Information Technology Security in Data Governance --
A View from the Lens of Corporate Governance

(By Dr.Lina Acca Mathew, Asst.Professor, Government Law College,  Ernakulam)

Introduction

Today India is in the midst of an information technology revolution. The Digital India Programme launched by the Indian Government is aimed at transforming the country into a digitally empowered society. The Smart Cities Mission is aimed at developing 100 smart cities in India. Ensuring the security of this digital ecosystem is a challenge. As evidenced in the multiple Aadhar data leaks, cyber attacks happen galore in the areas of privacy invasion, breach of cloud security, breach of e-commerce data, cyber warfare and exploitation of vulnerabilities in Operational Technology (OT) and the Internet of Things (IoT) systems. The Mirai Botnet attack, hackable cardiac devices from St.Jude Medical Hospital, and the Owlet WiFi baby heart monitor hack all signify the increase of such cyber-attacks with increased usage of IoT devices. It is necessary for both public and private business enterprises to secure themselves to defend against this new form of warfare. Without a clear cyber security program, an enterprise’s operations, reputation, financial condition and very existence can be substantially endangered.

A Report of the Uday Kotak Committee constituted by SEBI, released in October 2017, recommended several sweeping changes to be made with regard to corporate governance of listed companies in India such as board size and diversity, enhanced disclosure requirements, and investor protection improvement measures. The Committee recognized cyber security as a key priority in safeguarding rights of shareholders, for which the scope and periodicity of core board committees such as Audit, Risk, and Technology needs to be enhanced. It recommended that the role of a listed entity’s Risk Management Committee be legally mandated to include cyber security concerns. The Top 500 listed entities are duty-bound to constitute such Risk Management Committees. In addition, these listed entities ought to constitute Information Technology Committees to focus on digital and technology aspects in conjunction with the Risk Management Committee. Thereafter, on 9 May 2018, SEBI made suitable amendments to the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015. Although the Kotak Committee’s recommendations regarding the constitution of an Information Technology Committee were not accepted by SEBI, it can be seen as a wake-up call for the management to address cyber-security issues in operational risk profiles. The Companies Act 2013 envisages mechanisms to hold management liable for cyber security-linked breaches in companies, through spelling out fiduciary duties of directors and through class actions¹. Yet, there is need to go beyond data security and privacy issues to ensure that the handling of data within the organization and beyond it is done in a fair and ethical manner. Clearly defined principles and practiceswhich are clearly communicated can produce honest and appropriate behaviors, which will help to preserve consumer trust in the long run. Such an ethics-driven approach to Data Governance would encourage the appropriate use of the technology that generates, analyses and propagates data in accordance with data protection laws.²

Terminologies: Nature and Scope

Information Technology security involves, defining, achieving and maintaining confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability (ISO GMITS technical report).³ It is necessary for every organization to adopt a systematic approach in order to identify requirements for such security within it, implement these security measures and administer security compliance measures, called the process of management of Information Technology security. It is the Governing Board of every company that is responsible for ensuring the establishment and maintenance of a sound system of internal controls.⁴ Hence the Governing Board must take the overall responsibility for ensuring protection of the confidentiality, integrity and the availability of data in the business enterprise, and is accountable for loss, damage or theft of any such information. This makes it necessary that information security compliance documents be included in the corporate governance documents of the organization.

The internal controls for ensuring confidentiality, integrity and availability of information can be enforced through guidelines and baseline controls. Adequate orientation and training must be given in order for good governance of information security. Skilling and re-skilling measures are needed to create professionals to meet the growing demand. It is the Chief Information Security Officer (CISO) or Chief Security Officer (CSO) who plays a pivotal role in ensuring the cyber security of an organization. Such person must be a senior business manager who also has expertise in risk management and corporate governance.

The following are considered to be the core pillars of information security:

