INFORMATION TECHNOLOGY LAW

UNDERSTANDING IDENTITY THEFT AND LEGISLATIVE POTENTIAL TO

TACKLE THE SAME.
 TABLE OF CONTENTS
Abstract.................................................................................................................3

Introduction...........................................................................................................3

Research Objective...............................................................................................4

Research Methodology.........................................................................................5

Literature review...................................................................................................5

Identity Fraud – Digital Transactions...................................................................6

Analysis on Atm Skimming and Its Legislation in It Law...................................7

Drawbacks and Need of change in Information Technology Act & Data

Protection Bill 2019..............................................................................................8

Conclusion and Suggestions...............................................................................12

References...........................................................................................................12

2|Page
 ABSTRACT

The concept of data protection and information technology laws in the light of data theft and
its basic forms, such as ATM skimming,offer a barrier underneath the today's digital
legislation' strict supervision. Data protection lawsevidently, has major limitations in India as
compared to other countries IT laws, where there are just two laws: TheInformation
Technology Act, 2000, and the Penal Code, 1860. Although the number of legislations
covering such technologically advanced criminal actions is alarming, endeavours have been
undertaken in the National Cyber Security Policy 2013 and the Data Protection Bill 2019.
When comparing the future of legislation, data protection countermeasure, and initiative for
personal data security by financial institutes in the United Kingdom to India, it is clear that
crime specific rules are required. The amount of laws that cover such technologically
advanced offences is frightening, despite initiatives in the National Cyber Security Policy
2013 and the Data Protection Bill 2019.

INTRODUCTION

Technology has reduced our perception of connection and trade barriers, but just like every
cloud, there is a bright spot: technology has opened the road for individuals to take use of its
benefits. The limitless environment, secrecy of internet users, flexible e-commerce, and rapid
incorporation of software in enterprises and organisations, particularly in the financial sector,
is a barrier to the enforcement of traditional cyber regulations. As a result, there is an urgent
necessity online transaction security in order to prevent criminal developers from suffering
negative repercussions as a result of their widespread involvement in e-commerce.1
Financial institutions are broadening their utilities from "walk in office" to "available online"
in seeking a competitive advantage in is perhaps the most tech-savvy. These tools services
expose customer personal data, making them vulnerable to hacking, theft of data, phishing,
and spoofing for gaining unauthorised data to make illegal profits. Such activities may not
seem to be criminal in and of themselves, but they may echo across cyberspace, posing a
significant risk to consumers who are left to bear the repercussions. Initiatives aimed at
safeguarding banking assets involve monitoring of both physical and virtual assets. More
1
National Cyber Security Policy, 2013, Ministry of Electronic and Information Technology, (Jan, 13, 2020, 10 : 00
a.m), https://meity.gov.in/sites/upload_files/dit/files/National%20Cyber%20Security%20Policy
%20%281%29.pdf

3|Page
institutions are preparing to repel the attacks, and more criminals are arming themselves with
cutting-edge technology to guarantee that the banks remain operational in order to secure
their assets.2
As a result, in effort to stop violations of the right to personal privacy, lawmakers
implemented the Information Technology Act of 2000, that had the the exclusive purpose of
providing legal acknowledgment to electrical activities carried out in the virtual medium
known as cyberspace, as well as ensuring its legitimate use. The primary intent behind the
implementation of the Information Technology Act, 2000 (IT Act, 2000) was to eliminate the
ambivalence encompassing the use of computer system to establish, convey, and record
transactions in digital mode rather than conventional paper documents, per the declaration
of object and motives. Information saved in digital mode has several advantages, including
being less expensive, easier to keep and retrieve, and faster to convey. This hesitant
behaviour is caused by a lack of an acceptable legal framework.3

As per the National Crime Record Bureau [NCRB], the total number of ATM and internet
banking scams recorded in India in 2017 was around 1543 and 804, respectively. In 2017, the
overall recorded cybercrime in India was around 21796.4 Not only are ATM scams a menace
to the virtual environment, but so are malicious cyber assaults like "WANNACRY."5

