IT Act 2000 (Amended 2008)

Section 66C

Punishment for Identity Theft

THE STATUTE

Original Text

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Simplified

Section 66C targets identity theft in the digital space — specifically the fraudulent use of someone else's electronic credentials. This covers: using someone's stolen password to access their bank account; deploying a cloned digital signature on a document; using OTPs stolen through SIM swapping; and using biometric data fraudulently.

Three key observations: First, the punishment is imprisonment AND fine — not or — making the fine mandatory upon conviction. Second, the offence is non-bailable: unlike Section 66 (bailable), identity theft requires the accused to apply for bail, giving courts discretion to refuse. Third, it is triable by a Court of Session, the highest trial court, reflecting the seriousness with which Parliament viewed identity theft.

The provision captures a complete spectrum of identity theft scenarios: if a person clones a SIM card to receive banking OTPs and drain an account, that is 66C; if they then use the stolen account to commit further fraud, 66D (cheating by personation) is additionally attracted; and if they purchase anything with the stolen identity, Sections 415-420 of IPC/BNS on cheating may also apply.

Identity theft prosecutions have surged with UPI fraud, phishing attacks, and KYC fraud.

Common Queries

Section 66C punishes fraudulently or dishonestly using another person's electronic signature, password, or any unique identification feature. This covers using someone's net banking password, copying their digital signature, or misusing their Aadhaar OTP.
Section 66C requires misuse of a specific identification feature (password, signature, biometric). Section 66D is broader — it covers any cheating through impersonation using a computer or communication device, even without misusing a specific credential.
Yes. A SIM swap fraudster who obtains a duplicate SIM by impersonating the subscriber and then uses the SIM to receive OTPs and access banking accounts commits identity theft under Section 66C in addition to other offences.

Legal Evolution

Before 2008, India had no specific criminal provision for digital identity theft. Prosecutors had to rely on IPC cheating provisions (Sections 415-420), which were drafted for physical impersonation. The 2008 Amendment's Section 66C filled this gap. It was modelled on the US Identity Theft and Assumption Deterrence Act 1998 and the UK Identity Cards Act 2006. The provision has become increasingly important with the expansion of Aadhaar-based identity verification, UPI payments, and digital KYC across financial services.

Key Amendments

Inserted by IT (Amendment) Act 2008 — no equivalent in original IT Act 2000.

Non-bailable and triable by Sessions Court — stricter than the parent Section 66.

Both imprisonment AND fine mandatory — not alternative punishments.

Landmark Precedents

Pune Citibank Mphasis Fraud Case (2005-2008)

Sessions Court, Pune
RELEVANCE

Pre-66C case involving call centre employees using customer PINs to fraudulently transfer ₹1.5 crore — would now be prosecuted under Section 66C for identity theft.

State v. Hemraj (2015)

Sessions Court, Gurgaon
RELEVANCE

Conviction under Section 66C for SIM swapping to steal banking OTPs — established pattern for identity theft prosecutions in the mobile banking era.