The Call No One Wants

Tuesday afternoon. The Sub-Registrar's office calls. A sale deed for your Gurgaon flat was registered last week using your digital signature certificate. You were in Bengaluru that whole week. You never met the buyer. You never signed anything. The Registrar's clerk is reading out a transaction number you have never seen, and you can hear the polite confusion turning into something harder. You hang up. You open your laptop. You search "DSC misused what to do" and the answers are paragraphs of statute that nobody at home can read.

The other version — quieter, equally common: an ITR for the previous year was e-filed in your name with a refund routed to a bank account that is not yours. Or your old company's filings at MCA continue to show your DIN affixation, even though you resigned six months ago. Or the chartered accountant you trusted retained a copy of your USB token "for convenience" and is using it to sign vendor returns that you never approved.

This article is for any of those moments. It explains in plain Indian English what your law actually gives you, and what you must do in the first 24 hours, the first week, and the first month.

Why E-Signature Misuse Is Different from Forging a Pen

An ink signature is unique to your hand. A digital signature is a different thing entirely. It is a mathematical operation done with a private key — a string of data that is unique to you and was generated by you when you applied for your Digital Signature Certificate (DSC). The Certifying Authority (CA) — eMudhra, NSDL, Capricorn, IDRBT and a few others — issued you this certificate after verifying your identity under Section 35 of the IT Act — the law on issuance of electronic signature certificates.

The catch is in Section 42 of the IT Act — the law on control of the private key. The section opens with this duty:

Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure.

And it ends with this warning:

For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.

Read those two sentences slowly. Indian law treats your private key like a loaded weapon you have to keep locked up. If somebody copies it, gets your USB token, or takes the password you use to invoke it, every electronic record signed with that key is presumed to be signed by you — until you tell the CA otherwise. Cyber-law commentary admits the rule is harsh: many subscribers will not even realise their key has been compromised until financial damage shows up. But until you intimate the CA, the legal liability sits with you.

This is the structural difference between electronic and pen signatures: you cannot disown a digital signature merely by saying "that is not my handwriting". You have to prove that the private-key control was breached, and you have to do it fast.

The Section 42 Trap You Must Escape Fast

Once you know — or even reasonably suspect — that your private key has been compromised, Section 42(2) makes intimation to the Certifying Authority not just a right but a mandatory duty. The intimation must be made "without any delay". The form and manner are whatever the CA's regulations specify, but in practice every licensed CA has a published "compromise notification" channel — an online form, an email address, or a registered-post route.

Three things to know about this intimation:

  1. It is in writing. Verbal calls do not count for the purposes of Section 42.
  2. It cuts off your liability prospectively. Cyber-law commentary describes the moment of intimation as the point where "the ball shifts to the court of the Certifying Authority".
  3. It is the legal trigger for revocation under Section 38 — and for the public notice under Section 39 IT Act, which puts every relying party on notice that the certificate is no longer trustworthy.

If you delay, every dishonest signature affixed in the meantime continues to legally bind you, at least until the contrary is proved. If you act, the post-intimation signatures are clearly the responsibility of whoever affixed them, with the CA in the loop.

Practical wording for the intimation does not need to be elegant. It needs to identify (i) you, (ii) your DSC serial number, (iii) the suspected compromise event, (iv) a request for immediate suspension under Section 37 and revocation under Section 38, and (v) a request for publication of notice under Section 39. Keep the acknowledgement.

Which Crimes Are Stacked Against the Wrongdoer

Indian criminal law gives the prosecution a set of overlapping sections to charge anyone who misuses your e-signature. A good cyber FIR usually invokes more than one. Translating each on first use:

