1 CRIMINAL ACTIVITY

1.1 Would any of the following activities constitute a criminal offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:

Hacking (i.e. unauthorised access)

The following acts constitute offences when conducted fraudulently or dishonestly and without the permission of the owner/person in charge of the computer:

  1. accessing/securing unauthorised access to a computer resource (which includes computers, communication devices, computer networks, data, computer databases or software, etc.); and
  2. providing assistance to any person to facilitate such unauthorised access (Sec. 43(a) and (b) Information Technology Act, 2000 ("ITA")).

The above offences are punishable with imprisonment of up to three years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA). Also see question 1.4 below in respect of cyberterrorism and criminal trespass and question 2.2 below in respect of 'protected system'.

Prosecutions:

  • Kumar v. Whiteley (2009): the accused was sentenced to one year of rigorous imprisonment and a fine of INR 5,000 for hacking a government website, gaining unauthorised access to broadband internet and making alterations to subscriber accounts in the computer database.
  • Call centre employees at Mphasis were prosecuted for securing unauthorised access to PIN codes of customers of Citi Group (a client of their call centre) and using these codes to transfer funds into their accounts (2005).

Denial-of-service attacks

  • Causing disruption or denial of access to any person authorised to access any computer by any means is an offence when conducted fraudulently or dishonestly and without the permission of the owner/person in charge of such computer (Sec. 43(e) and (f), ITA).
  • Punishable with imprisonment of up to three years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA).
  • Also see question 1.4 below in respect of cyberterrorism.

Phishing

While "phishing" is not expressly defined, the following acts constitute offences:

  1. Identity theft: fraudulent or dishonest use of the electronic signature, password or other unique identification feature of any other person (Sec. 66C, ITA).
  2. Cheating by personation: using a computer/communication device to cheat by pretending/representing to be another person or knowingly substituting one person for another (Sec. 66D, ITA).
    The above offences are punishable with imprisonment of up to three years and with a fine of up to INR 100,000.
  3. Deceptive/misleading emails: sending emails/messages that deceive/mislead the recipient as to the origin of such message (Sec. 66A(c), ITA).
    The above is punishable with imprisonment of up to three years and a fine.

Cheating under the IPC may also be invoked (see question 1.4 below).

Prosecutions:

  • Mumbai Cyber Cell registered an offence against a person who circulated misleading emails ostensibly emanating from ICICI Bank to obtain confidential information (including usernames, passwords, debit card numbers, PIN codes, etc.) from the recipient bank's customers.
  • Persons were arrested for circulating emails indicating that the recipient had won a lottery prize and requiring them to deposit courier, VAT and insurance charges prior to the transfer of the 'lottery winnings'.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)

The following acts constitute offences when conducted fraudulently or dishonestly and without the permission of the owner/person in charge of the computer:

  1. introduction of a computer contaminant/virus; and
  2. damage to any computer, computer system or computer network or any data, database or computer program residing therein (Sec. 43(c) and (d), ITA).

The above offences are punishable with imprisonment of up to three years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA).

Also, see question 1.4 below in respect of cyberterrorism.

Possession or use of hardware, software or other tools used to commit cybercrime (e.g. hacking tools)

Possession of any plate (including negative duplicating equipment, block, mould, etc.) for making infringing copies of copyrighted work is punishable with imprisonment of up to two years and a fine (Sec. 65, Copyright Act).

Dishonestly receiving stolen computer resources or communication devices is punishable with imprisonment of up to three years or a fine of up to INR 100,000 (Sec. 66B, ITA).

Identity theft or identity fraud (e.g. in connection with access devices)

See "Phishing" above.

Publication of electronic signatures: (i) that are fake; or (ii) for fraudulent/unlawful purposes is punishable with imprisonment of up to two years or with a fine of up to INR 100,000 or with both (Sec. 73 and 74, ITA).

Prosecutions:

  • State of Odisha v. Jayanta Das (2017): sentenced to six years' imprisonment and a fine on charges of forgery, identity theft and cyber pornography for creating a fake profile on a pornographic website in the name of the complainant's wife.

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)

The following acts constitute offences when conducted fraudulently or dishonestly and without the permission of the owner/person in charge of the computer:

  1. downloading, copying or extracting data/information from a computer resource (including any removable storage medium) (Sec. 43(b), ITA); and
  2. charging services availed of by a person to the account of another person by tampering with/manipulating any computer (Sec. 43(h), ITA).

The above are punishable with imprisonment of up to three years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA).

Violation of privacy by intentionally or knowingly publishing/transmitting a private image of a person without his consent is punishable with imprisonment of up to three years or with a fine of up to INR 200,000 or with both (Sec. 66E, ITA).

Disclosure of personal information obtained while providing contractual services, with the intent/knowledge that wrongful loss/gain will result, is punishable with imprisonment of up to three years or with a fine of up to INR 500,000 or with both (Sec. 72A, ITA).

