By Anmol Sinha, Symbiosis Law School
Everything in this world evolves. The rule and regulations governing the society has changed down the centuries, so has the mode of commission of crimes. Cyber crime is an example of it. With the advent of internet and information technology, the commission of digital crimes is the new form which is increasing at an alarming rate. Almost all the companies nowadays provided their goods and services online which further makes digital arena a lucrative place for commission of an offence.
Following is the IRAC analysis of a case, where bizarrely the person responsible for the cyber security of a company ends up being the one violating it.
CASE DETAILS
Court – High Court of Punjab and Haryana
Case index – CRR No. 65 of 2013 (O&M)
CORAM – Honorable Justice Paramjeet Singh
Date of Decision – January 10, 2013
- Present criminal revision has been preferred by the petitioner against judgment dated 21.08.2012 passed by the learned Sessions Judge, Faridabad, whereby an appeal preferred by the petitioner has been dismissed and judgment of conviction dated 01.09.2011 and order of sentence dated 03.09.2011 passed by learned Judicial Magistrate FirstClass, Faridabad, has been upheld, vide which the petitioner has been convicted for offences punishable under Sections 420, 467, 468, 471 of the Indian Penal Code and Sections 65 and 66 of the Information & Technology Act, 2000 and sentenced to undergo rigorous imprisonment
- Branch Manager, Bank of Baroda, Faridabad moved a complaint dated 17.02.2003 before the Police stating that the petitioner was deputed by M/s Virmati Software and Telecommunication Ltd. to maintain the Software System supplied by them to the bank. He was also looking Software System of certain other banks. In connection with rendering such services, the petitioner was having access to their accounting system which was computerized and was also in a position to enter into ledgers and various other accounts. While condensing the files, certain discrepancies were pointed out by the officials of the bank
- in that process, it was revealed that the accused-petitioner, who was having SB Account No. 16202 in his personal name in their bank, manipulated the entries by forging and fabricating certain entries from one account to another, in the computer system by handling the software and got the entries pertaining to the amount of the bank in his favor and knowingly and intentionally withdrew the amount from the bank.
- As per enquiry, it has been revealed that the accused by carrying out forgery, fabricating the entries in the computer system of the bank, illegally and wrongfully, withdrew the amount of Rs.3,20,000 the accused confessed and admitted his guilt in writing on 07.02.2003 and requested the bank authorities not to initiate further action in this regard
- In an associated case having similar facts, CRR No. 66 of 2013 (O&M) 1 a total amount of Rs. 17,67,409/- was withdrawn from Vijay Bank by the accused.
- The accused was charged under various provisions of Indian Penal Code and Information Technology Act. He was charged of three years of rigorous imprisonment (punishment under various sections running concurrently) and was charged a fine of Rs. 7000/-
- In the revision petition, the Honorable High Court upheld the judgment
Indian Penal Code
- Section 420 – Cheating and dishonestly inducing delivery of property
“Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine”
- Section 468 – Forgery for purpose of cheating
“Whoever commits forgery, intending that the document forged shall be used for the purpose of cheating, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine”
- Section 471 – Using as genuine a forged document
“Whoever fraudulently or dishonestly uses as genuine any document which he knows or has reason to believe to be a forged document, shall be punished in the same manner as if he had forged such document”
- Section 65 – Tampering with computer source documents
“Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.”
- Section 66 – Hacking with computer system
“(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend upto two lakh rupees, or with both”
The revision petition was rejected by the High Court and the sentence passed was upheld.
The counsel on behalf of the accused relied on two main contentions. First being that one of the prosecution witness Ravinder Kumar Gupta said that no password was allotted to Sanjay, hence no direct nexus can be drawn that the crime has been committed by him. Second contention which was raised that the amount which was deposited in the bank account of the accused has been withdrawn and deposited to the bank again and hence, there is no actual loss to the bank.
Both the contentions were rejected by the High Court. The first contention was rejected citing the rationale that although no specific password was provided by the security company to the accused, the employee of the bank for maintenance purpose used to feed the password and allow the accused to operate the software and in this manner accused used to have access to all those files to which only the employee of the bank could have. Moreover, as the amount was deposited in the account of accused and he has withdrawn it, therefore, the argument stands nullified. The second contention was also rejected by the High Court. The High Court ruled that though no actual loss resulted to the bank, the commission of the offence cannot be neglected. For an offence to be committed two elements are necessary, Mens Rea and Actus Rea. In the present case both the elements are fulfilled. The mental intention part is satisfied as the accused deposited the amount in his personal account after having access to the accounts of the bank. The second element is satisfied as soon as the amount was withdrawn by the accused. He deposited it to the bank again, is something which cannot be considered as there was an equal chance that he could have used that money for some other purpose. No actual loss to the bank is a matter of chance in this case. If this fact is considered in the present case, it would serve as a bad precedent. Moreover, the accused himself confessed in writing that he manipulated the bank accounts.
The Court found out that, the elements of the offences under section 65 and 66 of the IT Act were satisfied. Offence was committed under section 65 as the accused intentionally tampered the computer system of the bank, of which he was under a responsibility to maintain. Offence was committed under section 66, that is ‘Hacking’ was committed as the accused intentionally altered the information stored in the computer resource of the bank and used it to cause wrongful loss to the bank. However, although accused was having secured assess to electrical record of the bank and he forged the entries and cheated to cause wrongful gain to himself but there is no such breach of confidentiality by disclosing the information to any other person and as such he is acquitted of offence under Section 72 (Penalty for breach of Confidentiality and Privacy) of the IT Act.
The High Court concurred with the Trial court’s view that counsel on behalf of respondent was successful is establishing the chain of events which lead to the commission of offence.
In my opinion, the Honorable High Court was justified in upholding the decision of the Trial Court.
However, the occurrence of such incident brings us face to face with a new question. Till now the general criminals who were hacking the accounts of a company, were not connected to it. The sole intention of hacking was to utilize it as a means to an end. In the present case, the person who hacked the computer system of the bank was one responsible to maintain it. He was the member of the security company which was under an obligation to make it safe and secure.
Even though we have a provision under IT Act for the breach of such confidentiality, under section 72
“Save as otherwise provided in this Act or any other law for the time being in force, any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book. register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.”
The present provision did not apply. The above provision consists of three elements.
- The person should have access to the records
- Without the consent of person concerned
- Disclosure of the information to the third party.
The offence was not committed under this section as the second and third elements were not satisfied. So what should be done in such situations?
The second element cannot be satisfied in the most of the cases, as the person committing the offence already has the access to the electronic records of another person. It would be impossible for the entity whose electronic records are accessed to know about commission of such offence, until at a later point of point.
The third element is also flawed as what should be done in the situations where the person having the access utilizes it for his own purpose?
Hence, in my opinion legislature should take steps to incorporate such crimes also where even though there is no breach of trust in literal sense of interpretation.
Also, the court was also right in not taking into consideration the return of the amount as a mitigating factor otherwise it would have served as a bad precedent and resulted into array of cases relying on it.