Business Ethics Paper on Cyber-Liability

Definition
Vicarious liability is a situation in which one party is held partly responsible for the unlawful actions of a third party. The third party also carries his or her own share of the liability. Vicarious liability can arise in situations where one party is supposed to be responsible for (and have control over) a third party, and is negligent in carrying out that responsibility and exercising that control. For example, an employer can be held liable for the unlawful actions of an employee, such as harassment or discrimination in the workplace. Even though the employer is not the one who committed the unlawful act, the employer is held liable because it is considered responsible for its employees’ actions while they are on the job and it is considered to be able to prevent and/or limit any harmful acts performed by its employees. The employer may be able to avoid vicarious liability by exercising reasonable care to prevent the unlawful behavior. Another common source of vicarious liability occurs when a child behaves negligently.

The parent can sometimes be held vicariously liable for the child’s actions. One situation where this might occur is if a child injures or kills someone while driving. Vicarious liability was also define as the tort doctrine that imposes responsibility upon one person for the failure of another, with whom the person has a special relationship (such as parent and child, employer and employee, or owner of vehicle and driver), to exercise such care as a reasonably prudent person would use under similar circumstances. To claim under the tort of vicarious liability, firstly, someone should know all the requirement of vicarious liability should be establish first in order to claim under the tort of vicarious liability. The requirements are as the following:- There must be a wrongful tortious act There must be special relationship between employee-employer The tort must occur within the course of employment Example of Case of Vicarious Liability:- (i) Lister v Helsey Hall Limited (2001) This case is about the sexual abuse by a warden of a school boarding house to a student. The issue of this case is whether the warden’s action in abusing the pupil was closely connected with employment would it be fair and just to hold his employers liable.

Result: The company which owned and ran the school was responsible for the warden conduct as the warden responsibilities include the welfare and safety. It was considered that vicarious liability would not apply to other employees. (ii) Limpus v London Omnibus and Co. In this case, the driver of the bus in order to overtake another bus was driving in a very rash and negligent manner and hence ended up injuring the plaintiff. The catch in this case is such a tendency was known to the employer and he had prohibited the driver from doing so. Result: Clearly the servant has acted negligently and the master then becomes vicariously liable. (iii) Ricketts v Thomas Tilling Ltd. The driver who had been authorized to drive the bus, feels tired and asks the conductor to drive the bus for some time. The conductor while driving the bus, does so quite negligently and hurts a pedestrian X. X brings a suit against the bus company. Will he succeed? Result: By a clear application of the principle of wrongful delegation, it is quite conclusive that the master is liable. Hence X will succeed.

(2) Cyber-Liability
Definition
Any organization operating a Web site or conducting e-business needs protection from an invading army of exposures, such as e-theft, destruction of critical data, defamation, libel, copyright or trademark infringement, e-vandalism, e-threats, denial of service, and more. Cyber-liability is focused on the ever-increasing risks and rapidly evolving liability exposures associated with the creation, transmission, security and storage of data, particularly private, personal and proprietary information. Today’s businesses face the threat of hackers trying to steal data, and the accidental disclosure of such information, or loss of such information can give rise to liabilities to customers, clients and the government.

Cyber-liability addresses the first and third party risks associated with e-business, Internet, networks and informational assets. Cyber-liability insurance coverage offers cutting edge protection for exposures arising out of Internet communications. The concept of cyber liability takes into account first and third party risks. The risk category includes privacy issues, the infringement of intellectual property, virus transmission, or any other serious trouble that may be passed from first to third parties via the Web. Cyber-liability is composed of two defined risks:- (i) Security Liability Security liability is the unauthorized access / use of a utility’s (or vendor/partner/ independent contractor) network. In 2007, the exposure increasingly involves the theft of mobile computer equipment such as a desktop server or a laptop to perpetrate data theft. It is well known that many cases involve inside employees who have trusted access into the network. Employees or trusted third parties with access into the network can steal identity information, critical business information, transmit malicious code, and participate in a denial of service attack against network or the network of others. This risk includes paper documents, as well as electronic data.

