Hindu Business Line: THIRUVANANTHAPURAM: Thursday, August 24, 2017.
At a time when threats to data security have taken centre-stage, a public sector bank has been faulted for ‘causing harassment’ to a customer whose net banking credentials were compromised through no fault of his.
Acting on a complaint from Balaji Srinivasan, a Hyderabad-based software engineer, the Central Information Commission (CIC) chastised respondent Indian Bank for dragging its feet in the case, and awarded a token compensation to the appellant.
‘Serious breach’
The personal credentials of the appellant’s net banking account were found compromised on December 6, 2014, with the name, address, PAN and mobile number having been affected.
These details were replaced with zeroes and cross signs. The breach was so serious that the net banking platform failed to display the two secret questions pre-set as security keys and required him to reset the security keys by generating an OTP.
Since he did not get satisfactory responses from the bank regarding the breach, Srinivasan took recourse to an RTI application dated July 7, 2015, but to no avail.
The bank later admitted to changes in the net banking profile of the appellant’s account and claimed that the problem had occurred in the course of migration of data to the Core Banking System (CBS) and that the mistake had subsequently been rectified.
Srinivasan stated to the CIC that the issue raised by him is a matter of larger public interest concerning the security of customer accounts in various banks, a view the CIC agreed with.
The submission that the mistake occurred during migration of data and that it has been rectified does not answer the queries of the appellant, the CIC noted in its final order dated July 28, 2017.
It asked the bank to either provide the specific information sought by the appellant through his RTI applications or file a sworn affidavit, explaining in detail the reason(s) underlying the security breach.
The bank stated that it will file a sworn affidavit. The CIC directed it to do so, with a copy to the appellant, within 15 days of the receipt of its order, and to keep the CIC posted.
Token compensation
The affidavit should indicate the date on which the changes were made to the appellant’s account and the date on which the mistake was rectified. The CIC expects the respondents to give a reply that explains the factors underlying the mistake, rather than taking shelter behind a general submission, such as problems connected with the migration of data to CBS.
It also noted that the appellant had not only suffered harassment, but also did not get a satisfactory reply from the bank to his queries.
“It is difficult to compensate an appellant for such harassment in monetary terms. However, by virtue of the power vested in us under Section 19 (8) (b) of the RTI Act, we direct the bank to pay a token compensation of ₹5,000 to the appellant. It should ensure that this is done within 10 days of the receipt of its order, under intimation to the CIC.”