  • Section 66C of the IT Act — the offence of identity theft. Punishes whoever "fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person". Up to three years' jail, up to Rs 1 lakh fine. Bailable.
  • Section 66 of the IT Act — computer-related offences. Triggered when the same act is also a Section 43 act done dishonestly or fraudulently. Up to three years' jail, up to Rs 5 lakh fine.
  • Section 66D of the IT Act — cheating by personation using a computer resource. If the wrongdoer pretended to be you. Up to three years, up to Rs 1 lakh fine.
  • Section 463 IPC — forgery. Making a false document with intent to cause damage or to support a fraudulent claim. Section 464 IPC defines what counts as a "false document"; cyber-law commentary notes that a digital signature affixation passing itself off as having been made by you fits squarely in clause "First" of Section 464.
  • Sections 467 and 468 IPC — forgery of valuable security and forgery for the purpose of cheating. Non-bailable. These attach where the misused signature is on a sale deed, share certificate, valuable security or commercial document.
  • Section 471 IPC — using a forged document as genuine. Often used along with Section 467/468 against the person who relied on the forgery to make a gain.

The Supreme Court in Mohammed Ibrahim v State of Bihar (2009) set out the test of "false document" under Section 464, holding that the document must purport to have been made or executed by, or by the authority of, a person by whom or by whose authority the maker knows it was not made. A digital signature placed without the holder's authority and presented as a genuine signature satisfies that requirement.

Revoke and Suspend Without Delay

Section 37 of the IT Act — suspension of digital signature certificate — lets the Certifying Authority suspend your DSC on your request. The suspension is for up to 15 days unless the subscriber is given an opportunity of being heard. Use suspension when you are still investigating, when you are not yet sure of the scope of misuse, or when you need a holding step before formal revocation.

Section 38 of the IT Act — revocation of digital signature certificate — is the heavier hammer. Revocation can be requested by you (Section 38(1)(a)) or done by the CA suo motu (Section 38(2)) on grounds including that a material fact represented in the certificate is false, that an issuance requirement was not satisfied, or that the CA's own private key or security system was compromised. Revocation is permanent: you will need a fresh DSC for any future signing.

Once a DSC is suspended or revoked, Section 39 of the IT Act — notice of suspension or revocation — requires the CA to publish a notice in the repository specified in the certificate. This is critical because relying parties (banks, Sub-Registrars, MCA, Income Tax Department) check the certificate's validity at the moment of verification. Once the notice is up, no fresh fraud against you can succeed using that certificate.

If you have multiple DSCs — one personal, one for the company, one for GST filings — revoke each separately. The signatures are independent and so is the chain of trust.

Filing the FIR and Claiming Money Back

The criminal track and the civil track run in parallel for e-signature misuse exactly as they do for password misuse.

The FIR. Walk into a police station, preferably the cyber cell or the local station, with a written complaint addressed to the SHO. Cite Section 66C IT Act, Section 66 IT Act read with Section 43, Section 66D where personation is involved, and IPC Sections 463, 464, 465, 467, 468 and 471 where the misuse is on a deed, share certificate, return or other formal document. Under Section 173 of the BNSS, the law on registration of FIRs, the station cannot refuse on jurisdiction grounds; zero-FIR is now statutory.

If the police hesitate, BNSS Section 173(4) gives you the right to escalate in writing to the Superintendent of Police, and BNSS Section 175(3) lets you approach a Magistrate to direct registration and investigation. Carry copies of the misused document, your Section 42 intimation, the CA's revocation acknowledgement and any forensics you already have. Police investigation under Section 175 BNSS can include seizing the device on which the private key was used — Section 193(3) BNSS specifically requires the chain of custody for electronic devices to be recorded.

The compensation claim. Section 43 of the IT Act gives you damages against any person who, without permission, accesses, copies, alters or disrupts a computer resource. The wrongful affixation of your digital signature is access plus alteration. Section 46 of the IT Act — power of the Adjudicating Officer — gives the AO jurisdiction to award compensation up to Rs 5 crore. Above that, regular civil courts have jurisdiction. The AO has the powers of a civil court and the order, if unpaid, is recoverable as an arrear of land revenue under Section 64 IT Act.

Where the misuse hurt your bank account or financial filings, the loss may also fall under banking-related compensation routes, particularly if your bank or e-filing intermediary failed to verify before processing. Section 43A IT Act gives you an unlimited compensation claim against a body corporate that was negligent with your sensitive personal data — and Rule 3 of the IT Rules, 2011, expressly includes financial information in that definition.