1. Confidentiality , which only allows access to data for which the user is permitted

2. Integrity, which ensures that data is not tampered or altered by unauthorized users

3.      Availability, which ensures that systems and data are available to authorized users when they need it.

Many ‘security by design principles’ are identified as beneficial when integrating security aspects into a system, like the Least Privilege Design Principle granting minimum user access rights to specific information and tools- like time based limits - for preventing potential damaging attacks from users, the Fail-Safe Defaults Design Principle allowing access to resources only if explicit access is granted to a user, the Economy of Mechanism Design Principle requiring systems to be designed as simple and small as possible; the Complete Mediation Design Principle requiring every access to every resource to be validated for authorization, the Open Design Principle requiring the non-dependence of the security of a system and its algorithms upon the secrecy of its design or implementation, the Separation Privilege Design Principle requiring all resource approved resource access attempts be granted based on more than a single condition, as when a user should be validated for active status and has access to the specific resource, the Least Common Mechanism Design Principle requiring non-sharing of mechanisms used to access resources, the Psychological Acceptability Design Principle requiring security mechanisms not to make resources more difficult to access than if the security mechanisms were not present, and the Defence in Depth Design Principle, whereby the layering of resource access authorization verification in a system is inculcated so that unauthorized users would need to circumvent each authorization attempt in order to gain access to a resource. Until now, the accepted legal framework for the Indian technology sector is the Information Technology Act, 2000. While it provides for norms for data collection and its usage, it doesn’t elaborate guidelines for data storage techniques, user consent as well as norms for data processing. Hence the Personal Data Protection Bill 2018, tabled for the winter session of Parliament, 2019, is of greatest importance. As per the recommendation of the Srikrishna Committee (2018), companies which process huge amounts of data may have to register themselves as significant data fiduciaries under the Data Protection Authority. This will increase compliance costs, including periodic company audits and the need for skilled privacy professionals and data protection specialists who are equipped to handle compliance requirements coming from various privacy regulations around the world.

Problems faced in organizations due to cyber security breaches:

The recent cyber security breach of the Kudankulam Nuclear Power Plant did not gain access to the Nuclear Power Plant Control System located in an air gap but gained access to the plant’s administrative network. This is a serious issue, as there are demonstrated novel ways to jump the air gap. A malware called DTrack is the culprit, and also aims at infiltrating banks, ATM machines and research centers.⁵ Whatsapp recently disclosed that that a cyber attack by the Pegasus spyware had attacked 1400 devices across twenty countries spanning four continents. This spyware can record any conversation made in nearby areas through the microphone or camera. It tracks live GPS location and keeps a log of any text message or email sent, records calls, passwords, contacts and biometric

information. It can access records from cloud-based accounts and can even bypass two-factor authentication mechanisms⁶. These incidents highlight the need for a robust cyber security governance system in all business organizations.

Organizations have been unable to promptly identify breach of security protocols in the absence of appropriate security controls. Breach of cyber security protocols in companies may result in compromise of employee records and customer records, and loss or damage of internal records. Intellectual property losses are rampant, like loss of strategic business plans, deal –related information and sensitive financial information, not to mention damage to reputation, goodwill and brand image. Prevention and detection methods have been found useless against most modern methods of cyber attacks, and many enterprises are inept in knowledge and resources to combat these highly skilled techno-criminals. Supervisory control and data acquisition (SCADA) systems and Industrial Control System (ICS) technologies are susceptible to attacks by such cyber criminals for the purposes of economic gain, espionage, disruption and destruction. Security incidents caused through embedded systems and operational technologies has increased considerably. Critical infrastructure asset owners have to employ methods to neutralize these attacks as well as engage in capacity-building in order to combat future attacks. Effective cyber security governance can prevent huge financial losses caused by loss of customers, legal defense services, court settlements, investigations, forensics and deployment of detection software, services and policies (PwC-DSCI, 2013).⁷

Suggested Solutions

Cyber security insurance schemes are one method to lessen the negative impact of cybercrimes on the financial health of companies. Such insurance coverage may extend to data destruction, denial of service attacks, theft and extortion, including incidence response and remediation, investigation and security- audit expenses, privacy notification, crisis and reputation management, forensic investigations, data restoration, business interruption etc. (PwC-DSCI,2013)

Cyber security is vulnerable to unauthorized access by insiders who already have authorized access, as well as former employees. Absence of proper background checks upon such employees, vendors and business partners is found to be the most common cause of such breaches. It is necessary to establish protocols for exit-related processes so that all accounts and access keys of the former employees are deactivated when they exit. Use of more advanced authentication technologies which do not require passwords- like biometrics, facial and voice recognition technologies is increasingly being employedby companies in order to manage access management, authentication and sensitization (PwC-DSCI, 2013).

Most Indian organizations have adopted a security framework like the ISO 27001 and the US National Institute of Standards and Technology (NIST) Cyber Security Framework. Other observed standards are PCI-DSS, BS-25999/ISO 2230. The benefits of such frameworks are increase in capacities to identify and prioritize security risks, quickly detect and mitigate security incidents, ensure greater security for sensitive data, understand security gaps better, improve internal communication and external collaboration, and to have greater capacity to compete across global markets. The use of data analytics, security event correlation, behavioral profiling, use of Virtual Desktop Interface (VDI) are being explored for better solutions (PwC-DSCI, 2013).