RESEARCH OBJECTIVE

The pertinent question raised in this article is whether and to what extent the Indian
legislations are sufficient to cater to the present requirement of tackling the issue of identity
theft as whole and in instances of the ATM Skimming. Further, the implementation of the laws
has been analysed to understand whether it is in synch with it. The researcher would go into
the intricacies of the crime of identity theft committed through electronic resources specially
computer and internet. Emphasis has been laid down on the crime of identity theft though
2
V. Rajendran, Banking on IT's Security, 89; The Journal of Indian Institute of Banking and Finance 13 (2018)
3
Statement of Object and Reasons : Information Technology Bill 2000, Telecom Dispute Settlement and
AppellantTribunal,(Jan 13, 2020, 10 : 00),
http://www.tdsat.gov.in/admin/introduction/uploads/INFORMATION% 20T ECHNOLOGY%20ACT.pdf
4
Ministry of Home Affairs, Government of India, National Crime Record Bureau Report, National Crime Record
Bureau (Jan, 13, 2020 10 : 25 am), http://ncrb.gov.in/StatPublications/CII/CII2017/pdfs/CII2017-Full.pdf.
5
Ashok Koujalagi, Shweta Patil & Praveen Akkimaradi, The Wannacry Ransomware : A Mega Cyber Attack and
Their Consequences on the Modern India, 6 International Journal of Management Information Technology and
Engineering 4 (2018)

4|Page
ATM skimming. The country of study would be India and the researcher would analyse
various legal provisions primarily in the Information Technology (Amendment) Act, 2008
and the Indian Penal Code, 1860, to understand the civil and criminal liability of the
identity thief and remedies available to the victim. The shortcoming would be exposed and
certain reform measures would be suggested.

RESEARCH METHODOLOGY

Given the depth of the research issue, historical and empirical legal research methodologies
were adopted. A vast number of study material is necessary to conduct authorised research on
the topic. To get a birds-eye view on how the frauds have been conducted various case
studies have been referred to. The essential information was acquired from secondary sources
including research articles, journals, newspaper articles etc. The legislations such as the IT
Act, 2000 and the draft bills introduced such as the Personal Data Protection Bill were
thoroughly studied and analysed in order to understand the fallacies in its applications. The
major platforms relied for sources are SCC, JStore, and other journal reviews and media
platforms.

LITERATURE REVIEW

Identify Theft: Extent and Applicability of Data Protection Laws by Abhishek Kushwaha
and Aditi Palit6
The author emphasis on the grey area created by the cyber space which facilitates the high-
end technical crimes such identity theft through ATM skimming. Further, the author attempts
to study the existing the laws and regulations and identifies the fallacies in its application
when it comes to such crimes due to the lack of inclusion of the same in the provisions,
absence of wider definitions and lack of clarity on who shall be accountable for the act
because of which the customer borne the losses. However, the author has not explained the
crime of ATM skimming in length, describing the modus operandi of the same through case
studies and has also not provided an effective way to improve the status quo.
ATM Frauds – Detection and Prevention by Shubhra Jain7

6
ILR (2020) 134
7
International Journal of Advances in Electronics and Computer Science, ISSN: 2393-2835

5|Page
In this paper, the author has given a complete overview of the vulnerabilities and possible
frauds in ATM transactions in an attempt to create awareness of the same among users. The
exponentially growing ATM market of India have been analysed giving the scope of
increased instances of frauds through dispenser trapping. Further the author has also provided
security and preventive measures such as foreign object detection technology, encrypted pin
pad technology etc. But the author has only provided measures to be followed by the
customers and financial institution, and has failed to cover the aspects of accountability and
liability relating to such type of frauds. The application and fallacies in the legislation has
also not been discussed.
Identify Theft in India: A security concern, by Shaurya Jain and Muskan Sharma8
This is paper aims to extensively explain the meaning and ambit of ‘Identify theft’ and also
shed light on its various types. The author has also attempted to describe the provisions of
legislations which can possible cover the crime. However, the author has not identified the
fallacies in the implementations of the laws owing to the high-end crimes committed and
provide suggestions to better the position of law.

IDENTITY FRAUD – DIGITAL TRANSACTIONS

ATMskimming - Skimming gadgets are used by tech enthusiasts to conduct larceny. These
fresh criminals can utilise undetectable gadgets such as a skimmer and a fake numeric
keyboard overlay to duplicate all of the personal data held on a chip and capture the PIN
number in accessing all of a person's hard-earned cash. 9 Furthermore, this private details may
be utilised to create unauthorised copies of cards used in such compromised card insertion
slots; this is referred as ATM skimming 10. Data breaches is simply the beginning; when it
spreads to other kinds of crime, the entire sequence can result in financial damages.