Proving It in Court — Section 65B and Forensics

The trial of an e-signature misuse case is largely a documentary exercise. The evidence is not the wrongdoer's handwriting; it is timestamps, server logs, key-usage trails, and certificates of integrity.

The legal admissibility rule is Section 65B of the Indian Evidence Act, 1872 — proof of electronic record (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023). Any printout or copy of the signed document or any system log produced in court must be accompanied by a certificate identifying the device, the period over which it was used, the integrity of the data, and the name and signature of the person responsible for the operation of the device. The Supreme Court has clarified that this certificate is mandatory; without it, the electronic record is inadmissible.

The evidence stack typically looks like this: (i) the signed document with the embedded signature data, (ii) the CA's verification report on the public key, signature time and validity status of the certificate at that moment, (iii) the device logs showing where the signature was generated, (iv) your Section 42 intimation timeline showing that you reported the compromise, (v) your alibi or non-association evidence (CCTV, travel records, banking patterns) to show you could not have been at the place or device of signing.

Cyber-law commentary makes the practical point that simply showing your private key was used does not, by itself, prove you used it. Section 36 of the IT Act requires the CA to certify that the subscriber holds the private key — but it does not certify who physically affixed a particular signature. Your defence in a misuse trial is exactly that gap: that the private-key control was breached at the time of the affixation in question.

When the Certifying Authority Itself Was at Fault

Sometimes the misuse is upstream of you. A licensed Certifying Authority may have issued a DSC in your name to someone else who walked in with forged identity documents. Or your CA's own systems were breached, and certificates were generated without proper KYC. Cyber-law commentary records the existence of such failures and the pressure they put on the system.

If this happened, three things change:

  1. Section 38(2)(a) of the IT Act authorises the CA to revoke a DSC where a material fact represented in it was false or has been concealed. You can demand revocation in writing, citing the false KYC.
  2. Section 38(2)(b) authorises revocation where a requirement for issuance was not satisfied. Section 35 IT Act sets out the issuance requirements — including Rule 25 of the IT (Certifying Authorities) Rules, 2000, which mandates verification of identity. A failure here is a Section 38(2)(b) ground.
  3. You may have a Section 43A compensation claim against the CA for failure to maintain reasonable security practices. CAs are body corporates; they hold sensitive personal data; the duty applies.

Add a complaint to the Controller of Certifying Authorities (CCA), the regulator that licenses CAs under Section 21 of the IT Act. The CCA can audit and discipline a CA for breach of the issuance procedure. The complaint to the Controller is administrative and runs in parallel to your civil and criminal actions.

What Should I Actually Do Now?

  1. Today, within hours. Send a Section 42(2) IT Act written intimation to your Certifying Authority that your private key is compromised. Email + registered post. Keep proof of dispatch.
  2. In the same email, request immediate suspension under Section 37 IT Act and revocation under Section 38 IT Act, plus publication of notice under Section 39 in the certificate's repository.
  3. Disconnect the USB token / e-Sign credentials from every device. If a desktop or laptop holds the key, isolate that machine — do not reformat yet, the disk is evidence.
  4. Pull and screenshot every record of the suspect signature affixations: the signed PDF, the digital signature properties dialog, the timestamp, the application that consumed the signature (e-MCA, e-Sangrah, ITR, Sub-Registrar receipt).
  5. Lodge a complaint at cybercrime.gov.in with all evidence uploaded. Note your complaint reference number.
  6. File a written FIR at the local police station or cyber cell citing Sections 66C, 66, 66D IT Act and IPC Sections 463/464/465/467/468/471 as applicable. Carry the misused document, Section 42 intimation, CA acknowledgement.
  7. If the police refuse, escalate under BNSS Section 173(4) to the SP, then under Section 175(3) to the Magistrate.
  8. Inform every relying party — your bank, the Income Tax Department, MCA, the Sub-Registrar — in writing that the signature on the relevant document is disputed and the certificate has been intimated as compromised.
  9. If a deed, share transfer or company filing is involved, file a civil suit for cancellation under Section 31 of the Specific Relief Act in the appropriate court, or move the National Company Law Tribunal under Section 7/9 of the Companies Act for company filings.
  10. File a Section 46 IT Act application before the Adjudicating Officer of your state for compensation. If a body corporate's negligence enabled the misuse, plead Section 43A.
  11. Send a Controller of Certifying Authorities complaint if the CA's KYC or security failed, requesting an audit under Section 21 IT Act.
  12. Get a fresh DSC issued from a different licensed CA only after the old one is fully revoked and the old USB token is destroyed.

