For CxO
Be Aware... Be Empowered
April 2010

Editor: Naavi (www.naavi.org)
Publisher: Ujvala Consultants Pvt Ltd (www.ujvala.com)
Theme: Cyber Crimes

Cyber Crimes are a constant source of concern for every computer user. We frequently read about viruses, phishing, e-mail hacking, web defacements, denial of service attacks, Nigerian mail frauds etc., which often make us wonder if it is at all safe to use the Internet and e-mail.

This issue explores the underlying issues involved, with special focus on the corporate environment. We explore whether there are adequate laws in India to tackle Cyber Crime incidents, whether the Police and Judiciary are well prepared, what exactly the impact of Cyber Crimes is on the industry and the society, and what the role of the corporate sector and the Netizens is in reducing the adverse impact of Cyber Crimes.

In This Issue

Editorial: CSR Initiatives for Cyber Crime Mitigation
Knowledge+: Corporate Policies and Cyber Laws
News Snippets: ICICI Bank Phishing and others
Interviews: R.Srikumar, Former DGP, Bangalore; R.Ramamurthy, Chairman, CySi; Umashankar Sivasubramanian, Phishing Victim
Questions and Answers

Archived Issues will be available at http://www.cyberlaws4cxo.com

©Naavi Issue 4
Editor’s Note

Dear Readers,

Cyber Crimes have been a subject of discussion in India ever since ITA 2000 became effective, as it
defined a few offences under Chapter XI of the Act as Cyber Crimes. There has been a debate ever
since on whether the law of cyber crimes as laid down in ITA 2000 is adequate.

When the ITA 2000 was amended in 2008 (effective from October 27, 2009), several new sections
were added to the Act to cover what was considered as new types of Cyber Crimes required to be
addressed.

I have found it interesting to note that the Indian approach to Cyber Crime Law has been quite
effective, though the implementation of some of the measures requires better attention. I also feel
that the Corporate Sector and the common Netizen are often not fully aware of their roles in the
mitigation of Cyber Crime Risks, and hence widespread educational measures are required at all
levels from High School onwards. It is also necessary for us to recognize that if Cyber Crimes are
not adequately controlled, the “Trust” in the Internet as a medium of “E-Commerce” and “E-
Governance” gets eroded and the benefits that Society can expect from technology go
unrealized.

The growing number of Cyber Crimes, the emergence of an underground Cyber Crime Economy that
brings criminals together on a virtual platform and enables them to collaborate, plan and execute
complex attacks, the changing nature of Cyber Crimes and the emergence of Cyber Terrorism and
Cyber Warfare are matters of very serious concern to all those who believe that we are entitled to
a prosperous future through technological innovation.

The industry on the one hand is galloping ahead with the introduction of Cloud Computing,
virtualization of operations, borderless existence etc. On the other hand, tech-savvy criminals are
taking advantage of these developments and launching more and more “zero day attacks” to exploit
technology vulnerabilities before users are able to settle down.

The Laws and the Law Enforcement therefore have a very tough task of chasing the new
developments in technology.

Both the dignitaries who have given interviews in this issue have emphasized the importance of
“Education” and “Cyber Law Awareness” in the community. Law enforcement however finds it
difficult to source experts and find funds for such activities on the scale at which they are required.

Companies in the private sector therefore have a special role in assisting the efforts of Law
Enforcement in Cyber Law Education of the community, by providing an appropriate focus in their
CSR initiatives and undertaking Cyber Law Awareness Campaigns in Schools and Public Forums
besides within their own corporate environments. Industry organizations may also undertake
initiatives to ensure that individual companies are encouraged and supported to develop Cyber
Law Compliance programs so that Cyber Crime Risks in the society are reduced to the extent
possible.

April 21, 2010

Interview of the Month.-1

Sri R Srikumar, IPS, recently retired as the DGP of Karnataka. A B.Tech from IIT Madras and a
Master of Business Law from National Law School Bangalore, Srikumar was instrumental in
starting the Country’s first Cyber Crime Police Station in Bangalore. Srikumar is now engaged in
running a Trust, “Indian Center for Social Transformation”, which offers e-Governance initiatives
through appropriate and affordable use of technologies through Cloud Computing. He also heads
the CII (Southern Region)’s task force on Internal Security.
He has been conferred the prestigious award of a Distinguished Alumnus of IIT Madras and
The Government of India has decorated him with Police Medal for Meritorious Service as
well as the President’s Medal for Distinguished Services.

What in your opinion are the three important steps to be taken in order to reduce the
adverse impact of Cyber Crimes on the society?
As in Traffic management, Education, Engineering and Enforcement could help in the
reduction of Cyber crimes and their adverse impact on society. While educating, netizens
need to be especially educated about the threats to privacy and the mischief and frauds that can
be played upon the unsuspecting by the unscrupulous. For improving Enforcement, we need
empowerment and improvement of the knowledge and skills of the investigating, prosecuting
and judicial officers. Through engineering, we could set up appropriate and adequate
protective shields like firewalls, access controls etc. and thereby prevent or mitigate the
damage in the event of cyber attacks.

What in your opinion is the role of Corporate Entities in Cyber Crime mitigation?
Corporate liability is a fact in law. Therefore Corporates have to be aware of the likely threats
and be made responsible for taking necessary steps such as the introduction of security protocols and
an appropriate “security policy” being put in place.

What in your opinion is the role of “Internal Information Security Auditors” in a
company in prevention of data thefts?

Like quality auditors, Information Security Auditors need to be present in an organization.
The presence of Internal auditors shows the awareness of the importance of cyber security
measures in the organization. The need for external auditors is to emphasize the constant
necessity for updating knowledge, systems and procedures within the organization in keeping
with the emerging situations.


What are the measures you think would be necessary for Companies and Police to cooperate
towards building a secure Cyber Society?

Frequent exchange of views by organizing seminars, workshops, and the formation of forums for
exchange of information and updation of knowledge and periodic review.

What in your opinion are the reasons for the low levels of prosecution in Cyber
Crimes?

Firstly there is a reluctance to report a crime. The reporting of a crime calls for further work,
including repeated visits to the investigator’s office in order to assist them in their
investigation. This is considered a waste of time. Less reporting takes place as victims do not
want to exhibit their ignorance or their negligence in respect of adequate security policies not
being put in place.

There are also instances of Police shooing away victims who want to report a crime. There is
a lack of appreciation on the part of the Enforcement officials of the nuances of this new
breed of crimes called cyber crimes. They do not wish to be perceived as poor performers
when such complex crimes remain unsolved. The difficulty of investigating and prosecuting
these crimes (where availability of evidence is uncertain) is also responsible for their lack of
enthusiasm in pursuing cyber crimes.

The last reason for the low level of prosecution in cyber crimes is the vagueness of the law and the
inability to assess the ultimate economic impact of the crimes.

What action plan is required to reduce “Cyber Offences” in Schools?

Children are quick learners. If they are taught the ramifications of the cyber offences and steps
required to be followed to mitigate damages, it will go a long way in creating awareness and a
responsible GenNext.

In view of the speed of the explosion of knowledge in the cyber world, it is necessary that constant
skill and knowledge updating be emphasized regularly. Your effort in this direction is highly
commendable and needs to be supported… R.Srikumar
Interview of the Month…2

R.Ramamurthy: Chairman, Cyber Society of India:

R Ramamurthy, more popularly known as Gemini Ramamurthy, is the Chairman of Cyber Society
of India, a Not for Profit organization headquartered in Chennai.

R Ramamurthy has a background in mass communication and has been the chief executive officer
of Gemini studios group companies for 25 years. He has also been the senior Vice President of a
major computer company and set up their dealer network for the entire north India. He has been
elected as a National Council member of Confederation of Indian Industry (CII) for seven terms.

He has represented CySi in many national and international forums including the Worldwide
Security Conference held in Brussels, Belgium, in Feb 2009 and again in the International
Telecom Union Conference held in Geneva in Oct 2009.

What in your opinion are the three important steps to be taken in order to reduce
the adverse impact of Cyber Crimes on the society?

1. Create adequate awareness of the risks.
2. Inflict heavy punishment for Cyber Crimes.
3. Convince manufacturers to do some R&D to get an audit trail of any such effort by fraudsters
and to automatically shut down the operations and give an alert.

What in your opinion is the role of Corporate Entities in Cyber Crime mitigation?

First and foremost, inform the Cyber Crime Cell without any reservation.

What in your opinion are the reasons for the low levels of
prosecution in Cyber Crimes?

Lack of knowledge and Experience in the Judiciary and the hesitation arising therefrom.


What in your opinion is the role of “Internal Information Security Auditors” in a
company in prevention of data thefts?

They are responsible for the prevention and hence play a vital and primary role.

I also opine that they should all be above board if thefts are to be prevented.

What are the measures you think would be necessary for Companies and Police to
cooperate towards building a secure Cyber Society?

It is a well known fact that the Police are the most corrupt in the country and even if God
goes to a Police Station to file an FIR, he cannot get it done unless he meets the demands
of the Police.

Moreover, the knowledge and awareness of Cyber Crimes is very poor especially among
all the Police cadres except the top. Sorry for my bitter language. But unless this is
rectified, the confidence level of the companies will not embolden them to approach the
Police.

What action plan is required to reduce “Cyber Offences” in Schools?

We Must create an awareness for the School Teachers.

Separate Curriculum to be drawn for Cyber Awareness among School Children.

Some illustrative case studies where the children who indulged in Cyber crimes lost
their friends, recognition and social status etc., must be presented before the children,
as a measure of deterrent.

Institute awards in schools for Cyber Safety conscious children.

Interview of the Month..3

This is a brief interview with Sri Umashankar Sivasubramanian, complainant in the historic
adjudication case referred elsewhere in this issue.


Indian Banks have made substantial progress in introducing technology for day to day Banking
requirements. However Banks have been the target of many Cyber Crimes including Phishing. As
a Customer of a Bank, what in your opinion are the security measures required to be taken by the
Bank to safeguard the customers?

The first and foremost thing to safeguard customers of Indian Banks is to adopt digital signatures
in transactions involving money transfer/payments. Even though this is mandatory as per the I.T.
Act 2000, no banker is heeding this provision and the supreme body of banks (RBI) is also
a mute spectator to this. This is the only solution to safeguard Customers.

You recently passed through the rigors of taking up an adjudication complaint against a major
Bank. Can you summarize the practical difficulties you faced in the process and suggest any
measures for improvement of the system?

In my opinion, once an offence under the I.T. Act is established, only the respondent of the case,
i.e. the Bank, must be questioned by the Adjudicator and the onus of proving that it is not guilty of the
offence should rest with the Bank. The Adjudicator himself should play the role of complainant inasmuch as
he is convinced of a violation of the I.T. Act. Only on very rare occasions should the complainant
be called for a hearing. This will save the complainant from unnecessary expenditure. Further,
there should be only 2 hearings at the most and the adjudication should be settled within 6 months.
In my case, besides travel and accommodation expenses, I had to take leave with loss of pay. At one
stage, considering the above difficulties, I authorized my aged father, who was 700 Kms away from
Chennai, to attend the hearings and also an expert cyber law consultant to represent me.

In your opinion, is there adequate awareness in India and the customers of the Indian Bank about
the remedies available to them for frauds in Banks and if not what measures are to be taken in this
regard?

The customers of Indian Banks are only aware of the Banking Ombudsman and the Consumer
redressal forum for remedy, which are of no use in phishing cases. They are least aware of the
remedy under the I.T. Act.

Other Remarks:

The customers are always told by the Banks in phishing cases that it is their negligence in
divulging vital information to third parties that has resulted in the frauds and that the Banks are in no way
responsible. They also take shelter under the cover of the undertaking signed by the customer at
the time of availing Internet Banking facilities, which is arbitrary in nature and cannot
withstand judicial review. The Banks never accept the shortfalls in the systems and software they have
adopted. As customer education on internet banking, the Banks should display in their business
premises the options available under the I.T. Act provisions to mitigate their genuine sufferings.

Umashankar Sivasubramanian

Cyber Law News for CxOs

ICICI Bank Held Liable for Phishing

Phishing is a very common type of Cyber Crime occurring in India. On April 12th 2010, the
adjudicator of Tamil Nadu, Sri PWC Davidar, pronounced a landmark judgment in respect of a
complaint lodged with him under ITA 2000 by a customer of ICICI Bank who had lost Rs 6.46 lakhs
through Phishing. The award directed the Bank to pay the customer the amount fraudulently
transferred in the Phishing transaction along with expenses and interest, amounting to a total of
Rs 12.85 lakhs.

It was interesting to note that the Adjudicator, amongst other things, pointed out that ICICI Bank
did not use Digital Signatures for its normal e-mail communications with Customers as required
under ITA 2000 and RBI guidelines.

The adjudicator also pointed out that the amount was transferred from the Victim’s account to the
fraudster’s account, which was also kept in the same Bank, and that the Bank later found that the
fraudster had provided a false address at the time of opening the account and had become
untraceable, indicating further negligence in following the KYC guidelines under anti-money-laundering law.

The Adjudicator found the Bank liable under Section 85 of ITA 2000 for lack of “Due Diligence”.

This was the first such award given by any Adjudicator in India and could be a forerunner to an
overhauling of the Information Security policies and procedures in Banks.

The judgment also highlights the need for Banks and other organizations to assess Section 85 Risks
through an appropriate ITA 2008 compliance audit and initiate the necessary Risk Mitigation steps.
(Copy of judgment is available at www.naavi.org)

Suspect Business Models

In recent days several innovative business propositions are being introduced on the Internet in
India which have raised certain issues of legality.

One such model is the “Penny Auction”, where bids are invited on an expensive product in paise
units or fractions of a paisa with the assurance that the lowest unique bidder would win. Successful
bids are announced as “Black Berry Mobile successfully bid at Rs 1.26” etc. Attracted by the lure
of winning bids at ridiculous rates, new members join the scheme.

Firstly, the members find out that when they bid, say, Rs 1.20 for a TV costing Rs 60,000 and re-bid
at 1.19 or 1.18 etc., each such bid costs them a membership currency which may be Rs 7, 8 or 9 per
bid. When a person makes 10 or 12 bids, he would already have spent more than 100 rupees.

Finally, the software is so manipulated that fake bids are put in and no genuine bidder wins.

Recently one such site admitted to an unsuccessful bidder that there was a bug in the software and
offered to repay the amount used by him in the bid. However hundreds of other bidders would have
already lost money and the site would have enriched itself with what they have admitted as a
software bug.

Similarly, there are sites which assure a 3% per day return for viewing ads or investing in Foreign
exchange etc., which are mostly scams built on technically feasible business models.

Such scams were more prevalent abroad and are slowly percolating to India. The sooner the
regulators wake up and initiate action on such websites, the better it is for the community.
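The adjudicator’s point about digitally signed e-mail is easy to demonstrate in code. The following Go program is an added example written for this newsletter; it is not code from the judgment, from the Bank, or from any real banking system. It signs a constructed sample notice (placeholder addresses, not a real ICICI Bank message) with an Ed25519 key, assumed here in place of whatever certificate-based scheme a bank would actually deploy, and shows what a verifying mail client on the customer’s side would conclude about three copies of the notice: the genuine one, a phisher’s copy with the login link swapped, and a copy the phisher re-signs with a key the customer never trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// sampleNotice is a constructed example of the kind of alert a bank sends
// by e-mail. It is not a real bank message; the domains are placeholders.
const sampleNotice = "From: alerts@example-bank.test\r\n" +
	"To: customer@example.test\r\n" +
	"Subject: Transfer alert\r\n" +
	"\r\n" +
	"A transfer of Rs 6,46,000 was requested from your account.\r\n" +
	"To review it, log in at https://netbanking.example-bank.test/\r\n"

// Signer holds a long-term signing key pair. For a real bank the private key
// would sit in an HSM and the public key would reach customers out of band
// (for example, in a certificate their mail client already trusts).
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// Sign returns a detached signature over the exact bytes of the notice.
// Any later change to those bytes, however small, invalidates it.
func (s *Signer) Sign(notice string) []byte {
	return ed25519.Sign(s.priv, []byte(notice))
}

// Verify is the customer-side check: the signature is tested against the
// bank's published public key. It is false for a forged or altered notice.
func Verify(pub ed25519.PublicKey, notice string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(notice), sig)
}

// Tamper models a phisher who forwards the genuine notice but swaps the
// login link for a look-alike domain under their control.
func Tamper(notice string) string {
	return strings.Replace(notice,
		"https://netbanking.example-bank.test/",
		"https://netbanking.example-bank-secure.test/", 1)
}

// Outcome records the three checks a verifying mail client would make.
type Outcome struct {
	GenuineVerifies  bool // bank's notice, bank's signature, bank's key
	TamperedVerifies bool // link changed, old signature kept
	ForgedVerifies   bool // phisher's copy signed with the phisher's own key
}

// Run performs the three checks with freshly generated keys.
func Run() (Outcome, error) {
	bank, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	phisher, err := NewSigner() // the phisher's key is never trusted by the customer
	if err != nil {
		return Outcome{}, err
	}

	sig := bank.Sign(sampleNotice)
	tampered := Tamper(sampleNotice)

	return Outcome{
		GenuineVerifies:  Verify(bank.Pub, sampleNotice, sig),
		TamperedVerifies: Verify(bank.Pub, tampered, sig),
		ForgedVerifies:   Verify(bank.Pub, tampered, phisher.Sign(tampered)),
	}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine notice verifies:  %v\n", out.GenuineVerifies)  // true
	fmt.Printf("tampered notice verifies: %v\n", out.TamperedVerifies) // false
	fmt.Printf("forged notice verifies:   %v\n", out.ForgedVerifies)   // false
}
```

Two practical caveats follow from the code rather than from the judgment. The protection holds only if the customer’s mail client actually performs the Verify step against a key obtained from the bank out of band; a phisher who simply omits the signature is stopped only when unsigned mail claiming to come from the bank is treated as suspect by policy. And the signature proves who sent the notice and that it was not altered, nothing more: it does not make the bank’s own systems or its KYC process any more diligent.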

Copyright Act Amendment Bill Introduced

Government of India has introduced a Bill to amend Indian Copyright Act 1957 in the Rajya Sabha. Earlier in 2006, a
Bill for the same purpose had been introduced but it lapsed without being passed.

The present Bill is expected to address issues of Digital Copyright such as Digital Rights Management, Contributory
Infringement, Liability of Websites facilitating Copyright Infringement etc.

Music industry had been lobbying for some amendments to protect their interests which are expected to be addressed
specially in the Bill.
(Copy of the amendment Bill available at www.naavi.org)


Cyber Crime Awareness Program in Nasik

CCITO, a private organization based in Nasik, has undertaken a program for conducting Cyber Crime awareness
programs throughout the State of Maharashtra. The organization launched its activities at Nasik with a two day
program for senior Police Officers on April 9th and 10th.

Naavi along with several other professionals participated in the program which is expected to be a forerunner for a
series of such programs to be conducted in several cities of Maharashtra.

Botnets in India

Over 13 million PCs in 190 countries were reported to have been part of a major Botnet identified as “Mariposa”
which was dismantled recently. India was, along with Mexico, Brazil, Korea and Colombia, among the countries with
the largest number of infected machines.

A “bot” is essentially a computer which is capable of being operated remotely by somebody who has installed
malicious code in it or is able to exploit a vulnerability in any of the software running in it; a Botnet is a
network of such computers controlled from a common command point. Botnets are created by crime syndicates to
launch denial of service attacks or steal data. The extent of loss likely to have been caused by Mariposa is
difficult to estimate and may cross several millions of dollars.

The malware was designed to spread through USB drives, instant messenger programs and peer-to-peer (P2P)
networks. In addition, the malware attempted to spread through drive-by downloads targeting Microsoft's Internet
Explorer (IE) 6 browser.

One way attackers spread the malware was by sending out malicious links in instant messages on MSN
Messenger. When a user clicked on the link, it brought up a page that appeared to be an update for Adobe Flash
Player. If that page was viewed using a vulnerable IE 6, the malware was installed via drive-by download,
requiring no further user interaction.

Botnets can be serious hazards since the controller may use the innocent user’s computer as an attacker and
commit grave offences including Cyber Terrorism or Cyber Warfare.

Users need to safeguard against their computers becoming part of a Botnet by keeping the operating system and
browser patched and by using effective, up-to-date anti-malware tools. They can also reduce a compromised
machine’s usefulness to an attacker by not keeping the computer connected to the Internet at all times.

2010 State of Enterprise Security in India

Cyber crimes and attacks cost Indian companies Rs 58 lakh in revenue in 2009 and affected over 66% of Indian
enterprises, according to a study by internet security providers, Symantec Corp.

According to the findings over and above these revenue losses, Indian enterprises also lost an average of Rs 94.56
lakh in organisation, customer and employee data, and an average of Rs 84.57 lakh in productivity costs last year.

The study further found that close to half of the Indian Enterprises surveyed saw cyber security as their top issue,
rating it above threats from natural disasters, terrorism and traditional crime combined.

Knowledge +

Corporate Policies and Cyber Laws

The Indian economy has a huge stake in the development of the IT Sector. Information Technology has
already absorbed Communication Technology and developed into a larger segment of industry
recognized as the Infocomm industry. India has an opportunity to be one of the leading countries in the
world in the Infocomm sector and hence it is critical that we nurture this industry towards prosperity
through various means.

While India has the necessary manpower and skill-sets to be a global leader, the one factor that often
threatens the growth of Infocomm is the adverse effect of the emerging Cyber Crime scenario. The
National Policies of India since the 80’s have therefore been to encourage the growth of the Infocomm sector
by providing the industry with a strong legal foundation.

It was this “Policy” to encourage “E-Commerce” that first led to the drafting of Cyber Laws in our
country in the form of ITA 2000. In the last decade it was observed that the risks in Cyber Space were
growing more and more menacing and therefore the National Policies for development of the Infocomm
sector further dictated substantial amendments to ITA 2000 and the new version of ITA 2000 referred to
as ITA 2008 became effective from October 27, 2009.

We may therefore recognize that it is the Policy of using Infocomm as a development tool for India, and
“Security” as a critical necessity for this development, that has given birth to the Cyber Laws in India,
now in the form of ITA 2008.

Citizens and Companies are bound by these laws and hence Laws of the Land become the backbone of
the corporate policies that drive the day to day activities of a Company. It is in this context that Cyber
Laws become the foundation for determining Corporate Policies in any given Company.

Since ITA 2008 applies to all Companies which use Electronic Documents, Computers and Other similar
electronic devices as part of their business infrastructure, the incidence of ITA 2008 runs through every
fabric of corporate policy.

“Clause 49” of the Listing Requirements introduced by SEBI is an initiative to ensure that Shareholders
are appropriately assured by the Corporate Managements that their Company is a Law Compliant entity
and any liability that may arise due to non compliance has been adequately insured against.


ITA 2008 in combination with Clause 49 has now become a lethal combination that has
stirred a hornet’s nest in every Corporate Board Room.

Cautious Company managements are now asking themselves, “Are We Compliant with ITA
2008?” If not, “Are we right in providing Clause 49 certification in our next annual report?”
But as is the true spirit of the Indian psyche, some feel “Chalta Hai!” and many comfort
themselves that “All Iz Well”.

But any Company committed to high standards of Corporate Governance needs to sit up and
take notice..

“Here is a new legislative provision that has come into existence during this financial
year…” “We have seen some Corporate CEOs facing criminal charges under the Act
for vicarious liabilities…” “We have seen many Banks being asked to pay
compensation for frauds committed by somebody else…” “We have seen at least one
major IT company losing Rs 20 crores of shareholders’ money attributable to
negligence in security of the info systems…”

If this is the scenario, it is necessary for such responsible companies to review the internal
controls specifically from the point of view of ITA 2008 and its compliance requirements. If
not, it would be unethical to sign this year’s annual report with an inaccurate Clause 49
certification and expose the CEO and the Directors to a possible charge of deliberately
misleading the shareholders.

It is necessary for the Companies to recognize that ITA 2008 expects that “if any Cyber
Crime occurs with the use of Company assets, it may be attributed to the Company itself
besides the person who actually misused the systems”. Once the Company is attributed with a
Crime, the Directors and Officials have to prove that they have not been negligent in the
implementation of any provisions expected of them in ITA 2008, or else face the wrath of the
law as if they had committed the offence with malicious intent.

Even if criminal charges are avoided, the financial liabilities that fall on the Company and
attributable to the neglect of the Company officials could be adversely affecting the financial
position of the Company.

It is therefore necessary for the Corporate CxOs to appraise themselves with the ITA 2008
liability risks and undertake appropriate action to counter them.

If a Company undertakes an ITA 2008 Compliance Gap analysis, they would find that there
are many areas under which the Company may find itself short of the expectations of law.

For example, under section 70B, CERT-In has certain powers to demand information from a
Company. Similarly, under sections 69, 69A and 69B, the Government or an agency it authorises can
issue certain directions to Companies and intermediaries. Failure to comply with these requests is
punishable with imprisonment and/or fine.

Likewise there are various responsibilities which ITA 2008 casts on a Company, and risk
associated with the non compliance of each of these responsibilities could result in either
civil penalties or criminal punishments.

ITA 2008 Risk Assessment Domains

(Diagram not reproduced in this text version.)

The diagram represents the different steps in risk assessment and risk mitigation which a Company
has to pass through before the Company can be reasonably confident that it has fulfilled the due
diligence responsibilities envisaged in ITA 2008.

The road ahead for Indian Companies particularly those which are required to comply with Corporate
Governance requirements is to start an ITA 2008 audit to identify the compliance gaps and then
proceed to implement them with a reasonable schedule.

Since ITA 2008 is already effective from October 27, 2009, there is no option for Companies but to
admit that they are non- compliant as of 31st March 2010 but have initiated steps to identify the ITA
2008 compliance requirements and make such a statement as part of the Director’s Report in the
annual report.
Naavi


Cyber Crimes in a Corporate Environment

Companies face two kinds of Cyber Crimes: one in which the Company or its assets are the target, and
the other in which the Company’s assets are used as tools for a Cyber Crime, either by its employees or
by others.

Protecting the Company’s assets from being targeted is a part of the Information Security function of the
Company. When a Company’s assets are adversely impacted by any Cyber Crime, the cause of action
for initiating legal proceedings lies primarily with the Company. Even when the Company is not keen
on pursuing damages caused by a cyber crime, the Shareholders of the Company would be interested
in ensuring that the Company does not end up losing money on account of the Crime. Regulators such
as SEBI or RBI should also be interested in ensuring that the Company does not, for its own reasons,
ignore taking the required legal steps to recover the losses.

If a Company is properly insured against losses caused by Cyber Crimes, the Insurance Company
would be interested in pursuing the recovery of loss.

For example, recently WIPRO lost Rs 20 crores due to an employee fraud. According to available
reports, the Company went into a compromise and wrote off nearly 50% of the loss. The directors of
the company may however have to get this write off endorsed by the shareholders.

A second example is the case of Umashankar Vs ICICI Bank reported elsewhere in this news letter
where ICICI Bank decided not to pursue its legal options against the fraudster though the fraud came
to light within 24 hours of the fraud money going out of the control of the Bank. Here also there could
be a Public Interest for which RBI or the share holders of ICICI Bank may question why the Bank
pursues the policy of not taking legal action against fraudster-customers who use the Bank resources to
defraud other fellow customers.

ITA 2008 provides certain security guidelines by prescribing “Reasonable Security Practices” under
Section 43A, “Due Diligence” under sections 79 and 85 and contractual obligations under Section
72A.

The second type of Cyber Crime that affects companies is any offence under ITA 2008 committed
with the use of the Company’s resources. This could include even personal crimes such as the sending of
obscene messages by an employee to somebody else, which may have nothing to do with the
business of the Company. In such cases the need for the Company to exercise “Due Diligence” under
Section 85 may come under debate.

Thus in both types of crimes indicated above, there is a need for Companies to exercise “Due
Diligence” and the step to achieve due diligence is through an ITA 2008 compliance audit. This
therefore is the focus of Corporate Information Security requirements in the year 2010.


In a recent survey released by PWC, an interesting analysis emerged of the security practices
followed by Indian Companies. Amongst the companies surveyed, 73% had an overall information
security strategy and over 80% were inclined to increase their spending in the coming year.

38% of the participants surveyed were practicing half yearly risk assessments and over 59% said
they do conduct employee awareness programmes.

Symantec also came out with a study which notes that Indian enterprises lost an average of Rs 94.56
lakh in organisation, customer and employee data, and an average of Rs 84.57 lakh in productivity
costs in 2009.

However it is not clear if the “Information Security” that is being spoken of in the surveys is a
purely technical information security survey or a “Techno Legal Information Security Survey”.

Legal Compliance Risk does not come up for assessment in a purely technical information security
survey, and hence the possible liability that may arise for a company due to non-compliance with ITA
2008 or similar laws is not thrown up in such surveys.

Since awareness of Cyber Laws and their impact on Corporate functioning is still at a nascent
stage even at the higher levels of management, it is a reasonable assumption that the level of
Techno Legal Information Security compliance is likely to be very low.

Perhaps Cyber Laws For CxO should itself conduct a survey amongst the Indian Corporates to find
out the extent of Awareness, Appreciation and Adoption of Techno Legal Compliance and its likely
impact on the Companies.

In India, we do not even have good statistics on Cyber Crime incidents, neither for the Corporate
sector nor for the overall scenario. The National Crime Records Bureau (NCRB) does come up with
some statistics about Cyber Crime cases registered with the Police, but this captures only
a fraction of the crimes that are likely to be occurring. Now that ITA 2008 is in effect, if
CERT-IN uses its powers under Section 70B, adequate information can be collected from the
corporate sector about Cyber Crime incidents and their financial impact. This information is vital for
future planning of Cyber Crime mitigation strategies.

Industry associations could also consider a mechanism whereby reliable data is collected in a
manner which does not hurt the reputation of the reporting organization, and collated for the
benefit of all.

It is pertinent to mention here that the trend abroad, as indicated by the HITECH Act passed in the
USA last year, is to make it mandatory for organizations to disclose data breach or cyber crime
incidents and to penalize non-compliance. India should take a cue from such legislation, and
organizations such as RBI, SEBI and the Company Law Board should collect data on security breach
incidents and pass it on to CERT-IN for collation. Alternatively, a reliable private sector
initiative serving the same objective needs to emerge.

Naavi

Questions and Answers

We intend to use this section of the newsletter to answer Cyber Law related queries raised
by our readers. This being a special issue on Cyber Crimes, we are using this space to
explain some of the basic concepts relating to Cyber Crimes.

We would appreciate queries being raised by persons indicating their Name, Occupation and Contact
details. We do not, however, want to restrain readers from raising questions without
revealing their identity. Such readers may send their questions as "Anonymous", in
which case even their e-mail ID will not be published in the newsletter.

All questions may be sent by e-mail to naavi@in.com with the subject line
containing "Cyber Laws for CxOs".

What Constitutes a Cyber Crime?

Defining a Cyber Crime is largely a matter of semantics.

One popular definition of a Cyber Crime is that "it is a crime where a computer is either a
target or a tool of the crime".

This definition, however, needs to be modified in the light of laws being legislated
worldwide to tackle Cyber Crimes, where the scope of legislation is not restricted to
offences committed with "Computers" but extends to any offence committed with the
use of Electronic Documents and of devices which are not computers but are capable of
computer-like operations such as generating, storing and forwarding Electronic
Documents. ITA 2000 also adopts this approach.

Hence a better definition of Cyber Crime is:

"Cyber Crime means any contravention of law where an Electronic Document or
any device that generates, stores or transmits an Electronic Document is either a
tool or target of contravention".

According to this definition Cyber Crimes are not restricted to offences mentioned in ITA
2000 or ITA 2008 (ITA 2000 as amended by Information Technology Amendment Act
2008). It includes Internet and Non Internet Crimes. It includes Computer, Mobile, ATM
and Credit Card related crimes. It includes crimes against physical electronic assets
including destruction of a computer or a mobile or a CD or a Pen drive. Even IPR offences
against Cyber Properties can be covered as Cyber Crimes under this definition.

This definition also includes offences in which only "Electronic Documents" are involved,
even when such an electronic document is for the time being in a "Non Electronic Format"
(for example, a printout).

It may be noted that the above is a derived definition suggested by Naavi and is not
incorporated as such in the current version of ITA 2008. It is, however, a direct outcome of
the ITA 2008.


What to do when you spot a potential Cyber Crime

If you observe what you believe to be a "Cyber Crime", first determine whether you are a victim or
a passive observer.

Think for a moment about why you consider it a Cyber Crime and try to preserve the
evidence relating to it (the original e-mails with headers, screenshots, logs, transaction
records) without altering it.

Contact an expert if required at this stage to understand whether there is prima facie
evidence of a crime or not.

If confirmed, locate the nearest Police Station, lodge a written complaint and obtain
an acknowledgement bearing the time and date.

Most Cyber Crime Police Stations and senior police officers are reachable by e-mail, and
a complaint can be lodged by e-mail, preferably with a digital signature. If required, use
the services of a "Certified E-Mail Forwarder" such as the Cyber Evidence Archival Center
(www.ceac.in).

If you have suffered any loss on account of a Cyber Crime, approach a Cyber Law expert
in your area or take the assistance of E-NGOs such as Naavi.org.

Which Police Station to Approach

Some State Governments have created specialized Cyber Crime Police Stations in some
Metros. If one is available, contact it, since you are more likely to find knowledgeable police
officers there.

Otherwise approach any Police Station within your area and lodge the complaint. They will
guide you to the appropriate alternate Police Station, if any.

In case of difficulty, approach the senior Police officers in the area or a suitable advocate.

How To Recover the Monetary Loss?

In case any monetary loss has arisen due to contravention of any provision of ITA 2008,
approach the "Adjudicator" of your State (the Adjudicating Officer appointed under Section 46).

Please see the March Issue of Cyber Laws For CxOs for more information on the
Adjudication process.

If the contravention is not one under ITA 2008, you may have to approach the alternate
Court/Forum of jurisdiction, such as a Consumer Forum or a Civil Court.


A Cyber Crime in an Organization

If a Cyber Crime is committed with the use of any resources belonging to a Company, the
executives of the company, including the CEO as well as the Directors, may incur both
civil and criminal liability for negligence under ITA 2008 (Sec 85).

Hence immediate steps have to be taken to secure the evidence and bring in the Police for
investigation.

Additionally, an ITA 2008 compliance audit should be initiated, if not already done, so that the "Due
Diligence" requirements under ITA 2008 are fulfilled.

Negligence that facilitates a Crime, negligence that assists a Criminal, suppression or
erasure of evidence, and failure to take adequate steps after a Cyber Crime incident may all
enhance the culpability and liability of the organization.

How Do we Recognize a Cyber Crime?

The following are the ingredients of a Cyber Crime:

1. A wrongful loss has occurred to somebody.
2. There is a violation of some legal provision.
3. A Computer, Mobile or a similar electronic device or an Electronic Document is
   involved in the Crime.
4. At least one device in India has been used in the commission of the crime.
5. The Victim or the Perpetrator may be either in India or abroad.

Who Has to make a Cyber Crime Complaint?

Preferably the complaint is to be made by a person who has suffered a loss or is likely to
suffer a loss on account of the incident.

A third party may also bring a crime to the notice of law enforcement in the interest of the
public in general.

Is Theft or Damage of a Computer a Cyber Crime?

Under Section 66B, dishonestly receiving or retaining a stolen computer resource or communication
device is an offence. Hence stealing the device indirectly becomes assistance to commit a Sec 66B
offence and can be considered a Cyber Crime. Causing damage to a computer is a contravention
under Sec 43 and, when done dishonestly or fraudulently, an offence under Section 66. Physical
damage to a computer can therefore also be called a cyber crime.


What Crimes are covered under ITA 2008?

ITA 2008 is a comprehensive legislation that covers many types of Cyber Crimes. The Act
does not use the popular names of Cyber Crimes but describes them through different sections.
If properly interpreted, it covers most of the known cyber crime offences.

Section 66 covers most of the common crimes arising out of "Unauthorised Access". Any of the
acts listed in Section 43, when done dishonestly or fraudulently, is punishable under it. The
section includes unauthorized downloading, alteration, deletion etc. It also includes denial of
access and causing damage to computer resources. It also includes assistance to others for the
commission of crimes, and the common financial frauds in which an electronic resource is used
by one person but charged for payment to another (eg: when somebody else's credit card is used
online by a fraudster).

The most critical part of the section is that "Diminishing the Value or Utility" of information
residing inside a computer is considered an offence under this section. This clause is
amenable to wide interpretation and is one of the powerful features of ITA 2008.

How are E-Mail Based Crimes Covered under ITA 2008?

Section 66A of ITA 2008 covers offences such as sending offensive and threatening mails as
well as mails sent with a false sender's address. This section can be invoked in cases of
Phishing. Under certain circumstances it can also be used in cases of "Defamation". "Cyber
Stalking" by causing harassment through e-mail or SMS messages can also be brought under
this section.

What is the Extent of Punishment for Cyber Crimes?

Most of the Cyber Crimes carry imprisonment of up to 3 years. The maximum imprisonment is "Life
Imprisonment" under Section 66F for "Cyber Terrorism". Additionally there can be fines,
normally in the range of Rs 1 to 5 lakhs. Damages are also payable to the victim. A full list of
section-wise punishments is given separately.

What is the Extent of Civil Liability for Cyber Crimes?

There is no limit on civil liability under ITA 2008. Liability arises for all contraventions under
Chapter IX, including Section 43A regarding data protection. Claims up to and inclusive of Rs 5
Crores are within the jurisdiction of the Adjudicator, and claims beyond Rs 5 Crores are within the
jurisdiction of the appropriate Civil Court.

Particulars of Offences covered under Chapter XI of ITA 2008

Section  Description                                                    Imprisonment (Yrs)  Fine (Rs lakhs)
65       Tampering with computer source documents required to be        3                   2
         kept or maintained by law
66       Various Computer Related Offences                              3                   5
66A      Sending Offensive Messages                                     3                   USA
66B      Receiving Stolen Devices                                       3                   1
66C      Identity Theft                                                 3                   1
66D      Impersonation (Cheating by Personation)                        3                   1
66E      Video Voyeurism (Violation of Privacy)                         3                   2
66F      Cyber Terrorism                                                Life                -
67       Publishing and Transmission of Obscene Electronic Documents    3                   5
         Repeat offence                                                 5                   10
67A      Publishing and Transmission of Sexually Explicit Material      5                   10
         in Electronic Form
         Repeat offence                                                 7                   10
67B      Child Pornography (includes publishing, transmission,          5                   10
         browsing, storing, chatting etc)
         Repeat offence                                                 7                   10
67C      Preservation and Retention of Information by Intermediaries    3                   USA
68       Failure to Comply with Controller's direction (applicable      2                   1
         to Certifying Authorities and their employees)
69       Failure to assist in Interception and Monitoring               7                   USA
69A      Failure to assist in Blocking                                  7                   USA
69B      Failure to provide information                                 3                   USA
70       Attempt or Access of Protected System                          10                  USA
70A      Not related to offences                                        -                   -
70B      Failure to Comply with Directions from Nodal Agency (CERT-IN)  1                   1
71       Misrepresentation for obtaining Digital/Electronic Signature   2                   1
         Certificate
72       Breach of Confidentiality by authorities                       2                   1
72A      Unauthorised Disclosure of Information                         3                   5
73       Publishing false Digital/Electronic Signature Certificate      2                   1
74       Publishing Digital/Electronic Signature Certificate for        2                   1
         fraudulent purpose

USA = Unspecified Amount (the section provides for a fine without stating a ceiling).
Imprisonment figures are the maximum terms; fines are the maximum amounts. Two entries have been
corrected against the text of the Act: the repeat-offence fine under Section 67 is Rs 10 lakhs, and
the imprisonment under Section 70 (Protected System) extends to 10 years.


What is the punishment for Abetment and Attempt?

Abetment of any offence (Section 84B) carries the punishment provided for the specific offence.
An attempt to commit any offence (Section 84C) is punishable with up to one-half of the
longest term of imprisonment provided for that offence, or with the fine provided for it, or both.

Can Company Officials be Arrested for Offences committed by Employees?

Yes. Under Section 85, if the offence is attributable to the Company and negligence can
be attributed to any officer or director, criminal liability can rest on those officials. An
offence can be attributed to the Company when its resources are used by employees
to commit a crime.

Cognizability, Bailability and Compoundability

All offences punishable with 3 or more years of imprisonment are "Cognizable" (Section 77B).

Offences punishable with three years of imprisonment are Bailable (Section 77B). Offences punishable
with up to and inclusive of 3 years of imprisonment are Compoundable (Section 77A), subject to the
exclusions stated in that section.

Are Foreign Companies and Individuals Liable?

Jurisdiction under ITA 2008 (Section 75) extends to persons outside India and to persons who are not
citizens of India, provided at least one computer, computer system or computer network situated in
India has been used in the commission of the offence.

Are there instances of Company Officials Punished for Vicarious Liabilities?

Proceedings are in progress in the Section 67 case relating to baazee.com against the
CEO of the Company. The ultimate decision will depend on whether the Court is
satisfied with the "Due Diligence" exercised by the Company.

P.S: Views expressed here may be considered as suggestive and other experts may have differing opinions.
Answers given here are for academic clarification and debate and do not constitute legal advice.

Be A Part of the ADR Revolution in India

Use online arbitration for lower costs and greater convenience at www.arbitration.in
Building the Digital Security Consortium in India

With the increasing dependence of society on Cyber Space and Digital Documents,
Digital Security is a matter of concern for all. It is no longer possible for individuals to
conduct Banking or Stock Market activities, or even certain Citizen-to-Government
activities, without using the Cyber Environment and exposing oneself to the risks of
Cyber Space.

With the launch of the Unique ID System, every individual in India will soon have
his basic identity linked to digital data called the UID.

In the coming days we will not have exclusive Citizens or exclusive Netizens. Every
one of us will be a "Cinezen", with a UID in cyber space and an existence in physical
space. We will have assets in both Physical and Cyber Space, with some physical assets,
such as Bank funds, being held in digital form.

Under these circumstances, the security of digital space has become a key determinant of
the well-being of society. Lack of digital security would throw the lives of the
future citizens of the country into disarray.

It is therefore considered necessary for all those who are interested in the wellbeing of
the society to come together and work for the common goal of a “Secure Digital
Society”.

Since the task before us requires action on several fronts and in several places,
Naavi.org has undertaken to build a "Digital Security Consortium" in India,
which proposes to bring together all like-minded organizations working in the Cyber
Security space in India under the common umbrella of the "Digital Security
Consortium".

The objectives of the Consortium would be to work towards Digital Security in all its
dimensions.

Naavi invites all interested persons or organizations to come together in this initiative.
Naavi also invites Corporates to join in this initiative as part of their CSR initiatives to
support the activity of creating a “Secure Digital Society” in India.

Interested persons may contact naavi@in.com with necessary information.

Na.Vijayashankar
(Naavi)

Disclosure

This is an e-newsletter published by Ujvala Consultants Pvt Ltd, No 37, "Ujvala", 20th Main,
B S K Stage I, Bangalore 560050. (Ph: 080 26603490).

Web: www.ujvala.com. E Mail: ujvala@md2.vsnl.net.in

The newsletter is edited by Naavi, Na.Vijayashankar, No 37/5, "Ujvala", 20th Main,
B S K Stage I, Bangalore 560050.

Web: www.naavi.org. E Mail: naavi@in.com

A copy of the newsletter is also hosted on the website http://www.cyberlaws4cxo.com.
In future the newsletter may be reproduced on any other website owned by the same
management or its assignees.

The views expressed in the newsletter and on the hosting website are to be considered as
belonging to the respective authors, are provided for educative purposes and do not
constitute legal advice. Kindly check with a qualified advocate if any legal action is
contemplated.

Any comments and complaints may be sent to the editor at naavi@in.com for resolution.

Contents of this newsletter may be reproduced only with the specific permission of the
editor and with due credit.

Copyright in respect of any contributions from authors published in the newsletter will be
deemed to have been transferred to the publisher at the time the article is submitted for
publication. In the event an author intends to publish the same article in any other
publication, he shall inform the publisher of Cyber Laws For CxO of the name of such other
publication and also add a note "First submitted for publication with Cyber Laws For CxO"
in the other publication.

Any dispute arising out of the publication shall be settled through arbitration at the
virtual arbitration center http://www.arbitration.in as per the terms of the Indian
Arbitration and Conciliation Act 1996.

For Subscription: Visit www.cyberlaws4cxo.com