Corporate governance in cyber security needs to focus on third-party information security processes- which includes compliance of third parties with privacy policies of companies, compliance audit check for personally identifiable information (PII) and established security baselines/standards (PwC-DSCI,2013).

The Governing Board’s attitudes towards information security governance in a company is of utmost importance, with provision for funding of cyber security programmes, identification and communication of key risks, encouragement of organizational culture of cyber security, alignment of cyber security with overall risk management and business goals, regulatory compliance and risk disclosure, internal and external collaboration and communications as well as adequate security incident-response planning (PwC-DSCI,2013).

The Infosys (2019) report states that enterprises must be cognizant to the top cyber security trends like using artificial intelligence for real-time predictive/preventive cyber security instances, greater significance for privacy and data protection, use of blockchain technologies in developing security solutions for edge devices, deception technologies in IoT and OT to enable cyber security, emergence of new business models like cyber insurance, regulatory bodies showing zero tolerance on non compliance, move to the customization of security solutions from personal data protection and the gaining recognition of cyber security startups.⁸

Threat Intelligence Platforms are emerging as the method to support vulnerability management. SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs enabling collection of data about security threats from multiple sources and automated response to low-level security events without human intervention. The SOAR stack allows for increasing the efficiency of physical and digital security operations by using compatible products and services that help define, prioritize,

 standardize and automate incident response functions through Threat And Vulnerability Management which provide formalized workflow, reporting and collaboration capabilities, Security Incident Response which support organisational strategies for planning, management, tracking and coordination of responses to security incidents, and Security Operations Automation which use technologies to support the automation and orchestration of workflows, processes, policy execution and reporting.

Conclusion

The world of information technology is always unstable and continually shifting. There will be a convergence of privacy, individual and corporate identity in the near future. Lack of integrated solutions and shortage of skilled workforce are challenges that each business organization faces. Means must be devised to ensure security at the earliest stages of a business lifecycle, and minimizing risks by embedding security-by-design principles. Hence it is necessary to have strong encryption policies intact. New solutions based on big data, cloud computing and heuristic approaches necessitate recruitment of professionals specialised in hardware cryptography design, lightweight and post quantum cryptographic primitives and implementation of cryptanalysis. Adoption of SOAR technologies would help to ensure security in linked platforms. A comprehensive cyber security programme for corporate governance is necessary, whereby the board and senior management are involved in increasing collaboration between technology partners, building a robust cyber security culture among the employees, and adopting modern solutions to prevent cyber security breaches.

Foot Notes:

1. Krishnakumar T. (2018) Cybersecurity now firmly a corporate governance concern 06.11.2018 https://tech.economictimes.indiatimesxom/news/corporate/cybersecurity-now-firmly-a-corporate-governance-concern/64543995

2.Deshpande D.(2019), Ethics in Data Management and Governance 05.17.2019 https://www.businesstoday.in/opinion/columns/data-management-governance-digital-data-ethical-data-organisations-data-misuse/story/347425.html

3.GMITS: Guidelines for the Management of IT Security, Part 1: Concepts and models for managing and planning IT security, ISO/IEC JTC1/SC27, PDTR 13335-1 (revision), version 28.11.2001.

4. Internal control systems of credit institutions, Banking Supervisory Sub-Committee of the EMI, July 1997, Working paper on Internal Control Systems, prepared by internal auditors of a group of central banks, BIS and EMI, June 1997, Internal control - integrated framework, Committee of Sponsoring Organisations of the Treadway Commission (COSO), September 1992.

5. Dasgupta B. and Ranjan Sen S. (2019). Cyber attack at Kudankulam; critical system safe. Hindustan Times Oct 30, 2019 00:42 1ST.

6. Shrestha, D.B., DH Web Desk (2019). Pegasus spyware: All you need to know.Deccan Herald. Nov 1, 2019 19:01PM 1ST.

7. PricewaterhouseCoopers,India-DataSecurityCouncil of India (2013). Leading industry practices in security and privacy, https://www.pwc.in/assets/pdfs/publications/2013/leading-industry-practices-in-security-and-privacy.pdf

8. Infosys (2019). Assuring Digital-Trust, https://www.infosvs.com/services/cvber-securitv/insights/assuring-cligital-trust.pdf.

