Duties of Subscribers & Penalties, Compensation & Adjudication

Section 40. Generating key pair.

  • Once a Digital Signature Certificate is accepted by the subscriber & the certificate contains a public key that corresponds to the subscriber’s private key, then:

    1. The subscriber himself must generate that key pair.

    2. The key pair must be generated by following the prescribed security procedure.

Section 40A. Duties of subscriber of Electronic Signature Certificate.

  • A subscriber has certain responsibilities regarding an Electronic Signature Certificate.

    1. For an Electronic Signature Certificate, the subscriber must carry out specific duties.

    2. These duties are not fixed in the Act itself, but will be prescribed through rules made under the Act.

Section 41. Acceptance of Digital Signature Certificate.

41(1).

  • A subscriber is considered to have accepted a Digital Signature Certificate if he:

    1. (a). Publishes it, or allows it to be published, to one or more persons.

    2. (b). Publishes it, or authorises its publication, in a repository.

    3. (c). Shows approval in any other way, even if it is not formal publication.

41(2).

  • By accepting the Digital Signature Certificate, the subscriber makes a declaration to everyone who reasonably relies on that certificate, that:

  • The following statements and assurances listed are true and trustworthy:

  • (a).

    1. The subscriber gives an assurance about ownership and authority over the key.

    2. The subscriber possesses the private key.

    3. This private key matches the public key mentioned in the Digital Signature Certificate.

    4. The subscriber is legally entitled to hold and use that private key.

  • (b).

    1. The subscriber confirms the truth of all information given for the certificate.

    2. All statements and details provided by the subscriber to the Certifying Authority are correct.

    3. Every important fact related to the certificate has been truthfully disclosed.

    4. Nothing relevant has been misstated or hidden.

  • (c).

    1. The subscriber confirms the accuracy of the certificate details to the extent of their knowledge.

    2. Every detail in the Digital Signature Certificate that the subscriber is aware of is true and correct.

Section 42. Control of private key.

42(1).

  • Every subscriber must take reasonable care to keep control over their private key.

  • The private key must correspond to the public key mentioned in the Digital Signature Certificate.

  • The subscriber must take all necessary steps to prevent the private key from being disclosed or misused.

42(2).

  • If the private key linked to the Digital Signature Certificate is compromised (for example: lost, stolen, or accessed by someone else):

  • The subscriber must inform the Certifying Authority immediately, without delay.

  • The information must be given in the manner prescribed by the regulations.

Explanation:

  • The law makes it clear that there should be no confusion on this point.

  • The subscriber remains responsible and liable for the use of the private key.

  • This liability continues until the subscriber informs the Certifying Authority that the private key has been compromised.

Section 43. Penalty and compensation for damage to computer, computer system.

  • Unauthorised acts involving computers.

  • When a person acts without permission from the owner or any other person who is lawfully in charge of the computer, computer system, or computer network.

  • The following unauthorised actions will attract legal consequences:

  • (a).

    1. A person enters, uses, or gains entry into a computer, computer system, computer network, or computer resource without permission.

  • (b).

    1. A person takes data without permission from a computer or related system.

    2. The person downloads, copies, or extracts data or information.

    3. This data may be from a computer, a computer system & computer network.

    4. It also includes data stored on removable storage devices like pen drives, hard disks, CDs, etc.

    5. All of this is done without the permission of the owner or the person in charge.

  • (c).

    1. The person introduces or causes the introduction of a computer contaminant or virus.

    2. This may be into a computer, computer system, or computer network.

    3. The act is done without authorisation from the owner or the person in charge.

  • (d).

    1. The person damages or causes damage to a computer, a computer system, or a computer network.

    2. The damage may also be to data, computer databases, or software and other programs stored in the system.

    3. The act is done without authorisation.

  • (e).

    1. A person interferes with or interrupts the normal functioning of a computer or digital system without permission.

    2. The person disrupts or causes disruption.

    3. The disruption may affect a computer, a computer system, or a computer network.

    4. The act is done without authorisation.

  • (f).

    1. The person blocks or prevents authorised users from accessing a computer or network.

    2. The person denies access, or causes access to be denied.

    3. The access is denied to someone who is legally authorised.

    4. The denial may be done by any method.

    5. It relates to a computer, computer system, or computer network.

  • (g).

