Data Theft incidents increasing in the corporate world around India : An interview with Advocate Prashant Mali , International Cyber Law & Cyber Security Expert Lawyer
Q. 1 . What is Data Theft as per Indian Law ?
According to The amended Information Technology Act, 2000, Crime of data theft under Section 43(b) is stated as If any person without permission of the owner or any other person who is incharge of a computer, computer system of computer network, downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network. It is the term used when any information in the form of data is illegally copied or taken from a business or other individual without his knowledge or consent. The act of illegally downloading data from a networked computer to a USB flash drive is called thumbsucking. The use of an iPod or other portable music player for the same purpose is called podslurping.
Q.2. Can you tell us some examples of Data Theft as per law ?
a. Forwarding emails to personal email id from corporate id’s without prior permission from office management.
b. Sending data files as attachments from corporate ids to personal email ids with malafide intentions.
c. Copying data on pen drives from computers without the permission of the owner.
d. Selecting, copying and pasting data from websites for financial gain.
e. Downloading .mp3, .mp4 files or Videos from websites like youtube without purchasing or using the downloaded material for financial gain.
f. Helping people to commit offence of Data Theft.
Q. 3. Is data an asset to an organization ?
In this era of Information Technology, Data has become an Corporate ASSET , Data is an important raw-material for Brick & Mortar companies, BPO’s, Technology and IT Companies. Data has also become an important tool and weapon for Corporates to capture larger market shares. Due to the importance of Data in this new era, its security has become a major issue with all the industries. The theft & piracy of data is a threat, faced by the IT players, who spend millions to compile or buy data from the market. Their profits depend upon the security of their Data.
Q.4. What are Issues because of Data Mobility ?
The major issue regarding Data Theft is its International character, for example Systems may be accessed in USA, the data manipulated in China and the consequences felt in India. The result of this ability is that different sovereignties, jurisdictions, laws and rules will come into play which again is an issue in itself. Further, collection of evidence in such circumstances become another issue as investigation in three different countries, all of whom may not be in talking terms, is almost impossible and poor technical know-how of our cops adds to the woes. Also, the lack of coordination between different investigating agencies and a not-so-sure extradition process is another head ache. However the biggest of all these issues is the lack of specific laws in the country dealing with this crime, so even if the culprit is caught he can easily get away by picking and choosing any of the of various loopholes in our law.
Q.5. Any recent data on cyber crimes you can state in specific
Based on Nasscom data, globally around $114 billion is the total loss of cash in 12 months and $274 billion is the total loss of time for victims of cyber crime which means on an average 10 days were spent by victims to satisfactorily resolve hassles of cyber crime. In India, $4 billion is the total loss of cash in 12 months and with around $3.6 billion total loss of time for victims of cyber crime, an average 15 days were spent by victims to satisfactorily resolve hassles of cyber crime.
The theft of confidential business information is the third-largest cost from cyber crime and cyber espionage. Business confidential information can be turned into immediate gain. The loss of investment information, exploration data, and sensitive commercial negotiation data can be used immediately. The damage to individual companies runs into the millions of dollars. For example, hacking of central banks or finance ministries could provide valuable economic information on the direction of markets or interest rates.
Q.6. What are Laws in India to safeguard the cyber crime of Data Theft ?
The problem of data theft which has emerged as one of the major cyber crimes worldwide In U.K which has The Data Protection Act, 1984 though India & USA do not have specific Laws to deal only with Data Protection, India has its Information Technology Act, 2000 along with The IT Rules of 2011. The various sections of the IT Act, 2000 which deals with the problem are :
Section 43(b) provides protection against downloading, copying or extracting data or database or information by imposing heavy civil compensation which can run in crores. The unauthorized downloading, extraction and copying of data are also covered under this section. Clause(c) of this section imposes compensation for unauthorized introduction of computer contaminants or computer virus. Clause(i) provides compensation for destroying, deleting or altering any information residing on computer or diminishing its value.
Note : Since section 43 does talk on the exact amount of compensation, One remains on mercy of Courts and intelligence of lawyers, coz data being intangible asset the worth can run into millions or trillions of denominations.
Section 65: This section provides for computer source code. If anyone knowingly or intentionally conceals, destroys, alters or causes another to do as such shall have to suffer imprisonment of up to 3 years or fine up to 2 lakh rupees, or both. This takes care by providing protection against tampering of computer source documents i.e. Copying/theft of Software Programs.
Section 66:- Protection against Data Theft has been provided under this section. This section imposes the penalty of imprisonment of up to three years or fine up to five lakh rupees or both on the person who commits crime of data theft
“85 Offences by Companies.- (1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.
Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.”
Q.7. Can Data Theft be covered under traditional Indian Laws ?
Section 378 of the Indian Penal Code, 1860 defines ‘Theft’ as follows:-
Theft – Whoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.
Section 22 of The IPC, 1860 defines “movable property” as follows:-
“The words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth.”
