🛡️ Part 4.5

Defence & Corporate Response

"Every accused deserves competent defence; every company needs incident response"

The other side of cyber crime practice: defending the accused through anticipatory bail and quashing, and guiding organizations through cyber incident response, regulatory reporting, and internal investigations.

5.1 Anticipatory Bail in Cyber Cases

⚖️ Sushila Aggarwal v. State (NCT of Delhi), (2020) 5 SCC 1

"There is no time limit for anticipatory bail. It can continue even after charge sheet is filed. The accused need not surrender and then apply for regular bail if anticipatory bail is in force."

📋 Grounds for Anticipatory Bail in Cyber Cases

1. No Flight Risk: Accused has deep roots in community, family, property, passport surrendered

2. Cooperation with Investigation: Ready to join investigation, provide devices, answer queries

3. False Implication: FIR lodged with mala fide intent, counter-blast, business rivalry

4. No Custodial Interrogation Needed: Cyber crimes are document-based; devices already seized

5. Clean Antecedents: No prior criminal history, respected member of society

6. Technical Nature: Complex analysis needed; the accused's custody won't expedite investigation

💡 Cyber Crime Specific Arguments

Device Already Seized: "All electronic evidence is with investigation. My custody adds nothing."

Digital Trail: "Unlike physical crimes, cyber crimes leave digital trails. I cannot destroy evidence."

Technical Analysis: "Investigation requires FSL analysis, not my interrogation."

Identity Theft Defence: "My credentials were misused. I'm the victim, not the perpetrator."

5.2 Quashing of FIR — S.528 BNSS

⚖️ State of Haryana v. Bhajan Lal, 1992 Supp (1) SCC 335

Seven categories where FIR can be quashed: (1) No cognizable offence disclosed; (2) Allegations don't constitute offence; (3) Uncontroverted allegations absurd; (4) Express legal bar; (5) Manifest injustice; (6) Criminal proceedings for civil dispute; (7) Compromise in compoundable offences.

Quashing Ground | Cyber Crime Application
No offence disclosed | FIR alleges "hacking" but describes authorized access by employee
Civil dispute | Business dispute dressed as cheating/fraud case
Mala fide prosecution | Counter-blast FIR filed after original complaint
Compoundable offence | Defamation (S.356 BNS) case after settlement
Legal bar | S.79 IT Act safe harbor protects intermediary
Identity theft | Accused's credentials misused — no mens rea

⚠️ Quashing Limitations

Mini-Trial Prohibited: Court cannot weigh evidence at quashing stage — only looks at FIR allegations

Serious Offences: Courts are hesitant to quash in S.66F (cyber terrorism) and POCSO cases

Investigation Stage: Quashing is usually considered after the charge sheet, not during investigation

5.3 Corporate Incident Response

🏢 Incident Response Workflow

When a company suffers a cyber attack, structured response is critical:

1. Detection & Containment: Identify breach, isolate affected systems, preserve evidence before remediation

2. Legal Assessment: Evaluate reporting obligations — CERT-In (6 hours), SEBI, RBI, sectoral regulators

3. Regulatory Reporting: Mandatory CERT-In notification within 6 hours for prescribed incidents

4. Law Enforcement: File FIR if criminal activity suspected, coordinate with cyber cell

5. Stakeholder Communication: Board notification, affected individuals, public disclosure if required

6. Remediation & Review: Fix vulnerabilities, update policies, document lessons learned

⚠️ Common Corporate Mistakes

Destroying Evidence: Wiping systems before forensic imaging — loses evidence for prosecution

Delayed Reporting: Missing CERT-In 6-hour window — regulatory penalty

No Privilege Protection: Internal investigation not under legal privilege — discoverable

Public Statements: Premature disclosure before facts known — liability exposure

5.4 CERT-In Reporting Obligations

🚨 Mandatory 6-Hour Reporting

CERT-In Directions (April 2022) mandate reporting of cyber incidents within 6 hours of detection:

• Targeted scanning/probing of critical networks

• Compromise of critical systems/information

• Unauthorized access to IT systems/data

• Defacement of websites

• Malware attacks (ransomware, cryptominers)

• Attacks on servers, databases, cloud, IoT devices

• Data breaches and data leaks

• Attacks on critical infrastructure

Regulator | Reporting Requirement | Timeline
CERT-In | All cyber security incidents | 6 hours
RBI | Cyber incidents in banks/NBFCs | 2-6 hours
SEBI | Cyber incidents in market entities | 6 hours
IRDAI | Cyber incidents in insurers | 48 hours
DPDPA (DPB) | Personal data breaches | 72 hours (proposed)

💡 CERT-In Reporting Checklist

☑️ Nature and type of incident

☑️ Date and time of detection

☑️ Number of systems/users affected

☑️ Brief description of impact

☑️ Initial containment measures taken

☑️ Contact details for follow-up

Report via: incident@cert-in.org.in or online portal

5.5 Internal Investigation Management

🔍 Privilege-Protected Investigation

Internal investigations should be structured to maintain legal privilege:

1. Engage External Counsel: Investigation directed by lawyers maintains attorney-client privilege

2. Clear Scope: Written engagement letter defining purpose as legal advice

3. Separate Tracks: Business remediation vs. privileged legal investigation

4. Upjohn Warnings: Inform employees that lawyer represents company, not individual

5. Document Control: All reports to counsel, marked privileged and confidential

⚠️ Privilege Waiver Risks

Voluntary Disclosure: Sharing investigation report with regulators may waive privilege

Mixed Purpose: If investigation serves business purpose, privilege may not apply

Employee Interviews: Without Upjohn warnings, employees may claim reliance

Third-Party Sharing: Sharing with auditors, insurers may waive privilege

✅ Best Practices for Corporate Counsel

☑️ Preserve all evidence before any remediation

☑️ Engage forensic firm under legal direction for privilege

☑️ Map all regulatory reporting obligations early

☑️ Prepare holding statements for stakeholders

☑️ Coordinate with cyber insurance carrier

☑️ Document decision-making process contemporaneously

☑️ Consider law enforcement engagement — benefits and risks

🎯 Key Takeaways — Part 4.5

  • Anticipatory bail: No time limit, continues after charge sheet (Sushila Aggarwal)
  • Cyber-specific grounds: devices seized, digital trail exists, technical analysis needed
  • Quashing under S.528 BNSS: Bhajan Lal 7 categories apply to cyber cases
  • Common quashing grounds: civil dispute, no offence, S.79 safe harbor, settlement
  • Corporate incident response: Detect → Legal assess → Report → FIR → Communicate → Remediate
  • CERT-In mandatory reporting: 6 hours for prescribed cyber incidents
  • Multiple regulators: CERT-In, RBI, SEBI, IRDAI, DPB — map obligations early
  • Privilege protection: Engage external counsel, investigation under legal direction
  • Upjohn warnings: Inform employees lawyer represents company, not them
  • Evidence preservation: Forensic image before remediation — critical for prosecution

📝 Assessment — Part 4.5 (10 Questions)

1. According to Sushila Aggarwal, anticipatory bail:
Correct: B. Sushila Aggarwal held there's no time limit — anticipatory bail can continue even after charge sheet; accused need not surrender.
2. Bhajan Lal case provides grounds for:
Correct: C. Bhajan Lal provides 7 categories where FIR can be quashed under High Court's inherent powers.
3. CERT-In mandatory reporting timeline is:
Correct: A. CERT-In Directions (2022) mandate reporting of prescribed cyber incidents within 6 hours of detection.
4. Which is NOT a ground for anticipatory bail in cyber cases:
Correct: D. If offence is bailable, anticipatory bail is not needed — regular bail is a right for bailable offences.
5. To maintain privilege over internal investigation:
Correct: B. Investigation directed by external legal counsel maintains attorney-client privilege.
6. Upjohn warnings are given to:
Correct: A. Upjohn warnings inform employees that counsel represents company, not individual — preventing later claims of reliance.
7. Common mistake in corporate incident response:
Correct: C. Destroying evidence by wiping systems before forensic imaging loses evidence for prosecution and may violate legal requirements.
8. Quashing is typically avoided in:
Correct: D. Courts are hesitant to quash serious offences like cyber terrorism and child abuse cases.
9. RBI cyber incident reporting timeline for banks is:
Correct: B. RBI requires banks/NBFCs to report cyber incidents within 2-6 hours depending on severity.
10. First step in corporate incident response should be:
Correct: A. First contain the breach and preserve evidence, then assess legal obligations, then report and communicate.