Victim Protection Laws in Cybercrimes: Are They Adequate?

Likitha Sri Meka, a 3rd year student pursuing BBA LLB from Symbiosis Law School, Hyderabad. Read More

---

Abstract

Cybercrimes have been considered one of the most sophisticated and dynamic crimes of the present digital age. Cybercrime victims encounter an entirely new and different scenario than traditional victims of crime. The article attempts to explore the term “victim” in cybercrimes by elaborating on different types of people and organizations who become vulnerable to online crimes like hacking, identity theft, cyberbullying, and online fraud.

Definitions of the term “victim” in cybercrime law are often left broad, covering individuals or businesses that have suffered personal damage or whose information or systems have been compromised. Determination of victimhood is, thus, complex. It delineates the current legislative frameworks that came into the general practice of dealing with cybercrimes, such as international conventions and national laws adopted in many countries, like in India, the Information Technology Act, 2000.

Despite these frameworks, protection for the victims of cybercrime often fails mainly because technology tends to run ahead of the law, the awareness of victims is lacking, and anonymity is provided through the cyberspace. Case laws addressing key judgments help demonstrate the judicial response towards cybercrimes and identify the failures in victim protection. Through this analysis, the article identifies significant gaps in the current legal structures. It has indicated the lack of comprehensive cybercrime victim compensation schemes and support systems for victims. The enhancement of mechanisms of protection for victims may be enhanced through proposals to set up special cybercrime courts, networks for supporting victims, and an updating of the legislative framework to be more effective at combating emerging cyber threats.

Keywords Cybercrime, Victim protection, Legal framework, Data privacy, Digital safety

Introduction

Cybercrime is defined as offenses committed with the use of computers, digital devices, and the internet as the main medium of execution. The technology boom in the digital age has transformed everyday life, communication, commerce, and made a new space of crime. Cybercrime encompasses all sorts of crimes, such as hacking, data breach, identity theft, phishing, cyberbullying, online fraud, and many more. As societies increasingly rely on digital platforms for both personal and professional functions, the scope and impact of cybercrimes have expanded, affecting individuals, corporations, governments, and critical infrastructures around the world. The anonymity and global reach of the internet make it easier for cybercriminals to operate, making the fight against such crimes even more challenging.

In the case of cybercrimes, a “victim” refers to individuals who may experience direct financial losses or psychological damage. However, it can be individuals whose personal information is stolen, organizations whose data is compromised, or entire communities whose activities are disrupted by ransomware attacks. In addition, businesses suffer from cybercrimes through reputational damage, loss of intellectual property, and operational disruptions. Even governments are susceptible to cyberattacks, targeting national security or critical infrastructure. Victimhood in cybercrimes, therefore, is both vast and multi-dimensional; not only is it the immediate damage but also the ripple effect on digital trust and security.

The importance of victim protection laws in cybercrime cases cannot be overemphasized. Efficient victim protection mechanisms ensure that victims are served justice, compensation, and support to recover from the impacts of cybercrimes. Such laws are important for creating a secure digital environment in which people and organizations can operate online without apprehension of being exploited or harmed. Victim protection laws also deter; they send the message that rights of cybercrime victims will be protected.

This article seeks to critically examine the adequacy of existing victim protection laws in cases of cybercrime. By evaluating current legal frameworks, case law, and challenges facing cybercrime victims, this article aims to pinpoint gaps in the legal system that may be subject to improvement and suggest ways by which victim protection can be increased and justice brought to victims amid evolving digital threats.

It goes to say, the term victim is broad because, in its meaning, relates to any party in the computer-related offenses involved with cybercrime. The legality in defining victims becomes a defining aspect of providing them with necessary rights and subsequently giving them all sorts of appropriate remedies under law. In India, for example, the term “victim” is defined under Section 2(wa) of the Code of Criminal Procedure, 1973 (CrPC), which provides that a “victim” is someone who suffers harm due to the commission of an offense and includes the legal representatives of such persons. Although this definition is not specific to cyber, it applies to cybercrimes as well, and therefore individuals or entities that suffer harm through cyber offenses can find redress in the legal system.

The victims of cybercrime can be categorized into three broad groups: individuals, organizations, and governments. Each category has its unique problems and needs legal protection accordingly.