ATM cloning is still not described officially, although ATM "Skimming" is an unlawful
practise that entails installing a gadget, typically undetected by ATM users, that discreetly
collects bank account credentials whenever the person enters an ATM card into the terminal.

8
Volume 11, July 2020 ISSN 2581-5504
9
Dr. Bharat Pancha, De-mystifying payment system challenges : Pragmatic Approach, 84 (3) The Journal of
Indian Institute of Banking & Finance 18-19, (2013)
10
Ibid

6|Page
The encrypted information can then be encoded onto a dummy card and used to commit fraud
from the user's savings account.11

ANALYSIS ON ATM SKIMMING AND ITS LEGISLATION IN IT LAW

The appropriateness of regulation and responsibility for these rising nasty crimes must also
be examined when investigating ATM skimming. The Information Technology Act of
2000, together with the Information Technology (Amendment) Act of 2008, are the only
laws and regulations that can deal with offences linked to ATM skimming to a certain extent.
Consideration must be attracted to the significance of PCs given under the IT act
"Computer" signifies any electronic attractive, optical or other highspeed information
handling gadget or framework which performs coherent, number juggling, and memory
capacities by controls of electronic, attractive or optical motivations, and incorporates all
information, yield, handling, capacity, PC programming, or correspondence offices which are
associated or connected with the Computer in a PC framework or Computer network.12

Contrasting the instrument of ATMs they incorporate information, yield information too
comprise of projects to empower cash allotment. With everything taken into account, the
importance and working of ATMs was logically made sense of on account of Diebold
Systems Pvt Ltd v. Chief of Commercial Taxes 13 where the court expressed that ATM has
an information terminal with two information and four result gadgets. The ATM interfaces
with and speaks with a host processor that is similar to an Internet Service supplier. Then, at
that point, the Machine is associated through the host processor through what is known as a
four-wire, highlight point, devoted phone line. The ATM docs not have many parts, there is a
card peruser, which catches an individual's record information that is put away on the
attractive strip situated on the rear of the ATM/debit card. This information is utilized by the
host processor in directing the exchange to the fitting bank. Then in has a 'Key cushion',
which is utilized by the cardholder to let the machine know sort of exchange required. It has
an 'electric eye' that is utilized for cash administering component. In addition to the eye, the

11
Raymond W. Kelly, Crime Prevention Section Awareness Alert, Skimming at ATM Machines, Community
Affairs Bureau and Police Department of New York City, (Jan, 13, 2020, 10 : 00 am),
http://www.nyc.gov/html/nypd/downloads/pdf/crime_prevention/ATMskimmingtip.pdf
12
Information Technology Act, 2000, § 2.
13
Diebold Systems Pvt Ltd v. Commissioner of Commercial Taxes, ILR (2005) KAR 2210.

7|Page
ATM has a 'sensor' that is fit for assessing the thickness of every one of the bills being
dispensed.14 more or less computers as well as all gadgets which are fit for inputs, yields
through electronic, attractive motivations containing computer programs performing
legitimate, arithmetical, correspondence control and different capacities are computers, ATMs
are not computer fundamentally however are associated with different computers framing a
computer organization or framework are covered under the Information Technology Act,
2000.

Likewise, on landmark case of Commissioner of Income Tax-III v. NCR Corporation Pvt

Ltd15it was expressed by the court that ATMs are under the purview of digital correctional
regulations as computer is essential piece of ATM machine and based on information handled
by the computer in ATM machine just, the mechanical capacity of the agreement of money or
deposit of money is done16. Accordingly, ATMs can come under computers definition within
the review of the information technology act, 2000.

