We proudly call ourselves a software superpower. We proclaim we are the outsourcing capital of the world. Most of the world's data passes in some form through our virtual borders.
But we as a nation rarely file cybercrime complaints with the police, who we perceive are not equipped to handle technology crime. We enacted an IT Act in the year 2000, yet we have only a handful of judgments from our legal ecosystem that have applied sections of the IT Act.
Conventional crime is localised and deterministic. But technology has changed all of this. Last year just one man, Jerome Kerviel, who worked for Societe Generale Bank, caused it a loss of euro 5 billion.
Without technology, you would need dozens of people to commit a fraud of such magnitude. This fraud went on for years as it is very easy to backdate entries on a computer. Even today nobody really knows what techniques Kerviel used to hack the bank's computer system. The worst part is that we will never know.
How many Kerviels are out there even today, nobody really knows. For instance, it's been months and we still have no idea of the extent of loss at Satyam and we may never know.
Earlier, whenever a conventional fraud happened in an organisation, nobody ran to inform the audit committee or the board. After Satyam, technology crimes have become a corporate governance issue, and rightly so.
At the first whiff of conventional fraud it is easy to get a grip on its magnitude. With the advent of technology, it has become very difficult to even understand the nature of the fraud. What does the management of a company do if it finds that a fraud has taken place? For months, it is unlikely to have an idea about the extent of the fraud.
Should they report this to the audit committee or the board? They must, because if they do not, the board could be held guilty of collusion with the criminal. We have to bear in mind that the CEO/CFO has to sign a document every quarter which talks of material loss to the company.
The company must also file a complaint with the police that a crime has been committed. The police in India are not adequately trained to investigate technology fraud (there may be exceptions in a couple of cities such as Mumbai) and the company must bring in outside forensics experts not only to investigate but also to make sure that all the evidence is sanitised so it can be used in court.
If the court throws out the evidence on the ground that it is contaminated, charges could be filed against the company for doing a cover-up job. I have yet to see our police force understand the science of evidence gathering in a technology crime.
Finally, does the organisation report the cybercrime to the stock exchanges or the regulators? How will it quantify the extent of the damage? The fraud could turn out to be a red herring. The biggest problem is that the suspect is likely to turn around and say that whatever he did had the sanction of the management. Thus every company must have firewalls in place to make sure that the blame remains at a certain level. Everyone should not be singed.
Technology crimes raise more issues than we have answers for. Nobody really knows how companies should respond to such a complex situation. After Satyam, companies are reacting to corporate governance but more out of fright. Regulators must get together to set up a procedure that everyone must follow when it comes to reporting fraud in the greater interests of transparency and corporate governance.
Governance involves public money and public interest. It is important that safeguards, processes, firewalls and a counter-strategy are put in place in anticipation.
Vijay Mukhi is head of IT at Ficci and consultant on e-corporate governance and cyber law with DSK Legal. The views are his own.