MANU/TD/0001/2019
IN THE TELECOM DISPUTES SETTLEMENT AND APPELLATE TRIBUNAL
NEW DELHI
Cyber Appeal No. 1 of 2010
Decided On: 10.01.2019
Appellants: ICICI Bank
Vs.
Respondent: Umashankar Sivasubramanian and Ors.
Hon'ble Judges/Coram:
Shiva Kirti Singh, J. (Chairperson) and A.K. Bhargava, Member
Counsels:
For Appellant/Petitioner/Plaintiff: Vikas Mehta, Yugam Taneja, Vasanth Bharani and
Adith Nair, Advocates
For Respondents/Defendant: N.A. Vijayashankar, A.R.
ORDER
Shiva Kirti Singh, J. (Chairperson)
1. This appeal under Section 57 of Information Technology, 2002 (IT Act 2002) is
directed against order dated 12.04.2010 passed by Mr. P.W.C. Davidar, IAS,
Adjudicating Officer (A.O.) under the IT Act 2002 at Chennai in Petition No. 2462 of
2008. The petition arose from an application filed by the petitioner/respondent No. 1
herein, under Section 43 read with Section 46 of the IT Act, 2002. Under the
impugned order the appellant has been directed to pay to the petitioner/respondent
No. 1 a compensation of Rs. 12,85,000/- on the basis of findings recorded in the
order against the appellant. The appeal was preferred before the then Cyber Appellate
Tribunal in the year 2010. Since that Tribunal remained largely non-functional, no
judgment was delivered although the matter was heard in 2011. Ultimately it has
been placed under the jurisdiction of this Tribunal on account of the provisions in the
Finance Act, 2017.
2. On notice to the appellant and respondents, only respondent No. 1 has appeared
and has been heard afresh. Respondent No. 1/petitioner has relied upon documents
filed earlier including written submissions whereas learned counsel for the appellant
has advanced detailed submissions.
3. The respondents Nos. 2, 3 and 4 are in fact officers of the appellant, ICICI Bank
and have no interest other than that of the appellant. Respondent No. 5, M/s. Uday
Enterprises is an account holder in one of the branches of the appellant Bank at
Mumbai and admittedly the money wrongfully withdrawn from the account of
respondent No. 1 was transferred to the account of respondent No. 5. The total
fraudulent debit was of Rs. 6,46,000/- which was transferred to the account of
respondent No. 5, M/s. Uday Enterprises. Out of that, only Rs. 1,50,171/- was re-
credited to the account of respondent No. 1 by the Bank. A large amount of Rs.
4,60,000/- was withdrawn on behalf of respondent No. 5 as cash across the counter
and a sum of Rs. 35,000/- was adjusted by the Bank itself against the overdraft dues
of respondent No. 5. Thus, the net financial loss to respondent No. 1 in this case is
02-08-2021 (Page 1 of 7) www.manupatra.com Chambers of Soham Kumar
Rs. 4,95,829/- debited from his account on 06.09.2007. The Adjudicating Officer has
granted 12% simple interest per annum (i.e. minimum bank interest rates for loans)
till the date of judgment and has also allowed compensation for cost and expenses.
4. The facts relating to respondent No. 1 and his averments in the petition have been
recorded in detail in paragraphs 2 to 7 of the impugned judgment. From those facts it
is evident that respondent No. 1 as a customer of the Bank had approached the
Banking Ombudsman and has also filed a complaint at Tuticorin Police Station and
the Cyber Crime Police Station registered an FIR under Section 66 of the IT Act 2002.
According to petitioner/respondent No. 1, the fraud was on account of failure of the
Bank to have proper security procedures so that nobody should have been able to use
the official website of the Bank or its exact copy without timely detection and action.
In other words, the Bank failed to have an alert system by way of precaution in
respect of its official website and it was for that reason that respondent No. 1 was
misled to treat the Email of the fraudster as genuine Email from the Bank for the
purposes of security update and hence he complied with the request and disclosed
the confidential information such as password. Respondent No. 1 has also alleged
negligence on the part of the Bank in allowing respondent No. 5 or its representative
to withdraw a large amount in cash from a dormant deficit account. The failure of the
Bank to file a criminal complaint after it detected the fraud on the next day which was
confirmed by respondent No. 1 in response to a phone call from the Bank is also
evident. In fact, respondent No. 1 has gone to the extent of alleging that some
employee of the Bank may be acting under the cover of respondent No. 5 because no
criminal case was filed by the Bank and on the plea of 'in-house investigation', the
Bank allowed the CCTV footage to be erased by causing a delay of one month on
such pretext.