1. People : People are the most common victims of cybercrimes. Victims of these cybercrimes include identity theft, cyberbullying, as well as harassment from the internet. Identity theft involves taking personal information forcibly and using it for fraud either through a credit card number or a social security number to the detriment of the victim. One person may lose money, but it also has long-term reputational damage. Cyberbullying and online harassment also frequently target victims through social media sites, leading to serious emotional and psychological implications. In this context, the victim suffers not only personal injury but also an invasion of their privacy.
2. Organizations: Organisations-Commercial, Banking and Healthcare Organizations-are other frequent victims of cybercrimes. It exposes sensitive information like customer data, intellectual property, or trade secrets to unlawful access and distribution. Ransomware attacks, in which the hackers lock an organization’s data and demand payment for the release, may cripple the organization’s operations by causing financial loss, reputational damage, and disruption of services. The impacts of cybercrimes on organizations are more sensitive and varied than mere direct loss of financial gains, such as the effects lasting into long-term loss of customer trust and compliance problems on data protection regulations.
3. Governments: Governments are the prime targets of cybercrime where many fall in categories involving cyber espionage and hacking. Cyber attacks into national security, public infrastructure, and sensitive governmental data can create severe national risks. Cyber espionage, where sensitive information belonging to the government is stolen or leaked out, threatens national security and sovereignty. At its best, hacking attempts can cripple public services, causing widespread harm to citizens and the functioning of the state. Victims in such cases are the citizens who depend on the government for safety, services, and infrastructures, as well as the state itself to protect its interests.

Thus, in cybercrime, the concept of “victim” is broad; hence, well-rounded legal systems are needed for the different aspects of harm different stakeholders face today.

Current Legislation Framework on Victim Protection

1. International Norms

Internationally, cybercrime legislation is more of a tool that shall help countries enjoy cooperation and an unhindered uniformity in combating cybercrimes while ensuring victim protection. The Budapest Convention on Cybercrime, adopted by the Council of Europe in 2001, is the most important international instrument. It is the first binding international agreement that addresses crimes committed via the internet, including offenses such as illegal access, data breaches, and online fraud. The Convention emphasizes the need for countries to adopt effective laws, improve international cooperation, and provide victim support mechanisms. The Budapest Convention serves as a universal standard, with the implementation of its provisions depending on the cooperation of signatory countries. Several such nations have enacted domestic laws in accordance with the convention’s directives.

The United Nations Office on Drugs and Crime (UNODC) sets global standards in cybercrime. It advocates for harmonization of the laws of various nations and gives technical assistance to member countries. The UNODC’s Comprehensive Cybercrime Legislation Guide helps states build robust legal frameworks to protect victims of cybercrime and prosecute offenders effectively.

2. Indian Legal Framework

IT Act 2000 is the chief law for India regarding cybercrimes and protection of victims, and sets out a legal framework to govern offenses like hacking, identity theft, cyberstalking, and online fraud. Important provisions associated with the protection of the victim are as follows:

• Section 66A, which was repealed by the Supreme Court in 2015, provided for punishment for sending offensive messages through a communication service, which is relevant to online harassment.
• Section 66C criminalizes identity theft by punishing the unlawful use of someone’s personal identification information.
• Section 66D targets online cheating through impersonation and fraudulent activities conducted via digital platforms.
• Section 72 pertains to the violation of confidentiality and privacy, in which intermediaries will face penalties for accessing personal data without authorization.

Moreover, India’s Digital Personal Data Protection Act, 2023 is further strengthened. It makes severe measures binding upon the organizations processing the personal data of individuals. There is also a statement of rights by the data subject, who must be able to exercise control over their data and redress violation.

Under the Indian Penal Code, Section 354D specifically deals with stalking, which includes cyberstalking, and thus provides a legal recourse for victims to seek justice against online harassment.

Comparative Analysis

Internationally, the countries like USA and EU have also strong cybercrime victim protection laws. The Computer Fraud and Abuse Act, 1986 in the USA also deals with unauthorised access to computer systems and various kinds of cyber crimes such as fraud and identity theft. The act sets out an expansive framework of both criminal penalties as well as victim restitution.

The GDPR in the EU is considered the most comprehensive piece of legislation in terms of privacy and data protection. It affords many protective safeguards for individuals whose data is processed illegally; emphasis has been laid on compensation for the victim of data breaches and violations of their rights to privacy. In effect, the extraterritorial application of the law ensures that organisations beyond the EU also adhere to highly stringent data protection rules when dealing with data belonging to EU residents.

