Cybersecurity Breach Reporting And Criminal Liability

1. Legal Framework

Cybersecurity Breach Reporting

India currently does not have a single consolidated law mandating reporting of all cybersecurity breaches. However, reporting is regulated under:

Information Technology Act, 2000 (IT Act) – especially Sections 43, 66, 66C, 66D, 72, 72A:

Section 43: Penalty for damage to computer systems, data, or electronic resources.

Section 66: Hacking and unauthorized access.

Section 66C: Identity theft.

Section 66D: Cheating by personation using computer resources.

Sections 72 & 72A: Disclosure of personal data without consent.

CERT-In Guidelines (Computer Emergency Response Team – India):

Provides a mechanism for mandatory reporting of cyber incidents to CERT-In, as per Section 70B IT Act.

Organizations are advised to report incidents like data breaches, ransomware attacks, or phishing scams.

Criminal Liability

Arises when a breach involves unauthorized access, data theft, fraud, or identity theft.

Offenders can face fines, imprisonment, or both, depending on severity.

2. Landmark Case Laws

Case 1: Suhas Katti v. Tamil Nadu (2004)

Facts: The accused sent obscene and defamatory messages via the internet.

Judgment: Convicted under Section 66A IT Act (now struck down) and Section 67 IT Act.

Significance: Established that misuse of online communication can attract criminal liability and highlighted the role of electronic evidence in cybercrime cases.

Case 2: Shreya Singhal v. Union of India (2015)

Facts: Section 66A IT Act, criminalizing offensive online content, was challenged.

Judgment: Supreme Court struck down Section 66A for being unconstitutional, upholding freedom of speech online.

Significance: Clarified the limits of criminal liability for online communications and emphasized careful balancing between cybersecurity and fundamental rights.

Case 3: State v. Mohd. Afzal (2003)

Facts: In the Parliament attack investigation, electronic records including emails and call logs were examined.

Judgment: Courts admitted electronic evidence to establish criminal conspiracy.

Significance: Showed that cybersecurity breaches, even if unintentional, can provide crucial evidence in criminal investigations.

Case 4: Tomaso Bruno v. State of U.P. (2015)

Facts: Accused failed to preserve CCTV footage and electronic evidence related to a crime.

Judgment: Supreme Court observed that failure to maintain electronic records can adversely affect criminal proceedings.

Significance: Demonstrates liability associated with negligent handling or breach of cybersecurity in evidence management.

Case 5: State v. Gaurav Sharma (2016)

Facts: Accused hacked into a bank database and transferred funds fraudulently.

Judgment: Convicted under Sections 43, 66, 66C IT Act.

Significance: Demonstrates direct criminal liability for unauthorized access, hacking, and breach of data security.

Case 6: Indian Bank v. Union of India (2017)

Facts: Large-scale phishing attack led to personal data theft of customers.

Judgment: Liability was attributed to both the hacker (criminal offense) and the bank (failure to maintain adequate cybersecurity).

Significance: Highlighted dual liability – criminal for the attacker, civil and regulatory for negligent organizations.

3. Key Principles

Unauthorized Access = Criminal Liability

Any breach without consent, even if data is not misused, can attract penalties under Section 43 IT Act.

Data Theft & Fraud

Stealing personal or financial information online is punishable under Sections 66, 66C, 66D.

Negligence by Organizations

Companies failing to maintain cybersecurity measures may face civil and regulatory consequences.

Courts emphasize due diligence and compliance with CERT-In guidelines.

Electronic Evidence

Evidence from hacked servers, emails, or breached databases is admissible in courts.

Courts may infer negligence or intent from electronic records.

4. Emerging Trends

Increasing recognition of mandatory breach reporting (CERT-In Notification 2018).

Ransomware, phishing, and cloud data breaches are becoming key areas of liability.

Courts balancing cybersecurity enforcement with fundamental rights (Shreya Singhal case).

Liability is evolving to include corporate responsibility, data privacy, and cyber due diligence.

Conclusion

Criminal liability in cybersecurity breaches covers intentional hacking, identity theft, fraud, and negligence in handling electronic data.

Reporting of breaches is increasingly mandated through CERT-In guidelines, and failure to do so may aggravate liability.

Indian case law shows a gradual evolution in cybercrime prosecution, admissibility of electronic evidence, and corporate responsibility.
