CA INTERMEDIATE

CHAPTER 6

INFORMATION
TECHNOLOGY ACT, 2000
CA-INTER | Ch. 6 – IT Act, 2000

CHAPTER 6
INFORMATION TECHNOLOGY ACT, 2000
This Act aims to provide the legal infrastructure for e-commerce in India. And the cyber
laws have a major impact for e-businesses and the new economy in India. So, it is
important to understand what are the various perspectives of the IT Act, 2000 (as amended
in 2008) and what it offers.

The Act also aims to provide for

i. the legal framework so that legal sanctity is accorded to all electronic records and
other activities carried out by electronic means.
ii. The Act states that unless otherwise agreed, an acceptance of contract may be
expressed by electronic means of communication and the same shall have legal
validity and enforceability.
Advantages of Cyber Laws
The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber-
crimes. We need such laws so that people can perform purchase transactions over the Net
without fear of misuse. The Act offers the much-needed legal framework so that
information is not denied legal effect, validity or enforceability, solely on the ground that
it is in the form of electronic records.

From the perspective of e-commerce in India, the IT Act 2000 and its provisions
contain many positive aspects which are as follows:

i. IT Act gave legal recognition to Digital Signature as a method of authentication.

ii. It recognizes Book keeping in e-forms.
iii. It has granted legal recognition for transactions carried out through electronic
commerce.
iv. It gives legal sanction to Electronic Fund Transfer between banks and financial
institutions.
v. It facilitates electronic storage of data.
vi. The implications for the e-businesses would be that email would now be a valid and
legal form of communication in India that can be duly produced and approved in a
court of law.
vii. To facilitate E-filing with government department
viii. The Act now allows Government to issue notification on the web thus heralding e-
governance.
ix. The IT Act also addresses the important issues of security, which are so critical to
the success of electronic transactions.

209

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

PRIVACY
The main principles on data protection & privacy enumerated under the IT Act, 2000 are:
i. creating civil liability if any person accesses or secures access to computer,
computer system or computer network
ii. creating criminal liability if any person accesses or secures access to computer,
computer system or computer network
iii. declaring any computer, computer system as a protected system
iv. imposing penalty for breach of confidentiality and privacy
v. setting up of hierarchy of regulatory authorities, namely adjudicating officers, the
Cyber Regulations Appellate Tribunal etc.

INFORMATION TECHNOLOGY ACT, 2000

[from the perspective of Banking Sector]
The Information Technology Act was passed in 2000 and amended in 2008. The ITA Rules were
passed in 2011. The Act provides legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly referred to
as "electronic commerce’ which involve the use of alternatives to paper-based methods of
communication and storage of information, to facilitate electronic filing of documents with the
Government. The Act provides the legal framework for electronic governance by giving
recognition to electronic records and digital signatures. It also deals with cyber-crime and
facilitates electronic commerce. It also defined cyber-crimes and prescribed penalties for them.
The Amendment Act 2008 provides stronger privacy data protection measures as well as
implementing reasonable information security by implementing ISO27001 or equivalent
certifiable standards to protect against cyber-crimes.

For the banks, the Act exposes them to both civil and criminal liability.
- The civil liability could consist of exposure to pay damages by way of compensation up
to 5 crores.
- There may also be exposure to criminal liability to the top management of the banks
and exposure to criminal liability could consist of imprisonment for a term which would
extend from three years to life imprisonment and also fine.

I. Cyber Crimes
Cybercrime also known as computer crime is a crime that involves use of a computer and a
network. The computer may have been used in committing a crime, or it may be the target.
Cybercrimes is defined as: “Offences that are committed against individuals or groups of
individuals with a criminal motive to intentionally harm the reputation of the victim or cause
physical or mental harm, or loss, to the victim directly or indirectly, using modern
telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and
mobile phones.
210

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

The United Nations Manual on the Prevention and Control of Computer Related Crime classifies
such crimes into following categories:
- Committing of a fraud by manipulation of the input, output, or throughput of a computer
based system.
- Computer forgery, which involves changing images or data stored in computers,
- Deliberate damage caused to computer data or programs through virus or logic bombs,
- Unauthorized access to computers by 'hacking' into systems or stealing passwords, and,
- Unauthorized reproduction of computer programs or software piracy.
- Cybercrimes have grown big with some countries promoting it to attack another country's
security and financial health.

Banking sector is prone to high risks by cyber criminals as banks deal with money and using
technology, frauds can be committed across geographical boundaries without leaving a trace.
Hence, CBS and banking software is expected to have high level of controls covering all aspects
of cyber security.