You Can Fight Back, but Move Today

Misuse of an electronic signature is a more frightening event than misuse of a password, because the legal weight of a digital signature on a document is enormous: ITRs, sale deeds, MCA filings, GST returns, share transfers all stand on it. The ground feels unsteady when you realise yours has been used without you. That feeling is real. The legal architecture, however, is more robust than it appears in panic.

Section 42 of the IT Act, as harsh as its liability rule looks, also draws the bright line that protects you: the moment you intimate the Certifying Authority, your slate is wiped going forward. Sections 37 to 39 give a clean route to suspension, revocation and public notice. Section 66C is bailable but it produces an FIR, an investigation, and a charge sheet — and forgery sections under the IPC, where attracted, are not bailable. The Adjudicating Officer track gives you compensation that the wrongdoer, or the body corporate, must actually pay you in cash.

The first 24 hours decide most of what comes after. The CA intimation, the police complaint at cybercrime.gov.in, the FIR — those three steps protect everything else. The civil suit, the NCLT application, the AO claim, the trial — those build on the foundation. If you do step one tonight, the rest is hard but doable.

Frequently Asked Questions

What counts as misuse of an electronic signature?

Any use of your digital signature certificate or e-signature without your present, informed consent. This includes a chartered accountant who keeps signing returns after you have terminated their engagement, an employee who uses the company's USB token after resignation, a relative who hijacks your DSC to sell a property in your name, or anyone who copies your private key to another machine. Section 66C of the IT Act expressly covers fraudulent or dishonest use of an electronic signature of another person, with imprisonment up to three years and fine up to Rs 1 lakh.

My DSC was used to sign a sale deed I never authorised — what now?

Move on three fronts the same week. First, lodge an FIR under Section 173 BNSS citing Section 66C IT Act (identity theft) and Section 66 read with Section 43 (unauthorised access), plus IPC Sections 467/468/471 (forgery and use of forged document). Second, file a written intimation under Section 42(2) IT Act to your Certifying Authority that your private key has been compromised, asking for revocation under Section 38. Third, file a civil suit for cancellation of the deed on the ground that the document is a forgery. The earlier the Section 42 intimation, the cleaner your liability cut-off.

Am I liable for everything done with my DSC before I report it?

Largely yes, until you tell the Certifying Authority. The Explanation to Section 42 of the IT Act expressly says the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised. Cyber-law commentary calls this a harsh rule, especially because many subscribers may not even realise their key has been copied. The practical takeaway: the moment you suspect any misuse, send the Section 42 intimation in writing. Once the CA is informed, the liability shifts and post-intimation acts are clearly the wrongdoer's.

What is the difference between a digital signature and an electronic signature?

In Indian law as it currently stands, the two largely overlap. Section 2(1)(ta) of the IT Act defines an electronic signature as authentication of an electronic record using techniques specified in the Second Schedule, and that definition includes digital signatures. The Second Schedule technically allows other techniques, but at the time of writing, digital signatures alone are the valid electronic signatures in India. Practically, a Class III DSC issued by a licensed Certifying Authority remains the gold standard for high-value documents like sale deeds, MCA filings and tenders.

How do I revoke or suspend a misused digital signature?

Use Section 38 of the IT Act, which lets the Certifying Authority revoke a Digital Signature Certificate on a request from the subscriber. Write to your CA — eMudhra, NSDL, Capricorn, IDRBT or whoever issued it — asking for immediate revocation citing Section 38(1)(a). Section 37 separately allows suspension up to 15 days. Once revoked, Section 39 requires the CA to publish a notice in the repository, putting the world on notice that the certificate is no longer valid. Anyone relying on it after that does so at their own risk.

