TDSAT | IDBI Bank found guilty of violation of S. 43-A IT Act; held, corporate entity dealing with personal sensitive information/data has obligation without any exception

Telecom Disputes Settlement and Appellate Tribunal (TDSAT): The Coram of Justice Shiva Kirti Singh (Chairperson) and A.K. Bhargava (Member) while disallowing this Cyber Appeal directed the appellant to pay Rs 1 lakh to the respondent within 30 days from the date of the order pronounced.

In this instant matter, respondent/complainant operated savings bank account with the appellant. The respondent lost about Rs 81,700 due to unauthorized transaction after he had clicked a link provided in an e-mail alleged to have been sent by the appellant bank. The respondent provided confidential information through that link. Thereafter, the respondent filed a complaint whereby which the appellant froze two accounts in its bank. By this time, the money had already been withdrawn from these two accounts. Pursuant to this, an internal inquiry was held and afterwards a formal police complaint was lodged by the appellant.

Not satisfied with the recourse taken by the appellant, the respondent filed a complaint before the Adjudicating Officer. The Adjudicating Officer awarded total compensation of Rs 1 lakh to the respondent. Aggrieved by the order of the Adjudicating Officer, the appellant preferred this instant appeal.

Sumnesh Kumar, Counsel for the appellant submitted that the Adjudicating Officer failed to consider the gross negligence of the respondent. The appellant had taken all possible steps to ensure that no untoward incident like this happens. Appellant claims to have educated its customers on phishing through emails/phones, etc.

Adjudicating Officer relied upon Section 43 read with Section 85 of the IT Act, 2000. Section 43 provides for compensation. Section 43-A deals with Compensation for failure to protect data.

The Court observed that some phishing frauds may be beyond the control of concerned banks. But, the domain name in the alleged e-mail which led the respondent to divulge all his details was idbi.co.in which is one of the registered domain names of the appellant Bank. This could be security lapse or done through connivance. It was further observed that while the appellant failed to provide reasonable security to avert such communication bearing its domain name, it merely passed on the onus to the respondent for being negligent. The Court in agreement with the Adjudicating Officer found the appellant guilty and liable for the violation of Section 43 read with Section 85. In addition to this, the appellant was also found to be guilty of the violation of Section 43-A since it was found that the appellant was negligent in implementing a robust security system.

Moreover, the Court pointed out a similar case of Umashankar Sivasubramanian v. ICICI Bank, Civil Jurisdiction Petition No. 2462 of 2018 having the same decision.[IDBI Bank v. Sudhir S. Dhupia, 2019 SCC OnLine TDSAT 226, decided on 13-08-2019]

Join the discussion

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.