    1. A person helps someone else gain illegal access to a computer system.

    2. The person gives assistance or help.

    3. The help is given to another person.

    4. The purpose of the help is to enable access to a computer, computer system, or computer network.

    5. Such access is in violation of the Act or the rules and regulations made under it.

  • (h).

    1. A person fraudulently shifts service charges to someone else’s account.

    2. The person manipulates or tampers with a computer, computer system, or computer network.

    3. By doing so, they charge the cost of services used by one person to the account of another person, without authorisation.

  • (i).

    1. The person destroys, deletes, or changes information stored in a computer resource.

    2. Even if the information is not fully destroyed, the act may reduce its value, reduce its usefulness, or otherwise harm it.

    3. This harm can be caused by any method.

  • (j).

    1. A person intentionally interferes with computer source code to cause harm.

    2. The person steals, hides, destroys, or alters computer source code or causes someone else to do any of these acts.

    3. The source code must be used for a computer resource.

    4. The act is done with the intention to cause damage.

    5. The person who commits such acts must compensate the victim.

      1. The person is legally liable.

      2. The compensation is paid to the person who has been affected or harmed by the act.

  • (i).

    1. Computer contaminant means any set of computer instructions designed:

      1. (a). To modify, destroy, record, or transmit any data or program stored in a computer, computer system, or computer network.

      2. (b). To interfere with or take over the normal functioning of a computer, computer system, or computer network.

  • (ii).

    1. Computer data-base means a structured collection of information that:

      1. Represents information, knowledge, facts, concepts, or instructions.

      2. May exist in text, image, audio, or video form.

      3. Is prepared in an organised or formal manner, or is generated by a computer, computer system, or computer network.

      4. Is intended to be used in a computer, computer system, or computer network.

  • (iii).

    1. Computer virus means any computer instruction, data, information, or programme that:

      1. Destroys, damages, degrades, or negatively affects the performance of a computer resource.

      2. Attaches itself to another computer resource.

      3. Operates or activates when a programme, data, or instruction is run, or when some other event occurs in that computer resource.

  • (iv).

    1. Damage means any act that harms a computer resource, including:

      1. Destroying it.

      2. Altering it.

      3. Deleting it.

      4. Adding to it.

      5. Modifying it.

      6. Rearranging it.

    2. by any method whatsoever.

  • (v).

    1. Computer source code means the set of instructions and materials used to create and run a computer resource, including:

      1. The program code or listings.

      2. Computer commands.

      3. The design and layout of the programme.

      4. The programme analysis.

    2. in any form.

Section 43A. Compensation for failure to protect data.

  • The provision applies to a body corporate. (Company, Firm, or Organisation).

  • This body corporate must be handling sensitive personal data or information.

  • The data should be stored in a computer resource that the body corporate owns, controls, or operates.

  • In such circumstances, the body corporate is negligent in:

    1. Putting proper security measures in place.

    2. Maintaining reasonable security practices and procedures.

  • And because of this negligence:

    1. Someone suffers wrongful loss.

    2. Someone else makes a wrongful gain.

  • In such a case, the body corporate becomes legally liable.

  • It must pay damages as compensation to the person who is affected.

Explanation:

  • For the purposes of this section:

  • (i). Body Corporate

    1. Body corporate means any company, and includes a firm, a sole proprietorship, or any other association of individuals.

    2. These entities should be engaged in commercial or professional activities.

  • (ii). Reasonable Security Practices & Procedures

  • These are security measures meant to protect information from:

    1. Unauthorised access.

    2. Damage.

    3. Misuse.

    4. Modification.

    5. Disclosure.

    6. Impairment.

  • Such security practices may be:

    1. Specified in an agreement between the parties.

    2. Laid down in any law that is currently in force.

  • If there is no agreement and no applicable law, then:

    1. The Central Government will prescribe what counts as reasonable security practices.

    2. This will be done in consultation with relevant professional bodies or associations.

  • (iii). Sensitive Personal Data & Information.

    1. The exact type of personal information covered will be decided by the Central Government.

      1. Certain personal information will be identified and specified.

      2. The Central Government will prescribe what counts as such personal information.

      3. While doing so, the Government will consult relevant professional bodies or associations.

      4. The Government will decide this as it considers appropriate.

Section 44. Penalty for failure to furnish information, return.

  • If someone has a legal obligation under this Act or its rules and regulations, the following consequences may apply if they fail to comply:

  • (a).

    1. If a person is legally required to submit a document, return, or report to the Controller or the Certifying Authority, and fails to submit it, then:

    2. That person becomes liable to a penalty.

    3. The penalty can be up to ₹1,50,000 for each failure.

  • (b).

