In this article, Ashima Bhargava of Amity Law School, Lucknow, and Richa Ray, pursuing a Diploma in Advanced Contract Drafting, Negotiation and Dispute Resolution from Lawsikho, put forth the legal actions which can be taken on data theft.

Introduction

When it comes to Data Theft, there is a very old and famous saying:

Control + Alt + Delete when you leave your seat

In very simple words the slogan writer clearly says how we can stop data theft by hackers but what should we do when it is done by one of our employees? To find out the solution, It is very important to understand the meaning of Data Theft. It means an act of stealing digital information on computers, servers and electronic devices of an unknown victim with the intent to compromise privacy or obtain confidential information.

Many employees actually don’t even know that they are committing data theft. They think taking corporate data with them is as similar an offence as taking paper clips home but sometimes there is intentional data theft by the employees so that they can cause loss to their current company.

When we, as common people, hear the phrase ‘data breach’ or a story about cybersecurity, the initial thought that comes to us is that it is a result of actions of a sophisticated hacker. Yes, industries are of course getting targeted by sophisticated cyber-attacks however, many unsophisticated data breaches are happening every day where employees are stealing data and trying to profit from this in some or the other way.

In the case of the ‘Wolf of Manchester’, Shane Jerman took photographs of customer information while working for AXA Insurance, sending 100 lines of data a week via Whatsapp to Stuart McGill who was a former employee of the firm in a six month period in 2015.  Investigators believe that the claims management company Mid North West Ltd. would have used the data to call AXA customers and try to refer them onto solicitors who would aid with their accident claims. Jerman and McGill made a total of £18,250 between them. In 2018 Verizon found that 28% of all its breaches were insider jobs and most of them were done for profits, while ‘pure fun’ was also one of the motivations.

In another case in May 2015 Jawbone accused Fitbit, in California State Court, accusing its rival of systematically plundering confidential information by hiring Jawbone employees who downloaded sensitive information shortly before leaving. As per the complaint Fitbit approached nearly 33% of Jawbone’s employees in early 2015 who then chose to leave the company and while doing as such they downloaded the data, such as Jawbone’s current and future business plans and products. According to court filings, those individuals used thumb drives to download records and used programs to cover their tracks or erase system logs.

In another incident, SunTrust Banks Inc. reported data theft by an employee who is alleged to have stolen important information of about 1.5 million customers and provided it to a “criminal third party”. Therefore, the employers should keep in mind the various measures that they can take to prevent the company’s secret from leaking out by the employees who are entrusted with the company’s sensitive information. For this, they need to upgrade the policies and enhance data security.

Understanding data theft

The major issue regarding data theft is its international character. The data of the country is being leaked by the foreign countries and then there are a lot of manipulations and ultimately the consequences of such things are felt in India. Also, there are a lot of lack of coordination between the different agencies on how to tackle such situations. So here we need to find out whether there are any specific laws or any legal actions which need to be taken to prevent such activities. Does India have sufficient laws? In the Information Technology Act 2000, there are certain laws which deal with such crimes. Therefore, here we will be discussing the legal actions that can be taken if any such thing happens.

Motivations of data thief

We can easily classify the various types of Data thief. Some of them are –

a) The Clueless

This category tops the list as they lack even the most basic security awareness and become victims to every phishing attack since they start clicking on every link. They are those people who send the company’s attachment to wrong people disclosing profit margins etc. They somehow unknowingly share company documents on public services or through chat services and social media.

b) The Entrepreneur

Next comes in the list those employees who are planning to leave the company or start their own company and in the process start to gather company data during their notice period. In some cases where the IT fails to revoke all the access permissions, they gather data by using their active credentials before leaving the company eg. Customer lists, document templates, policies and procedures, all these are huge time savers in a new company.

c) The Criminal

This is the category of people who are only motivated by financial gain, their only aim is to gather data to sell it elsewhere.

d) The Disrupter

This category is motivated by revenge or malicious intent. Users in this category delete or remove important data to disrupt operations. Mostly, IT professionals, if involved, fall in this category as they have the permissions to enter the database and cause some real damage before they leave.

e) The Legal Expert

Last but not the least, this category users believe that they have some claim on the work that they have produced on the workplace but unfortunately, copyright law does not apply to projects completed at work and on company equipment. 

