New penalties inadequate to control identity theft

By Priti Suri and Ashutosh Chandola, PSA, Legal Counsellors

With the advent of the internet, a new environment became available for communication and commerce. Unfortunately, this environment also swiftly gave rise to several new species of offences of which identity theft has emerged as one of the worst. As the name suggests, the offence involves stealing the identity of another person and making use of it for wrongful gain.

However, the term “identity theft” has not been defined under the recently amended Information Technology Act, 2000, or under the Indian Penal Code (IPC), 1860. The Department of Justice of the United States (the country with the largest number of reported incidences) defines identity theft as wrongfully obtaining and using another person’s personal data in some way that involves fraud or deception, typically for economic gain. In India, identity theft can range from credit card fraud to fraudulently using another person’s PAN card number, election card number, bank account details and e-mail passwords.

Priti Suri Proprietor PSA Legal Counsellors
Priti Suri
Legal Counsellors

Identity theft concerns

The business process outsourcing (BPO) sector in India is particularly susceptible to identity theft. There has been concern over the integrity of operations outsourced to India, especially those that involve sensitive personal or financial data. Increasingly frequent instances of credit card fraud by BPO employees in the early 2000s revealed the inadequacies of the IT Act.

In the absence of suitable provisions within the IT Act, two highly publicized cases (Arif Azim in 2002 and Mphasis in 2006) were pursued under the IPC leading to convictions. In these cases, BPO employees had fraudulently transferred funds from offshore clients of the BPO. The total sum of money involved was approximately US$400,000.

The various Indian enforcement agencies began to discuss the need for provisions under the IT Act to deal specifically with identity theft. A report on cyber fraud by the Indian Computer Emergency Response Team 2009 revealed that 85% of identity theft cases pertain to bank websites and 15% to e-commerce websites. This clearly shows that perpetrators target websites where individuals are likely to disclose sensitive financial information.

In line with the above discussions, the IT Act was recently amended to include section 66C, which makes identity theft a punishable offence.

Provisions and inadequacies

Section 66C provides that a person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person will be liable for imprisonment for up to three years and a fine of up to Rs100,000 (US$2,000).

Notably, mens rea is a key requirement for constituting an offence under this provision. Also, the potential term of imprisonment for identity theft is similar to that for the offences of “theft” and “cheating by personation” under the IPC. However, the IT Act caps the fine at a meagre US$2,000 whereas the IPC provides no limit on the fine that may be imposed.

By this, the IT Act has effectively reduced the magnitude of the punishment for identity theft. It is difficult to imagine that this section will act as a deterrent facilitating data protection, as a perpetrator may have wrongfully gained millions by identity theft, his or her liability will be limited to US$ 200. It is unclear why an offence that has the potential to result in substantial gain for the offender has been treated so lightly. Further, in the absence of a definition of identify theft under the IT Act, it will be difficult for enforcement agencies to charge perpetrators with the offence in all cases.

As this is a recent provision and there is a lack of jurisprudence, it is difficult to predict the likely full impact of the extent of punishment provided, or the manner in which the judiciary may interpret the section.

Ashutosh Chandola Associate PSA Legal Counsellors
Ashutosh Chandola
Legal Counsellors

However, the legislature should consider the likely adverse consequences of the nominal fine imposed under Section 66C, and rectify it. Firstly, the low fine will have serious consequences for internet vendors which are liable to reverse transactions carried out with stolen credit card information and will not have adequate recourse against perpetrators.

Further, foreign firms need to be reassured that it is safe to deal with partners or vendors in India. A significantly higher fine would create some level of fear amongst perpetrators and give meaningful support to the BPO industry whose reputation and business relationships bear the brunt of damage when instances of identity theft occur.

However, the ability to impose even a substantial fine is not necessarily the best defence against the misuse of private and confidential data. There is a great and ongoing need for Indian firms to maintain internal control measures and ensure that the sensitive financial information of their clients is not misused.

Priti Suri is the proprietor of PSA where Ashutosh Chandola is an associate.



Legal Counsellors

14A & 14B Hansalaya, 15 Barakhamba Road

New Delhi – 110001, India

Tel: +91 11 4350 0500

Fax: +91 11 4350 0502