    1. If a person is required by regulations to:

      1. File a return.

      2. Furnish information, books, or other documents, within a specified time & the person fails to do so within that time, then:

    2. The person becomes liable to a penalty.

    3. The penalty can be up to ₹5,000 for every day the failure continues.

  • (c).

    1. If a person is required by the Act or regulations to maintain books of account or records, and fails to maintain them, then:

    2. That person becomes liable to a penalty.

    3. The penalty can be up to ₹10,000 for each day the failure continues.

Section 45. Residuary penalty.

  • If a person violates any rule or regulation made under this Act, and no separate penalty is specifically provided for that violation, then the person becomes liable.

  • The liability can be:

    1. Compensation up to ₹25,000 payable to the person affected.

    2. A penalty up to ₹25,000.

Section 46. Power to adjudicate.

46(1).

  • In deciding whether a person has committed a contravention under this Act the following rules apply:

  • The contravention may be of: The Act or any rule, regulation, direction, or order made under it.

  • Such a contravention must be one that makes the person liable to pay a penalty or compensation.

  • The Central Government will appoint an adjudicating officer to adjudicate the matter.

  • The appointment 46(3).

  • The adjudicating officer must be:

    1. Not below the rank of Director to the Government of India.

    2. An equivalent officer of a State Government.

  • The adjudicating officer will conduct an inquiry in the manner prescribed by the Central Government.

46(1A).

  • The adjudicating officer appointed under 46(1) can decide cases where the claim for injury or damage is up to ₹5 crore.

  • If the claim for injury or damage exceeds ₹5 crore then the matter will be handled by the competent court, not the adjudicating officer.

46(2).

  • The adjudicating officer must first give the concerned person a reasonable opportunity to present their case.

  • An inquiry is then conducted.

  • If, after the inquiry, the officer is satisfied that a contravention has been committed then the officer may:

    1. Impose a penalty.

    2. Award compensation.

  • as the officer considers appropriate, but only in accordance with the provisions of the Act.

46(3).

  • A person cannot be appointed as an adjudicating officer arbitrarily.

  • The person must have relevant experience.

  • The required experience includes:

    1. Experience in the field of Information Technology.

    2. Legal or judicial experience.

  • The exact qualifications and experience will be prescribed by the Central Government.

46(4).

  • If the Central Government appoints more than one adjudicating officer it must issue an order.

  • That order will clearly specify:

    1. The types of matters each adjudicating officer will handle.

    2. The geographical areas (places) where each officer will have authority.

46(5).

  • Every adjudicating officer has the same powers as a civil court.

  • These powers are the ones granted to the Appellate Tribunal under Section 58(2).

  • This allows the adjudicating officer to effectively conduct inquiries and decide cases.

  • (a).

    1. All proceedings before the adjudicating officer are considered judicial proceedings.

    2. They fall within the meaning of Sections 193 and 228 of the Indian Penal Code.

    3. This implies that:

      1. Giving false evidence (Section 193 IPC).

      2. Insulting or interrupting the adjudicating officer (Section 228 IPC),

    4. can attract criminal liability.

  • (b).

  • The adjudicating officer is treated as a civil court for limited criminal procedure purposes.

    1. The adjudicating officer is deemed to be a civil court.

    2. This is only for the purposes of Sections 345 and 346 of the Code of Criminal Procedure, 1973.

    3. These sections relate to action for certain offences committed in the presence of the court, such as contempt or disturbance.

  • (c).

    1. The adjudicating officer is deemed to be a civil court.

    2. This is specifically for the purposes of Order XXI of the Civil Procedure Code, 1908.

    3. Order XXI deals with the execution of decrees and orders (For example: Recovery of money & Attachment of property.)

Section 47. Factors to be taken into account by the adjudicating officer.

  • When deciding the amount of compensation, the adjudicating officer must consider certain specific factors.

  • These factors are:

  • (a).

    1. The amount of unfair gain or advantage obtained because of the default, if it can be measured.

    2. If the wrongdoer benefited financially or otherwise, that gain must be taken into account.

  • (b).

    1. The amount of loss or harm suffered by any person due to the default.

    2. The actual damage caused to others is an important factor in fixing compensation.

  • (c).

    1. The repetitive nature of the default.

    2. If the same violation has been committed repeatedly, it might attract a higher compensation.