(ii) Privacy Liability
Privacy liability is the violation of privacy laws or regulations that permit individuals to control the collection, access, transmission, use, and accuracy of their personally identifiable medical and / or financial information. The most serious civil and regulatory exposure surrounds personally identifiable non-public information; however there are risks associated with disclosure or theft of confidential corporate data of others. Cyber liability insurance protects against compensation claims arising from:- Staff misuse of company email (for which you are responsible), or the content on your website or blog, that defames or libels a third party System damage caused by viruses or malware you may have transmitted (unknowingly) via email or the internet Security breaches that give unauthorized access to confidential data Financial losses caused by the failure of a company website, the collapse of your internet provider or the work of computer hackers Why all organizations and peoples should consider and have it (cyber liability insurance):- Provides specialized protection often not included in general liability policies Protects your financial interests against the greater risks associated with a high profile online presence, even if a claim against you is invalid Minimizes the disruption to your business of managing your way back to normality in the event of any incident

Question 2: List the top categories of litigation of cyber-liability.

In general, sanctions could include “exclusion from entitlement to public benefits or aid; temporary or permanent disqualification from the practice of commercial activities; placing under judicial supervision; judicial winding-up; and also temporary or permanent closure of establishments which have been used for committing the offence”. Sanctions imposed would have to be “effective, proportionate and dissuasive” in order to be justified. One of the top categories of litigation of cyber-liability is hacker attack. Hacker means someone who tries to break into computer system and enjoys doing the computer programming rather than just theorizing about it. Hacker will be a proficient programmer or engineer with sufficient technical knowledge to understand the weak point in security system in the computer. This hacker attacks can take legal action if the person is arrested for involving highly private files in the case of national security.

There is some case in February 1999, where Ministry of Defence Satellite has been hacked by a small group of hackers gained control of a MoD (Ministry of Defence) Skynet military satellite. They manage to reprogram the control system before being discovered. Therefore, no arrests have been made by U.S Air Force. Breach of privacy also can be defined as a hacker attack. A breach of privacy occurs when there is unauthorized access to any personal information. According to Daniel J., S (2008), privacy is apparent in today’s society as individuals hold more and more “personal” information spread to the public. Based on this statement, sites owners or the business owners should keep the users’ personal information in confidential and also should not get reach by the other users’. In online shopping website, the owner should private their customer’s information such as their personal details such as name, address and contact numbers in the website. When it viewed by other consumers that have violence the rights of the consumers, it may cause litigation.

Cyber fraud is also one of the top categories of litigation of cyber-liability. Cyber fraud refers to any type of deliberate fraud for invalid or illegal profit that occurs in online. Fraud occurs when trickery was used to gain a dishonest advantage which is often financial over to another person. There are four types of fraud which is individual fraud, corporate fraud, online fraud and advance free fraud. The most common form is online credit card theft. Paid product purchased through online auctions and no delivery of merchandise or software is common form of monetary cyber fraud. The example of fraud case is on March 2007 at Kuala Lumpur where NorzanaRuslan was sentenced by court to serve 50 months jail after pleading guilty to fraudulently withdrawing RM 1.24 million from a Tabung Haji account. She also sentenced to 24 months for a second transaction that she had made using forged identity card in the name of other people identity.

Question 3: Draft a guideline on cyber-liability for students in University Malaysia Sabah.

There are some guidelines that can be used by UMS students regarding cyber-liability. These include:- (i) E-mail Students must always remember that they are communicating with other human being. They must introduce themselves, be courteous and tolerant. E-mail also can become public, so never write anything that would make them concern. Always be careful when choosing a subject heading. The most important thing is that they must ensure they give a clear idea of what the e-mail is all about. Avoid writing in capital letters for more than a word because it can be as shouting.

(ii) Social Networking Site
Don’t post personal information, such as telephone number and address carelessly. Must always be careful with all information that they post. Don’t give any password to anyone. Before post the photos or anything, think first. Personal photos should not have revealed any information that can give negative impacts. Just add people as friends to the site if they know that particular person. Always check the privacy setting of the social networking site. This is to make sure that there are no people trying to steal their information.

(iii) Computer Virus
Every student must have installed anti-virus software to protect their information from being stealing and also to protect their gadget. Don’t ever open any suspicious e-mail. Don’t download anything from sites that are not legal or from other unapproved sites.

(iv) Boards / Blog
Inappropriate comments must be unacceptable.
All comment will be published on discussion boards, so students need to be aware before gives any comment. Consequences of breach of these protocols may need requirement of a retraction, disciplinary action and removal of any comment deemed to be inappropriate. So, students need to be careful. On line unit discussions are opened a forum for communication between students and the unit coordinator. Students can use this service to try to solve their problem.

