Delhi Law Firm(Trustman & Co) - Data Theft and Security Law in India

DATA THEFT AND SECURITY LAW IN INDIA

Data is a valuable asset in this modern age of Information Technology (IT). Data is an important raw-material, for Call Centers and I.T. Companies. Data has also become an important tool and weapon for Corporate, to capture larger market shares. The use of Data, for instance, by the Call Centers, has fuelled the boom in the Indian I.T. industry. Due to the importance of Data, in this new age, its’ security has become a major issue in the I.T. industry. The piracy of Data, is a threat, faced by the I.T. players, who spend millions to compile or buy Data from the market. Their profits depend upon the security of the Data.

In the recent past, there have been several cases of “Data Theft” in all the IT hubs of the country including Delhi, Gurgaon, Bangalore and Hyderabad. Mostly, employees working with Call Centres and other I.T. Companies have been accused of “Data Theft”.

The expression “Data Theft” is liberally used by one and all in the I.T. industry. But the question is: Is “Data Theft”, “Theft” in law? Does our law recognise “Data Theft”? Can there be theft of Data, under the Indian Law? What, if any, is the protection given to Data, under the Indian Law? These questions are of substantial importance, to the I.T. industry, which profits out of Data.

Data” in the Information Technology Act, 2000, means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

Section 378 of the Indian Penal Code, 1860 defines ‘Theft’ as follows:-

“Theft – Whoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.”

Section 22 of I.P.C., 1860 defines “movable property” as follows:-

“The words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth.”

Since Section 378 I.P.C., only refers to “Movable Property” i.e. Corporeal Property, and Data by itself is intangible, it is not covered under the definition of "Theft”. However, if Data is stored in a medium (CD, Floppy etc.) and such medium is stolen, it would be covered under the definition of ‘Theft’, since the medium is a movable property. But, if Data is clandestinely transmitted electronically i.e. in intangible form, it would not constitute theft under the Indian Law. Therefore, Data, in its intangible form, cannot be stolen, under the Indian Criminal Law.

“Data”, in its intangible form, can be put on par with electricity. The question whether electricity could be stolen, arose before the Hon’ble Supreme Court in the case “Avtar Singh vs State of Punjab” (AIR 1965 SC 666). Answering the question, the Supreme Court held that electricity is not a movable property, hence, is not covered under the definition of ‘Theft’ under Section 378 I.P.C. However, since Section 39 of the Electricity Act specifically extended Section 378 I.P.C. to apply to electricity, it so became covered within the meaning of “Theft”. The Supreme Court has held as follows: -

“(6) With regard to the first reason that Section 39 of the Act extended the operation of Section 378 of the Code, it seems to us beyond question that Section 39 did not extend Section 378 in the sense of amending it or in any way altering the language used in it. Section 378, read by itself even after the enactment of Section 39, would not include a theft of electricity for electricity is not considered to be movable property. The only way in which it can be said that Section 39 extended Section 378 is by stating that it made something which was not a theft under Section 378, a theft within the meaning of that Section. It follows that if Section 39 did so, it created the offence itself and Section 378 did not do so. In this view of the matter, we do not think it possible to say that the thing so made a theft and an offence, became one by virtue of Section 378”

In view of the significance of Data and the imperative necessity to protect it, our law of theft needs to be updated and brought in line with the requirements of the new I.T. age. However, till our law is updated, alternative strategies need to be unleashed to check the piracy of “Data”. In view of the aforesaid legal position, the expression “Data Theft”, is a misnomer in law, and shall not be used hereinafter. Instead, the expressions “Data Crime” and “Data Criminals” shall be used.

Since Data Theft is no Theft in law, alternative legal strategies need to be explored to check, deter and punish this menace, which is rampant in the I T World, in which Data is a very valuable asset. At the same time, due to its nature, Data is extremely vulnerable to being misappropriated, copied, hacked etc. The maximum risk to Data, is from employees handling /using the same during the course of their employment and other independent contractors (Call Centres etc.) entrusted with Data to carry out specific tasks / assignments. The most common modus- operandi adopted by Data Criminals is to sell the same to competitors, who benefit through reduction in effort, time and costs of building their own Data Base or buying the same from the market.

The Data Criminal can be dealt with under various provisions of the Indian Penal Code, 1860 (I.P.C.), I.T. Act, 2000 & The Copyright Act , 1957. In so far as the Data Criminals from amongst the employees and other independent contractors are concerned, the offence of Criminal Breach of Trust, defined and made punishable under Sections 405 – 409 of I.P.C., 1860, needs to be activated and the Agreement(s) with employees and independent contractors should be drafted keeping in view the said provisions of I.P.C.

I.P.C., 1860

Section 405 of I.P.C., 1860 defines Criminal Breach of Trust as follows:-

“Criminal Breach of Trust.- Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or willfully suffers any other person so to do, commits ‘criminal breach of trust’ ”.

Section 405 refers to “property” and not “movable property”, hence, the word “property” is not restrictive. Therefore, Data would be covered within the ambit of “property” in Section 405 I.P.C.

Section 406 I.P.C. punishes Criminal Breach of Trust with punishment of imprisonment upto 3 years, or with fine, or with both.

Where the Data is entrusted to a carrier, warfinger or warehouse-keeper, who commits Criminal Breach of Trust, he is liable to be punished with imprisonment of upto 7 years with fine, under Section 407 I.P.C. Similarly, Criminal breach of trust by a servant, entails a punishment of imprisonment upto 7 years, under section 408 I.P.C.

Section 409 is a specie of Criminal Breach of Trust, committed by a merchant, banker, factor, broker, agent or attorney, which entails a punishment of imprisonment extending to life or 10 years, with fine. Section 409 should be activated against Data Criminals from amongst the independent contractors (Call Centres etc.) to whom Data may be entrusted in the course of business for carrying out specific tasks / assignments.

It is suggested that the Agreements with employees and independent contractors ( Call Centres etc. ) should clearly stipulate an entrustment of Data to them, during the course of employment or business, as the case may be, with a view to activate the offence of Criminal Breach of Trust.

I.T.Act, 2000

Some of the provisions of the I.T.Act, 2000 can also be invoked, parallel to the aforesaid provisions of I.P.C., against Data Criminals. For instance, Section 43 (b) of the I.T.Act, 2000, which is as follows, makes the Defendant liable to pay damages by way of compensation not exceeding Rs. 1 crore to the person affected.

“43. If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network,-

b) downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;……….”

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

Certain Amendments have been proposed to the I.T. Act, 2000, whereby Section 66, which presently defines and punishes ‘Hacking’, is sought to be replaced. The proposed amendment seeks to punish “Data Theft” with imprisonment upto one year or fine of Rs.2 lakh or both. The amendment proposed needs to be expedited, before India is exposed in the International Community, as being a Nation without a law on “Data Theft”. Until we have a law specifically punishing “Data Theft”, the Copyright Act, 1957 can also be pressed into action. The definition of “literary work” under Section 2(o) of the Copyright Act, 1957 includes Computer Databases. Infringement of Copyright is also a criminal offence under Section 63, which needs to be activated, rather than chasing Data Criminals for Theft under I.P.C., 1860.

To conclude, it is reiterated that our laws need to be updated expeditiously, with a view to ensure maximum protection to ‘Data’, which is critical, for retaining the credibility of the Indian I.T. industry.

Kaviraj Singh, Lawyer