Legal actions to take on data theft

If we compare ourselves with any person who is very active in this day-to-day world of business and information technology, one thing always pops up in our mind that what will we do if our data is lost, if someone takes it through hacking or by using our wifi connections. Another question arises in our mind that how the law can help us cope with this kind of situation. What about any legal actions, if they can be taken? Does Indian law is competent enough to help us?

To begin with this, we do have specific laws by which we can proceed to the court for imposing the restrictions on any person who is responsible for the same. So, for now, I will be talking about the laws which are there to help us in punishing that particular person.

SECTION 43 OF THE INFORMATION TECHNOLOGY ACT, 2000 (Penalty and compensation for damage to the computer or the computer system)

If any person without the permission of the owner or the any other person who is the incharge of the computer, computer system or any computer network

• If he accesses or secures access to such computer, computer network or any computer system,

• If he downloads, copies or extracts data from any computer based information from any computer network,

• If he introduces or causes to introduce any computer contaminant, or a virus into a computer, computer system, or a computer network,

• If he damages the computer, computer system, or a computer network,

• If he disrupts or causes disruption of any computer, computer system, or a computer network,

• If he denies any person who has a right to access that computer, computer system, or a computer network,

• If he destroys, deletes any information from the computer to which he has no right to access,

He shall be liable to pay for damages by the way of compensation which would not exceed more than one crores rupees to the person who has heavily affected.

Section 66 of the Information Technology Act, 2000 (Computer-related offences) 

Whoever intentionally or knowingly conceals, destroys, or alters or causes another, intentionally or knowingly to conceal, destroy or alter any computer source code for a computer, computer based programming, computer network, when the computer source code is required to be kept or maintained by law for the time being in force shall be punishable with imprisonment upto three years or with fine which may extend to two lakh rupees or with both.

If any person, dishonestly or fraudulently, does any act which is inconsistent with the provisions of section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both.

Section 75 of the Information Technology Act, 2000 (Act to apply for the offence committed outside India)

If an offence is committed outside India, irrespective of a person’s nationality, if the act or conduct constituting the offence involves computer located in India, the person shall be made liable.

Section 378 of the Indian Penal Code

Although the section deals with the movable property only and data is itself an intangible so it doesn’t come under theft since the data is stored in the floppy, hard disk etc so such things act like a medium and medium is movable property and if that medium is stolen, the person can be made liable for such act.

Data theft and misuse when offshoring data to India

As the number of companies is growing in India, they are becoming more centralized and using less expensive information, consequently, they are now turning to offshore outsourcing to fulfill many of their of their business and human resources processes. So in order to protect the companies from the becoming the victim of data theft, there are some preventive measures. In this wake of concern of data security and privacy in India, the NASSCOM (National Association of Softwares and Service Companies), one of the most recognized organisation in the Information Technology sector has put in several measures to control such data theft and misuse of the same. Like if a company has to deal with the data theft, they will file a complaint in the police station or the Cybercrime centres but what if the company believes that the police or the cybercrime centre does not possess such capacity to help the company then they will go to the CBI or the Central Board of Investigation, it is an independent body, autonomous body who has themselves trained the cybercrime units. They will look into the matter cautiously and come up with a value judgement. The company can also file a criminal complaint under the information technology act. Upon the receipt of the complaint, the controller of the certifying authorities investigates allegations and can order for the punishment of an offender under the provisions of the IT Act.

How to file a complaint on data theft

To file a complaint if data theft takes place, here are the following measures:

1. First of all, for the cyber complaint, write an application to the head of the cyber cell.
2. Provide the following things in the application:

• Name
• Address
• Email address
• Phone number

3.   In case of hacking or say Data theft, the following details are required for cyber cell    complaint:

• Logs of the server
• A hard copy and soft copy of the defected page
• If the data of the defected site is compromised you will need a soft copy of the original data as well as the compromised data.
• Control mechanisms details of access in which you have to tell who has accessed your computer.
• If you have any doubt or you are feeling suspicious about anyone, then you have to provide the list of those suspicions.