(v) Secure Wireless Transmissions
The data that was sent over the wireless network is more subject to interception than sent by Ethernet network (computer networking technologies for local area networks (LANs)). Everyone can use the data by wireless that enable portable computer and access the data stored there if the wireless access point is not configured securely. (vi) Protect the Data in Transit with IP security Usually, the network connection in UMS is among the staff or the students. So, to protect the data transit, students can used internet protocol security (IP security) to help them to protect it from hacker, hack and breakdown the system. The data also should be resided on different host than the publicly accessible server.

(vii) Online Backup Nowadays, cloud storage has become a popular option for back up the data in computer and many providers now offering the packages for a monthly or yearly service fee or a flat fee based on how much data is stored. Students should choose established and reliable providers that store encrypted data on computer servers in secure, multiple location and should ask how quickly their files can be accessed in an emergency. (viii) Use Passwords as a Key Having a password policy for students is a good practice. Utilize simple guidelines such as:- Do not share password with anyone. Do not share computer or laptop with others while logged into it. Use special characters to create the password. For example “$” could be used for “S” and so on. Username and password may often be guess by other people but if they are using the strong identification method and students login in with the other ways, it may increase the security protection.

(ix) Utilize Automatic Updates
Use applications and software tools that automatically load the new updates on all network in their computer and any others devices. Install an anti-virus product that automatically updates their computer or software with the latest upgrades.

REFERENCES

“Cyber Liability”, retrieved on 10 October 2013 from
http://www.filetransferglossary.com/cyber-liability/.
“Cyber Liability Risk Management”, retrieved on 12 October 2013 from . Daniel, J. S. 2008. In Understanding Privacy. Cambridge, MA: Harvard University Press. “Employer Liability for the Wrong Acts of its Employees”, retrieved on 8 October 2013 from http://www.mccarthy.ca/pubs/wrongful_acts.pdf. Johonnes, G., Edward, L. & Rafael, P. (nd). Toward Privacy for Social Networks. A Zero- Knowledge Based Definition of Privacy. Houlton, S. 2011. Insurance Coverage for the Computer Age (Cyber-Security Policies Needed To Deal with Data Loss and Theft): Connecticut Law Tribune an ALM Publication. 37(7): 1-2. “How to Defend a Case of Vicarious Liability”, retrieved on 7 October 2013 from . Neyers, J. W. 2005. A Theory of Vicarious Liability. 43(2): 1-41. Section of Litigation: “Criminal Litigation”, retrieved on 5 October 2013 from http://apps.americanbar.org/litigation/committees/criminal/email/winter2013/w
inter2013-0313-best-practices-advising-clients-cyber-security.html. Stephens, S. & Fort, S. 2008. Cyber Liability & Higher Education Aon Professional Risk Solutions White Paper: AON Risk Services. : 1-14. “Vicarious Liability”, retrieved on 8 October 2013 from http://legal-dictionary.thefreedictionary.com/Vicarious+Liability.

“Vicarious Liability”, retrieved on 10 October 2013 from . “Vicarious Liability Law & Legal Definition Articles”, retrieved on 11 October 2013 from http://definitions.uslegal.com/v/vicarious-liability/. “Woman Sentenced to Jail for RM1.24 Million Fraud Case”, retrieved on 5 October 2013 from http://malaysiacrimewatch.lokety.com/woman-sentenced-to-jail-for-rm124-million-fraud-case/. “5 Reasons You Should Have Cyber Liability Insurance”, retrieved on 8 October 2013 from http://www.inc.com/minda-zetlin/6-reasons-you-should-have-cyber-liability-insurance.html.

APPENDIX

(1)
5 Reasons You Should Have Cyber Liability Insurance BY MINDA ZETLIN It’s not just for big companies. Cyber insurance can make the difference between staying in business or shutting your doors after an attack. Imagine for a moment that your company has come under attack by a skilled hacker. The hacker has accessed your customers’ names and contact information–and worse–your employees’ social security numbers. On top of that, your website is disabled so that you can’t take orders or collect the payments you need to stay in business. Wouldn’t it be nice to have cyber liability insurance right about now? Insurance that protects you in case of a cyber attack may seem like something only large corporations would ever need, or could ever afford. But believe it or not, cyber liability insurance makes lots of sense for small companies as well.