In comparison, although the cybercrime laws in India have developed, there is still room for improvement, especially in the areas of victim compensation and the swift response of law courts to emerging cyber threats. International frameworks are a call for harmonized law that centers on the victim and addresses fast-changing technological changes.

Challenges in Victim Protection

1. Legislative Gaps

Defining jurisdiction is highly ambiguous in most cases of cross-border offenses against victims. As the internet knows no borders, cybercriminals can target people in one country while operating from another, creating a challenge to enforce laws. Such issues arise where jurisdiction is an issue, hence affecting the determination of which country may prosecute and apply which law to the case at hand, thereby resulting in delays and inefficiency in such processes.

Another critical legislative gap is the absence of proper data protection laws in some jurisdictions. While the EU, with its General Data Protection Regulation (GDPR), has robust data protection frameworks, many others, including India, are still working to establish comprehensive laws that effectively safeguard personal data and provide victims with adequate legal recourse in cases of breaches or misuse.

2. Implementation Issues

Most of the steps in implementing the existing laws encounter many setbacks, especially with the delay of investigation and prosecution. The complexity of cybercrimes requires much special knowledge and resources that most of the law enforcement agencies do not have, hence slow responses and protracted legal processes.

Limited awareness and accessibility of victim support mechanisms further exacerbate the situation. Many victims are either unaware of their legal rights or unsure of how to navigate the legal system, leading to underreporting of cybercrimes and inadequate support.

3. Technological Barriers

Technological advancements also present significant barriers in victim protection. The use of encryption and anonymity tools by cybercriminals complicates efforts to trace perpetrators. With such anonymity, it is hard to identify, apprehend, and prosecute criminals. Likewise, the dark web, where illegal activities such as selling stolen data or carrying out cyberattacks are often organized, poses a significant challenge in holding perpetrators accountable and providing victims with compensation or justice.

Case Laws

India

1. Shreya Singhal v. Union of India, AIR 2015 SC 1523

The Shreya Singhal v. Union of India case was a landmark judgment by the Supreme Court of India that dealt with the constitutionality of Section 66A of the Information Technology Act, 2000. This provision criminalized the sending of offensive messages through communication services, which could include social media platforms. The petitioners contended that the law was overbroad and infringed fundamental rights under Articles 19(1)(a) (freedom of speech) and 21 (right to life and personal liberty). The Court struck down Section 66A, decriminalizing online speech that was “offensive” or “annoying,” thereby protecting people from arbitrary arrest or legal action on vague terms.

This decriminalization greatly affected the victims of cyber harassment, as Section 66A had often been misused to target online critics, political dissenters, and individuals facing cyberbullying. While the judgment brought relief to many who were unjustly accused under this provision, it also created a legislative gap regarding the specific legal protection of victims of cyber harassment. This has called attention to the need for more targeted legal provisions to address cyber harassment and online abuse without infringing upon freedom of expression.

2. Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473

In Anvar P.V. v. P.K. Basheer, the Supreme Court addressed the admissibility of electronic evidence in cybercrime cases. Holding: The Court concluded that electronic documents, such as emails and messages, are admissible evidence in court when they meet all the requirements laid down by the Information Technology Act, 2000 and Indian Evidence Act, 1872. This case created guidelines for proving authenticity and for accepting digital evidence, which was very important to be established at a time when evidence was going to be almost entirely digital for cybercrime offenses.

This has equipped the victims with a valuable judicial instrument, especially with regards to the electronic evidence involved like hacking logs, emails, and social media communication. In essence, it reiterated the requirement for digital evidence to prosecute cyber criminals and provide victim relief against internet-based crimes effectively.

International Cases

1. Google Spain SL v. Agencia Española de Protección de Datos (2014) (CJEU)

The case of Google Spain SL v. Agencia Española de Protección de Datos before the European Union Court of Justice (CJEU) handled the topic of the “right to be forgotten.” The Court ruled that search engines like Google must remove links to information that is no longer relevant or accurate about a person upon request from that person, thereby protecting victims from harm to their reputation online. The impact of this ruling has been enormous in the context of privacy protection and the rights of individuals to control their personal data, offering victims a remedy against the presence of bad outdated information online.

