Akanksha Agrahari and Prerna Sengupta
The existing framework fails to provide any preventive measures to generate awareness regarding phishing
“Economic crimes committed via acts like phishing are public wrongs or crimes committed against society and the gravity and the magnitude attached to these offences is concentrated at the public at large.”
–J. Bhanumathi in CBI V. Maninder Singh (2016)
Phishing is defined as an instance where a person pretends to represent a legitimate association such as a bank or an insurance company in order to extract personal data from a user such as access codes, passwords etc., which is then used to his own advantage. This definition was given by the Delhi High Court in the case of NASSCOM v Ajay Sood and Others which was the first case in India wherein phishing was held to be an illegal act.
The legislation invoked in cases of phishing is the Information Technology Act, 2000, as amended by the Information Technology (Amendment) Act, 2008, which deals with phishing under Section 43, which provides penalty and compensation for damage to a computer, computer system, etc.; Section 66, which provides punishment for acts done under Section 43; Section 66A, which punishes the sending of offensive or false messages through a communication service; and lastly Section 66D, which punishes cheating by personation using a computer resource. Phishing is also punishable under Sections 416 and 419 of the Indian Penal Code, which respectively define and punish cheating by personation.
This post aims to trace the liability of the main stakeholders in phishing cases in India. It also argues for the urgent need to take proactive measures for increasing awareness since the existing law fails to provide any preventive measures to curtail phishing.
No statute in India defines phishing. However, the liability of stakeholders has been determined in the following ways. The main stakeholder in phishing cases is the customer whose sensitive personal data is being exploited. A crucial question which arises here is whether or not the customer’s own negligence resulting in phishing prevents him from obtaining a remedy. RBI answered this question in its notification dated July 6, 2017, wherein it specified that the customer is not at fault if phishing has occurred due to contributory negligence/fraud/deficiency on the part of the bank, irrespective of whether the customer reports the concerned transaction. In contrast, the customer bears limited liability when the unauthorised transaction has occurred due to his own negligence (reckless sharing of payment credentials, etc.), provided that the customer reports the unauthorised transaction to the bank. The extent of the customer’s liability, if he is found to be negligent, is determined through probe and adjudication in a civil suit. However, if the customer does not report the instance of phishing, he bears the entire liability for his negligence, and no loss will be borne by the bank. But, as stated in Tony Enterprises v RBI, the RBI circular consists only of guidelines which indicate the nature of the action to be taken by the bank when a case of unauthorised transaction is recorded. It does not foreclose the remedy available to the bank if a customer has negligently shared his details with a third party, resulting in an unauthorised payment transaction. The onus of proving that the customer is liable is on the bank; otherwise, the customer is presumed to have been careful.
Another significant stakeholder is the body corporate (such as a bank or an insurance company) which possesses and controls sensitive personal data of its customers in a computer resource. The provisions of the IT Act which render a company liable are Section 43A, which provides for compensation for failure to protect sensitive personal data, and Section 85, which deals with offences by companies. In many cases, laxity on the part of the body corporate leads to hacking of such sensitive data, which is then used by fraudsters for manipulation. Many judicial pronouncements have established this liability of banks.
It was observed that in most cases both parties rely upon conjecture in attributing negligence to the other party. This observation was made by the Telecom Disputes Settlement and Appellate Tribunal in ICICI Bank Ltd v Ramdas Pawar, which also stated that banks are required to have secure systems and processes under Section 43A of the IT Act, as such systems and processes would enable a bank to at least produce logs of the transaction bearing the necessary information in case of a reported fraud.
In Umshankar Subramaniam v ICICI Bank, the court held that since the bank was unable to establish that it had exercised due diligence in the case of phishing, it was liable under Section 85 read with Section 43 of the IT Act, 2000, and was directed to compensate the customer for the loss. Another example is the case of Poona Auto Ancillaries Pvt. Ltd. v. Punjab National Bank (2013). In this case, the customers fell victim to a massive phishing attack owing to laxity in the banking system, as a result of which the special court of the Information Technology department of Maharashtra directed Punjab National Bank, Pune, to pay Rs. 45 lakhs as compensation to the customers. In Smt Leela Bharati v HDFC Bank Limited, the State Consumer Disputes Redressal Commission of Telangana reached a similar judgement, holding the bank liable for deficiency in services for failing to take the necessary steps to help the petitioners recover the amount lost in a phishing scam. Hence, it is settled law that a bank or other body corporate is liable if it fails to exercise due diligence to prevent phishing.
LACK OF AWARENESS REGARDING PHISHING
There is not enough awareness amongst the public regarding phishing. In many cases presented before the Consumer Disputes Redressal Forums, it was noticed that the victims of phishing gave away their personal information to third parties without giving any thought to sharing their credentials. In some cases, the customers were themselves unaware that they might be victims of a phishing attack and treated the discrepancies found in their bank accounts as mere faults in the services of the bank. This goes to show that people are often unaware that they are victims of phishing.
A significant point highlighted in the Poona Auto Ancillaries case is the laxity of the police department in dealing with cyber crimes such as phishing, which, in this case, led to a loss of over Rs. 45 lakhs. As a result, the court directed the Maharashtra police to organize special training classes for all personnel posted in cyber crime cells. Media reports show that police officers across various Indian states are increasingly relying on private cyber forensics firms to assist them in dealing with the growing number of cyber security cases, which is a commendable step taken by law enforcement agencies. However, officials have pointed out that entrusting a private firm with sensitive data can be challenging, which gives them even more incentive to develop an efficient team of cyber security experts within the law enforcement agency itself.
In terms of initiatives taken up by the Ministry of Electronics and Information Technology to deal with cyber security threats like phishing, a nodal agency has been appointed, called the Indian Computer Emergency Response Team (CERT-In). As per its latest annual report, CERT-In handled 208,456 cases in 2018, of which 454 were phishing cases. CERT-In also issued an advisory in 2020 regarding possible phishing attacks during the COVID-19 global pandemic. The authors are of the opinion that CERT-In should undertake similar sensitization initiatives at a much more grassroots level to ensure greater awareness regarding crimes like phishing. This will go a long way in making people more cautious while sharing their sensitive personal data.
Phishing is becoming a widespread phenomenon which has caused grave economic losses to a large number of people. The authors believe that the law is insufficient because it only works towards determining liability after the crime has occurred; there are not enough preventive measures in the law to raise awareness and curtail phishing. Efforts should instead be made to sensitize the public about this issue.
The authors are students at NALSAR University of Law, Hyderabad.