Section 24 Cr.P.C. –  Time to Revamp

(By P.Rajan, Advocate, Thalassery)

Section 24 of the Code of Criminal Procedure 1973 states about appointment of Public Prosecutors for High Courts and District Centers, also Addl. Prosecutors, to represent the Centre as well as the State as the case may be, after adhering to the procedural compliances detailed in the sub-sections thereunder. Of late selection/appointment of Public Prosecutors became a matter of controversy leading to legal procedures reason being primacy of the aspirants relating to extraneous considerations mainly political patronage became the key yardstick. Panel of lawyers by the District Judge to the District Magistrate is the primary step for the appointment at District Centers. This formality is just a routine exercise as it is no secret that Judge’s role in the process of selection is nil. This practice should be avoided by inserting requisite amendments and the Judges of the High Court and other Courts in the State have a say in appointing prosecutors to represent the State before them. It is no gainsaying that a Judge is the best judge to judge a lawyer. In short an aspirant for the post of prosecutor must be before a team of Judges to know of his/her caliber and experience; even if some officers may not be familiar with the person. Lawyer-mediators and amicus curiaadvocates are being selected after some enquiry about the performance of the concerned person in courts, by the senior Judge of that center, even though his effort is minimal.

A glaring example of unsatisfactory conduct of the prosecution; lack of vigilance, during trial became a sensitive issue in the State - the Walayar (Palakkad) Dalit Siblings Death Case as the matter ended in acquittal. Shoddy probe by the Police, the prosecution urges as the ground for the verdict. Lapses on the prosecution side seems to be the vital reason as per the narration of the relatives of the deceased. In short blame game is no explanation for the judgment of acquittal in the case. If the investigation was defective, before opening of the case, the prosecutor in charge could have brought the fact to the notice of the Court as the matter is quite serious. Section 226 of Cr.P.C., the prosecutor as well as the defence have to follow before the matter goes for trial and if the charge appears to be groundless even an order of discharge under S.227 is possible. At this stage itself the lawyer in charge of the case can take appropriate steps,; even further investigation or approach the High Court for suitable direction, avoiding haste to put the matter for trial. If charge seems to be defective, change of charge even before the judgment is permitted under law, and if the death is not homicidal, medical evidence suggests sexual assault, a charge under S.306 I.P.C. on the ground of abetment could have been brought to the notice of the Court. The Godhra Massacre (Gujarat), charge sheeted even political big wigs, tried and acquitted but Apex Courts’ intervention resulted in fresh trial before another State, verdict became favourable to the Prosecution. This judgment is a rare but remains un­changed. Prosecutor is integral part of sessions trial as the appointment is a compelling constitutional necessity. Consultative process envisaged in selection when becomes mere formality result would be drastic. The much discussed siblings’ death case, the facts are not inscrutable and the Supreme Court Judgments favour the prosecution even regarding appreciation of evidence.

Change of Ministry at the national level also paves way for the lawyers representing the Centre and States to resign or accept termination orders and new persons are getting recruited. This itself shows the modalities of the selection and extraneous considerations which play pivotal role than the performance of the persons concerned. Prosecutor is not a protagonist of any party and in theory he stands for the State’s aid to act impartially as an officer of the Court. Withdrawal of serious cases under S.321 Cr.P.C. is another example of political patronage often being done without considering the gravity of the crime and the interest of the victims. The usual expression- public interest always seems to be the reason for withdrawal, but Court’s alertness basing on the Apex Court Judgments become solace to the aggrieved. Criminal Trial is not a fairy tale and the prosecutors role in the conduct of criminal trials is very vital. Unless the selection process even regarding Special Prosecutors is changed the State’s interest so also the Victims grievances cannot be addressed. Recently prosecutors are appointed to conduct POCSO cases outgoing prosecutors had challenged the appointments, also sought extension. When data were called for, of the incumbents few are not competent not strictly on legal grounds but on other reasons, should not have jumped on the band wagon. Many new laws are being promulgated by the Centre but age old provisions like S.24 Cr.P.C. remains unchanged, calls for necessary changes for better administration of justice.                       

……………

A High Court lawyer hailing from a very affluent family with sufficient political clout had desired to become prosecutor and at the drop of a hat obtained the order from the Ministry. When performance became abysmal judgments became the right proof- matter cropped up as an issue of discussion before the authorities. Decision came soon to make him a High Court Judge - no written test or viva voce during that time also - no collegium system either- let the ordinary litigants assess the performance as the Government would not be a great looser. This anecdote might be wishful imagination of an alert legal mind but that imagination was not a staggering one.

