In today’s world Data is a very valuable asset for any organization. Data which an organization possesses could be anything like personal data of the clients, financial details, confidential data, in-house data generated during the course of business activity, trade secrets, software’s, etc.
Any data/ document in an electronic form by its nature are portable, easy to copy and more prone to theft than paper documents by employees. Data in an electronic form is not only easy to be stolen but the quantity in which it can be taken is formidable.
In India, Cyber laws are majorly governed by the Information Technology Act, 2000 (hereinafter referred to as the ‘IT Act’) and Rules framed there under. Unlike the European Union which recently enforced the ‘General Data Protection Regulation’ superseding the Data Protection Directive, in India there is no separate comprehensive legislation on data protection. However, there are ‘Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011’ (hereinafter referred to as the IT Rules, 2011) which protects ‘Sensitive personal data’.
Sensitive personal data or information of a person under the IT Rules, 2011 means such personal information which consists of information relating to:
2. Financial information such as Bank account or credit card or debit card or other payment instrument details.
3. Physical, physiological, and mental health condition.
4. Sexual orientation.
5. Medical records and history.
6. Biometric information.
Data theft refers to an act of illegal/ unauthorized copying, removal or stealing of confidential, valuable, or personal data/ information from an organization or business without its knowledge or consent. Data theft could be with respect to stealing or hacking passwords, financial or banking information, personal information of clients/ other employees, information of importance to a body corporate like trade secrets, client database, software’s, source codes, confidential information, information which the body corporate is bound to protect, hacking into databases and many more in line with these. Employees are undoubtedly the biggest asset for any organization.
However, if employees are negligent about following the security measures set up to protect the company’s data or if they themselves do something with an intent to compromise someone’s privacy or to obtain confidential information, they could become its biggest liability. Such an act by an employee casts liability not only on the offender employee but also on the body corporate which possesses or deals with any such sensitive personal data or information.
Section 43A of the IT Act provides that whenever a corporate body possesses or deals with any sensitive personal data or information and is negligent in maintaining a reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s)
Further, Section 72A provides for the punishment for disclosure of information in breach of lawful contract and any person may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding up to five lakh rupees, or with both in case disclosure of information is made in breach of lawful contract.
Legal measures against the employee leaking confidential information:
• Civil suit for breach of contract:
A civil suit may be filed against the culprit employees for violating the data protection policy and breaching the terms of the employment contract like non-disclosure, confidentiality.
• Information Technology Act, 2000:
In India, Cyber laws are majorly governed by the IT Act and Rules framed there under. Provisions of IT Act such as Section 43 (Penalty and compensation for damage to computer, computer system, etc); Section 65 (Tampering with computer source documents); Section 66 (Computer related offences); Section 72 (Penalty for breach of confidentiality and privacy); Section 76 (Confiscation) can be taken recourse to depending upon the nature of theft.
• Indian Penal Code: Section 405 and 408:
Criminal Breach of Trust: As the employees are entrusted with the data/ information by the employer during the course of their employment and if an employee dishonestly misappropriates or converts to his own use or dishonestly uses or disposes of that that data/ information, he/she may be charged under this section.;
• Section 378 – Theft:
Although this section deals with the theft of movable properties and the law at present is not clear whether ‘data/ information’ in its virtual form can be termed as movable property or not, but if the data/ information is stored in a hard disk, pen drive, computer, CD/ DVD, floppy, etc so such things act like a medium and medium is a movable property and if that medium is stolen, the person can be made liable for such act under this section.
• Copyright infringement under the provisions of the Copyright Act.
In addition to the above, if the stolen data is shared with other parties (such as competitors), the victim can bring an action of criminal conspiracy, collusion, and furtherance of common intention, which makes such other parties an accomplice in the commission of the stealing of data.
Considering the value, quantum and at the same time vulnerability of the data, itis imperative for any organization/ corporate body to take abovementioned measures. Since Indian Law on this issue as it stands today is not clear and remedies are scattered, the best strategies to minimize loss includes:
(1) Development of a comprehensive set of policies and procedure,
(2) Deploymentand verification of IT security controls and if necessary,
(3) seek legal redress.
How FYOC can help you?
We believe in the benefit of lasting relationship. We assist you with finding best legal advisors, helping you with Fighting Your Own Case.
We will help you to find right advocate for your dispute and also help you to fight your own case. We believe in democratic, non-profit, and problem solving systemically with legal counsel which would strengthen the community. The determination of the need for legal services and the choice of a lawyer are extremely important decisions. Our mission is to provide a easy-to-understand and effective legal advice to our clients and make their life less complicated with the legal terms.