Here’s why: 1. It’s more affordable than you think. “I’ve seen policies with premiums as low as $2,000 a year, though it can go up from there,” says Ethan Miller, partner at the San Francisco law firm Hogan Lovells. You can get coverage as high as $30 million and deductibles as low as $10,000, depending on your needs and what you’re willing to pay. Cyber liability insurance is still a fairly new concept, so there’s a lot of variation among policies, and a lot of room for negotiation. 2. It can cover more than you think. Many policies offer “first party” coverage–that is, they will pay you for things like business interruption, the cost of notifying customers of a breach, and even the expense of hiring a public relations firm to repair any damage done to your image as a result of a cyber attack. Having this cash available in the event of a crippling hack can keep the lights on till you’re able to resume your normal cash flow. A good policy can even cover any regulatory fines or penalties you might incur because of a data breach.

Business interruption coverage can be especially important for a small business, Miller says, which may not be as diversified as a larger one, or have the same financial resources. “If a larger company has one line of business shut down by a data breach, it may be able to depend on its other lines for revenue. A smaller company may only have one line of business.” 3. You probably don’t have a risk management team. Big corporations have entire departments devoted to analyzing the risks the company could face and helping set policies and procedures to protect against them. You don’t–but a good insurance carrier can perform a similar function. “There are a couple of ways insurance can bridge that gap,” Miller says. “An insurer might work with a small company to make sure a firewall is in place to protect your network, and make sure you have social media policies that reduce risk.” Your insurer may well be willing to help with these areas because the better protected you are, the less likely you are to have a breach that could result in a claim. 4. Even if you don’t host your data yourself, you’re still responsible. Is your website and any of your data hosted or stored in the cloud? Take a good look at your contracts: You’re still legally responsible. “There’s a significant risk,” says Karen L. Stevenson, senior counsel at Buchalter Nemer, a law firm with offices in California and Arizona.

You can’t fully control how a cloud provider handles your data but an insurance policy can protect you if your cloud provider screws up. 5. Your general policy won’t cover you. Typically, a general liability policy specifically excludes losses incurred because of the Internet, Miller says. So a good cyber liability policy can pick up where your general policy leaves off. Make sure your cyber policy covers laptops and mobile devices as well, to give yourself coverage in as many situations as you can. “Work with your broker to integrate cyber liability with your general policy and employment liability policy,” Miller advises. “You want to give yourself the most seamless coverage possible.”

(2)
Vicarious Liability
Vicarious liability is the tort doctrine that imposes responsibility upon one person for the failure of another, with whom the person has a special relationship (such as Parent and Child, employer and employee, or owner of vehicle and driver), to exercise such care as a reasonably prudent person would use under similar circumstances. Vicarious liability is a legal doctrine that assigns liability for an injury to a person who did not cause the injury but who has a particular legal relationship to the person who did act negligently. It is also referred to as imputed Negligence. Legal relationships that can lead to imputed negligence include the relationship between parent and child, Husband and Wife, owner of a vehicle and driver, and employer and employee. Ordinarily the independent negligence of one person is not imputable to another person. Other theories of liability that are premised on imputed negligence include the Respondeat Superior doctrine and the family car doctrine.

The doctrine of respondeat superior (Latin for “let the master answer”) is based on the employer-employee relationship. The doctrine makes the employer responsible for a lack of care on the part of an employee in relation to those to whom the employer owes a duty of care. For respondeat superior to apply, the employee’s negligence must occur within the scope of her employment. The employer is charged with legal responsibility for the negligence of the employee because the employee is held to be an agent of the employer. If a negligent act is committed by an employee acting within the general scope of her or his employment, the employer will be held liable for damages. For example, if the driver of a gasoline delivery truck runs a red light on the way to a gas station and strikes another car, causing injury, the gasoline delivery company will be responsible for the damages if the driver is found to be negligent. Because the company will automatically be found liable if the driver is negligent, respondeat superior is a form of Strict Liability.

Another common example of imputed negligence is attributing liability to the owner of a car, where the driver of the car committed a negligent act. This type of relationship has been labeled the family car doctrine. The doctrine is based on the assumption that the head of the household provides a car for the family’s use and, therefore, the operator of the car acts as an agent of the owner. When, for example, a child drives a car, registered to a parent, for a family purpose, the parent is responsible for the negligent acts of the child at the wheel. Liability can also be imputed to an owner of a car who lends it to a friend. Again, the driver of the car is acting as the agent of the owner. If the owner is injured by the driver’s negligence and sues the driver, the owner can lose the lawsuit because the negligence of the driver can be imputed to the owner, thereby rendering him contributorily negligent. This concept is known as imputed contributory negligence.

