Tuesday, March 4, 2008

SUPERIORS CAN BE PULLED UP FOR STAFF'S ILLEGAL ACTIVITIES

Chandu Gopalakrishnan
The Economic Times

Miffed because your firm keeps a tab on your online activities? The company has valid reasons for that. The law holds your boss responsible for your misdeeds and mistakes, even unintentional ones, that cause loss for your firm’s clients. Lawyers call it ‘vicarious liability’.

Employees being nabbed for using office networks for illegal activities is nothing new. But when it is done from office computers, the employer company can face punitive action.

“Section 85 of the Information Technology Act makes the company and its directors and officers in charge of business liable for any cyber crimes committed with the company’s computer resource,” says Na Vijayashankar, a Bangalore-based e-business consultant and cyber law expert.

Vicarious liability is a form of secondary (indirect) liability that also pins responsibility on superiors for the acts committed by their subordinates.

Remember the famous baazee.com case? CDs of a lewd MMS featuring two students from a Delhi public school were put up for auction on the website by an IIT student. The auction website's CEO, Avnish Bajaj, was summoned and later arrested after it was established that the CDs were sold through the website.

Apart from Section 85, he also had to face charges under Section 67 of the Information Technology Act (transmission of obscene material through electronic media). In this case, Bajaj had neither a role nor any knowledge of the online auction of the CDs done by the IIT student.

The boy had passed on his ware like any personal commodity that was auctioned by several customers of the website. The company failed to detect it, and they had to face legal action. When the cyber crime is committed from within the company premises using its network, the legal liability of the employer becomes greater.

However, as in any section of the law, there are saving clauses. Firstly, the employer should have no knowledge about the crime. Secondly, they should have exercised due diligence.

“In most cases, we can presume that the company was ignorant, thereby satisfying the first clause. But the second clause expects that the company was not ‘negligent’. This is subject to interpretation based on the circumstances of the case,” says Vijayashankar. “In the baazee.com case, the CEO was arrested on the charge of such vicarious liability and we need to see a valid defence from the company of its due diligence,” he adds.

Going by the law, the CEO or director coming under the scanner is a “collateral damage,” says Capt Raghu Raman, CEO of Mahindra Special Services Group, the Mahindra group arm that specialises in corporate information security management and consulting.

“But putting the blame on a company for the trouble caused by misuse of its network is like holding Sunil Mittal responsible for someone using an Airtel mobile connection for terrorism activities. The legal liability over the company depends on how they have prepared themselves,” he adds.

“First, the firm has to define what is acceptable and what is not regarding the usage of office networks and resources. Then they have to prove that they have trained the employees in using the network. Finally, they have to make sure that they carry out regular assessment of employee activities,” he elaborates.

“For instance, a company gives laptops to its employees, and doesn’t want its employees to use pornography in it. First, they have to define what pornography is. Second, they should make the employee aware of the definition and the repercussions they’ll face on violation. Finally, they should check the laptops from time to time. Thereby, they’ll be clear of the blame, because they had done their job.”

The lack of proper auditing of employee activities is most clearly seen in online financial transactions these days, says Vijayashankar. “In a recent fraud case concerning an Indian online share trader, brought to media attention by the Online Investors Association, a manager had committed a misappropriation and the security mechanism set up by the company failed to spot and prevent it, which went on for a long time,” he adds. “There was perhaps a lack of branch inspection and information security, which can be held as ‘lack of due diligence’.”

Keeping a tab on employees does not mean that the firm should play big brother, says Capt Raman. “But the firm cannot claim to be ignorant of any misdeed that invites legal liability unless they carry out timely audit,” he says.

With a move to amend the Information Technology Act going on, unconfirmed reports say that many in the IT sector are lobbying to cut the provision of vicarious liability from the Act. When the baazee.com CEO was arrested, the then NASSCOM president Kiran Karnik had vehemently criticised the move. “If it is because of the wording in the IT Act that such a thing can happen, then we surely need to amend the Act,” he had told reporters when asked about the need for an amendment to the Act.

 
