Recently, the Indian Computer Emergency Response Team (Cert-In) issued an advisory cautioning citizens about a potential wide-scale phishing attack on over 2 million Indians. In a situation where the world is grappling with coronavirus, web users are extremely vulnerable to ‘malicious actors’ who try to exploit the emergency to their advantage. Fraudsters have successfully posed as local authorities in charge of dispensing government-funded Covid-19 support initiatives to retrieve sensitive information from internet users. Before analysing the legal implications of ‘Phishing’, it is pertinent to understand the phenomenon itself.

Phishing is an innovative attempt that engages spoofed email domains and fraudulent websites to trick people into voluntarily surrendering their information to a fraudster. It is a mis-representation made during trade “to induce confusionas to the source and origin of business emails”, causing harm to the parties involved. Traditionally, phishing has led to imposters gaining unauthorised access into a victim’s email account and subsequently tampering with their transaction details to swindle money. However, the rapid growth of phishing attacks in the world has not ignited any response in India. A vast majority of the public is still unaware of the concept called phishing and Indian jurisprudence around this cyber-crime is still at a rudimentary stage. This article attempts to highlight certain case laws that have dealt with phishing in India and seeks to address the pressing concern of ‘Liability Assignment’ in case of a phishing attack.

Judicial Precedents

In IDBI Bank v. Sudhir S. Dhupia, Telecom Disputes Settlement and Appellate Tribunal (TDSAT) directed IDBI bank to pay a penalty of Rs. 1 Lakh for violating provisions of the IT Act. The case was a quintessential phishing attack wherein the victim had received a fraudulent mail from IDBI’s email address. The mail had been sent by an imposter and was intended to manipulate the victim into transferring money into a fraudulent bank account. The court observed that the innocent victim (respondent) could not be blamed for the losses and apportioned the liability towards the bank. Although the court recognised that phishing frauds are beyond the control of any party, it noted that IDBI bank failed to adopt necessary safeguards. Hence, the bank was held guilty for violating. Section 43A of the IT Act which requires “corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’ to implement and maintain ‘reasonable’ security practices.” In case any negligence can be attributed to the failure of security practices, the defecting corporate body would be liable to compensate the affected parties.

The decision of the tribunal in IDBI case was in line with the observation of the Adjudicator of Tamil Nadu, Mr PWC Davidar in the historic case of S.Umashankar v. ICICI Bank. While analysing the jurisprudence of laws relating to phishing in India, Umashankar case becomes extremely pertinent as it is one of the earliest judicial decisions on phishing in India. In this case, the court pronounced that an entity can be held liable if it fails to establish that due diligence was exercised to prevent unauthorized access as mandated by Section 43 of the IT Act. As a result of this observation, ICICI was directed to soak up the liability for violating provisions of the IT Act.

From the above-mentioned precedents, we can identify a palpable pattern that Indian Courts have followed while dealing with phishing attacks. Mostly, the initial victim (the entity whose data has been compromised and whose identity has been falsely represented) is held liable for the losses arising out of the phishing attack. The secondary victim (the entity who has been affected due to the initial phishing attack) is usually let off because of the assumption that a phishing attack is completely unforeseeable. However, times have changed and phishing is no longer a rare occurrence. Data suggests that phishing has emerged as the most common way to steal information. In such a scenario, blindly apportioning liability to the initial victim can vitiate the entire judicial process. It becomes important to scrutinize the actions of the parties involved and make an informed decision.

Approach of Foreign Courts (Liability Assignment)

Foreign Courts have approached the issue of ‘Liability Assignment’ post a phishing attack in a different manner. In St. Lawrence Testing &Inspection Co Ltd v. Lanark Leeds Distribution Ltd, it was held that in case of a phishing attack the secondary victim will be held liable and only under three exceptions can the initial victim be held liable. The first exception is when the parties to a contract have agreed to shift liability for losses resulting from fraudulent payment instructions to the initial victim. The second exception is activated when “there is evidence of wilful misconduct or dishonest” on the initial victim’s part. The third exception is when any negligence can be attributed to the initial victim. Hence, it is quite evident that the liability is initially assumed on the secondary victim but can be transferred if any of the exceptions have been met.

Thus, foreign courts have adopted a measured approach to deal with phishing cases by affording both the parties with a chance to prove their innocence. As opposed to India, there is no blind apportioning of liability. In some cases like St. Lawrence Testing & Inspection Co Ltd v. Lanark Leeds Distribution Ltd, the secondary victim was held liable for the losses and in some other cases like Du v. Jameson Bank, the initial victim was held liable.

Conclusion: Way Forward

As discussed above, Indian jurisprudence on phishing is still at a nascent stage. Moreover, the approach currently adopted by Indian Courts is extremely arbitrary in nature. More often than not, corporates fall prey to phishing attacks in spite of maintaining sophisticated security systems. Consequently, they are held liable for violating ‘Data Protection’ safeguards in the IT Act and are directed to compensate for allthe losses accrued. However, we have to understand the sophistication behind a phishing attack. It is usually carried out by competent and skilful imposters. When we login to a Gmail or a Facebook account, the reasonable assumption of a normal human being is that the webpage is authentic, but expert hackers can code inch-perfect replicas and use it to manipulate human beings. Hence, it becomes crucial to afford all the parties involved in a phishing attack an opportunity to present their case.

While there are multiple provisions in place to punish the fraudster initiating a phishing attack (Section 66, Section 66A, Section 66C and Section 66D of the IT Act), there is a gaping hole when it comes to the issue of liability assignment after a phishing attack. Another issue is the mis-application of Section 43A in scenarios involving phishing attacks. Section 43A of the IT Act is primarily intended for ‘Data Protection’. Phishing is a completely different phenomenon and warrants a separate provision dealing solely with it. Such a provision can help in formulating a formal process to deal with phishing attacks effectively and prevent misapplication by Courts. Concerns regarding ‘Liability Assignment’ can also be addressed through the new provision.

Covid-19 will inevitably present a lot of problems in the cyber arena. Increased internet usage will definitely lead to a spike in cyber-crimes as well. Countries like India are especially proneto cyber-attacks due to lack of awareness and knowledge regarding things like phishing. Hence, an amendment to the IT Act introducing a separate provision for phishing is imminent for India. In order to meet the urgency of the matter, Courts can also initiate change by adopting a better approach to tackle the issue of assigning liability for the losses arising out of phishing attacks.

This article has been written by Krishnaunni U. Krishnaunni is a third year Law student at NALSAR University of Law, Hyderabad.