Modern-day enterprises rely extensively on their IT infrastructure to conduct most of their business operations. In turn, they have a plethora of data that needs to be stored digitally. While some of the stored data may be publicly available, sensitive data like customers’ and employees’ personal information, trade secrets, intellectual property, email communication, algorithms for providing services, etc. must be protected to ensure that financial and reputational risks due to data loss are minimised.
In September 2019, a risk mitigation firm Kroll conducted a survey on data thefts across the globe. It found that 41% of its survey participants from India had experienced incidents of data theft in the last year. This number is comparatively higher than in developed countries such as the USA (26%), the UK (32%), and Japan (27%). With the push for initiatives like Digital India, Start-up India, and Make in India, data theft poses an imminent risk for Indian businesses.
Unlike Europe’s General Data Protection Regulation and the USA’s sector-specific laws, India is yet to have a dedicated data protection law. The Personal Data Protection Bill has been tabled in the Parliament, but it remains to be seen what the final piece of legislation will look like. As of now, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as “the SPDI rules”), along with the good old Indian Penal Code, 1860, provide remedies for an affected organisation and individual.
Relevant Legal Definitions
Rule 3 of the SPDI rules specifies that the following types of data or information shall be considered personal and sensitive:
- Bank Account details
- Credit/debit card details
- Present and past health records
- Sexual orientation
- Biometric data
This rule also specifies that any information that is freely available in the public domain or can be furnished under the Right to Information Act, 2005, or any such law must not be considered as personal and sensitive.
“Data” and “information” have been defined under Section 2(o) and Section 2(v) of the Information Technology Act, 2000, respectively. Data has been defined as a representation of information, knowledge, facts, concepts, or instructions in a formal manner, and is intended to be processed in a computer system or computer network, or stored internally in the computer’s memory. On the other hand, information includes data, message, text, images, sound, voice, codes, computer programmes, software, and databases, along with microfilm or computer-generated microfiche.
Remedies available with an affected organisation
As of now, Indian law does not have a specific definition for data theft. However, out of many scenarios specified under Section 43 of the Information Technology Act, 2000, clause (b) talks about downloading, copying, or extracting any data, database, or information from a computer system, computer network, or a removable storage device without the permission of the owner or any person who is in charge of the said system, network, or device. Clause (j) in the same provision specifically focusses on stealing, concealing, destroying, or altering the computer source code with an intention to cause damage.
Plainly, “data theft” can be defined as an unauthorised act of copying or stealing confidential or personal information from an organisation without the required permissions. As discussed earlier, data theft is possible in the context of client details, source code, trade secrets, personal information of employees and clients, etc. It has often been observed that an organisation’s own employees are involved in data theft. Though employees are an organisation’s biggest asset, they can also become its biggest liability, posing a high risk to its business continuity, whether intentionally or unintentionally. Hence, organisations should implement a comprehensive set of information security policies, supported by the relevant non-disclosure and confidentiality clauses in their employment contracts.
If an organisation identifies specific individuals that have been involved in data theft, it has civil as well as criminal remedies available.
Against the identified employees, an organisation can file a civil suit under Section 43(b) of the Information Technology Act, 2000. Section 46 specifies that the power to adjudicate rests with an IT adjudicator. However, an IT adjudicator can only decide in matters wherein the claim for injury or damage does not exceed ₹5 crores. For claims exceeding ₹5 crores, an affected organisation must file its suit for the same before the competent court. In addition, depending upon the employment contracts, the organisation can also file a suit for breach of contract under the Indian Contract Act, 1872.
For the same set of acts specified under Section 43 of the Information Technology Act, 2000, Section 66 prescribes imprisonment of up to three years or a fine of up to ₹5 lakh, or both. Sections 405 and 408 of the Indian Penal Code, 1860 are also relevant provisions that can be applied in the case of data theft. Section 405 defines criminal breach of trust, while Section 408 provides punishment for criminal breach of trust by a clerk or servant. Section 408 prescribes imprisonment of up to 7 years along with liability to pay a fine.
Another interesting provision here is Section 378 of the Indian Penal Code, 1860, as it deals with theft of movable property. However, for this provision to be applicable, the courts first need to decide whether data or information stored digitally can be considered movable property or not.
Remedies available with an affected individual whose data has been stolen
Section 43A of the Information Technology Act, 2000 specifies that when a body corporate fails in implementing and maintaining reasonable security practices and procedures resulting in wrongful loss or wrongful gain to any person, it shall be liable to pay compensation to the affected person. Here, “reasonable security practices and procedures” are considered to be implemented if an organisation has a comprehensively documented and implemented information security program such as ISO 27001:2013, as given in Rule 8 of the SPDI rules. Moreover, an affected person can also seek punishment under Section 72A for disclosure of information in breach of lawful contract. However, for this provision to be applicable, an affected party must be availing a service under a lawful contract.
Though the Information Technology Act, 2000 and the SPDI rules miss out on many vital issues surrounding data theft in Indian cyber space, they have served as a primary ground to provide remedies for affected organisations as well as individuals. As it is an inherent obligation of an organisation to ensure the safety of every piece of data stored with it, data privacy is not just a business concern anymore. Failure to protect the stored data does not only have financial repercussions due to legal proceedings and loss of clients, but such incidents also affect an organisation’s reputation in the market.
A modified version of this article was published in the Jaipur and Ahmedabad editions of the First India newspaper on February 28, 2020. The digital copy is available here.
Featured Image Credits: https://www.freepik.com/katemangostar