Penalties, Compensation and Procedure of Adjudication under IT Act, 2000

Introduction:

The Information Technology Act, 2000 was implemented on 17 May 2000 to provide legal recognition for electronic transactions and to promote e-commerce. It was subsequently amended with the passage of the Information Technology (Amendment) Act, 2008.

The following are the important objectives of The Information Technology Act, 2000:

1. Grant legal recognition for e-transactions.
2. Provide legal recognition of Digital Authentication Signatures.
3. Facilitate e-Data and information filing.
4. Enable Electronic data storage.
5. Grant acknowledgment for the preservation of books of accounts in electronic form.

Section 43 of The Information Technology Act, 2000

Penalty and compensation for damages to device, computer system (CS), or computer network (CNW) under Section 43.[1] This section states that if an individual executes any of the following prohibited actions, he shall be liable for the damages to the party concerned by paying compensation not exceeding 1 crore:

1. Access without authority: If access to or secures access to such a device, computer system, or computer network.
2. Downloading, copying, or extracting any data without authority: If any data, computer database, or information is downloaded, copied, or extracted from any computer, computer system, or computer network.
3. Injection of computer contaminant/virus: If any computer contaminant or computer virus is imported or caused to be introduced into any computer, computer system, or computer network, even information or data stored or stored in any removable memory device.
4. Damages to a computer database: If it damages or causes damage to any computer, computer system, or computer network, records, computer database, or other programs within that computer, computer system, or computer network.
5. Disjuncture of the computer, computer system, or computer network: If any disruption is caused to the specified computer resources.
6. Denial of access: If it refuses or triggers denial of access by any means to any person authorized to access any device, computer system, or computer network.
7. Providing aid to facilitate access: If any support is given to any person to enable access to a device, computer system, or computer network in violation of the provisions of this Act, the rules or regulations thereunder shall apply.
8. Charging services to another person’s account: If they charge a person’s services to another person’s account through tampering with or manipulating some CS or CNW device.
9. Destruction, deletion, or modification of information: If it damages, deletes, or changes any information that exists in a computer resource or devalues its value or usefulness or affects it injuriously through any means whatsoever.
10. Stealing, concealing, or damaging computer source code: If it exploits, hides, damages or alters, or allows another person to steal, hide, damage, or modify any computer source code used for a computer resource intended to cause harm. [Inserted vide ITAA, 2008].

Explanation of the words used in compliance with section 43[2]

1. “Computer Contaminant” means any variety of computer instructions which are designed (a) to alter, delete, capture, transmit data or program within a computer, a computer system, or a computer network; or (b) to capture illegally by any means the regular activity of a computer or a CNW.
2. “Computer Database” means the representation of data, information, facts, concepts, or instructions in text, images, audio, video that are prepared or prepared in a formalized manner or generated by a computer, computer system, or a computer network and intended for use in a computer, a CS or a CNW.[3]
3. “Computer Virus” means any computer instruction, information, data, or software that damages, destroys and diminishes, or adversely affects the output of a computer resource or attaches itself to another computer resource and operates when a program, data, or instruction is executed or any other event occurs in that computer resource.
4. “Damage” means the degradation, alteration, elimination, addition, modification, or reorganization of any computer resource by any means.
5. “Computer Source Code” means the listing in some type of programs, computer functions, design and layout, and software analysis of computer resources.

Compensation for failure to protect data [43A, Inserted vide ITAA, 2008]

This section provides that if an entity is negligent in carrying out and maintaining fair security practices and procedures, processing, handling, or handling any confidential personal data or information in a computer resource that it owns, manages, or operates, and thereby causes wrongful loss or benefit to any person, that entity shall be liable for damages by way of compensation.[4]

Explanation of the words used in Section 43A

1. “Body Corporate” means any company and involvement in a company, sole proprietorship, or other groups of individuals engaged in commercial or professional activities.
2. “Reasonable Security Practices and Procedures” means security practices and procedures designed to protect such information from unauthorized access, harm, usage, alteration, exposure, or disruption as may be provided for in an agreement between the parties or as may be provided for in any law for the time being in effect and in the absence of any agreement or any law, such reasonable security as may be provided for in an agreement between the parties.[5]
3. “Sensitive Personal Data or Information” means confidential information as may be recommended by the Central Government in collaboration with such professional bodies or organizations as it may deem necessary.[6]

Penalty for failure to provide information, return or report (Section 44)

This section provides for the following penalties to be imposed on a person who has to comply with certain legal obligations under this Act, the rules or regulations made thereunder:

1. Punishment for failure to include any paper, return or report to CCA or CA. For each such loss, he shall be liable to a penalty not exceeding 1,50,000.
2. Penalty for failure to return or furnish records, books, or other documents within a defined time period. He shall be liable for a penalty not exceeding 5,000 for each day on which such failure continues.
3. Penalty for failure to maintain books of accounts or documents. He shall be liable for a penalty not exceeding 10,000 for each day on which the failure continues.

