Expanding horizons of data protection in cyberspace: Court orders negligent bank and mobile service provider to pay compensation
25 Jan 2014 5:24 AM GMT
In September last year, Sanjay Dhande, a former Director of IIT Kanpur, alleged that 19 Lakhs had been fraudulently siphoned from his ICICI current bank account. The account was jointly held by Dhande and his wife, and they used mobile phone banking through Vodafone, with the SIM registered in his wife's name. Peculiarly, the SIM had stopped working between the 6th and 9th of September, 2013, the very period during which the funds were siphoned off via a foreign IP address in Turkey. A complaint about the non-functioning SIM was made to the mobile service provider on the 10th of September. When the victim later learned the full extent of what had happened, he immediately asked the bank to freeze his accounts. When Mr. Dhande sent a complaint letter to the Vodafone office regarding the illegal SIM hacking, he was told that on the 6th of September a duplicate SIM had been issued by the Pune office of the service provider to a third person without proper verification. The cyber cell was able to recover about 3 Lakhs of the siphoned money.
In a radical twist amid the disarray of information technology law in India, the recent ruling of the Adjudicating Officer, Maharashtra comes as a relief to the much-harassed Professor. The ruling holds both the Bank and the Mobile Service Provider liable and directs them to pay compensation of 6 and 12 lakhs. The court found liability under Section 43A of the Information Technology Act, 2000, which provides a civil remedy against failure to protect data, in this case by both the bank and the mobile service provider.
Prima facie, the court held that the Bank was in flagrant violation of the "Master Circular – Know Your Customer (KYC) norms / Anti-Money Laundering (AML) standards / Combating of Financing of Terrorism (CFT) / Obligation of banks under PMLA, 2002" dated 2nd July 2012 issued by the Reserve Bank of India, and of the "Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds" issued by the RBI on 29/04/2011. The bank did not question the sudden and inconsistent nature of the transactions, which were being routed through a foreign IP address. The bank did not maintain proper CCTV footage of the ATM or cash withdrawal transactions. Some of the addresses of its customers, including the suspect's, were bogus. The bank did not respond to any of the queries or letters sent by the victim in this case, displaying an insincere attitude towards its customers.
The court also found the mobile service provider to be in blatant non-compliance with the verification standards that service providers are required to observe, as laid down by the Hon'ble Supreme Court in Avishek Goenka Vs. Union of India & Anr., decided on April 27, 2012. The Supreme Court in that case took note of the fact that SIM cards are issued without proper verification, which poses a serious security threat and encourages malpractice in the telecom sector. Here, the service provider issued a duplicate SIM to a third party without proper verification. What is even more astonishing, indeed absurd, in this case is that the duplicate SIM was issued against a scanned photo ID of DMK leader Dayanidhi Maran, when the SIM had been registered in the first place in the name, and against the photo ID, of the victim's wife. The service provider did not verify the details in its online File Net system, which, it claimed, was not working at the time. The provider even reissued the One Time Password, completing the chain of events that led to this conniving episode. Even a simple phone call by the provider to the complainant's registered mobile number could have averted the incident.
The court not only properly recognised the victim's helplessness and his lack of any contribution to the crime, but also pinned liability where it belonged. Cyber law expert Advocate Prashant Mali appeared for the complainant.
In their submissions, the bank and the mobile service provider did their best to evade liability by deploying technical and legal jargon to bury the substance of the argument. Both flatly maintained that they had done everything required of them under the standard terms and conditions of the Customer Relationship form and the Corporate Internet Banking and Mobile Facility agreement. This was a rather obtuse argument, considering that both had failed to observe the most basic standards of care in verification and monitoring prescribed for adding a new customer or updating the details of an existing one.
In fact, Vodafone's very attempt to escape liability by arguing that the information it handled, namely call record data, was not sensitive information prompted the court to expand the scope of Section 43A of the Information Technology Act, which covers data protection and fraud. The court simply stated that, given the extent of information handled by service providers, such as calls to various helplines and people's personal details in messages, it was hard to believe that the information they handled was not sensitive or not open to exploitation. In its obiter, the court acknowledged the sense of helplessness customers feel in the face of internet fraud. It noted that in countries like the USA, banks that promote mobile phone banking and other technological advances also insure their customers against the risk of cyber fraud, and that it was perhaps time India adopted such solutions rather than letting the supposed impossibility of stopping cyber crime become an easy defence for escaping liability.
Saumya Dev is Student Reporter at Live Law. She is also a 4th year student of Gujarat National Law University.
Read the Order here