📢 Too many exams? Don’t know which one suits you best? Book Your Free Expert 👉 call Now!

    Question

    Under Section 22 of the Credit Information Companies

    (Regulation) Act, 2005, an employee of a fintech company, Y, obtains unauthorised access to credit information of 50 borrowers maintained by a CIC by exploiting a security vulnerability. Y's unauthorized access continues for 60 days before detection. Y never misused the accessed data but retained access through negligent exposure of credentials. The unauthorized access involves 50 distinct individuals' credit information. Which of the following correctly determines Y's criminal liability and penalties under Section 22(2)?
    A Y is liable for a single fine of ₹1 lakh (as each person's information is one offence) totalling ₹1 lakh for all 50 individuals Correct Answer Incorrect Answer
    B Y is liable for fine which may extend to ₹1 lakh in respect of each offence, meaning ₹50 lakhs for 50 individuals, and if access continues, with further fine of ₹10,000 for every day on which the default continues Correct Answer Incorrect Answer
    C Y is liable for fine only if intentional misuse is proven; mere unauthorized access without actual harm is covered under civil liability, not criminal penalties Correct Answer Incorrect Answer
    D Y's liability is limited to the fintech company's institutional liability; individual employees cannot be held criminally liable for unauthorized access Correct Answer Incorrect Answer
    E Y's liability is limited to the fintech company's institutional liability; individual employees cannot be held criminally liable for unauthorized access Correct Answer Incorrect Answer

    Solution

    Explanation: Section 22(2) of the CICRA, 2005 provides: "Any person who obtains unauthorised access to credit information as referred to in sub-section (1) shall be punishable with fine which may extend to one lakh rupees in respect of each offence and if he continues to have such unauthorised access, with further fine which may extend to ten thousand rupees for every day on which the default continues." The provision is explicit on two critical points: (1) "in respect of each offence" – meaning each person's unauthorized access constitutes a separate offence; (2) "for every day" – meaning the continued unauthorized access accrues cumulative daily penalties. In Y's case: First layer: 50 unauthorized accesses to 50 individuals = 50 separate offences = up to ₹50 lakhs (₹1 lakh × 50). Second layer: 60 days of continued access = further fine up to ₹6 lakhs (₹10,000 × 60 days). The provision does NOT require proof of actual misuse or intentional harm; mere unauthorized access constitutes the offence. The statute recognizes both individual and institutional liability. Thus, option (B) correctly applies the cumulative penalty structure of Section 22(2)

    Practice Next
    More Other Laws and Acts Questions
    ask-question