Cyber Laws For CxO

Be Aware... Be Empowered

January 2010

Editor: Naavi (www.naavi.org)

Publisher: Ujvala Consultants Pvt Ltd (www.ujvala.com)



Knowledge+

The Compliance Dilemma of an Intermediary

We have seen many cases under various provisions of ITA 2000/8 where Cyber Café owners in India have been pulled up for the misuse of the facilities by their customers. We might have then wondered how the innocent Cyber Café owner can be hauled up for the offence committed by a user of his facility.

In 2004, the Indian Corporate world was struck by the realization that even a Corporate CEO can face the same fate as the Cyber Café owner, when a member of the baazee.com service uploaded illegal content to the e-auction site and the CEO of baazee.com was charged with an offence under Section 67 of ITA 2000, which technically exposed the CEO to the risk of imprisonment up to 5 years.

This incident drew the attention of the corporate world for the first time to the vicarious liability provisions of ITA 2000 (Information Technology Act 2000) applicable to “Intermediaries”. ITA 2008 (ITA 2000 as amended by the Information Technology Amendment Act 2008) has further enhanced the responsibilities of “Intermediaries”, and Companies need to take due notice that their responsibilities have also increased correspondingly. In other words, CEOs need to examine under what circumstances they fit into the definition of “Intermediaries” and face the vicarious liabilities as provided in the Act.

According to Sec 2(w) of ITA 2008,

"Intermediary" with respect to any particular electronic records, means, any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes. 

This definition includes any organization which handles information on behalf of another person. This means that “Ownership of information handled” is a key issue to determine if an organization is an “Intermediary” or not. By handling information not belonging to oneself, the organization would be exposed to the possibility that such information could be instrumental in contravening any of the provisions of ITA 2008.

Normally, a Company owns all the information generated by itself. However, occasionally, it also handles information that belongs to its clients, as in the case of BPOs, Internet service providers, Mobile service providers or Telecom companies. Companies also handle information belonging to their employees. In such cases, the Company assumes the role of an “Intermediary”.

At a time when “Cloud Computing” is becoming the order of the day and “Outsourcing” is already established as a model of business, more and more companies offer services to third parties, and all of them are open to the risks arising out of handling third party information. Hence the relevance of the definition of “Intermediaries” is felt by many companies.

There are many offences under ITA 2008 that may be committed with the use of data or information in electronic form. It could be connected with obscenity as in the case of baazee.com or with false information hosted on a web page. There could be Phishing, Cyber Stalking, Advance Fee frauds and of course theft of identity information such as Credit Card data. There could be e-mails and SMS messages which may carry terrorist messages. There could be malicious codes bundled with other content and delivered to unsuspecting victims.

Any of these kinds of poisonous information handled by a system owned by the Company could be considered as an “Offence Committed by the Company”. Though the offence is actually committed by a third party, the Company and its officials would have to bear the vicarious liability under Section 85 of ITA 2008 unless they can establish that they have practiced “Due Diligence”.

There is also Section 79 of ITA 2008 which is important to determine if an “Intermediary” is liable for the offences committed with the use of information which it handles in its capacity as an “Intermediary” but does not belong to itself.

During the time the amendments to ITA 2000 were being considered, there was a good debate on the need to provide a safety net to protect “Intermediaries” such as baazee.com from being held liable for the offences committed by the users of their services. Even in ITA 2000, Section 79 provided the escape clause for Intermediaries, stating that “An intermediary shall not be liable…” if certain conditions are fulfilled. This section has been slightly modified in ITA 2008 and the section now reads as under.

 Exemption from liability of intermediary in certain cases

(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link  hosted by him

(2) The provisions of sub-section (1) shall apply if-

(a) the function of the intermediary is limited to providing access to a communication system over which information made available by third parties  is transmitted or temporarily stored; or

(b) the intermediary does not-

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission

(c) the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf

 (3) The provisions of sub-section (1) shall not apply if-

(a) the intermediary has conspired or abetted or aided or induced whether by threats or promise or otherwise in the commission of the unlawful act

(b) upon receiving actual knowledge, or on being notified by the appropriate Government or its agency that any information, data or communication link residing in or connected to a computer resource controlled by the intermediary is being used to commit the unlawful act, the intermediary fails to expeditiously remove or disable access to that material on that resource without vitiating the evidence in any manner

Explanation:- For the purpose of this section, the expression  "third party information" means any information dealt with by an intermediary in his capacity as an intermediary

The essential aspects of Section 79 which we may note are:

a) When an intermediary receives knowledge that some unlawful act is being committed with information under his control, he needs to “expeditiously” remove or “disable access”, “without vitiating the evidence in any manner”.

b) The intermediary shall observe “Due Diligence”.

Thus both under Section 85 and Section 79, it becomes essential for the Intermediary to establish that it is practicing “Due Diligence”.

Unfortunately, the term “Due Diligence” cannot be easily reduced into a “Check List”. Though ITA 2008 was notified to be effective from October 27, 2009 and all sections including Section 79 of ITA 2008 have become effective from October 27, 2009, Rules under Section 79 have not yet been notified.

Similarly, one more section which has become effective against the Intermediaries but for which the rules are not yet notified is Section 67C, which talks about preservation and retention of information. This section states:

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

This section, when read with Section 79, indicates that information which may form “Evidence”, and any other information that may be specified by the Government at some point of time in future when the rules under Section 67C are notified, needs to be retained in an appropriate form for an appropriate time.

This is one of the many compliance obligations that Companies need to follow and document immediately. CxOs need to check if the requirement has been taken care of in their respective organizations. In order to understand all the implications of ITA 2008, it is necessary for the CxO to conduct an ITA 2008 compliance audit and take necessary steps for compliance.

Naavi

