by May 1, 2012 0 comments

As data becomes the largest corporate asset, data theft or data siphoning is becoming an epidemic in India. Let me relate a few cases that happened in recent months which would seal my view.

Case 1: Purchase manager of textile company arrested for stealing customer contacts

Two employees of a textile shop were arrested for stealing important data. One of them was the purchase manager who downloaded customers contacts and other important data from his shop computer to his mobile phone and sent it to his employee friend. The shop management accused that the manger’s friend had sent offer messages to all their customers and tried to attract them. The textile shop claimed that this had affected their business badly.

Case 2: BU head steals 1.5 Lakh customer records

In Mumbai, the business head of a pharmaceutical call centre had been arrested for stealing confidential electronic data of 1.5 lakh clients and selling it to a rival firm online for Rs 50,000. He along with his customer care executive, committed the crime to earn quick bucks because they were dissatisfied with the salary they were getting at their job.

[image_library_tag 300/62300, border=”0″ align=”right” hspace=”4″ vspace=”4″ ,default]

Case 3: Ex-director and two others charged with cheating and data theft

The top three former officials of a pharma firm in Mumbai stole data that belonged to their previous employer. They were arrested by the police and charged with cheating and data theft under the Information Technology Act. The three arrested were an ex-director, a former general manager and an ex-manager. All three have been remanded to judicial custody.

Case 4: Travel portal charges rival’s CEO for stealing data

Two CEOs, from different travel portals, were arrested after being questioned by Gurgaon police. The charges of data theft were leveled against them by a rival online travel company. This company accused the CEOs of conniving with senior executives to pilfer data, which the company alleged had led to huge business losses.

Case 5: Hospital fires Biz Dev Mgr for diverting customers to rivals

A reputed multi-specialty hospital in Gujarat was offering attractive packages to foreign patients. The main link is the hospital’s website that generates a majority of the business as the hospital staff handles queries, offers and negotiates hospitalization expenses and also offers round-the-clock online services. One fine day though the hospital authorities realized that the traffic to their site had suddenly dropped. Apart from routine patients, others were just not turning up. This actually started happening after the hospital fired its business development manager. Apparently, he had access to official mails from patients, and was cleverly diverting them to other hospitals. He even offered them competitive packages from these hospitals with the help of existing database of inquiries from patients.

So what is data theft or data siphoning as per Indian law?

According to the IT Act 2000, crime of data theft under Section 43(b) is stated as if any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network, downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network. It is the term used when any information in the form of data is illegally copied or taken from a business or other individual without his knowledge or consent. The act of illegally downloading data from a networked computer to a USB flash drive is called thumbsucking. The use of an iPod or other portable music player for the same purpose is called podslurping.

Importance of data

In this era of Information Technology, data is a corporate asset. It is an important raw-material for brick & mortar companies, BPOs, technology and IT companies. Data has also become an important tool and weapon for corporates to capture larger market shares. Due to the importance of data in this new era, its security has become a major issue with all industries. The theft & piracy of data is a threat, faced by the IT players, who spend millions to compile or buy data from the market. Their profits depend on the security of their data.

[image_library_tag 301/62301, border=”0″ align=”right” hspace=”4″ vspace=”4″ ,default]

Mobile data–a unique problem

Apart from the data theft incidents I just described, it’s also important to look at data vis-à-vis the new era of cloud computing. Thanks to this new paradigm, data theft has added an international character. For example, systems may be accessed in USA, their data manipulated in China and consequences felt in India. The result of this ability is that different countries, jurisdictions, laws and rules will come into play which becomes an issue in itself. Further, collection of evidence in such circumstances becomes another issue as investigation is in three different countries, all of whom may not be on talking terms, is almost impossible and poor technical know-how of cops adds to the woes. Also, the lack of coordination amongst different investigating agencies and a not-so-sure extradition process is another headache. However, the biggest of all these issues is the lack of specific laws in the country dealing with this crime. So even if the culprit is caught, he can easily get away by picking and choosing any of the various loopholes in our law.

Laws in India to protect data theft/siphoning

Data theft as a crime can be dealt with under various provisions of the Indian Penal Code, 1860 (IPC), The IT Act, 2000 & The Copyright Act, 1957. In so far as data theft by employees and other independent contractors are concerned, the offense of Criminal Breach of Trust, defined and made punishable under Sections 405 — 409 of IPC, 1860, needs to be activated and Agreement(s) with employees and independent contractors should be drafted keeping in view the said provisions of IPC. The various sections of the IT Act, 2000 which deal with the best practices to protect data and penalties in case of theft are briefly discussed below.

Section 43-A: Compensation for failure to protect data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

“Body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.

Section 43, Clause(b)

This provides protection against downloading, copying or extracting data or database or information by imposing heavy civil compensation which can run into Crores. The unauthorized downloading, extraction and copying of data are also covered under this section. Clause (c) of this section imposes compensation for unauthorized introduction of computer contaminants or computer viruses. Clause(i) provides compensation for destroying, deleting or altering any information residing on computer or diminishing its value.

Note: Since section 43 does not talk about the exact amount of compensation, one remains on the mercy of courts and intelligence of lawyers, because data being an intangible asset, its worth can run into millions or trillions of denominations.

Section 65

This section provides for computer source code. If anyone knowingly or intentionally conceals, destroys, alters or causes another to do as such shall have to suffer imprisonment of up to 3 years or fine up to 2 Lakh rupees, or both. This takes care by providing protection against tampering of computer source documents i.e. copying/theft of s/w programs.

Section 66

Protection against data theft has been provided under this section. This section imposes the penalty of imprisonment of up to three years or fine up to five Lakh rupees or both on the person who commits crime of data theft.

Can data theft be covered under IPC?

Section 378 of the Indian Penal Code, 1860 defines ‘Theft’ as follows:-

Theft— Whosoever, intending to take dishonestly any movable property out of the possession of any person without that person’s consent, moves that property in order to such taking, is said to commit theft.

Section 22 of I.P.C., 1860 defines “movable property” as follows:-

“The words “movable property” are intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth.”

Since Section 378 I.P.C. only refers to “Movable Property” i.e. Corporeal Property, and data by itself is intangible, it is not covered under the definition of “Theft”. However, if data is stored in a medium (CD, Floppy etc.) and such medium is stolen, it would be covered under the definition of ‘Theft’, since the medium is a movable property. But if data is transmitted electronically, i.e. in intangible form, it would not specifically constitute theft under the IPC.

“Data”, in its intangible form, can at best be put at par with electricity. The question whether electricity could be stolen, arose before the Hon’ble Supreme Court in the case “Avtar Singh vs. State of Punjab” (AIR 1965 SC 666). Answering the question, the Supreme Court held that electricity is not a movable property, hence, is not covered under the definition of ‘Theft’ under Section 378 IPC. However, since Section 39 of the Electricity Act extended Section 378 IPC to apply to electricity, so it so became specifically covered within the meaning of “Theft”.

Precaution against law violation

Permission to be sought from the owner of data while copying or downloading his files, strict following of best security practices of ones organization while handling data or moving data from one device to another.

When one plans to copy data or download data from their friends, clients, teachers or employers, computer or network, on the pen drive or iPod or any storage device, one needs to remember these acts can put you behind bars for the next three years and make you a miser by Rupees five Lakhs or you can become further miser to the extent of insolvency if compensation claim suit is also filed in the civil court that runs in trillions.

I do not suggest copying or downloading songs from free songs websites because neither they purchase the songs from their owners nor are you purchasing from them. It therefore, simply makes you a data theft criminal.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.