The twenty-first century is known for its development in technology, and now that all data is digitized, committing identity theft has become very easy. Various developed countries have strict laws against identity theft, and people who actively commit such crimes are strictly punished. Generally, hacking of email IDs and credit card numbers, phishing, ATM skimming/carding and vishing are used as tools to commit identity theft in India. The main problem occurs when innocent people have to pay for the frauds committed by these identity thieves. People not only face financial losses but also suffer mental stress from the consequences of the identity theft.
This article mainly aims to bring out the legal provisions of the Bhartiya Nyaya Samhita, 2023, the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000 that deal with identity theft. Through this article the author aims to analyze the existing legal provisions in India on identity theft, the loopholes which exist in these provisions, and the steps that can be taken to strengthen the existing laws so that strict action can be taken against people committing identity theft.
Types of identity theft
There are four major types of identity theft, which affect a large number of people. India tops the list where most people suffer from the problem of identity theft. Lack of knowledge of legal provisions further increases this problem, and in most cases there are delays in getting justice.
- Financial Identity Theft- Financial identity theft occurs when someone uses another’s identity to gain unauthorized access to that person’s credit cards. Other monetary accounts can also be hacked, due to which the original account holder suffers various financial losses. The account details can be used by hackers to take loans or make other unauthorized transactions.
- Criminal Identity Theft- Criminal identity theft occurs when a person is arrested or cited for a criminal offense which is not committed by him. Such arrests can cause mental stress to the victims.
- Medical Identity Theft- Medical identity theft involves using another’s identity to obtain healthcare benefits, such as prescription drugs or expensive medical procedures.
- Social Security Identity Theft- Social Security identity theft is when another’s Social Security Number (SSN) is used to create a false identity. The false identity is then used to commit fraud, often to open a new line of credit or to get a loan. SSNs can be purchased on the dark web or found in personal documents incautiously thrown out.
Legal provisions in India on identity theft
Section 66C of the Information Technology Act, 2000 prescribes the punishment for identity theft. Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.[1]
Identity theft is currently a cognizable, bailable, and compoundable offense under the IT Act. Section 77A states that an offense committed under section 66C is a compoundable offense.[2]
In Bhartiya Nyaya Samhita there are various sections which mention forgery and frauds which are a result of identity theft.[3]
Section 335 – Making a false document
A person is said to make a false document or false electronic record— (A) Who dishonestly or fraudulently—
(i) makes, signs, seals or executes a document or part of a document;
(ii) makes or transmits any electronic record or part of any electronic record;
(iii) affixes any electronic signature on any electronic record;
(iv) makes any mark denoting the execution of a document or the authenticity of the electronic signature, with the intention of causing it to be believed that such document or part of document, electronic record or electronic signature was made, signed, sealed, executed, transmitted or affixed by or by the authority of a person by whom or by whose authority he knows that it was not made, signed, sealed, executed or affixed; or
(B) Who without lawful authority, dishonestly or fraudulently, by cancellation or otherwise, alters a document or an electronic record in any material part thereof, after it has been made, executed or affixed with electronic signature either by himself or by any other person, whether such person be living or dead at the time of such alteration; or
(C) Who dishonestly or fraudulently causes any person to sign, seal, execute or alter a document or an electronic record or to affix his electronic signature on any electronic record knowing that such person by reason of unsoundness of mind or intoxication cannot, or that by reason of deception practiced upon him, he does not know the contents of the document or electronic record or the nature of the alteration.
Section 336. Forgery
(1) Whoever makes any false document or false electronic record or part of a document or electronic record, with intent to cause damage or injury, to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery.
(2) Whoever commits forgery shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both.
(3) Whoever commits forgery, intending that the document or electronic record forged shall be used for the purpose of cheating, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.
(4) Whoever commits forgery, intending that the document or electronic record forged shall harm the reputation of any party, or knowing that it is likely to be used for that purpose, shall be punished with imprisonment of either description for a term which may extend to three years, and shall also be liable to fine.
Section 340. Forged document or electronic record and using it as genuine
(1) A false document or electronic record made wholly or in part by forgery is designated a forged document or electronic record.
(2) Whoever fraudulently or dishonestly uses as genuine any document or electronic record which he knows or has reason to believe to be a forged document or electronic record, shall be punished in the same manner as if he had forged such document or electronic record.
Section 344. Falsification of accounts
Whoever, being a clerk, officer or servant, or employed or acting in the capacity of a clerk, officer or servant, wilfully, and with intent to defraud, destroys, alters, mutilates or falsifies any book, electronic record, paper, writing, valuable security or account which belongs to or is in the possession of his employer, or has been received by him for or on behalf of his employer, or wilfully, and with intent to defraud, makes or abets the making of any false entry in, or omits or alters or abets the omission or alteration of any material particular from or in, any such book, electronic record, paper, writing, valuable security or account, shall be punished with imprisonment of either description for a term which may extend to seven years, or with fine, or with both.
Recently, the Digital Personal Data Protection Act, 2023 was passed by the Indian Government, and it came into effect on September 1, 2023. This Act also aims to protect the personal data of Indian citizens. The Act proposed penalties for data privacy breaches, such as[4]:
- The Data Protection Board has the power to issue penalties of up to INR 250 crore.