5. The appellant on the other hand has denied the allegations of negligence or
connivance. It has pleaded that at the time of opening of account with Internet
Banking Services, the customer agrees to various conditions imposed by the Bank
which include an undertaking to keep the User ID confidential and in case of failure
to do so the Bank shall not be liable for any unauthorised transaction. According to
the Bank, it is the complainant/respondent No. 1 who was negligent in disclosing the
confidential information such as the password and thereby it has fallen prey to a
phishing fraud. According to the Bank it has adopted good practices by educating and
informing the customers and also has proper security policies and guidelines for
safeguarding the interest of its customers. It has denied the allegation that it did not
comply with KYC requirement while permitting respondent No. 5 to open an account
with the Bank. It has justified the adjustment of Rs. 35,000/- from respondent No. 5
on account of an outstanding credit facility. The Bank also denied that they use the
password as the only source for authentication and asserted that they have other
sources of authentication such as mobile alerts, SMS confirmation etc. The Bank also
took the stand that the occurrence involved a criminal offence which was under
investigation of the Police and therefore, the Adjudicating Officer has no jurisdiction
under the IT Act 2002.
6. The Adjudicating Officer has considered the stand of the parties and rival
submissions from paragraph 15 onwards in the impugned order and found that it has
jurisdiction to decide the claim in view of Sections 43 and 85 of the IT Act 2002. On
account of appellant this finding has been challenged on the basis of provisions in
the aforesaid two Sections of the IT Act, 2002. It was submitted that Section 43
creates liability only upon the person who does any of the acts described in clauses
(a) to (j) and if the charges are proved, such person alone is liable to pay damages
by way of compensation to the person so affected. It was further pointed out that
clauses (i) and (j) have been inserted through a subsequent amendment of 2009 and
therefore, relevant clauses in this connection for the purpose of present case are
clauses (a) to clause (h). His submission is that the appellant Bank has not even been
charged with any of the misdeeds described in clause (a) to (h) nor is there any
finding to that effect and therefore, there was no scope or ground available for the
Adjudicating Officer to impose penalty on the appellant Bank as compensation to
respondent No. 1. Section 85 has been referred to and it has been commented that
this Section comes into play only when it has been found that contravention of
any of the provisions of the Act or any rule etc. has been committed by a company.
On such finding any person who was in-charge of and was responsible for the
conduct of the business of the company as well as the company shall be deemed to
be guilty of contravention and shall be proceeded against and punished accordingly.
Of course, the person charged can take the defence and escape the liability by
proving that he had no knowledge of the contravention or that he exercised all due
diligence to prevent such contravention. Even the Directors, Managers, Secretary or
other officers of the company shall be deemed to be guilty of the contravention made
by the company if it is proved that it was with their consent and connivance or
attributable to any negligence on their part. It has been rightly submitted that this
provision is not attracted until the factum of contravention of the provisions of the
Act etc. by a company is established. Only, thereafter, not only the company but
other persons described in Section 85 may also be held liable for such contravention.
7. In the present matter the Adjudicating Officer has not held any natural person
guilty of contravention with the aid of Section 85. The primary issue in this matter is
whether there is any allegation and material to prove that the Bank has violated any
of the clauses of Section 43 and whether the Adjudicating Officer has at all given
such a finding after discussing the case of the parties and the materials available on
record. The arguments require a close scrutiny of Section 43 of the IT Act.
8. In the facts and circumstances of the present case, admittedly the only clause
which can fasten the liability on the Bank under Section 43 is clause (g). It reads as
under:
"provides any assistance to any person to facilitate access to a computer,
computer system or computer network in contravention of the provisions of
this Act, rules or regulations made thereunder."
The other contraventions covered by various other clauses of Section 43 are definitely
not attracted against the Bank either on the basis of case of the petitioner/respondent
No. 1 as made before the Adjudicating Officer or even from the other materials
including the FIR of the criminal case. The Bank, in the facts of the case, can only be
charged for having provided assistance to the fraudster so as to facilitate access to
the computer system related to the banking transaction and that such access by the
assistance of the Bank was in contravention of the IT Act, 2002, rules or regulations
made thereunder.
9. Learned counsel for the appellant has, at the outset, referred to Section 43A which
provides for compensation for failure to protect data and has pointed out that this
Section was inserted in the Act with effect from 27.10.2009 only when many cases of
present nature came to the notice of the concerned authorities, but at the time of the
occurrence or the incident there was no such provision providing for compensation if
the Bank failed to maintain reasonable security practices and procedures leading to
wrongful loss or wrongful gain. The submission is that in absence of such provision
at the relevant time the finding of the Adjudicating Officer must be tested only on the
rigours of Section 43(g) and according to learned counsel in this case the finding is,
at best of 'negligence' by the Bank and not of any assistance to the fraudster.
According to learned counsel, assistance would require some positive act and an
intention to cause unlawful harm to the respondent/petitioner and unlawful gain to
the fraudster.
