This article is written by Mohammad Khurshid Anwar, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from Lawsikho.com.

Introduction 

We are in an age of information, where businesses are using technologies and are getting dependent on it more and more everyday. These technologies are one of the key tools for companies for their advancement. While moving forward with technology, companies generate data which becomes a driving force for these companies to spread their business. For those reasons, it is important to keep their data safe, misuse of these data by any competitor or mere spread of confidential data may affect any company business. For example, for a service-oriented sector, client list is sensitive, or for a tech company a technology behind a patented product is important. If this kind of data falls in wrong hands it can significantly affect companies and can cause irreparable damage.  Companies spend large amounts of money to keep their data secure. 

There are many threats to any company data, company data is attacked all the time from external and internal sources. In accordance with the Data Breach Investigation Report from Verison.com – most of the attacks are from external sources which accounts for 70% of attacks whereas 30% are internal attacks. These external attacks can be dealt with by improvement of technology, implementing latest software security. However, these 30% internal attacks majorly employee or ex-employee or a partner or a contractor is involved. These internal data thefts are specifically targeted and can cause big impact especially when an employee is involved. 

This article will deal with the issue of data theft by employees, common methods of data theft by employees, how to prevent it, and what are the legal alternatives for employers.

Data theft by employee

Employee data theft happens generally during separation of employees from the company through resignation or termination. Reason for data theft can be anything, most common among them are –

• Setting up a competing business
• Use of information at new job
• A sense of ownership of what was created
• Revenge against employer

The most common type of data theft by employee are:

• Customer information
• Financial records
• Software code
• Email lists
• Strategic plans
• Process documents
• Secret formulas
• Databases
• Research and development materials
• Employee records

For an employee, data theft is easy as they have access to key data storage locations, internal know-how of functioning of the company and a possible exit route with key data in hand. 

Prevention measures

Data theft by employees can be reduced if correct preventive measures are in place, following are some of the preventive measures recommended for reducing data theft:

• Identify sensitive data and its location: employers need to be attentive to identifying sensitive data, some types of data can be classified data and others in the process of operation can become sensitive. These sensitive data need to be kept at a particular location with certain protection and limited access.

• Limiting data access for employees: it is recommended to give employees only those access rights which are required for employees to accomplish their work. Fewer access rights reduce the risk of data misuse by employees and complicates data theft for outside malefactors.

• Periodical employee’s activity monitoring around sensitive data: all employee action shall be monitored all the time. With actions visibility, data theft can be detected in early stages. 

• Analyze user behavior: just monitoring activity is not enough. To detect misuse as the earliest, software solutions can help facilitate behavior anomaly discovery and alert potentially malicious actors. For instance, employers can set up a custom alert that notifies any time an employer exceeds the number of sensitive files read.

• Establish clear security policies: establish company IT policy with proper guidelines, these guidelines shall be endorsed by senior management. These guidelines shall further include consequences of not adhering to the guidelines along with suitable disciplinary action.

• Keep regular backup: in addition to stealing data, departing employees sometimes also damage or delete the original files. It is necessary to take regular backups.

• Have a proper exit process: before exiting from the company, employees shall be made to take proper clearances from the IT department. The IT department on receiving such a request or prior information shall disable the departing employee’s key data access area, disable his IDs and take necessary precaution for all data protection before the employee leaves. It may happen sometimes that employees may leave without informing in such cases. Also, the IT department shall take appropriate action to protect company data.

Legal protection against data theft

India doesn’t have a law dealing with data protection, data theft being one of the major cyber-crimes that is covered under Indian IT Act 2000. Information Technology Act, 2000 is primary Indian Law dealing with cybercrime and e-commerce. The law is based on the United Nation Model Law on electronic commerce 1996 recommended by the UN General Assembly on 30 January 1997. The IT Act covers the whole of India and recognizes electronic records and digital signatures. The IT Act was framed originally to provide legal infrastructure for e-commerce in India.

Section 43 (b) of the IT Act deals with unauthorized downloading, copying, extracting information, data or a database whereas Section 43 (c) deals with compensation in case of unauthorized introduction of computer viruses or other contaminants. Clause (i) deals with destroying, deleting or altering any information residing on a computer or diminishing its value.

Data is an intangible asset whose value could run into millions of dollars, but Section 43 does not quantify the compensation to be paid. Hence, a complainant is dependent on the mercy of our courts and the intelligence of his lawyer. 

Section 66 of the Act protects against data theft, while Section 72A deals with the punishment for disclosure of information in breach of a lawful contract. Both these Sections provide for a penalty that includes imprisonment of up to three years or fine of up to Rs5 lakh or both.

Case study

• Devendra Rameshchandra Jain v The State Of Maharashtra And … on 26 February, 2020

In this case Applicant Awadhesh Kumar Paras Nath Pathak was employed in Cosmo Films Limited Company. Applicant was employed as Technical Manager since 05.08.1996. He tendered resignation on 04.12.2018. At that time, he was the managing head of the said plant. His resignation was accepted on 31.12.2018. Thereafter the applicant got employment in Jindal Polyfilms Ltd., Igatpuri, Dist. Nasik.

While leaving Cosmo Films the applicant was asked to return the said laptop. At that time, the applicant requested one Sachin Gore, who is the employee of Cosmo Films, to copy his personal data which was stored in the said laptop under the folder AKP-115 and provide the same to the applicant as the said folder contained applicant’s personal data. The said Sachin Gore, believing the representation of the applicant, copied the data from the folder AKP-115 in a pen drive and provided it to the applicant. Later it was found that the said folder contained the data regarding manufacturing of flm, rates of products, commission value, manufacturing line, production line etc. This folder contained many important files relating to production and business plans of Cosmo Films. The case was registered under Sections 408, 420 of the Indian Penal Code and 43(b), 66 C and 72 of the Information Technology Amendment Act, 2008, came to be registered against the applicant.

• Ms. Raina Kumari vs The Managing Director on 23 September, 2015

In this case Ms. Raina Kumari was denied service end benefits. Ms. Raina Kumari was working up to 26.06.2012 and resigned, during her employment she was entrusted with the confidential software data, source codes and development works of clients based in India and abroad. Ms. Raina Kumari colluded with one Mr. Vivek Kumar, employee of defendant and committed offence of theft, criminal breach of trust, hacking of computer data, tampering with confidential electronic, uploading/downloading of electronic data and cheating and have caused the defendant company to suffer valuable loss and plaintiff has made wrongful gain.

Conclusion 

With increasing dependence of businesses on technologies, data protection is becoming more and more important. Data theft can be from external sources or internal sources. Major data thefts are from external sources, these attacks from external sources can be dealt with implementation of technology. 

The attempt for data theft is less from internal sources but can be detrimental for company business. Majority of internal data theft is caused by employees of the company. To keep the data secure, companies shall implement effective preventive measures like effective implementation of company guidelines, limiting access of data for each employee, periodic or continuous monitoring of employee action, identification of sensitive data, keeping regular back up and other measures as required. 

Further, there is no particular act to deal with data theft alone however it is covered by Indian IT Act 2000 which provides remedy through Section 43, Section 66 and Section 72 against data theft. 

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: