The West Bengal Cyber Adjudicating Officer recently directed Vodafone Idea (Vi) to pay Rs2.75 crore to United Hotels and Properties Pvt Ltd as compensation for financial loss sustained due to negligence on the part of Vi (Dilip Kr Jaiswal v Vodafone Idea Ltd and Anr.).
The adjudicating authority concluded that Vi processed a SIM change request without exercising due diligence.
"There was no attempt to confirm with the original owner of the SIM and number about the request for SIM change, except for an SMS allowing only a 30-minute window," the order dated June 19 stated.
As per the petitioners, in February 2023, they received a text message on their business-allocated phone number stating that their SIM replacement would be processes in 30 minutes. Consequently, the SIM stopped functioning.
Since the request was not made by the business or any of its employees, a complaint was registered, leading to the issuance of a duplicate SIM with the same number.
In March 2023, a similar message was received on the number, leading to deactivation once more. However, this time, the business refused to accept a duplicate SIM and chose not to use the number anymore.
A couple of days later, the accounts team of the business found that a fraudulent transaction of roughly Rs70 lakh had taken place. Subsequently, the business froze its accounts.
Subsequently, complaints were filed with the Cyber Crime and Economic Offences Wing at Vani Vihar, a police station and with the Joint Commissioner (Crime), Kolkata Police.
During a review of the bank account, the petitioners discovered that in addition to Rs70 lakh, a sum of about Rs2.63 crore was fraudulently transferred as well. This led to another complaint.
Pursuant to the complaints, about Rs59 lakh was recovered from the transaction of Rs70 lakh.
The adjudicating authority observed that the transactions could not have been authenticated without OTPs received on the registered mobile number.
From the facts on record, the authority noted that a request for a new SIM card was made through email by an impostor named Mohammed Ashfaque. It observed that Mohammed Ashfaque was neither an authorised signatory nor a representative of the petitioners.
The authority concluded that Vi processed the request without exercising due diligence. It noted that there was no attempt to confirm with the original owner of the SIM and number about the request for SIM change, except the text message allowing only a 30-minute window.
It further highlighted that as per instructions issued by the Department of Telecommunications for swapping/replacement/upgradation of SIM cards, proof of identity documents submitted must match the documents available on record with the service provider.
Further, the authority noted that Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules provides certain stipulations to ensure that a corporate body is following reasonable security practices and procedures to protect sensitive and personal data.
It observed that there was no cogent evidence to indicate such compliance by Vi.
""It must have been apparent to Respondent No. 1 (Vi), on the face of request for change of SIM Card that the email id and name of the person do not match the subscriber identity details of the current owner of the phone number xxxxxxxxxx," the authority observed.
The authority also found violation of Rule 3 of Information Technology (Intermediaries Guidelines) Rules and determined that failure by Vi to discharge obligations under IT Act resulted in wrongful loss to the complainant. Hence, it determined that Vi was liable to pay compensation under the Act.
Since the petitioners had suffered a total loss of Rs3,33,64,284 out of which Rs59,01,000 had been recovered, the authority directed Vi to pay the remaining amount, Rs2,74,63,284 as compensation.