In what is India’s first adjudication of a phishing case, ICICI Bank was recently directed to pay Rs1.28 million (US$27,500) to a client. This covers both the amount that was withdrawn from the client’s account and costs incurred by him in his effort to get the money back.
Delivering judgment in Umashankar Sivasubramanian v Branch Manager, ICICI Bank & Ors, under the Cyber Regulations Appellate Tribunal Rules, 2000, the adjudicating officer for the government of Tamil Nadu, PWC Davidar, said ICICI Bank appeared to have “washed its hands off the customer”. He added that “the bank had failed to establish that due diligence was exercised to prevent the contravention of the nature of unauthorized access as laid out in section 43 of the Information Technology Act of 2000”.
In its defence the bank said Sivasubramanian had negligently disclosed his password and so had fallen prey to the phishing fraud.
The judgment is probably a first for cases filed under the Information Technology Act. Although the bank may appeal, for now it is the law of the land and will bring hope to victims of phishing.
The update of court judgments is compiled by Bhasin & Co, Advocates, a corporate law firm based in New Delhi. The authors can be contacted at [email protected] or [email protected]. Readers should not act on the basis of this information without seeking professional legal advice.