Judicial Orders Against the Maxim “Lex Non Cogit ad Impossibilia”

(By Sajeer H., Section Officer, Law Department, Govt. Secretariat, Thiruvananthapuram)

The title maxim means law cannot compel to do an impossible thing. It is the general rule in criminal law that a wrong doer is only to be punished and not the person who represent him. If a company or society done a wrongful act, other than an act in Section 138 of Negotiable Instruments Act, a criminal liability or personal liability is to be fastened against that juristic persons and not against its representatives.

K.H.Singla v. Avatar Sing Saini & Ors.(1 (2019) CPJ 3 (SC) our Apex Court has expressed  a doubt as to “whether the default committed by the secretary of a co-operative society, in absence of any personal liability imposed, be imprisoned under Section 27 of the Consumer Protection Act, 1986”. But the doubt was not finally cleared in its above judgement. Therefore, it is an attempt to swim, against the flow of prosecutions towards personal liability against Company Directors and Secretaries of societies.

The factual matrix of the case aforesaid was that, the Chandigarh State Bank of Patiala Employees Co-operative Credit Society had been undergoing liquidation process and a liquidator was appointed. The Complainant in the above case filed a complaint before the District Consumer Disputes Redressal Forum. The Forum directed the society to pay the maturity amount along with interest @ of 10 percentage per annum. In addition to the award, an amount of rupees 10,000 was passed as compensation. Rupees 500 was also ordered as cost. Aggrieved by the order of the District Forum the society had preferred an appeal before the State Commission. In appeal the order of the District Forum was upheld by the State Commission. Alleging that the society has not paid the maturity amount along with the interest as ordered by the District Forum, the complainant approached the District Forum by way of application under Section 27 of the Consumer Protection Act. The District Forum sentenced the appellant therein for two years simple imprisonment and imposed a fine of rupees 5000. It was further ordered that in case of failure to deposit the fine the appellant shall undergo further simple imprisonment for a term of three months.

Aggrieved by the order of the District Forum the appellant had preferred an appeal before the State Commission. The State Commission had passed an interim stay order subject to the condition that the appellant shall deposit the entire amount as ordered by the District Forum within a period of eight weeks from the date of the order. The society had preferred a revision before the National Commission and the said revision petition was subsequently withdrawn by seeking liberty to file appeal. The appeal was preferred and the same was dismissed with the finding that “appellant had shown his inability to pay the decretal amount”. Under those circumstances the District Forum convicted the appellant and sentenced him with simple imprisonment of two years.

The appellant preferred appeal before the National Commission. The National Commission dismissed the appeal by confirming the order of the State Commission. Against which an appeal was preferred before the Honourable Supreme Court.

Disposing the appeal Honourable Supreme Court held that “it is to be noted that there is no order passed by the District Forum against the secretary, the appellant, in its individual capacity. The appellant was shown as the secretary of the society during the relevant period. For the default committed by the society and in absence of any personal liability imposed on the appellant, the appellant is to be imprisoned under Section 27 of the Act is doubtful.

Section 27 of the Consumer Protection Act, empowers the District Forum, State Commission and National Commission as the case may be, to impose the penalties. It empowers the authorities to pass an order to punish a person with imprisonment for a term which shall not be less than one month but which may extend to three years or with fine , in the case of trader or a person against whom the complaint is made omits to comply with any order passed by the authorities.

Person as per Section 2(m) of the Consumer Protection Act is that, it includes a firm whether registered or not, a Hindu undivided family, a co-operative society, every other association of persons whether registered under Societies Registration Act, 1860 or not. This section never mention the term “or any representatives”. As far as the Consumer Protection Act is concerned, when a criminal action is proposed against a juristic person the liability only rest upon it and not against its representatives.

The term “personal liability”, in Cambridge Dictionary, means “the fact of a person, rather than a company or organisation, being legally responsible for something. In the case of accident personal liability occurs in or out of your home, which results in bodily injury or property damage that you are held legally responsible for. In Black’s Law Dictionary personal liability means, any financial loan that must be paid for by an individual usually taken from his/her assets.

Here it means that when an act of the person directly and substantially causes damage to another, then he is to be personally liable in the eye of law. But a person acting on the representative capacity and done this in good faith then he cannot be personally liable for the wrong caused by the company.

Section 141 of the Negotiable Instruments Act is an exception to the above provision. It says that, If the person committing an offence under Section 138 is a company, every person who, at the time the offence was committed, was in charge of, and was responsible to the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly. Where any offence under this Act has been committed by a company and it is proved that the offence has been committed with the consent or connivance of, or is attributable to, any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of that offence and shall be liable to be proceeded against and punished accordingly.

