Phishing attacks are a common risk in today’s Internet-based banking. Banks have largely been bulldozing customers into believing that the liability for Phishing should be borne by the customers because they were negligent in responding to the Phishing mail.

However, the legal position can be different. Phishing is a result of multiple contraventions of ITA 2000, particularly after the amendments of 2008. It results in wrongful loss to the customer. The contravention therefore attracts the provisions of Section 43 for adjudication.

Already, several complaints have been registered against Banks under Sections 66 and 66A of ITA 2000/ITA 2008 in Bangalore, Chennai and Hyderabad.

The Banks are basically being held liable under the age-old Banking law that “Forgery cannot be held against the customer, however clever or undetectable the forgery is”.

In this connection we may refer to the Supreme Court decision in Canara Bank Vs Canara Sales Corporation (AIR 1987 SC 1603 II), in which the Supreme Court held that a bank can escape liability only if it could establish that the client knew of the forgery.

This principle has been used time and again in banking cases such as the following.

a) Citizen Co-operative Bank Ltd Vs Ritesh Mittal, 2004 CTJ 211 (Jammu and Kashmir High Court)

b) N. Venkanna Vs Andhra Bank, National Disputes Redressal Commission, 11th January, 2005

c) Bhagwandas Vs Creet (1903) 31, Cal. 249

d) L. Pirbhu Dayal Vs Jwala Bank, AIR 1958 All. 374

e) Dawood Vs Firm Pereinan Chetty, AIR 1924 Rang. 264

The fact that using the stolen password of the customer amounts to forgery and unauthorized access needs no special explanation. Hence in all Phishing cases, Banks are liable.

Additionally, Banks are ignoring the law of the land, as laid down in ITA 2000 as well as the Internet Guidelines of RBI, by not using digital signatures for authentication of Internet transactions. This renders them negligent (lack of due diligence) under Sections 79 and 85, making them liable for any offence attributable to a computer belonging to the Bank.

This principle has also been followed by the German court Amtsgericht Wiesloch (Az4C57/08). Danish law also provides that banks are required to compensate private account holders for everything but a 1200 kroner deduction if their accounts are hacked. Recently, a new provision has extended the same guarantee to small businesses, which is expected to cover 90 percent of the country’s companies.

In the light of the above, it is heartening to note that Bank of India has set a precedent by accepting liability for Phishing in one of the cases filed in Bangalore and repaying the amount along with interest to the customer who was a victim of a Phishing fraud. In this case, the Banking Ombudsman also directed the Bank to make the payment and the Bank obliged.

We appreciate the attitude of Bank of India and hope they will follow up the decision by hardening security with the introduction of digital signatures as a means of authentication of Internet transactions.