(3)
Cyber Liability
Cyber liability is the risk posed by conducting business over the Internet, over other networks or using electronic storage technology. Insurance can be bought and “risk based” security strategies can be used to mitigate against both the first- and third-party risks caused by cyber liability. A “first party” cyber liability occurs when your own information is breached. For example, a hack that results in the exposure of your own trade secrets would create a first party cyber liability. A “third party” cyber liability occurs when customer or partner information your organization has promised to keep safe is breached. For example, a hack that results in the exposure of your customer’s Social Security numbers would create a third party cyber liability.

Companies have compelling reasons to avoid both types of cyber liability, but third party cyber liabilities can be devastating. First party cyber liabilities threaten a company’s competitiveness, but third party cyber liabilities often ruin brands, open the door to million-dollar lawsuits and trigger statutory fines (e.g., HIPAA HITECH’s $50,000 per-incident “willful neglect” fine). File transfer technology frequently transmits information whose disclosure would lead to first- or third-party cyber liabilities. (4) Privacy Breaches Information about privacy breaches and how to respond What is a privacy breach?

A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA, or similar provincial privacy legislation. Some of the most common privacy breaches happen when personal information of customers, patients, clients or employees is stolen, lost or mistakenly disclosed (e.g., a computer containing personal information is stolen or personal information is mistakenly emailed to the wrong people). A privacy breach may also be a consequence of faulty business procedure or operational break-down. How we can help? Unfortunately, privacy breaches are becoming more and more common. Over the last few years, hundreds of thousands of Canadians have been affected by privacy breaches. And the consequences for affected individuals can be significant.

In Canada, the disclosure of privacy breaches is voluntary, and organizations must evaluate the situation and decide for themselves on an appropriate response. However, organizations will often approach the OPC for guidance or to report a breach, and we have developed a number of tools to assist organizations. What does the OPC do when there is a privacy breach? When the OPC learns of a privacy breach (in previous Annual Reports issued by the Office, we referred to them as “incidents”), whether the organization notifies us or we learn about it from another source, we open an “incident” file. Generally speaking, we monitor such incidents; this is not as in-depth a process as an investigation. Essentially, we want to know what happened, what steps are being taken to address the situation, what has been done to mitigate a recurrence, and whether notification to individuals has occurred or been considered. We may also make suggestions to the organization. The Director General of Investigations and Inquiries sends a letter to the organization when the incident file is closed. No findings are issued. There are times when an incident file is turned into a complaint investigation. This occurs when the OPC receives a complaint.

On occasion, the Commissioner may initiate a complaint on her own motion. This happens only in exceptional circumstances, where, for example, the breach is very serious, appears to be systemic or the organization does not appear to be responding adequately. There have been instances in the past when the Office has received a number of complaints about an issue and decided to initiate a complaint (instead of opening several complaint investigations). The complainants, however, had to agree to this, as they would be giving up their rights of recourse to Federal Court in such a circumstance. Legislative reform The House of Commons Standing Committee on Access to Information, Privacy and Ethics (Committee) conducted the first mandated 5-year review of PIPEDA at the end of 2006. One of the areas of concern both to the members of the Committee, as well as to many witnesses appearing before the Committee, was the appropriate response to a privacy breach by organizations. High-profile data breaches occurring at the end of 2006 reinforced the serious nature of this issue. The Privacy Commissioner asked the Committee to recommend a legislative amendment to PIPEDA to include a breach notification provision. In its Report the Committee recognized the importance of this issue and recommended a modified approach.

(5)
Criminal Litigation
Best Practices for Advising Clients on Cyber-Security
By Amanda Marie Baer and Kenneth C. Pickering – March 13, 2013 Data breaches are quickly becoming one of the biggest threats faced by businesses. The sophistication and frequency of attacks and the volume of records compromised continue to escalate. Janet Napolitano, secretary of the Department of Homeland Security, recently testified that public and private computer systems face a dangerous combination of known and unknown vulnerabilities from which no industry, community, or individual is immune. Securing America’s Future: The Cybersecurity Act of 2012: Hearing before the S. Comm. on Homeland Sec., 112th Cong. (2012). A data breach can devastate a company by damaging its reputation and imposing significant direct costs, such as penalties, and indirect costs, such as lost customers and productivity. In 2012, data breaches affected companies across the country, including AOL, LinkedIn, Google, Zappos, and Massachusetts General Hospital. Data breaches also impacted non-profits, such as the Massachusetts eHealth Collaborative, a 35-person organization that spent over 600 employee-hours and $300,000 in fees to respond to the theft of a single laptop.