This “right to be forgotten” mechanism is helpful to those victims of cybercrimes, like defamation, who can get the injuring material stricken from search results so that they gain greater control over their digital identity.

2. United States v. Thomas, 74 F.3d 701 (6th Cir. 1996)

In United States v. Thomas, the U.S. Court of Appeals resolved the case of jurisdiction arising in crossborder cybercrime cases. Such a case prosecuted a defendant upon charges of managing a cyberpornography ring but evidence and its victims were at different jurisdictions around the world. The court provided a ruling with regard to their ability to provide jurisdiction over acts that had substantial effects within the country, even in the event those criminal activities may have occurred on foreign soil.

This case highlights some of the issues involved in cybercrime prosecution when crossing national boundaries. Most often, the issue leaves the victim with no good remedy. The case underlines the need for international legal cooperation when handling cybercrimes that cut across victims’ locations in various countries, avoiding situations where a victim is denied justice due to conflicts in jurisdiction.

Effectiveness of Victim Protection Mechanisms

1. Support Services for Victims

There are various measures taken to provide support to the victims of cybercrimes. In India, the Ministry of Home Affairs has established the Cyber Crime Reporting Portal through which people can report cybercrimes like online harassment, fraud, and identity theft. This portal has made reporting easier and ensures that the victims have a way to access legal redress. Other helplines are also available for immediate support and guidance to victims. For example, National Cyber Crime Helpline has 155260.

Supporting the victims are the Non-Governmental Organizations, which include various organizations, and there are digital literacy campaigns. Some of the most notable organizations providing counseling, legal advice, and representation for the victim are Cyber Peace Foundation and Internet Freedom Foundation. The digital literacy campaign works in creating awareness concerning the online threat and equips people to act to prevent further victimization.

2. Redressal Mechanisms

To expedite justice for the victims of cybercrimes, many states in India have established dedicated Cybercrime Cells within the police departments. They specialize in cybercrime investigations and ensure that victims’ complaints are handled with the necessary technical expertise. Besides, fast-track courts have also been established in a few jurisdictions, which prioritize cases of cybercrimes, resulting in quicker resolutions and relief for the victims.

The schemes of compensation to the victims, though less evolved, are gaining significant importance as an instrument of justice. Some states offer compensation or reimbursement of loss suffered on account of cybercrime. The Indian Digital Personal Data Protection Act, 2023 also includes data breach victims for legal recourse for seeking redress and compensation from the organizations that have mishandled their personal data.

While these developments are steps forward, there also is a compelling need for harmonized, universal policies that create more access to support services as well as consistent restitution for victims.

Proposals for Strengthening Victim Protection

1. International Cooperation in Cybercrime Investigations

Cybercrimes are cross-border crimes. International cooperation is, therefore, a very important step in enhancing victim protection. Cybercriminals often operate across multiple jurisdictions, making it difficult for law enforcement agencies in individual countries to effectively pursue investigations and bring perpetrators to justice. Such strengthening of frameworks  and bilateral agreements between the countries can serve as a structured approach toward cross border cybercrime investigation. This will therefore allow law enforcement agencies to share data, coordinate efforts, and speed up the prosecution process of the offenders. Additionally, international cooperation would support victims, as cross border cybercrimes tend to cut across different jurisdictions where victims are often not aware of how to seek help or report crime.

2. Comprehensive Victim Compensation Schemes Should be Included in Legislative Reforms

Most legal systems lack comprehensive victim compensation schemes for cybercrimes. Under current provisions, victims are usually not compensated with restitution for their losses. In some cases, this is the financial fraud case, identity theft case, or even cyberbullying. Therefore, legislative reforms should give more importance to specific compensation schemes for cybercrime victims. These could include financial compensation for direct losses, costs incurred during the recovery process, and mental health support for those affected by online harassment or defamation. Creating a centralized fund, with clear guidelines for victims to apply for compensation, could provide essential financial relief and encourage more victims to report crimes.

3. Promoting Digital Literacy to Reduce Vulnerability to Cybercrimes

The best approach that can minimize the number of victims of cybercrime is promoting digital literacy at the national level. Most cybercrimes can be avoided if individuals know the simplest things to do for safety online, including knowing how to recognize phishing emails, creating a good password, and steering clear of malware. Governments, educational institutions, and NGOs should consider providing digital literacy programs, focusing on vulnerable populations, like children and older persons, and low-income groups. Public awareness can also be promoted via social networking sites so that the awareness level of the people about the risks of cybercrimes and preventive measures against cybercrimes may be enhanced.

