By Anuradha Gandhi and Isha Sharma
In today’s interconnected world, data reigns supreme as the lifeblood of our digital age. From personal information to corporate secrets, the vast volumes of data generated and stored daily have become a prized asset, sought after and leveraged for myriad purposes. However, as data’s value has soared, so too has the illicit practice of data theft.
Section 2 of the Information Technology (IT) Act, 2000 defines ‘data’ as a representation of information, knowledge, facts, concepts or instructions that are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
In this age of information where data is power and currency, the unauthorized acquisition and exploitation of data have become a pervasive and multifaceted challenge, with profound implications for individuals, organizations, and even nations. This article delves into the intricate web of data in today’s world and explores the alarming realities of data theft, shedding light on its far-reaching consequences.
Data Theft by ex-employee
Data theft, also known as data breach or data intrusion, refers to the unauthorized acquisition, copying or retrieval of any confidential or sensitive information from an individual or an enterprise without their knowledge or consent. It could pertain to stealing or hacking passwords, banking information, personal information, client details or information of a body corporate such as trade secrets, software, source code, confidential or proprietary information, etc.
It is almost an everyday occurrence to hear that an ex-employee has been caught using data stolen or purged from a former employer to set up shop.
Recently, an extremely unsettling incident of data theft has come to the forefront. A prestigious tech institute had lodged a formal complaint against one of its former employees. The former employee was accused of stealing the company’s confidential data which included client information, training materials, videos, invoices, etc.
However, the severity of the data theft deepened as it emerged that the former employee did not stop at pilfering the institute’s valuable data. She took her actions a step further, employing the stolen information to establish a competing company after termination of her employment, with the aim of providing similar services to clients at significantly reduced rates, thus luring customers away from her ex-employer and defrauding them. Her actions extend beyond mere data theft; they encompass a complex web of deceit, fraud and unethical business.
This incident serves as a stark reminder of the persistent and evolving threats posed by insider data breaches, which can have far-reaching consequences in today’s digital landscape.
Laws relating to such offences
Charges on several fronts have been levelled against the former employee under the Indian Penal Code (IPC), 1860 and the Information Technology (IT) Act, 2000.
IT Act, 2000
• Data theft in India is mainly governed by the IT Act, 2000. The provisions of the IT Act also penalize acts pertaining to disclosure of information in breach of lawful contract (Section 72A) and breach of confidentiality and privacy (Section 72).
• Acts of pilfering a client’s confidential customer/client list and using that information illegally amount to breach of confidentiality and privacy, and hence may attract liability under Section 72 of the IT Act, 2000.
Section 43 of the IT Act covers various categories of data theft. For instance, it specifies that if any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, downloads, copies or extracts any data, computer database or information from such computer system or computer network including information or data held or stored in any removable storage medium shall be liable to pay damages by way of compensation to the person so affected.
Indian Penal Code, 1860
A landmark judgment was passed by the Hon’ble Supreme Court in the case of Jagjeet Singh v. State of Punjab & Anr. [Special Leave Petition (Criminal) No. 3583 of 2021], wherein it observed that in instances of hacking and theft of data, offences under the IPC would also be subject to consideration, and not the IT Act alone. Thus, it was notably held that the IT Act would not exclude the applicability of the IPC in matters pertaining to hacking and data theft.
• Section 405 of the IPC deals with the provision pertaining to Criminal Breach of Trust. It states:
“Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or willfully suffers any other person so to do, commits ‘criminal breach of trust’.”
For instance, suppose A is entrusted with a responsibility, or bound by a contract, express or implied, to deposit a certain sum of money in the account of B, and A dishonestly uses the money for his personal purpose. A has then committed criminal breach of trust.
• Under Section 409 of the IPC, an act of committing criminal breach of trust is a non-bailable and cognizable offence, punishable with imprisonment for a term extending to three years, or with fine, or with both.
Infringement of Intellectual Property Rights:
Any unauthorized use of a company’s copyrighted material, including but not limited to training materials, videos and clients’ names, as referred to in the instant case, is not only a breach of a legally binding employment agreement but also amounts to infringement of intellectual property rights. Legal recourse can be initiated, as deemed fit, against such instances of misuse, fraud and cheating involving one’s well-known and renowned intellectual property, name, goodwill and reputation.
Liability of a body corporate
In cases of such data theft, the responsibility doesn’t rest solely upon the individual involved. The legal landscape surrounding data protection is multifaceted and it extends accountability beyond the rogue employee. Under Section 43-A of the IT Act, the body corporate, which includes the organisation that experienced the data breach, can also be held liable.
[For the purpose of this section, ‘body corporate’ means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.]
Section 43 of the IT Act outlines several offenses related to unauthorized access, downloading, extraction and damage to computer systems and data. This means that if an organisation fails to implement adequate security measures, or conduct due diligence in safeguarding sensitive data, it can be deemed culpable in the event of a data breach.
Additionally, it imposes a liability upon such body corporate to pay damages by way of compensation to the person so affected by such breach as specified.
Digital Personal Data Protection Act, 2023
Even the recently enacted DPDP Act comprehensively addresses the issue of data theft and places a significant responsibility on data fiduciaries. Data fiduciaries, as custodians of personal data, bear the primary responsibility for safeguarding this information against theft, breaches and unauthorized access. They are mandated to implement stringent protocols, encryption methods and access controls to safeguard the data they collect and process.
These legal provisions underscore the importance of not only having stringent security policies and practices but also regularly auditing and reinforcing them, thereby recognizing data as both an asset and a liability. It is noteworthy that data has intrinsic value but can also pose risks or liabilities if mishandled or compromised.