4. You can file a complaint from any of the cyber cells of the city or you can directly mail at their respective websites. Here is the complete information of the prominent cyber cells of the country. You can refer this link for the same.

How to Register Cyber Crime Complaint with Cyber Cell of Police – Online Complaint Procedure

What employers should do

Today, practically there are endless options to share data making data theft an easy way to harm a company. To name a few ways that we can share data in a digital workplace, we can transfer any number of data between devices, take a photo with smartphones, transfer to any number of cloud services and multiple storage options etc. Current security practices are often focused on the external threats without giving much emphasis to the internal theft but now, this flaw is receiving more and more attention.

To protect his company an employer should consider as many solutions as possible. All the below-mentioned solutions can reduce the risk of insider threats if applied.

(a) Documentation

Companies must draft a detailed data governance policies handbook which includes all the requirements of the company, as part of the hiring process. These policies must include the types of data like ‘personal data’, ‘confidential data’ etc. and also identify the data that an employee is permitted to access and also that company is the owner of the data that is created by the employee during the course of his/her employment.

(b) Better technology

To prevent the employees from installing any software and hardware that belongs to the Company, Employers should ensure that all computers, devices and systems are encrypted. Companies should install firewalls to prevent the outsiders from entering the company network. Employees should not be allowed to create CDs/DVDs or copy data to USB unless there is any business need.

(c) Whistleblowers

Companies should reward those employees who give a tip of any suspicious user activity.

(d) BYOD

BYOD, in other words, bringing your own device might save the employees on their budget but it poses an unnecessary and unacceptable threat of data leakage. Employee’s tablets and phones could be used by their family members who can access ant company data on the device.

(e) Install snort

Snort detects unusual activity on the Company’s network that might be the precursor to an employee running off with the company’s database. It is worthwhile software as it detects disgruntled employees before he or she does any damage.

(f) Exit formalities

Upon termination, it is important for employer to secure all the electronic devices of the employee which includes computer, phones, tablets etc. and get it verified by sending it to the company’s IT team and getting it checked if there is any leak of data or illegal activity and the It team should immediately change passwords, access, authorization, and delete usernames.

Corrective measures

In case the theft has occurred, employers can take the following actions against the culprit employee:

(a) Civil Suit for breach of Contract

A civil suit can be filed against the culprit employee for breaching the terms of employment contract such as Non-disclosure, confidentiality etc. and violation of data protection policy.

(b) Information Technology Act 2000

Cyber laws, in India, are majorly governed by the IT Act. Provisions of IT Act such as Section 43 ((Penalty and compensation for damage to computer, computer system etc.); Section 65 (Tampering with computer source documents); Section 66 (computer-related offences); Section 72 (Penalty for breach of confidentiality and privacy); Section 76 (Confiscation) can be taken recourse to depending upon the nature of theft.

(c) Indian Penal Code

Section 405 and 408 – Criminal Breach of Trust: Since the employees are entrusted with the Company’s data by the employee during the course of their employment, if any employee dishonestly misappropriated or uses or disposes off that data or information, he/she may be charged under this section.

Non-Disclosure Agreement

Moreover, the provision of Non-Disclosure-Agreement is also one of the ways in which the company can stop its employees or former employees from stealing the data. By signing an NDA, the employees are legally by means of a contract bound not to disclose data and other relevant information of the companies to third parties outside the course of business.

Conclusion

These are the laws which are applicable in today’s era for the prevention of data theft. Though these laws have been made by the legislature there is no proper implementation of these laws. Neither the executory body nor the caretakers have taken these laws seriously. On the other hand, when we talk about the citizens, they are even hardly aware of these laws. This has lead to a lot of increasing cyber crimes including data theft in the I.T. sector. So it is the sheer need to make these people aware of these laws and direct the concerned authority for proper implementation and lodging proper complaints and providing justice to the victims. It is a common responsibility of the government and judiciary to seriously look into the laws and take strict actions if these laws are being violated in any form, be it by any person like the police officer, and common man, just anyone. Therefore in my article, I have just made an attempt to make the people aware of these legal actions that can be taken towards data theft.

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: