It could well be termed the country’s first legal adjudication of a dispute raised by a victim of a cyber crime. In a verdict in the first case filed under the Information Technology Act, Tamil Nadu IT secretary on Monday directed ICICI Bank to pay Rs 12.85 lakh to an Abu Dhabi-based NRI within 60 days for the loss suffered by him due to a phishing fraud. Phishing is an internet fraud through which sensitive information such as usernames, passwords and credit card details are obtained by masquerading as a trustworthy entity.
The compensation includes the loss suffered by the petitioner, the travel expenses and the financial loss incurred on account of “complete lack of involvement of the respondent bank,” said TN IT secretary PWC Davidar in his order. The order came on a petition filed by Umashankar Sivasubramaniam, who claimed he received an email in September 2007 from ICICI, asking him to reply with his internet banking username and password or else his account would become non-existent.
Though he replied, he found Rs 6.46 lakh transferred from his account to that of a company, which withdrew Rs 4.6 lakh from an ICICI branch in Mumbai and retained the balance in its account.
In his application for adjudication filed under the IT Act to the state IT secretary on June 26, 2008, he held the bank responsible for the loss.
But ICICI Bank claimed that the petitioner had negligently disclosed the confidential information such as password and had fallen prey to a phishing fraud. “Customers are fully apprised on security aspects of internet banking through various channels. We reassure that our security systems are continuously audited and neither the security nor our processes have been breached,” said a bank spokeperson.
The bank said it will appeal the order. “ICICI Bank endeavours to offer world-class service to its customers. Today, we have hundreds types of transactions, which can be completed online without having to walk into a branch. We strive for convenience and safety of our customers and uninterrupted availability of our services through self-service channels. We also continuously upgrade our systems and technology to ensure that our customers get the best experience and a safe environment while transacting online,” the spokesperson added.
Techno-legal consultant Na Vijayashankar, who appeared for the petitioner, said while the order may lead to tightening of cyber laws in the country, the judgement reflects the lack of accountability of using internet banking. “Phishing fraud is very common but banks are not accepting the liabilities. Such a ruling will set a good precedent.”
Though there are 300-odd phishing cases recorded or contended within the country, they have not been pursued under proper legal framework, he said noting that some such cases were filed at consumer courts.