- Data fiduciaries are liable to pay a penalty up to INR 250 crore for breach in observing the obligation of a data fiduciary to take reasonable security safeguards to prevent personal data breach.
- Breach in observance of the duties of a data principal. Non-compliance shall lead to a penalty of INR 10,000.
- Breach in observing the obligation to give the board or affected data principal notice of a personal data breach. Non-compliance in this case shall lead to a penalty of INR 200 crore.
- Breach in observance of additional obligations in relation to children. Non-compliance shall lead to a penalty of INR 200 crore.
- Breach in the observance of the additional obligations of a significant data fiduciary. Non-compliance shall lead to a penalty of INR 150 crore.
Cases on identity theft in India
CBI v. Arif Azim (Sony Sambandh case)[5]
A website called www.sony-sambandh.com enabled NRIs to send Sony products to their Indian friends and relatives after online payment for the same. In May 2002, someone logged into the website under the name of Barbara Campa and ordered a Sony Colour TV set along with a cordless telephone for one Arif Azim in Noida. She paid through her credit card and the said order was delivered to Arif Azim. However, the credit card agency informed the company that it was an unauthorized payment as the real owner denied any such purchase.
A complaint was therefore lodged with CBI and further, a case under Sections 418, 419, and 420 of the Indian Penal Code, 1860 was registered. The investigations concluded that Arif Azim while working at a call center in Noida, got access to the credit card details of Barbara Campa which he misused.
The Court convicted Arif Azim but being a young boy and a first-time convict, the Court’s approach was lenient towards him. The Court released the convicted person on probation for 1 year.
Pune Citibank Mphasis Call Center Fraud[6]
According to the case, in the year 2005 US $ 3,50,000 were dishonestly transferred from the Citibank accounts of four US customers through the internet to a few bogus accounts. The employees gained the confidence of the customers and obtained their PINs under the impression that they would be a helping hand to those customers in dealing with difficult situations. They were not decoding encrypted software or breaking through firewalls; instead, they identified loopholes in the MphasiS system.
The Court observed that the accused in this case are ex-employees of the MphasiS call center. The employees there are checked whenever they enter or exit. Therefore, it is clear that the employees must have memorized the numbers. The service that was used to transfer the funds was SWIFT, i.e. the Society for Worldwide Interbank Financial Telecommunication. The crime was committed using unauthorized access to the electronic accounts of the customers. Therefore this case falls within the domain of ‘cyber crimes’. The IT Act is broad enough to accommodate these aspects of crimes, and any offense under the IPC committed with the use of electronic documents can be put at the same level as crimes with written documents.
Further, the court held that section 43(a) of the IT Act, 2000 is applicable because of the nature of the unauthorized access involved in committing the transactions. The accused were also charged under section 66 of the IT Act, 2000 and sections 420 (i.e. cheating), 465, 467 and 471 of the Indian Penal Code, 1860.
Challenges for law enforcement agencies
- Though there are various laws, a lack of proper knowledge of the significant changes that occur in the forms of identity theft creates the first and foremost challenge for law enforcement agencies.
- Secondly, lack of awareness among the public on the ways in which identity theft is committed is also a major challenge.
- Lack of technological advancement to identify the manners in which identity theft is committed is also a major challenge.
- Delay in identifying and reporting identity theft cases also creates challenges for the investigating agencies in carrying out their investigations.
Suggestions
- Firstly, people should be made aware of identity theft and of steps such as monitoring their accounts, changing the passwords of their credit cards, and reporting online frauds to the authorized agencies, such as the bank and the police, if it happens to them.
- Secondly, the Government should regularly review its cyber laws so that if any amendment is required it can be made immediately. When making laws, the Government should discuss the problems of identity theft and other cyber crime with technical cyber experts.
- Next, bank officials should also be properly trained so that they can identify financial frauds in customer accounts.
- Various international conferences should be organized where methods to tackle online identity theft and other issues are discussed, so that developing countries which lack the technology to identify these cyber crimes can seek help from developed countries where technologies are much more advanced.
Conclusion
From the above discussion on the problem of identity theft and the legal provisions in the Acts recently introduced by the Government, we can conclude that the Government is undertaking various efforts to resolve the problem of identity theft, but investigating agencies still face a lot of problems due to a lack of technical advancement.
So, there is a need for collective efforts from the Government and all other responsible technical experts. People can definitely bring change and resolve the problem of identity theft effectively. Hence, all of us should be ready to learn the ways in which identity theft is committed and take the responsibility to spread awareness among other people about the issues of identity theft and the steps we can take to secure our data from identity thieves.
References
- Margaret C. Jasper, Identity Theft and How to Protect Yourself (Legal Almanac Series), second edition, (2007), Oceana Publications.
- https://secureprivacy.ai/blog/india-digital-personal-data-protection-act-2023-guide-protected-data
[1] Section 66C of Information Technology Act, 2000
[2] Section 77A of Information Technology Act, 2000
[3] Section 335, 336, 340 and 344 of Bhartiya Nyaya Samhita, 2023
[4] Section 33 of Digital Personal Data Protection Act, 2023
[5] https://www.indiancybersecurity.com/case_study_sony_sambandh_case.php
[6] https://bnwjournal.com/2020/07/17/pune-citibank-mphasis-call-center-fraud/
Author: Chitra Shukla, Advocate at Tirupati District Court of Andhra Pradesh