Can I claim compensation if my e-signature was misused on a financial document?

Yes. Section 43 of the IT Act gives you damages for unauthorised access, copying, alteration or disruption of a computer resource — exactly what happens when someone affixes your private key without permission. Claims up to Rs 5 crore go before the Adjudicating Officer of your state under Section 46 IT Act. If a body corporate (a bank, e-filing intermediary, or service provider) was negligent in safeguarding your DSC or login, Section 43A IT Act gives you an unlimited compensation route. The Adjudicating Officer's powers are those of a civil court and orders are enforceable as land revenue arrears.

What if my CA gave the certificate based on forged documents?

Section 38(2) of the IT Act allows the Certifying Authority to suo motu revoke a Digital Signature Certificate if a material fact represented in it was false or has been concealed, or if a requirement for issuance was not satisfied. So if someone obtained a DSC in your name using forged ID, you can write to the CA demanding revocation under Section 38(2)(a) and (b). Parallel offences include Section 66C (identity theft) and IPC Sections 463/464/465 (forgery and making a false document). Take a copy of the CA's KYC file along with your FIR, and file a complaint to the Controller of Certifying Authorities for an audit.

How is my electronic signature proved or disproved in court?

Through Section 65B of the Indian Evidence Act (now Section 63 of the Bharatiya Sakshya Adhiniyam, 2023). The signed electronic record is produced with a Section 65B certificate identifying the device, the integrity of the data, and the absence of tampering. The Certifying Authority's verification log of the public key and time-stamp becomes critical. If you allege forgery, your defence is that the affixation was without your private-key control and outside your knowledge — the cyber forensics report, system logs and key-usage timestamps will be the centre of the trial.

Is e-signature misuse a bailable offence?

Section 66C — the main identity-theft provision — is bailable. So are Sections 66, 66D and 72A. Cyber-law commentary criticises this as a paper-tiger feature. But bailability does not mean impunity. The FIR runs, the charge sheet under Section 193 BNSS is filed, the trial happens, and conviction at the end carries imprisonment up to three years. Forgery offences under IPC Sections 467 and 468, where attracted alongside Section 66C, are non-bailable and far more serious. The choice of sections matters and a cyber-trained lawyer adds value here.

Does my Aadhaar e-Sign or DocuSign signature carry the same protection?

Yes for the legal protection, with caveats on technical reliability. An Aadhaar e-Sign through a licensed e-Sign service provider operates under Section 3A of the IT Act and Schedule II. DocuSign-style click-sign tools operate under contract law more than Section 3A. Section 66C protects the misuse of any electronic signature or unique identification feature, and Section 43 covers unauthorised use of any computer resource — so the legal options remain. For high-value documents, prefer a licensed Certifying Authority's DSC over a click-to-sign solution.

What if my DSC is used to file a fake company resolution at MCA?

Three steps simultaneously. File MCA's online complaint and request investigation by the Registrar of Companies. File an FIR under Section 66C IT Act, Section 66 IT Act, IPC Sections 463/464/468/471 for forgery and use of forged document, and Section 447 of the Companies Act for fraud. Send a Section 42(2) IT Act intimation to your Certifying Authority and seek revocation under Section 38. Apply to the National Company Law Tribunal if the resolution led to share allotments or director changes. The MCA's own director-KYC and DIN-deactivation process can also help freeze further misuse.

How long do I have to act after I discover the misuse?

Move within days, not weeks. Section 514 of BNSS limits cognizance of offences punishable with up to three years to a three-year window. Section 42 IT Act liability continues to attach to you personally until you intimate the Certifying Authority — every day of delay is a day you may answer for. Civil compensation claims under Sections 43 / 43A are subject to ordinary limitation principles, applied by the Adjudicating Officer. The cyber forensics window for server-side logs at the CA and platforms is usually six to twelve months, after which crucial records are routinely overwritten.

For more articles on Indian law, visit the Pinaka Legal Blog.
