Question

Under Section 22 of the Credit Information Companies (Regulation) Act, 2005, an employee of a fintech company, Y, obtains unauthorised access to credit information of 50 borrowers maintained by a CIC by exploiting a security vulnerability. Y's unauthorized access continues for 60 days before detection. Y never misused the accessed data but retained access through negligent exposure of credentials. The unauthorized access involves 50 distinct individuals' credit information. Which of the following correctly determines Y's criminal liability and penalties under Section 22(2)?

A Y is liable for a single fine of ₹1 lakh (as each person's information is one offence) totalling ₹1 lakh for all 50 individuals
B Y is liable for fine which may extend to ₹1 lakh in respect of each offence, meaning ₹50 lakhs for 50 individuals, and if access continues, with further fine of ₹10,000 for every day on which the default continues
C Y is liable for fine only if intentional misuse is proven; mere unauthorized access without actual harm is covered under civil liability, not criminal penalties
D Y's liability is limited to the fintech company's institutional liability; individual employees cannot be held criminally liable for unauthorized access
E Y's liability is limited to the fintech company's institutional liability; individual employees cannot be held criminally liable for unauthorized access
Practice Next

Hey! Ask a query