Delhi-based Sanjay Luthra often sits late in his office. While this marketing
executive, working with a financial services firm, spends most of this time on
genuine office work, he also surfs through pornographic sites and, often, goes
into sex-related chat rooms. A pretty common scenario in many of the country's
New Economy companies today. Luthra never dreamt his carnal peccadilloes in the
virtual world would one day land him in trouble, till he got a call from his MD
who gave him a stern warning that any such activity in the future would result
in instantaneous termination of his employment.
While Luthra was left pretty flabbergasted, little did he realize that his
action, and that of his other colleagues, could have put his MD, Agarwal, and
the organization's CIO, Bakshi, behind bars. And this is no exaggeration: the
fallout of the DPS MMS-Baazee-IIT Kharagpur imbroglio has left corporate India
on tenterhooks over the possibility of pornographic content residing on
their LANs. What makes the scenario worse is that there is no clarity amongst
most corporates about their legal obligations in this regard.
Need for due diligence
Legal eagles, however, assert that in the Indian scenario the corporate CEOs
responsible for maintaining any asset, whether IT or non IT, have certain legal
obligations. "But, this would apply as much to maintenance of a vehicle by a
company which may involve itself in an accident, or smuggling, or even for a
hoarding in a public place which falls off causing an injury, or a computer
network which facilitates offences," explains noted Chennai-based cyber law
specialist Na Vijayshankar, popularly known as Naavi.
Agrees Pavan Duggal, Supreme Court advocate and another cyber law luminary,
"Clearly, when a company provides Internet access to its employees over a
network, it is providing the service of Internet access to its employees and
would come within the ambit of the definition of a network service provider
under explanation to Section 79 of the Information Technology Act 2000."
The law also prescribes what is the extent of liability and under what
circumstances the "Vicarious Responsibility" of the corporate management
fructifies, and what are the remedies available to the corporate executives who
are indirectly a party in the crime, as asset owners. For example, in the IT Act
2000, both under Section 79 and Section 85, it is stated clearly that
"Intermediaries" and "Corporate Executives" shall not be responsible if they had
no knowledge of the crime and had exercised "Due Diligence". It seems
that this "Due Diligence" part is a gray area where adequate clarity is still
lacking. While the IT Act does not specifically define it, Naavi feels that
trying to define what is "Due Diligence" under a variety of contexts would be a
futile exercise, and will lead to more complications and loopholes. "Due
Diligence" is, therefore, left to emerge as an industry practice. Courts will
consider the facts of a case and determine, in any particular instance, if "Due
Diligence" was exercised or not. He also feels that most information asset
owners such as Baazee.com have not so far given sufficient thought to the cyber
law compliance requirements in their business processes and, hence, carry on
doing their business negligently, thus endangering the public. However, it
should be clarified that presence of pornographic content on LAN per se is not
an offence unless it leads to or is kept for the purpose of publishing,
distribution, promotion, or sale. Neither is mere surfing of pornographic sites
an offence under the IT Act unless it is accompanied by publishing or
transmission. Similarly, receiving porn mails either through spam or otherwise
is also not an offence.
However, in the context of a corporate network, the "Due Diligence" of the
network owner has to be determined based on the "efforts taken to prevent
offences". Lack of suitable measures to educate the employees of the dangers of
dealing with pornographic stuff and taking of some minimal steps in prevention
would amount to "negligence". Hence, if any offence takes place in the network,
as a consequence of such freedom, vicarious responsibility should rest with the
company.
In the case of employees receiving porn via mail from outside, the employer could
be made liable if it is shown that he had not exercised "Due
Diligence" to prevent such pornographic material from coming on to his LAN.
Duggal feels there is a need for having appropriate filters in place, as also
appropriate periodical checkups, to ensure that the LAN does not have
pornographic material, all these being part of good corporate practices that we
should have in place, which contribute towards establishment of the proof of all
"Due Diligence" exercised by the company. It might not appeal to logic that the
CEO/CIO could provoke legal action against employees like Luthra, even in the
event of spam coming to the employees. However, if the employees do not delete
the said pornographic material and continue to save them into the hard disks of
their respective computers, and regularly access them, then that would become
sufficient ground for taking disciplinary action against such employees.
The corporate response
A part of corporate India too seems to have woken up to its responsibilities
and is taking adequate measures. Arun Gupta, CIO of Pfizer India informs that
his company has stringent policies on pornography. Each employee signs an
agreement at the time of joining the company outlining his use of the
office-computing infrastructure for official purposes; it provides the list of
inclusions and exclusions. Pornographic content is strictly forbidden and the
policy allows for content filtering as well as monitoring. All suspect websites
are blocked, and downloaded content is subject to scrutiny. Email filtering
solutions reduce the instances of such content coming through the mail.
Every day, at the time of logging into the network, a disclaimer is flashed on
each screen advising all employees and contractors of the salient points of this
policy, and it has to be accepted to complete a successful login. In the event
of any employee found in violation, the reprimand is swift and can result in
termination of the employee.
Mani Mulki, CIO, Godrej Soaps, agrees with Gupta and informs that his
organization too has taken adequate measures. While he is aware of his legal
liabilities, he has already put a Checkpoint firewall in place, besides monitoring
surfing of pornographic sites. Not all employees are given Internet access
unless business requirements demand it. Both Pfizer and Godrej, and,
increasingly, many other corporates today, have policy-based restricted access
to certain offending websites, and this list is actively managed. Spam filters
also aid in managing email-based propagation of such messages. The management of
these is usually outsourced to specialist companies. Use of instant messengers
is also not allowed on many corporate networks and such usage is actively
monitored and discouraged. A few like Godrej use their own internal messenger
for intra-office communication but that is not extended to entities outside.
Despite such assurances from the corporate side, Naavi feels that many
companies today display a bit of arrogance. Comments such as "Indian Law is
foolish", "Who are you to advocate moral policing" and "Let us have freedom of
surfing" are often heard from industry people. "I suspect that such
statements indicate a level of arrogance and disrespect to law and may provoke
judiciary to accord stringent punishments, in certain cases, if such behavior is
exhibited in the course of the judicial process," he adds.
Source: Rajneesh De for Dataquest