Since Section 378 IPC, only refers to “Movable Property” i.e. Corporeal Property, and Data by itself is intangible, it is not covered under the definition of “Theft”. However, if Data is stored in a medium (CD, Pendrive, SD card etc.) and such medium is stolen, it would be covered under the definition of ‘Theft’, since the medium is a movable property. But, if Data is transmitted electronically, i.e., in intangible form, it would not specifically constitute theft under the IPC.
“Data”, in its intangible form, can at best be put at par with electricity. The question whether electricity could be stolen, arose before the Hon’ble Supreme Court in the case “Avtar Singh vs. State of Punjab” (AIR 1965 SC 666). Answering the question, the Supreme Court held that electricity is not a movable property, hence, is not covered under the definition of ‘Theft’ under Section 378 IPC. However, since Section 39 of the Electricity Act extended Section 378 IPC to apply to electricity, so it so became specifically covered within the meaning of “Theft”.
Section 409 for a Criminal Breach of Trust by a merchant and others which entails a punishment of imprisonment extending to life or 10 years, with fine. Section 409 reads as under:-
“Criminal Breach of Trust by public servant, or by banker, merchant or agent.- Whoever being in any manner entrusted with property, or with any dominion over property in his capacity of public servant or in the way of his business as a banker, merchant, factor, broker, attorney or agent, commits Criminal Breach of Trust in respect of that property, shall be punished with imprisonment for life, or with imprisonment of either description for a term which may extend to ten years, and shall also be liable to fine.”
Section 409 can be activated against Data Criminals from amongst the independent contractors (Call Centre’s etc.) to whom Data may be entrusted in the course of business for carrying out specific tasks / assignments.
It is suggested that the Agreements with employees and independent contractors ( Call Centre’s etc. ) should clearly stipulate an entrustment of Data to them, during the course of employment or business, as the case may be.
The issue of criminal liability of a Company and its’ Principal Officers under the Indian Penal Code, 1860 and other Laws, has agitated the minds of Courts and Jurists for a long time. Recently, the Supreme Court in Standard Chartered Bank vs Directorate of Enforcement, reported in (2005) 4 SCC page 530, inter-alia, has held that ‘the generally accepted modern rule is that except for such crimes as a corporation is held incapable of committing by reason of the fact that they involve personal malicious intent, a corporation may be subject to indictment or other criminal process, although the criminal act is committed through its agents.’
The Supreme Court has also held as follows:- “We do not think that there is a blanket immunity for any company from any prosecution for serious offences merely because the prosecution would ultimately entail a sentence of mandatory imprisonment. The corporate bodies, such as a firm or company undertake a series of activities that affect the life, liberty and property of the citizens. Large-scale financial irregularities are done by various corporations. The corporate vehicle now occupies such a large portion of the industrial, commercial and sociological sectors that amenability of the corporation to criminal law is essential to have a peaceful society with stable economy.”
Q.8. Are there any convictions for Data Theft in India?
Yes and convictions are increasing in Indian Courts recently in Hyderabad a case called as State Vs. Prabhakar sampath was decided, The accused was sentenced to suffer Rigorous Imprisonment for a period of two years and to pay a fine of Rs. 10,000/- .
Note : you can download the judgment copy from //prashantmali.com/cyber-law-cases
Q. 9. Any specific case you would like to describe in specific to our readers
Recently I had to take 2 different Anticipatory Bails one for CEO of an HRMS Company other for a Director of an Payment Processing Company, in both cases a new joining staff in the sales and marketing department had brought Client details data from the previous company where they were working. The earlier companies were business rivals to my client companies too. The moment the rivals came to know and had evidence about the data which was transferred by their ex staff via email and by copying in pen drive, they launched criminal complaint against the ex-staff and my clients. In such cases rivals try to settle business disputes under the barb of data theft, simultaneously they launched a civil suit for compensation in cores of rupees against the CEO or the management too. My clients had no choice but to go thru costly Anticipatory Bail Process and secure a Anticipatory bail.
Q.10. What kind of legal services you provide to corporates for avoiding Data Breaches ?
My Law Firm advices on Data Privacy related laws of India, US, UK & EU countries to many organisations. We also advice on the compliance part and suggest them best framework. In some cases we take active part in policy making coupled with liasoning if the organization is going to purchase any product or solutions with related to data security or data leakage prevention. Data storage for electronic evidence purposes is the other area which if overlooked can expose organisations to a legal risk, we suggest a holistic approach to all our clients.
Q.11. What measures should Government take to prevent Data Leakage and losses due to Data Theft ?
I strongly feel that Government should appoint a Data Controller and a Data Commissioner to implement Section 43A of The IT Act, 2000 with full might. Data leakages incident should be mad compulsorily reported to Data Commissioner’s. Incidents of mishandling the Sensitive Personal Data and the penalty bored by the company should be made public, which sets an example in the peer industry.