Sexual, Reputational & Corporate Cyber Crimes
"High-impact litigation & corporate exposure"
Handle sensitive, high-stakes cyber cases with legal precision. From deepfakes to director liability — understand the law that protects dignity and corporate accountability.
Image-Based Sexual Crimes
Image-based sexual abuse (IBSA) encompasses non-consensual creation, distribution, or threat to distribute intimate images. It's one of the fastest-growing cyber crimes, with devastating psychological impact on victims.
As practitioners, these cases require sensitivity, speed, and strategic action — often involving emergency takedown requests alongside criminal complaints.
A. Morphing — Creating Fake Intimate Images
Elements: (1) Intentionally captures/publishes/transmits; (2) Image of private area; (3) Without consent; (4) In circumstances violating privacy
Punishment: 3 years imprisonment + ₹2 lakh fine
Key Point: "Private area" includes areas typically covered by undergarments. Morphed images showing such areas attract this section even though the actual body isn't the victim's.
Case Law: In State of West Bengal v. Animesh Boxi (2018), the court held that morphing a victim's face onto nude images constitutes an offence under S.66E read with S.67A.
B. Revenge Porn / Non-Consensual Intimate Images (NCII)
Definition: Distribution of sexually explicit images/videos without the subject's consent, typically by ex-partners after relationship breakdown.
Key Legal Issue: The images may have been consensually captured during relationship, but consent to capture ≠ consent to distribute.
| Conduct | IT Act | BNS | Punishment |
|---|---|---|---|
| Publishing intimate images without consent | S.66E + S.67A | S.354C (Voyeurism) | 3-7 years |
| Threatening to publish | — | S.351 (Criminal Intimidation) | 2-7 years |
| Publishing + demanding money | S.66E | S.308 (Extortion) | 7 years + fine |
| Creating fake porn using victim's identity | S.66C + S.67A | S.356 (Defamation) | 3-5 years |
1. Emergency Takedown: Contact platform's abuse team immediately. Most platforms have expedited processes for NCII removal.
2. Evidence Preservation: Screenshot/archive content BEFORE takedown request (use archive.org or similar).
3. IT Rules 2021: Under Rule 3(2)(b), intermediaries must remove intimate images within 24 hours of complaint.
4. StopNCII.org: Use this tool to create a hash of the intimate images — this prevents re-upload across participating platforms.
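One way to make the evidence-preservation step above hold up against a later chain-of-custody challenge, shown as an added example that is not part of the original course material: each capture is hashed and written to a hash-chained log before the takedown request is sent. The function names, field names, URLs and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed anchor value for the first log entry


def _digest(entry):
    """SHA-256 over every field of a log entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_capture(log, content, source_url, collector):
    """Append one captured artifact (screenshot, archived page) to the log."""
    entry = {
        "seq": len(log) + 1,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "source_url": source_url,
        "collector": collector,
        "size": len(content),
        "sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log, artifacts):
    """Return a list of problems; an empty list means log and files match."""
    problems, prev = [], GENESIS
    for e in log:
        if e["prev_hash"] != prev or _digest(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: log entry altered or reordered")
        data = artifacts.get(e["seq"])
        if data is None or hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"entry {e['seq']}: artifact missing or modified")
        prev = e["entry_hash"]
    return problems


if __name__ == "__main__":
    # Constructed sample bytes standing in for a saved screenshot and a chat export.
    shot, chat = b"constructed screenshot bytes", b"constructed chat export"
    log = []
    record_capture(log, shot, "https://platform.example/post/123", "counsel-01")
    record_capture(log, chat, "https://platform.example/dm/456", "counsel-01")
    print(verify_log(log, {1: shot, 2: chat}))         # intact set
    print(verify_log(log, {1: shot, 2: chat + b"x"}))  # file changed after capture
```

Because each entry stores the hash of the one before it, editing a timestamp or deleting an entry after the fact breaks verification, which is the property that matters when the other side questions when and by whom the material was collected.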
Deepfakes & AI-Generated Content
Deepfakes use AI to create hyper-realistic fake videos — swapping faces, mimicking voices, generating entirely synthetic content. The technology has become accessible to anyone with a smartphone.
Legal Challenge: Indian law doesn't specifically criminalize "deepfakes" — we must map conduct to existing sections. This requires creative legal interpretation.
A. Types of Deepfake Abuse
Identity Theft (S.66C): Using someone's likeness without authorization = using their "unique identification feature"
Cheating by Personation (S.66D): If deepfake used to deceive for financial/other gain
Obscenity (S.67A): If deepfake is sexually explicit material
Defamation (S.356 BNS): If deepfake harms reputation
IT Rules 2021 Amendment: Rule 3(1)(b)(v) requires intermediaries to ensure users don't post content that "deceives or misleads" including "impersonation"
Context: After viral deepfake videos of actresses, MeitY issued an advisory to social media platforms.
Key Points:
• Intermediaries must remove deepfake content within 36 hours of complaint
• Failure to comply = loss of safe harbour under S.79
• Platforms must implement AI detection tools
Practitioner Note: Use this advisory as leverage when requesting takedowns. Cite non-compliance as grounds for platform liability.
Evidence Challenges:
• Deepfake detection tools have high error rates
• No standardized forensic methodology yet
• Expert witness testimony crucial but expensive
Practical Approach:
• Focus on circumstantial evidence: who had motive, capability, access to source images
• Digital trail: metadata, upload timestamps, account ownership
• Victim's alibi proving they weren't actually in the depicted situation
Sextortion — Sexual Extortion
Definition: Threatening to distribute intimate images/information unless victim pays money or provides more sexual content.
Key Feature: Combines sexual abuse with financial extortion. Victims often too ashamed to report, leading to severe psychological trauma and even suicides.
Common Sextortion Patterns
| Element | Section | Why It Applies |
|---|---|---|
| Recording without consent | S.66E IT Act | Capturing private image in violation of privacy |
| Threatening to publish | S.351 BNS | Criminal intimidation |
| Demanding money/sexual favours | S.308 BNS | Extortion (non-bailable, 7 years) |
| Actually distributing content | S.67A IT Act | Publishing sexually explicit material |
| If victim is minor | S.67B IT Act + POCSO | CSAM + aggravated penetrative sexual assault |
For Victims:
• Don't pay: Payment never stops demands — only leads to escalating requests
• Don't engage: Stop all communication with extortionist
• Preserve evidence: Screenshot all threats, payment demands, communications
• Report immediately: 1930 helpline, cybercrime.gov.in, local police
• Psychological support: Connect with mental health resources — shame is the weapon, professional help breaks the cycle
If representing accused:
• Challenge chain of custody for digital evidence
• Question identification — was accused actually the person communicating?
• Examine consent issues — were images shared voluntarily originally?
• Distinguish between S.308 (extortion) and S.351 (intimidation) — significantly different sentences
• If no actual distribution, argue lesser offence (attempt vs completed)
Corporate Cyber Crimes
Corporations face cyber crime liability from two directions: (1) As victims — data breaches, ransomware, industrial espionage; (2) As perpetrators — employee misconduct, compliance failures, vicarious liability.
Corporate cyber crime practice is lucrative — companies pay a premium for lawyers who understand both technical risks and legal exposure.
A. Data Breaches — Criminal Dimensions
Not every data breach is criminal. Criminal liability arises when:
• Intentional disclosure: Employee deliberately leaks data (S.72 IT Act)
• Gross negligence: Company consciously disregards security obligations (DPDPA 2023)
• Cover-up: Failure to report breach to authorities (CERT-In rules, DPDPA)
• Insider trading: Using breach knowledge before public disclosure (SEBI regulations)
| Conduct | Legal Provision | Punishment | Who's Liable |
|---|---|---|---|
| Unauthorized data disclosure by service provider | S.72 IT Act | 2 years + ₹1 lakh | Individual + Company |
| Breach of lawfully obtained information | S.72A IT Act | 3 years + ₹5 lakh | Individual + Company |
| Failure to report cyber incident | CERT-In Directions 2022 | S.70B penalties | Company + CISO |
| DPDPA non-compliance leading to breach | DPDPA 2023 S.33 | Up to ₹250 Cr | Data Fiduciary |
| Failure to implement security practices | S.43A IT Act | Compensation to affected | Body Corporate |
B. Employee-Driven Cyber Offences
Facts: Senior manager at IT company copied source code, client database, and pricing information before resigning. Joined competitor. New employer launched similar product within 3 months.
Multi-Track Approach:
1. Criminal: FIR under S.43 + S.66 + S.72A IT Act against employee
2. Civil: Injunction against competitor + damages claim
3. Labour: Recovery of notice period salary, forfeiture of dues
4. Arbitration: If employment contract has arbitration clause for confidentiality breach
Key Evidence: Email server logs, USB activity logs, cloud access records, DLP alerts, exit interview recordings.
Before Filing FIR:
• Conduct internal forensic investigation — preserve chain of custody
• Document through legal privilege (attorney-client protection)
• Consider reputation risk of public criminal case
• Evaluate evidence strength — criminal burden is "beyond reasonable doubt"
Strategic Choice: Sometimes civil injunction + settlement is more effective than prolonged criminal prosecution. Criminal case can be leverage for commercial settlement.
Vicarious Liability — Directors & Officers
Indian law imposes personal criminal liability on directors and officers for corporate cyber offences. This is not mere regulatory penalty — it means potential arrest, prosecution, and imprisonment.
Understanding this liability framework is crucial for advising corporate clients on compliance and for defending executives in cyber crime cases.
Text: Where a person committing a contravention of any of the provisions of this Act or any rule, direction or order made thereunder is a company, every person who at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention...
Key Elements:
• Person must be "in charge of" and "responsible for" conduct of business
• Liability is automatic unless defence of "due diligence" proved
• Directors, CEO, CFO, CISO typically covered
• Non-executive directors may be covered if involved in relevant decisions
Who Can Be Held Liable?
| Role | Typically Liable? | Defence Available | Risk Level |
|---|---|---|---|
| Managing Director / CEO | Yes — presumed in charge | Due diligence + no knowledge | High |
| CTO / CISO | Yes — directly responsible for IT | Due diligence + proper policies | High |
| CFO | Maybe — if finance systems involved | Not in charge of IT function | Medium |
| Independent Directors | Unlikely — unless active role | Non-executive, no operational control | Low |
| Company Secretary | Maybe — if compliance role | Not in charge of business conduct | Medium |
| DPO (under DPDPA) | Yes — if DPDPA breach | Due diligence in DPO function | High |
Statutory Text: "...Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention."
Two Defences:
1. No Knowledge: Offence occurred without accused's knowledge (difficult to prove for senior management)
2. Due Diligence: All reasonable steps taken to prevent contravention
Building Due Diligence Defence:
• Document all cybersecurity policies and their implementation
• Record board discussions on cyber risk
• Maintain audit trails of compliance reviews
• Evidence of training, awareness programs
• Third-party security audits and certifications
Preliminary Objections:
• Challenge "in charge" status — was accused actually responsible for IT/cyber function?
• Rely on S.M.S. Pharmaceuticals v. Neeta Bhalla — mere designation as director insufficient
• Demand specific allegations of personal involvement
Substantive Defence:
• Present evidence of cybersecurity governance framework
• Show board-level oversight and compliance reviews
• Demonstrate industry-standard security measures were in place
• Argue the breach occurred despite management's efforts, not because of management failures
For Companies Wanting to Protect Leadership:
• Clear Role Definition: Document who is "in charge" of cyber/IT functions
• Board Oversight: Regular cybersecurity updates to board (create paper trail)
• Policy Framework: Comprehensive information security policy
• Incident Response Plan: Documented and tested IR procedures
• Training Records: Evidence of compliance training for all levels
• D&O Insurance: Ensure policy covers cyber-related claims
• Indemnification Agreements: Company to indemnify officers for non-willful violations
While not an IT Act case, the Supreme Court's analysis in SEBI v. Sahara (2012) provides guidance on director liability under similar statutory provisions:
• Active Role Test: Mere designation doesn't create liability — functional responsibility matters
• Knowledge Presumption: Senior management presumed to know company affairs
• Collective Responsibility: Board as a whole responsible for compliance framework
Practitioner Note: These principles are being applied to IT Act S.85 cases by High Courts.
🎯 Key Takeaways — Part 2.5
- Image-based sexual abuse (morphing, revenge porn) is prosecuted under S.66E + S.67A IT Act — consent to capture ≠ consent to distribute
- IT Rules 2021 mandate 24-hour takedown for intimate images — use this as leverage with platforms
- Deepfakes are mapped to existing sections (S.66C, S.66D, S.67A) — no specific deepfake law yet, but MeitY advisory strengthens enforcement
- Sextortion combines S.66E (privacy), S.351 (intimidation), and S.308 BNS (extortion) — ensure comprehensive charging
- If victim is minor, POCSO Act applies in addition to IT Act — significantly enhanced penalties
- Corporate data breaches can attract criminal liability under S.72/72A IT Act and DPDPA 2023
- Employee cyber crimes create dual liability — employee criminally liable, company may face civil/regulatory penalties
- Section 85 IT Act imposes personal liability on directors "in charge of" business — due diligence defence is crucial
- Build due diligence evidence proactively: policies, board minutes, audits, training records
- Multi-track approach often most effective for corporate cases: criminal + civil + regulatory