INTRODUCTION
In today’s world, data is a very valuable asset for any organization. The data an organization possesses could be anything: personal data of clients, financial details, confidential data, in-house data generated during the course of business activity, trade secrets, software, etc.
Any data or document in electronic form is by its nature portable, easy to copy and more prone to theft by employees than paper documents. Data in electronic form is not only easy to steal, but the quantity in which it can be taken is formidable.
In India, cyber laws are majorly governed by the Information Technology Act, 2000 (hereinafter referred to as the ‘IT Act’) and the Rules framed thereunder.
Section 2(o) of the IT Act, 2000 defines the word “Data” in the following words:
"data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
Unlike the European Union, which recently enforced the ‘General Data Protection Regulation’ superseding the Data Protection Directive, India has no separate comprehensive legislation on data protection. However, the ‘Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011’ (hereinafter referred to as the IT Rules, 2011) protect ‘sensitive personal data’.
Sensitive personal data or information of a person under the IT Rules, 2011 means such personal information which consists of information relating to:
- password;
- financial information such as Bank account or credit card or debit card or other payment instrument details;
- physical, physiological and mental health condition;
- sexual orientation;
- medical records and history;
- Biometric information.
DATA THEFT
‘DATA THEFT’ in simple terms means an act of illegal or unauthorized copying, removal or stealing of confidential, valuable or personal data or information from an organization or business without its knowledge or consent. Data theft could involve stealing or hacking passwords, financial or banking information, personal information of clients or other employees, information of importance to a body corporate such as trade secrets, client databases, software, source code, confidential information, information which the body corporate is bound to protect, hacking into databases, and many more acts along these lines.
Employees are undoubtedly the biggest asset for any organization. However, if employees are negligent about following the security measures set up to protect the company’s data or if they themselves do something with an intent to compromise someone’s privacy or to obtain confidential information, they could become its biggest liability.
Such an act by an employee casts liability not only on the offending employee but also on the body corporate which possesses or deals with any such sensitive personal data or information.
Section 43A of the IT Act provides that whenever a body corporate possesses or deals with any sensitive personal data or information and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.
Further, Section 72A provides for punishment for disclosure of information in breach of a lawful contract: any person who makes such a disclosure may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.
Now the question arises as to what an employer should do, firstly, to prevent data theft and, secondly, to punish the offenders in case of a data theft.
“PREVENTION IS ALWAYS BETTER THAN CURE”
Some of the preventive measures that an organization can take, notwithstanding its size, are as follows:
- Data Protection Policy for Employees: A detailed and well-drafted data protection policy is very important for any organization, especially for corporate bodies that ‘possess, deal or handle’ any ‘sensitive personal data’, as a leak of such personal data gives a cause of action in favour of the concerned person, which could land the organization in a legal battle. Such a policy should clearly define the types of data, such as ‘personal data’, ‘confidential data’, ‘trade secrets’, etc. It should also identify all data that an employee is permitted to access, and state that data created by the employee in the scope of their employment is the property of the company.
- Non-disclosure and confidentiality clauses in the employment contract: It is very important that the non-disclosure and confidentiality clauses in an employment contract are clearly defined and drafted in such a manner that they can be enforced in a court of law and are not hit by Section 27 of the Indian Contract Act as void. Such clear clauses bind an employee not to disclose data and other confidential information of the company to third parties outside the course of business.
- Use of better technology: Companies should encrypt or protect all computers, devices, and systems so as to prevent employees from installing any software or hardware. Proper firewalls should be enabled to prevent outsiders from entering the company network. Companies should not allow employees to create CDs/DVDs or copy data to USB drives unless there is a business need. Good anti-virus and anti-spyware software should be used.
- Exit formalities: Upon termination of an employee, secure all electronic devices the employee had access to, such as computers, phones, etc. Have the devices verified by the IT team of the company for any leak of data or illegal activity, and immediately change passwords, access and authorization, and/or delete usernames.
CORRECTIVE MEASURES
Once theft occurs, the employer can take the following legal actions against the culprit employees:
- Civil suit for breach of contract: A civil suit may be filed against the culprit employees for violating the data protection policy and breaching terms of the employment contract such as non-disclosure and confidentiality.
- Information Technology Act, 2000: In India, cyber laws are majorly governed by the IT Act and the Rules framed thereunder. Provisions of the IT Act such as Section 43 (Penalty and compensation for damage to computer, computer system, etc.); Section 65 (Tampering with computer source documents); Section 66 (Computer related offences); Section 72 (Penalty for breach of confidentiality and privacy); and Section 76 (Confiscation) can be taken recourse to, depending upon the nature of the theft.
- Indian Penal Code: Sections 405 and 408 – Criminal Breach of Trust: As employees are entrusted with data/information by the employer during the course of their employment, an employee who dishonestly misappropriates or converts to his own use, or dishonestly uses or disposes of, that data/information may be charged under these sections.
Section 378 – Theft: This section deals with the theft of movable property, and the law at present is not clear whether ‘data/information’ in its virtual form can be termed movable property. However, if the data/information is stored in a hard disk, pen drive, computer, CD/DVD, floppy, etc., such things act as a medium, and the medium is movable property; if that medium is stolen, the person can be made liable for such act under this section.
- Copyright infringement under the provisions of the Copyright Act.
- In addition to the above, if the stolen data is shared with other parties (such as competitors), the victim can bring an action for criminal conspiracy, collusion, and furtherance of common intention, which makes such other parties accomplices in the commission of the stealing of data.
CONCLUSION:
Considering the value, quantum and, at the same time, vulnerability of data, it is imperative for any organization or body corporate to take the abovementioned preventive measures. Since Indian law on this issue as it stands today is not clear and remedies are scattered, the best strategies to prevent or minimize loss include: (1) development of a comprehensive set of policies and procedures, (2) deployment and verification of IT security controls, and, if necessary, (3) seeking legal redress.