4. Specialized Cybercrime Tribunals

The introduction of specialized cybercrime tribunals can expedite the judicial process to handle cybercrime cases and ensure smooth and swift justice delivery to cybercrime victims. These courts would consist of cyber law and technology-trained judges and legal professionals. These courts would serve as a fast-track forum for disposing of cases of cybercrime so that victims are not left to wait for years for justice. Specialized courts can also be well-equipped with the necessary technological infrastructure to handle complex digital evidence and provide verdicts in time. These courts could also be victim-friendly and provide better support and protection to the victims in the course of the legal process.

Together, these proposals would seek to create a more effective and victim-centric framework for addressing cybercrimes, offering a multi-faceted approach to both prevention and redress.

Conclusion

The critical analysis of current laws and mechanisms for victim protection in cybercrimes shows both progress and significant gaps. While frameworks such as the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023 in India, along with international agreements like the Budapest Convention, provide a basis for addressing cybercrimes, they are still short of offering comprehensive protection for victims. Cases, such as overlapping jurisdictions, low levels of compensation awards, and unreasonably slow investigations, only delay the fair hearing of the rights of victims. Moreover, these cyber threats develop continuously, creating a need to constantly update their laws in correlation with technological trends.

A victim-centric approach to legislation and enforcement is necessary to ensure that the rights of victims are protected. Laws should be comprehensive, clear, and tailored to the unique challenges posed by cybercrimes. Strengthening the legal framework is not enough; there is a need for robust victim support services, including helplines, digital literacy programs, and compensation schemes, which can empower victims and help them recover from the financial, emotional, and psychological impacts of cybercrime.

The ever-changing cyber threats make it crucial for legislative bodies, law enforcement agencies, and international organizations to come together periodically to review and restructure existing frameworks. The way forward would involve proactive measures that include enhanced international cooperation, creation of special tribunals, and promotion of digital literacy in society, thus bringing down the scale of victimization and bringing to justice those affected as quickly as possible by cybercrimes. The total intent should be to have a legal and institutional environment where the victim can find justice, security, and healing for him in an increasing world of digitalization.

References

1. The Information Technology Act, 2000 (India). Retrieved from https://www.meity.gov.in/sites/default/files/It%20Act.pdf
2. Digital Personal Data Protection Act, 2023 (India). Retrieved from https://www.meity.gov.in/sites/default/files/Digital%20Personal%20Data%20Protection%20Act%2C%202023.pdf
3. The Code of Criminal Procedure, 1973, Section 2(wa) (India). Retrieved from https://indiacode.nic.in
4. Shreya Singhal v. Union of India, AIR 2015 SC 1523. Supreme Court of India.
5. Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473. Supreme Court of India.
6. Google Spain SL v. Agencia Española de Protección de Datos (2014), CJEU. Case C-131/12. European Court of Justice.
7. United States v. Thomas, 74 F.3d 701 (6th Cir. 1996). United States Court of Appeals for the Sixth Circuit.
8. The Budapest Convention on Cybercrime (2001). Council of Europe. Retrieved from https://www.coe.int/en/web/cybercrime/the-budapest-convention
9. General Data Protection Regulation (GDPR) (2016), Regulation (EU) 2016/679 of the European Parliament and of the Council. Retrieved from https://eur-lex.europa.eu
10. Computer Fraud and Abuse Act, 1986 (USA). Retrieved from https://www.law.cornell.edu/uscode/text/18/1030
11. Ministry of Home Affairs. (2020). Cyber Crime Reporting Portal. Government of India. Retrieved from https://cybercrime.gov.in
12. National Cyber Crime Helpline (India). Retrieved from https://www.cybercrime.gov.in
13. National Cyber Security Policy, 2013 (India). Retrieved from https://www.meity.gov.in/content/national-cyber-security-policy
14. Cyber Peace Foundation. (n.d.). Retrieved from https://cyberpeacefoundation.org
15. Internet Freedom Foundation. (n.d.). Retrieved from https://internetfreedom.in
16. Digital Literacy Campaigns by the Ministry of Electronics and Information Technology. Retrieved from https://www.meity.gov.in