Here the personal liability arose only on the offence committed under Section 138 of the Negotiable Instruments Act only. The director, Manager, Secretary or other officer of the company may be changed from time to time. One person who act upon as the Director, Manager, Secretary or other officer of the Company during the occasion of the offence committed may not be the Director, Manager, Secretary or other officer of the same company in the verdict time. But it is specifically said in Section 141 of the N.I. Act that the Director, Manager, Secretary or other officer shall deemed to be liable and punished. No where in the provision says the word personal liability. More over the proviso to Section 141 says , “Provided that, nothing contained in this sub-section shall render any person liable to punishment if he proves that the offence was committed without his knowledge, or that he had exercised all due diligence to prevent the commission of such offence: Provided further that where a person is nominated as a Director of a company by virtue of his holding any office or employment in the Central Government or State Government or a financial corporation owned or controlled by the Central Government or the State Government, as the case may be, he shall not be liable for prosecution”.

On a conjoined reading of Section 141 and its proviso it is crystal clear that a person is not personally liable in 138 offences if he proves that the offence was committed without the consent or knowledge of him. More over no personal property of him is liable for that offence.

Here in Section 27 of the Consumer Protection Act, its area is far more different than that of Section 138 of the Negotiable Instruments Act. Section 27 of the Consumer Protection Act says that “Where a trader or a person against whom a complaint is made or the complainant fails or omits to comply with any order made by the District Forum, the State Commission or the National Commission, as the case may be, such trader or person or complainant shall be punishable with imprisonment for a term which shall not be less than one month but which may extend to three years, or with fine which shall not be less than two thousand rupees but which may extend to ten thousand rupees, or with both”. Nowhere in the section declares that a person is not personally liable under this section if he proves that the offence was committed without the consent or knowledge of him. Therefore, if an offence committed by a Company, the Company shall be liable for the same but no coercive steps can be taken against the Director, Secretary and staff of the Company.

It is highly inadvisable to punish a Director, Secretary or staff of a Company personally and put them behind bars for the reason of the act they done in good faith in pursuance of a duty.

Article 20 of the Constitution of India reads, no person shall be convicted of any offence except for violation of law in force at the time of commission of the act charged as an offence. When a Director or Secretary who representing a Company or Co-operative Society respectively, he is only representing that Company or Firm and so he could not be impleaded nor proceeded in its individual capacity or no liability can be fastened against him.

Section 2(m) of the Consumer Protection Act is clear that a person as inclusive of a firm whether registered or not and where a person proceeded is a firm or company a sentence of imprisonment against it is not possible.

In ANZ Grindlays Bank Ltd. v. Directorate of Enforcement(2005 (2) KLT 876 (SC) ) Honourable Supreme Court held that “a company cannot be sentenced to imprisonment, it can nevertheless be prosecuted and the court can impose punishment of fine instead.”

Law does not compel the doing of impossibilities. It is impossible to arrest and detain a company. But a representative of it can be arrested and detained on the actions done by him during the time of his tenure. A company or society may have many branch offices in different places. Different managers or secretaries should be appointed or posted in such branches. They may be new persons in that post and so they may not aware about the financial dealing of the company or the society. If an execution order is to be passed against the office bearers of the company or society and as a result the Managing Director or the Secretary is too arrested and sentenced to three years imprisonment for the wrong act of the Company, Society or Firm, then that is against the provisions of Article 21 of the Constitution of India. Any order passed against ANZ Grindlays Bank Ltd. v. Directorate of Enforcement(2005 (2) KLT 876) (SC) may be per incurium. In that aspect, the court can impose fine upon the company or society and if they are reluctant to pay the amount, its properties can only be attached.

Section 320 Cr.P.C. – Need for Amendment

(By Devi A.R., Section Officer, Law Department, Govt.Secretariat, Trivandrum)

The basic aim of every criminal justice administration is to punish the offender and thereby maintain the social order and peace. It also aims to prevent others from doing the same offence and to satisfy vengeance of the victim and the society against the offender. In accusatorial system of trial, in every offence, State is the de jurevictim and de factovictim is a witness. In certain cases the State dilutes its stand against the accused and the de facto victim is allowed to compound the offences with the accused either with or without the permission of the court, as the case may be.

Compounding in the context of criminal law means forbearance from the prosecution as a result of an amicable settlement between the parties. (237th Law Commission Report at p.6). In cases of compounding of offences the role of the State became meagre and the victim is allowed to compound the offence with and without the permission of the court. Section 320 of the Criminal Procedure Code listed the offences which can be compounded wherein sub-clause (1) listed the offence which could be compounded with the permission of the court and sub-clause (2) listed the offences which could be compounded without the permission of the court. The provision detailed in Section 320 of the Code of Criminal Procedure 1973 corresponds to Section 345 of the Code of Criminal Procedure 1898, with minor alterations.