II. Computer related offences

Section 43 provides for Penalty and compensation for damage to computer, computer
system, etc.
If any person without permission of the owner or any other person who is in-charge of a computer,
computer system or computer network, or computer resource:
- Accesses or secures access to such computer, computer system or computer network;
- Downloads, copies or extracts any data, computer database or information from such
computer, computer system or computer network including information or data held or
stored in any removable storage medium;
- Introduces or causes to be introduced any computer contaminant or computer virus into
any computer, computer system or computer network;
- Damages or causes to be damaged any computer, computer system or computer network,
data, computer database or any other programs residing in such computer, computer
system or computer network;
- Disrupts or causes disruption of any computer, computer system or computer network;
- Destroys, deletes or alters any information residing in a computer resource or diminishes
its value or utility or affects it injuriously by any means;
- Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter
any computer source code used for a computer resource with an intention to cause damage;

Some examples of offences in IT Act which could impact banks are as follows:

Section 65: Tampering with Computer Source Documents

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly
causes another to conceal, destroy or alter any computer source code used for a computer,
computer program, computer system or computer network, when the computer source code is
211

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

required to be kept or maintained by law for the time being in force, shall be punishable with
imprisonment up to three years, or with fine which may extend up to 2 lakh rupees, or both.
[upto 3 years or fine upto 2 Lacs or BOTH]

Section 66: Computer Related Offences

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be
punishable with imprisonment for a term which may extend to three years or with fine which may
extend to 5 lakh rupees or with both.

Section 66-B:Punishment for dishonestly receiving stolen computer resource or

communication device
Whoever dishonestly receives or retains any stolen computer resource or communication device
knowing or having reason to believe the same to be stolen computer resource or communication
device, shall be punished with imprisonment of either description for a term which may extend to
three years or with fine which may extend to rupees one lakh or with both.
[upto 3 years or fine upto 1 Lac or BOTH]

Section 66-C: Punishment for identity theft

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other
unique identification feature of any other person, shall be punished with imprisonment of either
description for a term which may extend to three years and shall also be liable to fine which may
extend to rupees one lakh.
[upto 3 years AND fine upto 1 Lac]

Section 66-D: Punishment for cheating by personation by using computer resource

Whoever, by means of any communication device or computer resource cheats by personation,
shall be punished with imprisonment of either description for a term which may extend to three
years and shall also be liable to fine which may extend to one lakh rupees.
[upto 3 years AND fine upto 1 Lac]

Section 66-E: Punishment for violation of privacy

Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area
of any person without his or her consent, under circumstances violating the privacy of that person,
shall be punished with imprisonment which may extend to three years or with fine not exceeding
two lakh rupees, or with both
[3 years or fine upto 2 Lacs or BOTH]

212

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

COMPUTER RELATED OFFENCES

Common Cyber-crime scenarios

Let us look at some common cyber-crime scenarios which can attract prosecution
as per the penalties and offences prescribed in IT Act 2000 Act.

1. Harassment via fake public profile on social networking site

A fake profile of a person is created on a social networking site with the correct
address, residential information or contact details but he/she is labelled as
'prostitute'. This leads to harassment of the victim.
2. Email Account Hacking
If victim's email account is hacked and obscene emails are sent to people in victim's
address book.
3. Credit Card Fraud
Unsuspecting victims would use infected computers to make online transactions.
4. Web Defacement
The homepage of a website is replaced with a pornographic or defamatory page.
Government sites generally face the wrath of hackers on symbolic days.
5. Introducing Viruses, Worms, Backdoors, Trojans, Bugs
All of the above are some sort of malicious programs which are used to destroy or
gain access to some electronic information.
6. Cyber Terrorism
Many terrorists use virtual (Drive, FTP sites) and physical storage media (USB hard
drives) for hiding information and records of their illicit business.
7. Online sale of illegal Articles
Where sale of narcotics, drugs weapons and wildlife is facilitated by the Internet.
8. Cyber Pornography
Among the largest businesses on Internet, pornography may not be illegal in many
countries, but child pornography is.
9. Phishing and Email Scams
Phishing involves fraudulently acquiring sensitive information through
masquerading a site as a trusted entity (e.g. Passwords, credit card information).
10. Theft of Confidential Information
Many business organizations store their confidential information in computer
systems. This information is targeted by rivals, criminals and disgruntled
employees.
11. Source Code Theft
A Source code generally is the most coveted and important "crown jewel" asset of
a company.
213

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

SENSITIVE PERSONAL DATA INFORMATION(SPDI)

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information
Rules 2011 formed under section 43A of the Information Technology Act 2000 define a
data protection framework for the processing of digital data by Body Corporate.

Definition of Personal and Sensitive Personal data: Rule 2(i) defines personal
information as "information that relates to a natural person which either directly or
indirectly, in combination with other information available or likely to be available with a
body corporate, is capable of identifying such person."

Rule 3 defines sensitive personal information as:

- Passwords
- Financial information
- Physical/physiological/mental health condition
- Sexual orientation
- Medical records and history; and
- Biometric information

The present definition of personal data hinges on the factor of identification (data that is
capable of identifying a person).
By listing specific categories of sensitive personal information, the Rules do not account
for additional types of sensitive personal information that might be generated or correlated
through the use of Big Data analytics.