Penalty for contravention of rules or regulations (Section 45)

This section provides that if a person contravenes any of the rules or regulations imposed pursuant to this Act for which no penalty has been levied, the person concerned shall be liable to pay compensation not exceeding 25,000 to the affected person.[7]

Power to adjudicate (Section 46 in The Information Technology Act, 2000)

1. In order to decide, in accordance with this Chapter, whether a person has committed an infringement of any provision of this Act or of any law, regulation or order made thereunder which makes him liable to pay penalty or compensation, the Central Government shall, subject to the provisions of subsection (3), appoint any officer not less than the Director of the Government of India or an equivalent officer of the Government of the State to be an adjudicator for the conduct of an investigation in the manner specified by the Central Government.[8]
   [(1A) The adjudicating officer named pursuant to subsection (1) shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed five crores: given that the jurisdiction in respect of the claim for injury or damage exceeding five crores is with the competent court.]
2. The adjudicator shall, after providing the person referred to in subsection (1) a fair opportunity to make representations in the matter and if he is satisfied, on such an examination, that the person has committed the violation, impose such penalty or grant such compensation as he considers necessary in accordance with the provisions of that section.[9]
3. No individual shall be authorized as an adjudicator unless he has such experience in the field of information technology and legal or judicial experience as may be prescribed by the Central Government.
4. Where more than one adjudicating officer is authorized, the Central Government shall by regulation, determine the matters and places in respect of which those officers shall exercise their jurisdiction.
5. Each adjudicator shall have the powers of a civil court bestowed on the Cyber Appellate Tribunal pursuant to subsection (2) of section 58, and-
   • (a) any proceedings until it shall be considered to be judicial proceedings within the scope of sections 193 and 228 of the Indian Penal Code (45 of 1860);
   • (b) shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973 (2 of 1974);
   • [(c) shall be considered to be a civil court for the purposes of Order XXI of the Code of Civil Procedure, 1908 (5 of 1908).

Section 47 in The Information Technology Act, 2000

Factors to be taken into account by the adjudicating officer. -While determining the amount of compensation referred to in this Section, the adjudicating officer shall take due account of the following factors, namely:

1. the amount of unfair advantage obtained, wherever quantifiable, as a result of the default;
2. the sum of damages sustained by any individual as a result of the default;
3. the repetitive aspect of the default.[10]

Conclusion

Information Technology (Reasonable Security Practices and Procedures and Confidential Personal Data or Information) Regulations have since been notified by the Government of India, Department of IT. Any corporate body or individual on its behalf shall be deemed to have complied with acceptable security practices and procedures, provided that certain security practices and standards have been enforced and that a detailed recorded information security policy and information security policies including management, technological, operational, and physical security controls have been implemented in compliance with those requirements.

In the event of an information security violation, the corporate body or an individual on its behalf must show, if and when called upon to do so by an agency authorized under the statute, that they have adopted security control measures in compliance with their documented information security program and information security policies. Law for penalties, compensation, and adjudication is ruled under the IT act for the better functioning of the Electronic contract.

---

References:

[1] Penalties compensation and adjudication. Retrieved from https://www.bananaip.com/the-it-act/chapter-ix-penalties-compensation-and-adjudication/ .

[2] Aditi. (2020). Penalties and adjudication. Retrieved from http://aditi.du.ac.in/uploads/econtent/16_april.pdf .

[3] Pathlegal (2020). Penalties and Adjudication in IT Act 2000. Retrieved from https://www.pathlegal.in/Penalties-and-Adjudication-in-IT-ACT-2000-blog-1831947 .

[4] Anderson, M. C., Banker, R. D., & Ravindran, S. (2000). Executive compensation in the information technology industry. Management Science, 46(4), 530-547.

[5] How to recover compensation under the Information Technology Act. Retrieved from How to recover compensation under the Information Technology Act .

[6] Pradnya. Offences & Penalties under the Information Technology Act, 2000. Retrieved from http://www.legalservicesindia.com/article/439/Offences-&-Penalties-under-the-IT-Act,-2000.html .

[7] Government of India Ministry of Power. https://powermin.nic.in/en/content/offences-and-penalties .

[8] Ankit. (2019). Penalties, Compensation and Adjudication under Information Technology Act, 2000. Retrieved from https://www.q10.com/p/48988/penalties-compensation-and-adjudication-under-in-1/ .

[9] Information Technology Act, 2000. http://www.bareactslive.com/ACA/ACT632.HTM .

[10] Nikhil. (2018). Cyber crime and Information Technology act. Retrieved from http://mja.gov.in/Site/Upload/GR/Title%20NO.13(As%20Per%20Workshop%20List%20title%20no13%20pdf).pdf .