Criminal Law amendments on compounding of offences 

Cr.P.C. Amendment Act, 2005

The amendment Act omitted Section 324 from the list of compoundable offence. After this amendment came into force the total number of compoundable offence is 56 in the table, under sub-section it is 21 and in table under sub-section (2) it is 35 as against 57 earlier.

Cr.P.C. Amendment Act, 2008

The tables forming part of Section 320(1) and (2) underwent changes. As recommended by the Law Commission Report No 154 and 177 a numerous offences listed out in the table under sub-section (2) was shifted to the table under sub-section (1). In consonance with the 41st report of the Law Commission the amendment omitted Section 354 (assault of women with intent to outrage her modesty) from the list of compounding of offences. Section 312 was included in the table under Section 320(2). After the Cr.P.C. (Amendment) Act, 2008 the number of compoundable offences are 56.43 in the Table under sub-section (1) of Section 320 and13 in table under sub-section (2).

Variance of opinion on Compounding of Offences in different Law Commission Reports

Law Commissions at different times submitted reports on the scope of compounding of offences in the Criminal Procedure Code. These recommendations exposed several variances. 41st report rejected the proposal of enlarging the list of compounding of offence and also framing general rule for determining the compoundablity of offences. Whereas the 154th report recommended that more offences shall be brought into the category of compoundable offences by the parties without the intervention of the court except those offences against the public at a large. It was also suggested for the inclusion of sub-section (3A) as suggested in clause 20 of 1994 Bill to the extent that it empower the investigating officer to compound offences, which are compoundable, at the investigation stage and make a report to the magistrate who will give effect to the compounding of such offence the Commission also opined that this will reduce the number of cases proceeding for trial at the threshold stage itself and relieve the court docket to great extent.
177th report also supported the 154th report in this regard. But the 237th report suggested that the Courts are flooded with cases and, therefore, more and more offences should be identified for compoundability is only a secondary consideration. It also recommended against vesting the authority on the investigating police officer to make recommendation for compounding the offence. Regarding Section 324 the 154th Law Commission Report recommended for shifting it to table under sub-section (1) so that it could be compounded without the permission of the court and 177th report recommended for retaining it in the table.

Views of the Apex Court on Compounding of non compoundable offences by the High Courts

In B.S.Joshi v. State of Haryana(2003 (2) KLT 1062 (SC) the accused was charged under Section 498A and 406 I.P.C. later, when the parties came to settlement they approached the High Court to quash the F.I.R. by exercising its inherent jurisdiction under 482 Cr.P.C. The High Court declined to exercise inherent power to quash the F.I.R. on a non compoundable offence. On appeal the Apex Court observed that Section 320 would not be a bar to the exercise the inherent power to quash an F.I.R. for the purpose of securing ends of justice. The observations of the Apex Court accredited the power of the High Court to exercise inherent jurisdiction against an existing statutory provision. Later the judgments in Nikhil Merchant v. C.B.I.(2008 (3) KLT 769 (SC) and Manoj Sharma v. State & Ors. (2008 (4) KLT 417 (SC) = (2008) 16 SCC 1),Shiji @ Pappu & Ors. v. Radhika & Anr. (2011 (4) KLT 682 (SC)Gian Singh v. State of Punjab etc.(2012 (4) KLT 108 (SC) witnessed the legal dictum in B.S.Joshi’ scase. In State of Rajasthan v. Shambhu Kewatcase (2014 (1) KLT Suppl.32 (SC), the Hon’ble Apex Court held the view that powers under Section 482 can be exercised for compounding of a non compoundable offence but in  the case at hand it made the following sturdy and pertinent observations;

“…. Why Section 307 I.P.C. is held to be non-compoundable, because the Code has identified which conduct should be brought within the ambit of non-compoundable offences. Such provisions are not meant, just to protect the individual, but the society as a whole. …Taking a lenient view on a serious offence like the present, will leave a wrong impression about the criminal justice system and will encourage further criminal acts, which will endanger the peaceful co-existence and welfare of the society at large.”

In Narinder Singh v. State of Punjab(2014 (2) KLT SN 45 (C.No.61) SC) contra to the judgment inShambhu KewatCase, the Hon’ble Apex Court quashed the criminal proceedings under  Sections 307, 324, 323, 34 I.P.C.  relying on the judgment in  Dimpey Gujral v. Union Territory through Administrator(2012 (4) KLT Suppl.81 (SC) and on the observation in Gian Singh’scase that the offence under Section 307 of the I.P.C. is  of a personal nature and not offences against the society.

