Section 43 of Information Technology Act, 2000

Introduction

More often, individuals and businesses face a predicament where they are subjected to certain acts by peers, competitors, ex-employees, and other malicious entities, which do not squarely fall within the ambit of “cyber-crimes”. The end result is a few visits to the police station without any remedy to avail, or worse, a frivolous FIR resulting in an unnecessary waste of time and funds. In reality, the Information Technology Act (hereinafter referred to as ‘the Act’) is well equipped to deal with such “contraventions” under Chapter 9, Section 43 and 43-A, by awarding compensation to the victim, and in certain cases, penalty upon the offenders. These offences require a complaint to be lodged before the adjudicating officer under the Act, and this article explains exactly how to go about the process.

Offences under the Information Technology Act

The acts that comprise offences under Chapter 9 can be classified under 2 major heads, acts by persons/individuals, and acts by a body corporate. The offences by a person are covered under Section 43 of the Act, and they are elaborated in detail hereunder:

1. All such acts must first and foremost be performed without the consent of the owner or person in charge of the computer, computer system, or computer network.
2. Accessing or securing access to a computer, computer system, or computer network (hereinafter collectively referred to as “computer”). The act makes it illegal to just enter a computer by guessing the password or using third-party tools to break the machine’s security. Under section 2(a) of the Act, ‘access’ is defined to include “entry into/instructing or communicating with the logical, arithmetical or memory function resources of a computer”. As a result, even if there is indirect access to the computer’s hard drive or specific files without using traditional methods, it will be considered a violation under this article.
3. Any information/data from a computer, including data saved on removable storage media, can be downloaded, copied, or extracted. Although the term “downloading” is not defined in the Act, it refers to the copying of data from one computer system to another. This involves making a copy of the data without harming/damaging the original data. Any data, including a database of phone numbers, client lists, designs, artwork, photographs, videos, document files, etc. amounts to a violation under this subsection. There is substantial ambiguity over the precise definition of data extraction. It can either be the act of selectively acquiring data from a certain file without copying the entire file, or it can be the process of removing the original data entirely without making a copy. Direct introduction or causing contamination indirectly, of any form of a virus into a computer. This is usually done by directly introducing a virus via an external storage device, or by leaving a link or a file on the computer, which when accessed, releases the virus. Computer Contaminant has been further explained in Section 43 Explanation (i) to include any set of computer instructions that are designed:
   1. “To modify, destroy, record, transmit data or program residing within a computer, computer system or computer network;
   2. by any means to usurp the normal operation of the computer, computer system, or computer network.”

Explanation: Section 43 of Information Technology Act, 2000

1. “Computer Contaminant” means any set of computer instructions that are designed:
   1. to modify, destroy, record, transmit data or program residing within a computer, computer system, or computer network.
   2. by any means to usurp the normal operation of the computer, computer system, or computer network.
2. “Computer Database” means a representation of information, knowledge, facts, concepts, or instructions in text, image, audio, a video that is being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system, or computer network and are intended for use in a computer, computer system or computer network.
3. “Computer Virus” means any computer instruction, information, data, or program that destroys, damages, degrades, or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data, or instruction is executed or some other event takes place in that computer resource.
4. “Damage” means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means.
5. “Computer Source Code” means the listing of programs, computer commands, design and layout, and program analysis of computer resources in any form.

Landmark News and Case Laws

1. Reliance Jio owned by Mukesh Ambani had registered an FIR with the Navi Mumbai police under section 379 (theft) of the IPC and section 43 (2) (data theft – downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium) and 66 (computer-related offenses) of the Information Technology Act. In this respect, the Maharashtra police have arrested a computer course dropout from Rajasthan for allegedly leaking a database of Reliance Jio customers on a website – Magicapk.com. He will be produced in a court in Rajasthan for transit remand and will then be brought to Navi Mumbai. Also, Forensic analysis is underway to find out if Jio’s database has been leaked and how the accused managed to get his hands on the data.
2. Poona Auto Ancillaries Pvt. Ltd., Pune vs. Punjab National Bank, HO New Delhi & Others: In 2013, in one of the largest compensations awarded in legal adjudication of a cybercrime dispute, Maharashtra’s IT secretary Rajesh Aggarwal had ordered PNB to pay Rs 45 lakh to the Complainant Manmohan Singh Matharu, MD of Pune based firm Poona Auto Ancillaries. A fraudster had transferred Rs 80.10 lakh from Matharu’s Account in PNB, Pune after Matharu responded to a phishing email. The complainant was asked to share the liability since he responded to the phishing mail but the Bank was found negligent due to a lack of proper security checks against fraud accounts opened to defraud the Complainant.

Methods to recover compensation under the Information Technology Act

1. Appointment of Adjudicating Officer:Section 46 of the Act empowers the Central Government to appoint any person not below the rank of Director to the Govt. of India or an equivalent officer of a State Government to be an adjudicating officer under the Act, and such an officer has the powers to hold inquiries and award penalties, to adjudicate any contravention under the Act, rules, regulation, direction or order. This provision enables the government to appoint a quasi-judicial authority to adjudicate upon these contraventions.
2. Jurisdiction:The pecuniary jurisdiction vested upon the adjudicating officer is to the extent of Rs. 5 crores, i.e., the adjudicating officer can order compensation or penalties to the maximum amount of Rs 5 crores. There seems to be some lacuna around the jurisdiction aspect, due to the bar of a civil court’s jurisdiction under Section 61 of the Act, thereby leaving a victim remediless in case he prays for compensation for damages beyond Rs 5 crore in his complaint.

This lacuna can be easily removed by a harmonious interpretation, and in my view, the bar in jurisdiction extends only “to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act”. As complaints involving a prayer beyond Rs 5 crore are not suits or proceedings that an adjudicating officer or Appellate Tribunal is empowered to adjudicate, the civil court should ordinarily have jurisdiction.