Importantly, the definitions of sensitive personal information or personal information do

not address how personal or sensitive personal information - when anonymized or
aggregated — should be treated.
Consent: Rule 5(1) requires that Body Corporate should, prior to collection, obtain consent
in writing through letter or fax or email from the provider of sensitive personal data
regarding the use of that data.

Definitions
2(a) "Access" with its grammatical variations and cognate expressions means gaining
entry into, instructing or communicating with the logical, arithmetical, or memory function
resources of a computer, computer system or computer network;

(i) "Computer" means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory functions
by manipulations of electronic, magnetic or optical impulses, and includes all input,
output, processing, storage, computer software, or communication facilities which are
connected or related to the computer in a computer system or computer network;

2(j)"Computer Network" means the interconnection of one or more Computers or

Computer systems or Communication device through-
214

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or
communication device whether or not the interconnection is continuously
maintained;

2(o) "Data" means a representation of information, knowledge, facts, concepts or

instructions which are being prepared or have been prepared in a formalized manner, and
is intended to be processed, is being processed or has been processed in a computer system
or computer network and may be in any form (including computer printouts magnetic or
optical storage media, punched cards, punched tapes) or stored internally in the memory
of the computer;

2(v) "Information" includes data, message, text, images, sound, voice, codes, computer
programmes, software and databases or micro film or computer generated micro fiche;

In a cyber-crime, computer or the data are the target or the object of offence or a tool in
committing some other offence. The definition of term computer elaborates that computer
is not only the computer or laptop on our tables, as per the definition computer means any
electronic, magnetic, optical or other high speed data processing devise of system which
performs logical, arithmetic and memory function by manipulations of electronic,
magnetic or optical impulses, and includes all input, output, processing, storage, computer
software or communication facilities which are connected or related to the computer in a
computer system or computer network. Thus, the definition is much wider to include
mobile phones, automatic washing machines, micro wave ovens etc.

215

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

Multiple Choice Questions

1. The positive aspects of The Information which would extend from three years
Technology Act, 2000 are: to life imprisonment
a. IT Act gave legal recognition to c. Either ‘a’ or ‘b’
Digital Signature as a method of d. Both ‘a’ and ‘b’
authentication.
b. It recognizes Book keeping in e- 5. Under which section of The IT Act,
forms. 2000 is a person punished for ‘Identity
c. Email would now be a valid and Theft’ the punishment for which the
legal form of communication in offender shall be punished with
India that can be duly produced and imprisonment of either description for a
approved in a court of law. term which may extend to three years
d. All of the above and shall also be liable to fine which
may extend to rupees one lakh?
2. The main principles on data protection a. Section 66-C
and privacy enumerated under The IT b. Section 66-D
Act, 2000 are: c. Section 65
a. Creating civil and criminal liability d. Section 66
if any person accesses or secures
access to computer, computer system 6. According to Section 66-D: Punishment
or computer network. for cheating by personation by using
b. Imposing imprisonment for breach computer resource, the offender shall be
of confidentiality and privacy punished with
c. Both ‘a’ and ‘b’ a. Imprisonment of either description
d. None of the above for a term which may extend to three
years
3. Which section of the IT Act, 2000 b. Shall be liable to fine which may
provides the legal framework for extend to one lakh rupees
electronic governance by giving c. Either ‘a’ or ‘b’
recognition to electronic records. d. Both ‘a’ and ‘b’
a. Sec 2
b. Sec 5 7. Whoever knowingly or intentionally
c. Sec 4 conceals, destroys or alters or
d. None of the above intentionally or knowingly causes
another to conceal, destroy or alter any
4. The IT Act, 2000 exposes the banks to computer source code used for a
a. Civil liability which could consist of computer, computer program, computer
exposure to pay damages by way of system or computer network, when the
compensation up to 5 crores. computer source code is required to be
b. Criminal liability to the top kept or maintained by law for the time
management of the banks and being in force, shall be punishable with
exposure to criminal liability could a. Imprisonment up to three years
consist of imprisonment for a term 216

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

b. Fine which may extend up to 2 lakh 9. Rule 3 defines sensitive personal

rupees information as:
c. Either ‘a’ or ‘b’ a. Passwords
d. Either ‘a’ or ‘b’ or both ‘a’ and ‘b’ b. Financial information
c. Sexual orientation
8. ‘Personal and Sensitive Personal Data’ d. All of the above
is defined under
a. Rule 4 10. The common cyber- crime scenarios
b. Rule 2(i) include
c. Rule 3 a. Email account Hacking
d. Rule 5 b. Cyber terrorism
c. Both ‘a’ and ‘b’
d. Subversive attacks

ANSWERS
1 2 3 4 5
(d) (a) (c) (d) (a)
6 7 8 9 10
(d) (d) (b) (d) (c)

217

CA CS PAVAN S. GAHUKAR | 9766699203

CA-INTER | Ch. 6 – IT Act, 2000

218

CA CS PAVAN S. GAHUKAR | 9766699203