Almost every company maintains information that identifies customers or employees, such as Social Security numbers or credit-card data. As companies increasingly store personal information electronically, they simultaneously increase their vulnerability to security breaches. By planning in advance, companies can minimize the risk of a data breach and the substantial costs and impact imposed in the event a data breach occurs.

(6)
Six Steps to Guard against a Data Breach
1. Audit. Companies must conduct an audit to develop a clear picture of their vulnerabilities. As a critical component of this audit, companies should track the personal information they collect to understand who the information is collected from, the method(s) by which the information is received, where the information is stored, and who has (or may have) access to the information. In addition, companies should audit their physical equipment, such as laptops and flash drives, to develop an inventory of the equipment and assess the security of each piece.

2. Data classification. After completing an audit, companies should classify the personal information they collect and store according to the level of criticality and sensitivity. The most well-known data-classification scheme is used by the U.S. government, which classifies information pursuant to the top secret/secret/confidential/unclassified scheme. Regardless of the exact schematic employed, the scheme should detail data ownership, security controls, and data retention/destruction requirements for the personal information at each level.

3. Limit data access. By limiting employees’ and vendors’ access to personal information, companies can minimize the scope of losses and establish a level of accountability. To limit access, companies can (a) password-protect data; (b) scan outbound email for attachments; (c) scan data copied to removable drives and backup systems; (d) manage devices by encrypting and tracking them and ensuring that they may be remotely wiped of data; and (e) establish policies to automatically revoke access upon an employee’s termination or resignation.

4. Establish data logs. If a data breach occurs, it is important for companies to have data logs that allow a forensic investigator to determine the scope and cause of a data breach. Data logs are records of events created by a computer program that provide an audit trail. Data logs, such as web, client and server, operating systems, application, firewall, and mail and intrusion detection system logs, should be in place, maintained, and tested.

5. Security systems. Both physical and electronic security systems are necessary to protect against data breaches. Despite the public attention given to electronic data breaches, many data breaches occur when physical paper documents or computers are lost or stolen. To guard against physical breaches, companies can take steps such as storing all documents and equipment with personal information in a locked area with limited access, implementing access controls to the company, maintaining offsite storage facilities, and using overnight-shipping services that allow companies to track delivery. There is an array of technologies that companies can use to guard against electronic breaches, and the development and availability of new technologies is being continually driven by increased data-security regulations.

Many technologies, such as data and disk encryption, firewall protection, encryption of wireless routers, default disabling of shared folders, identity-verification security questions, browsers with phishing and malware protection, and email verification, are widely available and should be used by all companies. 6. Data-breach-incident plan. Companies should develop a data-breach-incident plan that can be used to quickly respond to a data breach. Once a plan is developed, companies should train key management and employees and periodically evaluate and update the plan. Preventing a breach by the implementation of thoughtful cyber-security policies is the best outcome. But responding quickly, being as transparent about the breach as possible, and providing timely customer support are the keys to successfully managing a data breach if one should occur.

(7)
Malaysia Crime Watch
Malaysia Crime Watch is an independent news and discussion site on crime that occurs in Malaysia. It aims to create awareness of the prevalence and types of crime. By this, it is hoped that people will be more informed and take precautions to keep their lives and assets safe. WEDNESDAY, MARCH 7, 2007 Woman Sentenced to Jail for RM1.24 Million Fraud Case 6 March 2007 Kuala Lumpur

27-year-old NorzanaRuslan was sentenced to 50 months’ jail in court yesterday after pleading guilty to fraudulently withdrawing RM1.24 million from a Tabung Haji account. Norzana was also sentenced to 24 months’ jail for a second transaction that she made using a forged identity card in the name of YuhanizPadil. This sentence has been set to run concurrently with the first offence’s sentence from the date of her arrest on 3 August 2005. The hairdresser had used the identity card which was given by her friends whom she met in Shah Alam.