Credit Card Fraud and IT Act data protection laws

Needed: a facelift for cyber laws

The absence of legislation governing credit card fraud and data protection, as well as a lack of clarity in applying cyber laws are problems faced by Indian companies, says Sushma Naik

Industry sources estimate that the Indian e-commerce (B2C) segment is worth about Rs 150 crore. To encourage the smooth functioning of this segment, the IT Act 2000 plays a vital role. Unfortunately, somebody forgot to implement it.

Concerns not addressed

Credit card fraud is still not covered under the IT Act, so one has to approach the
crime branch Vishwas Patel Chief Executive Officer, Avenues

We are not aware about the procedures for dealing with cyber crime, though one is familiar with work done by cyber labs. K Vaitheeswaran, Chief Operating Officer, Fabmall

Data protection guidelines, protection from spam, and credit card fraud are absent in the Indian cyber law. Most Indian companies have compliance standards to meet. With the recent credit card fraud perpetrated by Msource employees, a lot of certification-oriented processes have come under scrutiny. Issues of privacy need to be addressed through data protection laws. Says Vishwas Patel, CEO, Avenues, a payment gateway provider for credit cards, “Credit card fraud is still not covered under the IT Act, so one has to approach the crime branch.” This defeats the purpose as the crime branch isn’t IT-savvy.

The law (or the lack of it) has crippled enforcement agencies. The Internet and Online Association interacts with the IT ministry to provide feedback vis-à-vis changes that are urgently needed in the IT Act. Even Nasscom is advocating the case for a stronger, enforceable IT Act.

Banks also are affected considering their thrust on Internet banking. According to RBI guidelines, Indian banks and the RBI have to gear up and meet Basel II norms by end-2006. The actual implementation is scheduled for April 2007. One of the key aspects in this implementation will be to provide greater risk assessment by banks’ internal systems as inputs to capital calculations. It also details a set of minimum requirements that should ensure the integrity of these internal risk assessments.

In making the risk assessment based on the probability of losses arising from cyber crimes, it will be necessary to look for appropriate insurance coverage. However, the insurance premium has to depend on the level of cyber law compliance that organisations undertake, as evidenced by documented evidence of a cyber law compliance audit. In case cyber crime risks are not properly covered and the existing fraud risk insurance fails to cover for the lack of due diligence, risk turns into ‘uncovered exposure’ under the Basel II norms, and therefore require higher capital provision. It is therefore time for banks working on Basel II compliance to simultaneously undertake cyber law compliance audits of their systems.
Pointers for change

* More safeguards and stringent measures for protecting software copyrights and patents
* Penalties for cyber crimes to be made more stringent
* The liability and accountability of ISPs has to be clearly defined
* The Indian cyber law should be brought on par with cyber laws in countries that have comprehensive legislation in this regard
* India should be a signatory to international bodies such as the Information Society of Geneva so that fraudsters can be caught
* There should be a national ethical committee (which they have in Norway) that has the power to engage in summary hearings. This will do away with long, drawn-out court cases especially in the case of smaller crimes
* Data protection laws must come under the ambit of cyber laws
* At present, credit card frauds come under the criminal code as fraud; these should be included in the IT Act
* The IT Ministry should be in a position to make minor alterations to the Act without requiring parliamentary approval
* The provisions of the Criminal Procedure Code should not be blindly applied to the Internet without taking into account its different nature and characteristics

Awareness needed

Says K Vaitheeswaran, Chief Operating Officer of Fabmall, “We are not aware about the procedures for dealing with cyber crime, though one is vaguely familiar with work done by the cyber labs.” Vaitheeswaran’s concern shows an urgent need for the police to step up their resolve to tackle cyber crimes, which affects e-businesses. E-commerce companies also feel that the cyber crime cell should be actively involved in promoting the Internet as a safe medium for trade.

One might argue that the Internet as a medium of trade in India has not yet evolved to the extent that it has in the US or Britain. However, with a few changes, the cyber law might just turn out to be the force behind Indian e-commerce.

sushma@expresscomputeronline.com