IDBI Bank v. Sudhir S. Dhupia
In the Telecom Disputes Settlement and Appellate Tribunal
Cyber Appeal No. 7/2013
Before Mr. Shiva Kirti Singh, Chairperson, and Mr. A.K. Bhargava, Member
Decided on August 13, 2019
Relevancy of the case: Compensation in a case involving phishing and bank fraud
Statutes & Provisions Involved
- The Information Technology Act, 2000 (Section 43(g), 43(j), 43A, 85)
Relevant Facts of the Case
- The respondent received an email from the applicant bank asking him to provide confidential information. This information included the respondent’s net banking ID and password.
- The applicant bank’s routine weekly statement issued to the respondent showed that some unauthorised transactions had taken place amounting to a total of Rs 81,700 (Rs 50,000 and Rs 31,700).
- The amounts were transferred from the respondent’s bank account to another account maintained with the applicant bank.
- The bank accounts to which these amounts were transferred were frozen by the applicant bank. But by this time the money had already been withdrawn by the respective account holders. The applicant bank conducted an internal inquiry and lodged a police complaint.
- The Adjudicating Officer passed an order dated 28.3.2013 awarding total compensation of Rs. 1,00,000 to the respondent, stating that the applicant bank had failed to establish due diligence to prevent such contravention as laid out in Section 43 of the Information Technology Act, 2000. Adequate checks and safeguards had not been planned to investigate and track the fraudsters.
- Aggrieved by the order of the adjudicating officer, the appellant has filed an appeal.
Prominent Arguments by the Advocates
Mr Sumnesh Kumar, Counsel for the appellant:
- The adjudicating officer had failed to consider the gross negligence of the respondent. The appellant bank had taken all the steps to educate and alert the respondent. Thus, no responsibility should be attached to the appellant bank, as it had sent emails and SMS alerts warning the respondent to be careful of phishing emails and phone calls. The appellant further mentions that the alleged emails were retrieved by the complainant from the trash box instead of the inbox, and that he did not call the bank’s customer care to check the legitimacy of such mail.
Opinion of the Bench
- The appellant is not at fault for not educating its customers. Educating customers and keeping them aware is a good practice and does help in reducing frauds. However, the email which asked the complainant for his sensitive personal information was sent from the registered domain of the appellant bank’s website.
- This could have happened because of a security loophole in the appellant’s IT system. The appellant has not offered any explanation. Thus, the bank has been faulted for not implementing good security practices and procedures, which led to the occurrence of the fraud. A secure net banking system in place would have prevented such a fraud.
- The appellant bank has been penalized under Section 43 read together with Section 85 of the Information Technology Act, 2000. Section 85 deals with offences by companies and provides that, in case of contravention of the Act, the other persons described in the section may also be held liable. Under Section 43, penalties and compensation vary across a wide range of situations. Section 43A is more relevant with regard to the obligation of a body corporate (such as the appellant bank) while dealing with sensitive personal data or information in a computer resource which it owns.
- The appellant was held liable for not implementing good security practices that could have prevented such a fraud from taking place. Cyber Appeal No. 7/2013 was disallowed.
- The appellant bank was ordered to pay Rs 1,00,000 to the respondent within 30 days from the date of the judgement.
This case summary has been prepared by Aditya Nair, a postgraduate student at NLIU, Bhopal, during his internship with The Cyber Blog India in June 2020.