 In order to remove the disparity between its two decisions, in Narinder Singh v. State of Punjab and State of Rajasthan v. Shambhu Kewat,The Hon’ble Apex Court in State of Madhya Pradesh v. Laxmi Narayan(2019 (2) KLT OnLine 2025 (SC), issued guidelines to be followed by the High Court while exercising the powers under Section 482 against Section 320.

The guidelines issued by the three Bench in State of Madhya Pradesh v. Laxmi Narayan,is a requisite in the judicial setup for avoiding conflicts in the judicial decisions.  But if there is any perplexity in the existing legal provisions or the existing one is inadequate to meet the ends of justice it should be taken notice by the Legislature. The Legislature is the authority which is supposed to make additions/deletions through legislative amendment in the existing provisions or to make new laws to meet changing societal needs.

Number of Petitions being filed before various High Courts under Section 482, for compounding of non compoundable offence, indicates the need of legislative intervention on the policy towards compounding offences. Section 320 may be modified to the extent that;

•    The title to Section 320 ‘Compounding of offences’ may be amended as ‘Compoundability of Offences’

•    Sub-section (1) may list out offences which are strictly non compoundable at any instance. The offence to be included in may be identified after proper study and it should be kept beyond the exercise of inherent powers of any legal forum.

•    Sub-section (2) may list out the offence which could be compounded only with the permission of the court.

•    Section 320A may be added to the effect that the offences coming under special statutes may be made compoundable by fixing a general criteria like, the offence for which the maximum punishment prescribed is imprisonment for 3 years is compoundable etc.

As the entire issue discussed is coming under the field of legislative domain, the above detailed suggestions are put forwarded before the legislative wisdom to consider.

A Note on The Decision Reported In 2019 (4)KLT 544 –
Gangadharan C.K. v. Kumaran And Others Rendered by His Lordship Hon’ble Justice P. Somarajan on 10.10.2019 on Law of Pre-Emption

(By N.Subramaniam, Advocate, High Court of Kerala)

1. At the outset itself, with respect to His Lordship, it is to be stated that the above decision is a complete dictionary by itself on the Law of Pre-emption.

2. His Lordship has found and ruled that it has brought to the notice of all that “a right of pre-emption was really unknown to Hindu law. Its origination is from the Mohammedan Law and applied to both Hindus and Muslims based on equity and good conscience. But it was not regulated by statutory law except in Punjab and Agra. In so far as Muslims are concerned, right of pre-emption forms part of their personal law, but among Hindus, the right of pre-emption mainly recognized as a customary right. No doubt, the right of pre-emption can also be created by a contract.

3. His Lordship has opined and ruled that “pre-emption is a right of claiming or purchasing property before or in preference to others, when it is put for sale. The basic-concept of pre emption right is to preserve and give protection to the property of family from being intruded by strangers claiming under any member based on any transfer of immovable property. In order to constitute a pre-emption right, it should be satisfied that, the pre-emptor should have some relation with respect to the property as a member of family, to which the property belonged and it must find a place in the document under which the property was given to the owner. In other words, the pre-emption right claimed should find a place in the document of conveyance either by gift, partition, settlement or sale and it may be either based on customary right or practice, prevailed. His Lordship also has found that a right of pre-emption can also be created by a contract between parties.

4. The right of pre-emptor between two different methods have been pointed out in the judgment in para 5 and that there need not be any lawful consideration for creating a pre­emption right, if it is based on custom or practice, provided it should be included in the document of title of the owner. But that does not mean that the pre-emption right created is valueless.

5. His Lordship has dealt with Section 40 of T.P. Act in this connection.

6. It is found that to create a right of pre-emption, no registration is necessary.

Tail Piece

1)  Registration is not necessary for creating a right of pre-emption.

     AIR 1923 Bom.226 & 227.      (Tribhuvan Uttamram v. Vai Kushal).

2) Pre-emption - There is a conflict of opinion whether an agreement providing that if one of the parties thereto wished to sell his property or his share of the property the other party should have a right to pre-empt, is a document which creates of itself any interest in immovable property, or a document merely creating a right to obtain another document. It has been held by Madras High Court in Ramasami v. Chinnan (1901) 24 Mad.449, 461 in Tribhuvan v. Bai Kushal (1922) 47 Bom.283 in Kashi Kunbi v. Sumer Kunbi 73 I.C.666 (1923) A.B.226, (1910) 32 All. 206, 5 I.C.234.