10. Learned counsel for the appellant is correct in submitting that Section 43A has
been inserted in the Act at a later date and therefore, appellant cannot be held liable
for paying damages by way of compensation only for failure to protect any sensitive
personal data or information available in appellant's computer resource. With the aid
of Section 43A such failure alone is sufficient for imposition of liability to pay
damages provided it is found that the concerned body corporate has been negligent
in implementing and maintaining security practices and procedures of reasonable
standards and that has caused wrongful loss or wrongful gain. The relevant terms, for
the purposes of Section 43A, have been defined through the Explanation and
therefore, "reasonable security practices and procedures" and "sensitive personal data
or information" have a definite defined meaning. For the purpose of Section 43(g),
there is no help available through Explanation because the word "assistance" is not
explained. Hence, it will have to be understood in its natural sense as per dictionary
meaning and the context. Literally, the provision treats all such assistance to be a
misfeasance which is rendered by the charged person without permission of the
owner or in-charge of the computer, computer system or computer network, to any
person so as to facilitate access to such gadgets "in contravention of the provisions
of this Act, rules or regulations made thereunder". (Emphasis added). Read with the
emphasis attached to some of the terms noted above the word "assistance" gets
sufficiently qualified. Lack of permission of the owner or any other person who is in-
charge clearly means that the person guilty of the charge of assistance has indulged
in certain acts or omissions without permission or authorization. When such
unauthorized action or omission amounts to providing assistance to another person
so as to facilitate access and that too in contravention of the provisions of the Act,
rules or regulations, the charge under Section 43(g) would stand proved so as to
attract the liability to pay damages as compensation to the affected person.
11. Learned counsel for the appellant has attempted to add to the provision by
insisting that there must be an added element of "mens rea" in providing such
assistance and unless there be such element of intention to facilitate access in
contravention of the provisions of the Act, rules or regulations, no liability should be
fastened so as to attract the penalty of damages by way of compensation. This
contention has to be rejected because the provision does not suffer from any infirmity
or vagueness so as to require clarification/addition. The power to adjudicate vested
in the Adjudicating Officer is a quasi-judicial power to hold an inquiry in a summary
manner for which the Adjudicating Officer has been vested with some of the powers
of civil court under the Code of Civil Procedure (CPC) available while trying a suit.
The criminal intent for mens rea if found to exist in the action of person charged
under Section 43 may make such person guilty of some offences which are covered
by Chapter XI of the Act which has to be investigated by a Police Officer not below
the rank of Inspector as provided under Section 78. The power of the criminal courts
has not been taken away or affected by any of the provisions of the Act. On the other
hand, the jurisdiction of the Adjudicating Officer has been given an overriding status.
As per Section 61 of the Act, Civil Court will not have jurisdiction of entertaining any
suit or proceeding in respect of any matter which an Adjudicating Officer is
empowered by or under this Act to determine. No injunction can be granted by any
court or other authority when the Adjudicating Officer is entitled to take an action in
pursuance of any power conferred by or under the Act. Hence, Section 43(g) does not
require a separate charge or proof as to mens rea because criminal offence is not
within the jurisdiction of the Adjudicating Officer and is not the subject matter of
Section 43 or other proceedings under Chapter IX.
12. Although the respondent has submitted that the Bank was under a legal
obligation to insist on digital signature of its customers for all E-banking
transactions, in our considered view there is no such obligation arising under any
law. The only obligation upon the Bank is to have a safe, secure and foolproof system
which may consist of various security layers including provisions for user ID,
passwords and CVV in addition to the basic details like customer ID, registered
mobile number, Email ID etc. These features must be supplemented by a general
responsibility upon the Bank to have a reasonably reliable security system so that its
computer system and network cannot be accessed unauthorisedly and may not be
misused so as to deceive the customers. Terms and conditions governing Internet
Banking appearing on the website of the Bank in fine prints cannot absolve the Bank
from its liability of providing adequate security measures so that requirements of the
Act, the rules and regulations made thereunder are met satisfactorily and the
customers' interests are well protected. The bargaining powers of the Bank and the
customer are not equal. Liabilities created by the statute may be compounded during
the course of legal proceedings through permissible means but the Bank cannot get
over such statutory liabilities by relying upon standard terms and conditions of a so-
called agreement and moreso on clauses which are one sided and take away rights of
customers without any justification or any consideration worth the name.
