This article is written by Khadeeja Zaidi who is pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.

Introduction

In the epoch of the cyber world, as the use of electronics became more widespread, technology was also expanding, and people became more comfortable with the word ‘cyber.’ The advancement of IT has given rise to a cyberspace in which the Internet offers equal opportunity for all people to access any information, data collection, analysis, etc. using high technology. Due to a surge in the number of web users, the abuse of cyberspace infrastructure has taken hold, giving rise to cyber criminals both domestically and internationally.

Since the term “Crime” has a general definition as “a legal error that may be accompanied by criminal action that may result in prosecution” while “Crime” may be “unauthorized actions in which the machine is a weapon or a target or even both.”

What falls within the ambit of Cyber Crimes? 

It may be hackers who vandalize a site, access classified documents, steal trade secrets, or use the Internet for IP law. It may also contain ‘denial of services’ and virus attacks that block normal traffic from visiting your site. Cyber criminals are not limited to outsiders, except in the cases of malware and regarding security cyber attacks which are commonly committed by staff of a single organization who can easily hack the company’s password and data storage for their gain. Cyber attacks also include criminal activities involving the use of devices to further commit crimes, i.e. financial crimes, the trading of fraudulent articles, pornography, online poker, IP crimes, e-mail, spoofing, fraud, cyber defamation, cyber stalking, unauthorised access to the computing device, misuse of electronic record, e-mail bombing, physical, etc.

The exponential advancement of IT presents new threats to the legislation. These challenges are not limited to any particular standard legal category, but exist, for instance, in criminal law, intellectual property law, contract law and violence. One such challenge is the rising threat of data theft. It is the term used where any material in the form of data is unlawfully copied or taken from a company or other individual without his or her permission or approval.

Data is a vital commodity in this new age of information technology (IT). Data is an important raw material for call centres and IT businesses. Data has since been a critical tool and arm for companies to win bigger market shares. Owing to the value of Data in this modern age, its protection has become a big concern for the IT industry. Data theft is a challenge posed by IT players who spend millions on compiling or buying data from the industry. Their income relies on data protection.

Contemporary companies rely heavily on their IT networks to carry out much of their business activities. In exchange, they have a wealth of data that has to be processed online. Although some of the stored data can be freely accessible, confidential data such as consumer and employee personal information, trade secrets, intellectual property, email messages, service delivery algorithms, etc. must be shielded to reduce financial and reputational risks related to data failure.

Unlike the European General Data Protection Regulation as well as the US sector-specific legislation, India does not yet have a dedicated data protection code. The Personal Data Security Bill has been tabled in Parliament, but it needs to be seen how the actual piece of legislation will work. As of now, the IT Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Regulations, 2011 (subsequently referred to as the SPDI Rules) and the IPC, 1860, provide redress for both the organization and individuals concerned.

Challenges

The main problem with respect to data theft is its international nature, e.g. systems can be accessed in the USA, data exploited in China and the implications felt in India. The consequence of this potential is that separate sovereignties, territories, laws and regulations can come into effect, which again is yet again the problem in itself. Furthermore, under certain cases, a gathering of facts has become another matter, as the prosecution in three separate places, one of which may not have been on decent terms, is almost unlikely and the weak technological know-how of our cops adds to the worries. The lack of cooperation between the various investigative bodies and the not-so-safe procedure of extradition is another headache. However, the worst of all these problems is the absence of clear regulations in the country dealing with this offense, because even though the perpetrator is caught, he can simply get away by picking and selecting some of the different loopholes in the rule.

Need of Cyber Law

IT has expanded all over the globe. Computers are used in any field where cyberspace offers equitable opportunity for economic prosperity and human advancement for everyone. As the usage of cyberspace is growing more complex as well as the spectrum of online interactions is widening, cyber crimes, i.e. violation of online contracts, internet crime, etc., are expanding. As a result of these repercussions, the cyberspace regulator ought to enact a stringent regulation to control cyber-crime criminal activity and to ensure adequate justice for the victim of cyber-crime. In the new context of cyber security, there is a strong need to control cyber criminals and, most particularly, in the context of cyber terrorism and hackers, cyber laws must be made tougher.