DRAWBACKS AND NEED OF CHANGE IN INFORMATION TECHNOLOGY ACT &

DATA PROTECTION BILL 2019

I. With just modest bunch of acts the current reality of digital regulation in India are
apparent. The functioning regulations are just starting to expose what's underneath as
opposed to diving profound into the thought of security and accountability for such
genuine wrongdoings. Laws which manage the offense of ATM skimming under the
Information Technology Act, 2000 are S.43, 66, though S. 43A, 66C, 66D added after
the amendment in 2008 alongside that different arrangements, for example, S.420 of
the Penal Code, 1860. S.43 of the Information Technology Act, 2000 portrays
common liability of an outsider, where any individual without the authorization of the
proprietor or the individual responsible for access, downloads, duplicates, defilement
of infection, harms, disturbance or causing interference, disavowal of access, gives

14
Henry Campbell Black, Black's Law Dictionary, pg. 443, (9 ed. Thomson Reuters : Minneapolis-St. Paul 2001).
15
The High court of Karnataka, Commissioner of Income Tax-Iii v. NCR Corporation Pvt Ltd, The High court of
Karnataka (July 30, 2020, 10 : 00
http://judgmenthck.kar.nic.in/judgmentsdsp/bitstream/123456789/333491/1/ITA242-11-16-06-2020.pdf
16
Ibid

8|Page
 admittance to any individual who is unapproved in agreement to the demonstration,
charges the administrations profited of by any individual to the record of another 17.
The provisions under this part are acclimated with S. 63 to 74.

II. Though conditions (I) and (j) manage more genuine wrongdoings connected with
altering of computer source code, modification, harm or obliterating of any
information dwelling in the gadgets resource18. In any case, the segment just
furnishes with the liability of outsider rather than information processor or
information regulator.
III. These additional laws and regulations might appear to be sufficient from a 10,000
foot perspective yet as opposed to the glaring number of skimming done in ATMs,
they seem, by all accounts, to be more open finished relying more upon
understanding. Words like 'damagingly by any means' 19 and 'damage'20 are subject to
the translation of Court instead of expressively consolidating skimming done by
outsider, by genuinely modifying the machines through addition of unfamiliar
hardware causing monetary misfortunes deserving of punishment. Despite the fact
that endeavour have been made in the new Data Protection Bill 2019 to characterize
the harm and the norm on which such fraudsters can be expected to take
responsibility. The Data Protection bill 2019 doesn't characterize harm or injury yet
makes sense of "harm"21 which expressively incorporates in essence or mental injury,
misfortune, bending, burglary of identity and monetary misfortunes or loss of
property thus distinguishing the grade on which such guilty parties can be punished
which is more comprehensive of a few critical parts of ATM skimming.22

IV. Drawbacks for information in data protection bill and liability of the body corporate
can be conceivably set apart in S.43A23 where a body corporate having, managing or
dealing with any 'sensitive individual information' is careless in carrying out or
keeping up with 'sensible security practices and strategy' causing unjust misfortune or
17
Information Technology Act, 2000, § 43.
18
Information Technology Act, 2000, [Amendment 2008], § 43.
19
Information Technology Act, 2000, § 43.
20
Ibid
21
Ministry of Electronic and Information Technology, Data Protection Bill 2019, MEITY (Jan, 13, 2020, 10 : 00
am) https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf.
22
Ibid
23
Information Technology Act, 2000, [Amendment 2008], § 43.

9|Page
 illegitimate increase will be at risk to pay to the individual so damage compensation.
Sensible security practices and method as referenced in the clarification might emerge
via enactment, any regulation in force or as endorsed by the focal government in
consonance to committee guidelines, such clarification just furnishes with a concise
layout of what can constitute as sensible practice and technique as opposed to giving
an exhaustive importance to it.

V. Also a wide power and caution have been given to the government on furnishing with
a suitable significance to sensitive individual information as well as private
information which have not been at this point characterized in the Act. However, a
work has been made in the Data protection bill 2019 to give significance to 'individual
information' and 'sensitive individual information' while omitting S. 43A totally and
dividing the liability of body corporate into liability of information processor and
information fiduciary24. Individual information incorporates trait, qualities,
characteristic or some other information of a characteristic individual about the
identity of such individual whether on the web or disconnected additionally may
incorporate any information or information from which an induction can be drawn
with the end goal of profiling. An all the more a contemporary methodology have
been taken while characterizing sensitive individual information, which not just
incorporate biometric, monetary, wellbeing, sexual coexistence, rank or clan, yet
additionally incorporate transsexual status, intersex status and sexual orientation.
Concerning what can be considered as private information or sensitive individual
information the bill likewise incorporates a clarification, that assuming exposure of
such information might actually hurt or on the other hand assuming there is an
assumption for confidentiality such can be grouped and endorsed as sensitive
individual information by the authority under the bill.

VI. Criminal liability for ATM skimming is shrouded comparable to different offenses
under S.66, makes sense of that any offense covered under S.43 25 is culpable with
detainment for a term of 3 years or with fine which might reach out to five lakh
rupees or both26. Though S.66C and 66D27 arrangements with discipline for identity
24
Supra, 18
25
Information Technology, Act, 2000, § 43.
26
Information Technology, Act, 2000, § 66.
27
Information Technology, 2000, § 66D, § 66C.

10 | P a g e
 burglary and cheating by pantomime by utilizing computer asset. The accessible
arrangements are still are not comprehensive of ATM skimming or skimming overall
as a particular offense.

VII. The idea of 'no fault liability' 28 of the saves money concerning ATM related scam
particularly skimming was considered in the warning of (hold bank of India) RBI in
July 6, 2017. The RBI separated the liability of the client into following fragments:

A. First is the 'Zero liability', a client is entitled no causality in the event that where the
exchange happened because of carelessness of the banks though in the event that
where the misrepresentation is happened neither because of the issue of banks nor the
client yet lies somewhere else in the framework then, on the off chance that the client
tells the bank within 3 working days, the client would be entitled to zero casualty.29
B. Furthermore the idea of limited liability of clients in situations where the misfortune
is because of carelessness by a client, for example, where he has shared the instalment
certifications. All things considered the client will bear the whole misfortune until he
reports the unapproved exchange to the bank. Any misfortune happening after the
revealed unapproved exchange will be borne by the bank.30
C. In situations where the responsibility for the unapproved electronic financial exchange
lies neither with the bank nor with the client, yet lies somewhere else in the
framework and when there is a postponement with respect to the client in informing
the bank about the unapproved exchange, the per exchange liability of the client will
be limited to the exchange esteem or the sum referenced in the notice, whichever is
lower.31

28
Vidyawanti v. State Bank of India Iii, CPJ 2015 NC 245.
29
Reserve Bank of India, Customer Protection - Limiting Liability of Customers in Unauthorised Electronic
Banking, Reserve Bank of India (Jan, 13, 2020, 11 : 43 am), Rbi/2017-18/15 Dbr. No. Leg.Bc.78/09.07.005/2017-
18.
30
Ibid
31
Ibid

11 | P a g e
 CONCLUSIONAND SUGGESTIONS

As a result, Indian laws lag behind when it helps to protect an individual's data, leaving
plenty of space for advancement in legislation and rules designed to combat identity theft.
Insufficiency in certain laws serves as a breeding ground for such deceitful crimes, which
have been increasingly widespread in the previous .  Indian cyber law falls short in terms of
basic execution and the necessary competence to combat identity theft, ATM skimming. To
maintain the application of current laws, a suitable framework with an appropriate level of
authority is required. Jurisdiction clashing should be avoided, and appropriate compassionate
employees should be engaged.

Three-pronged methodology will be useful to banks in fighting ATM cheats:

i. Representatives' schooling/preparing.
ii. Clients' schooling/preparing.
iii. Strategies and systems; and tests to measure
iv. adherence to strategies.
Preparing ought to zero in on the nature and dangers related with ATM fakes alongside the
guide to outline the danger and openness. It additionally ought to cover available resources to
oppose the assaults to make the right sort of careful mentalities. At last, banks should have a
data security strategy set up that lets the insiders know what they are generally anticipated to
do and not to do, as well as the response to any breaks.
New advancements, for example, video observation, distant ATM the executives and Foreign
article identification joined with presence of mind the board rehearses pointed toward
hindering wrongdoing are giving makers an edge in the battle against extortion and keeping
oneself administrations industry no less than one stage a top of the lawbreakers.

REFERENCES

[1] Miss Dua Aarti ( 2003 ) , “ Understanding ATMs” , www. Harmonyindia.org.

[2] “EMV (Euro pay, Master Card and Visa) is a standard for chip-embedded cards, often
referred to as smart card to reduce the frauds.”
[3] Diebold Inc. ( 2006) , “ATM Fraud and Security”, White paper , www.diebold.com, pp. 2

12 | P a g e
[4] Report of Retail Banking Research (2008), “Global ATM Market and Forecasts to 2013”,
December 2008.
[5] Agrawal S.K. and Lakshman M.V. (2003), “ATM : Secure Your Any Time Money”, I.T.
Forum, Vol. VI, Issue III, October-December 2003, pp. 15

13 | P a g e