13. On behalf of the appellant, it has been repeatedly submitted that the appellant
Bank was not negligent, rather it was diligent in taking required safety measures both
pre-fraud and post-fraud periods. It had provided PIN as well as password for
transactions through internet banking and the respondent had acted negligently in
disclosing of the security credentials. The Bank had placed a limit of Rs. 5 lakhs per
day as a security measure to avoid fraudulent transactions. It has also claimed that in
2007, the Bank was using a secured server for Email transmission which did not
allow any third party to use its domain. After the instant incident was confirmed due
to Bank contacting the respondent on 07.09.2007, the Bank froze the account of
respondent No. 5 to prevent further withdrawal of money. It also completed an
inquiry within a month and on that basis respondent could file a police complaint
against respondent No. 5. According to learned counsel for the appellant, the
respondent is clearly guilty of at least contributory negligence and hence the Bank
should not be burdened with the entire loss of respondent. Further, as noted earlier,
the stand of the Bank is also that mere negligence, as found by the Adjudicating
Officer, cannot amount to "assistance" unless there be some positive acts showing
positive assistance.
14. No doubt the finding is only of negligence but in Para 25 of the order passed by
the Adjudicating Officer, it is recorded further - "The respondent Bank has failed to
put in place a foolproof internet banking system with adequate levels of
authentications and validation which would have prevented the type of unauthorized
access in the instant case that has led to a serious financial loss to the petitioner
customer." The detailed discussion of relevant facts as to Bank's Emails sent regularly
through internet contained in Para 19 justifies the finding in Para 25 that "the basic
loophole in ensuring that a customer recognizes an Email as from the Bank was a
glaring error on the respondent's part that would have prevented this incident". In
reply to our query as to which server was being used by appellant Bank in 2007 and
how did the Bank ensure that no third party can use its sub-domain and send fake
Emails to its customers, the Bank has replied through written notes that the Bank was
using SMTP Server for mail transfer. It has no doubt asserted thereafter that the Bank
had secured its system against any possible misuse but what was the security
arrangement or apparatus has not been revealed at all. There is no reply that the
alleged Email by the fraudster dated 02.09.2007 was from a sub-domain of
icicibank.com. There is also no reply as to how a web page under its domain name
could be created. The Bank, may be unwittingly, enabled and assisted the entire
transaction of fraud by opting for a Server and a system which permitted, in all
probability, the use of Bank's own domain for fraudulent transactions and as a result
the respondent/petitioner became a victim and suffered unlawful loss of money which
was entrusted to the Bank for safe keeping. Since the respondent was tricked by the
use of a sub-domain of the Bank's web domain, he is not found guilty of contributory
negligence.
15. The argument that something more than mere negligence is required for being
charged with the act of providing "assistance" to the fraudster is, in our view, an
attempt to create a technical issue which does not exist in reality. A watchman can
assist a thief by being "negligently" absent from the place of duty or by switching off
the security light at the time of the occurrence. The word "assistance" has to be
understood in the ordinary sense and does not require any additional prefix or
adjective such as "active" or "positive" assistance. Civil liability by its nature has to
be determined on the basis of preponderance of probability. It would be wrong to
insist for the test of proof beyond reasonable doubt which is required for proving a
criminal charge.
16. Although Section 43A creates a special responsibility to protect sensitive
personal data or information in a computer resource and creates a liability to pay
compensation for certain kind of negligence, the definition of the word "computer"
existing from before in the Act is wide enough to include all input, output processing,
storage... (emphasis supplied). The Bank's electronic records in a computer are
required to have a safe and secure procedure of access. Under Section 14 it would
fall under the term "secured electronic record" and hence, unauthorised access to
such records should not have been facilitated by the Bank by assistance through
negligence which is also described in detail by the Adjudicating Officer. We find no
good reasons to take a different view. The Bank has failed to show by way of defense
that it had taken all the required precaution and that the SMTP Server which it was
using in 2007 was the most technically advanced Server then available but even then
the Bank failed to secure its Email system against misuse. Hence, we find no good
reasons to reverse or in any way interfere with the finding and order of the
Adjudicating Officer in so far as compensating the respondent for the loss of his
money amounting to Rs. 4,95,829/- (Rupees Four Lakhs Ninety Five Thousand Eight
Hundred and Twenty Nine only) is concerned. The award of further amount of Rs.
1,60,048/- as interest till the date of impugned judgment is also upheld along with
the grant of Rs. 27,850/- which was paid as ad valorem fee and Application Fee.
17. But the cost of Rs. 6,00,000/- (Rupees Six Lakhs only) as incidental expenses
appears to be clearly excessive. We are of the view that a consolidated cost of Rs.
50,000/- would be sufficient. To this extent, the relief granted vide paragraph 26(d)
of the impugned judgment is modified. The appellant Bank would thus be liable to
pay to the respondent only Rs. 7,34,327/- (Rupees Seven Lakhs Thirty Four
Thousand Three Hundred and Twenty Seven only). The appeal succeeds only to this
extent and is disposed of accordingly. The modified decretal amount, if not paid,
must be paid by the appellant within a period of two months from today failing which
it shall carry an enhanced interest of 10% per annum with annual rest, from two
months hence and till the date of realization.
© Manupatra Information Solutions Pvt. Ltd.