Criminal copyright infringement (i.e. with knowledge): knowingly using an infringing copy of a computer program, and infringement and passing off of trademarks, are punishable with imprisonment of up to three years and a fine of up to INR 200,000. In each case, an enhanced penalty is invoked upon subsequent convictions (Sec. 63 and Sec. 63B, Copyright Act and Sec. 104 of Trade Marks Act).

Theft, cheating, fraud, dishonest misappropriation and criminal breach of trust provisions under the IPC may also be invoked (see question 1.4 below).

Prosecutions:

  • Shankar v. State (2010): an employee caused the publication of confidential information which he obtained through unauthorised access of a computer at the office of the Directorate of Vigilance and Anti-Corruption. He was charged with securing unauthorised access to a 'protected system' and breach of confidentiality and privacy.
  • An employee of HSBC's BPO arm in India was arrested on charges of data theft and cyber fraud for producing forged certificates used to illegally embezzle funds (2005).

Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data

The following acts constitute offences when conducted fraudulently or dishonestly and without the permission of the owner/person in charge of the computer:

  1. destroying, deleting, injuring, altering or diminishing the value/utility of information residing in a computer resource; and
  2. stealing, concealing, destroying or altering computer source code (including computer commands, design and layout, program analysis, etc.) with an intention to cause damage (Sec. 43(i) and (j), ITA).

The above are punishable with imprisonment of up to three years or with a fine of up to INR 500,000 or with both (Sec. 66A, ITA). Knowingly or intentionally tampering (concealing, destroying or altering) with computer source documents required to be kept/maintained by law is punishable with imprisonment of up to three years or with a fine of up to INR 200,000 or with both (Sec. 65, ITA).

Prosecutions:

  • Shankar v. State (2010) (see "Electronic theft" above): a case was also made out that by downloading, copying and causing the publication of confidential information, the accused diminished the value and utility of such information and affected it injuriously.
  • The offence of tampering with computer source documents was held in the following:
    1. Bhim Sen Garg v. State of Rajasthan (2006): fabrication of an electronic record, or committing forgery by way of interpolations in a CD; and
    2. Syed Asifuddin v. State of Andhra Pradesh (2005): Tata Indicom employees were arrested for the manipulation of the electronic 32-bit number (ESN) programmed into cell phones that were exclusively franchised to Reliance Infocomm.

Failure by an organisation to implement cybersecurity measures

This is not applicable in our jurisdiction. See questions 2.10 and 5.1 below for non-penal repercussions.

1.2 Do any of the above-mentioned offences have extraterritorial application?

Yes, provided that the offence committed outside India involves a computer, computer system or computer network located in India (Sec. 75, ITA).

1.3 Are there any actions (e.g. notification) that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences?

Acts under Sec. 43 of the ITA (including hacking, denial-of-service attacks, introduction of a virus, etc.) that are not conducted fraudulently or dishonestly will invoke the civil (and not criminal) liability of compensation of up to INR 10,000,000 for damage caused.

For trademark/copyright infringement, no damages will be payable where the defendant can prove he was unaware, and had no reasonable ground for believing, that the work was trademark/copyright protected.

1.4 Are there any other criminal offences (not specific to cybersecurity) in your jurisdiction that may arise in relation to cybersecurity or the occurrence of an Incident (e.g. terrorism offences)? Please cite any specific examples of prosecutions of these offences in a cybersecurity context.

The following Incidents will constitute "cyberterrorism", which is punishable with life imprisonment:

  1. unauthorised access, denial of access or introduction of a computer contaminant with the intent to threaten national security and causing (or likely to cause) death, injuries, damage to property or disruption of essential supplies/services; and
  2. intentionally/knowingly obtaining unauthorised access to restricted information/data which may be used to injure national security, public order, relations with foreign states, defamation, etc. (Sec. 66F, ITA).

Incidents may also invoke:

  1. Criminal offences under the IPC, such as cheating, theft, criminal breach of trust, criminal trespass, forgery of electronic records, dishonest misappropriation, etc.
  2. Penal provisions under specialised legislations which punish publishing or transmitting obscene and sexually explicit materials (such as child pornography or indecent representation of women).

Prosecutions:

  • Sedition charges were pressed against a former scientist for the hacking of an internet service provider and sending emails threatening national security to the Department of Atomic Energy (2001).
  • A criminal case for cheating, theft and criminal conspiracy under the IPC was registered against hackers involved in stealing debit and credit card details using a proxy IP address (2017).
  • Dr. Prakash v. State of Tamil Nadu (2002): sentenced to imprisonment for posting nude pictures of female patients online in contravention of the ITA, IPC and Indecent Representation of Women (Prohibition) Act, 1986.

Originally published by The International Comparative Legal Guide to: Cybersecurity 2018.