Does India have sufficient Laws to prevent data theft?

The issue of data theft, which has evolved as one of the world’s biggest cybercrimes, has drawn little focus from lawmakers in India. Unlike the U.K. Data Protection Act, 1984, there is no clear law in India to resolve this issue, although India boasts of its IT Act, 2000 to resolve the ever-increasing challenge of cyber criminals, including data theft. The reality is that the IT Act, 2000 is not well prepared to deal with these crimes.

Remedies available to an affected organisation

For now, Indian legislation does not really have a defined concept of data theft. Similarly, out of many of the cases provided in section 43 of the IT Act, 2000, subsection (b) refers to uploading, copying or removing any data, database or information from a computing device, computer network or external storage device without any of the consent of the holder and any person responsible of that system, network or device. In the same clause, paragraph (j) explicitly focuses on stealing, concealing, damaging or altering the source code of the machine with a view to causing harm.

Precisely, “data theft” can be described as an unauthorized act of copying or stealing confidential or personal information from an organization without the permissions necessary. As mentioned above, data manipulation is possible in the sense of client records, source codes, trade secrets, personal information of employees and customers, etc. It has been shown too much that the existing staff of the organization are involved in data theft. It is also clear from the fact that, while workers are the biggest asset of the organization, they could end up being its biggest liability. It is also recommended that organizations adopt a robust set of information security policies backed by the applicable non-disclosure and confidentiality provisions in their employment agreements.

When an organization discovers particular person who have now been involved in data theft, both civil and criminal remedies are usable

Civil Remedy

An organization can file a lawsuit against named staff pursuant to Section 43(b) of the Information Technology Act, 2000. Section 46 states that the power of adjudication lies with the IT adjudicator. However, the IT adjudicator may rule only in cases where the claim for injury or harm does not exceed 5 crores. In the case of claims exceeding 5 crores, the company concerned should file an action for the same action before the competent court. In addition, depending on work contracts, the organization can also bring an action for infringement of contract under the Indian Contract Act, 1872.

Criminal Remedy

For the similar set of actions as provided for in Section 43 of the IT Act 2000, Section 66 provides for imprisonment of up to three years or a fine of up to five lakhs or both. Parts 405 and 408 of the Indian Penal Code, 1860, are also applicable clauses that can be enforced in the case of data theft. Section 405 describes a criminal breach of trust, while Section 408 provides for a prosecution for a criminal infringement of confidence by a clerk or servant. Section 408 provides for incarceration of up to 7 years with the obligation to pay the fine.

Another amazing clause may be Section 378 of the Indian Penal Code, 1860, which refers to theft of movable property. Consequently, in order for this clause to apply, it must first be determined by the courts whether or not digitally stored data or information may be treated as a moveable property.

Remedies available to an affected individual whose data has been stolen

Section 43A of the IT Act, 2000 provides that if a corporate entity fails to enforce and retain fair security policies and procedures resulting in wrongful loss or wrongful benefit to any individual, it shall be liable to pay compensation to the person concerned. Here, “acceptable security policies and procedures” are deemed to be enforced if the company has a comprehensively recorded and implemented information security program such as ISO 27001:2013, as set out in Rule 8 of the SPDI regulations. In addition, the individual concerned can also seek penalty under Section 72A for the disclosure of information in violation of the lawful contract. However, in order to apply this clause, the party concerned must make use of the service under a legal contract

Conclusion

While the IT Act, 2000 and the SPDI regulations fail to fix a range of core concerns related to data protection in the Indian cyber world, both have emerged as the predominant basis for providing solutions for impacted entities as well as individuals. As an organization’s inherent duty is to ensure the confidentiality of any bit of data stored with it, data protection is no longer just a business issue. Failure to secure the stored data not only has financial implications related to court action and lack of business, but it also damages the image of the company mostly on the marketplace.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: