1. INTRODUCTION
In today's digital era, the indispensability of the internet and computers cannot be denied. The ability to share and exchange information immediately has provided unprecedented and unparalleled benefits in the areas of education, business, entertainment, and social interaction.
At the same time, our increased dependence on the internet and lack of cybersecurity create significant opportunities for the commission of cybercrimes.
Cyber-crime may be defined as any activity that uses the internet to commit a crime. [1] One such cybercrime is data theft, the occurrence of which has increased dramatically in recent years.
Data, as defined in Section 2(o) of the Information Technology Act 2000, means a representation of information, knowledge, fact, or concept which has been prepared and processed into a computer system or network or internally in the memory of the computer. Data is an indispensable element in business today, and the security and effective management of data can be considered major driving forces of an organization.
Modern-day enterprises and businesses store huge amounts of data digitally, such as financial accounts, intellectual property, trade secrets, and other confidential information which may contribute to the firm's reputation and goodwill.
Data has become a weapon for corporates to capture larger market shares. A single enterprise may hold the personal information of thousands of individuals. Hence it becomes crucial to ensure that this data is protected and does not get into the wrong hands.
India is transitioning into a data-driven digital economy with initiatives like Make in India, Digital India, and Startup India. Data is the new oil of the digital economy. [2] It is the key to the smooth functioning of the economy, and with this oil leaking profusely there is an imminent threat to businesses and individuals.
2. WHAT IS DATA THEFT?
Data theft has been defined in Section 43(b) of the Information Technology Act, 2000 as an act of extracting, copying, or downloading any data, computer database, or information from such computer system or computer network, including information held or stored in any removable storage medium. [3] In other words, data theft may be defined as an act of illegally taking data and information from a company or an individual without his consent and knowledge.
Some of the most common causes of a data breach are weak and stolen passwords, back door entry through poorly written software applications, malware, insider threats, unauthorized use of confidential information by employees, phishing, and physical attacks. [4]
Statistics show that in 2019 there were around 285 cases of data theft reported in India. [5] This number spiked by 37% in 2020. [6]
Let's take a look at some of the biggest recent cybersecurity attacks:
The Big Basket data leak of October 2020 is considered to be one of the biggest thefts in cyberspace, wherein detailed personal information (email address, mobile number, home address, and date of birth) of over 20 million customers was leaked on the dark web. [7]
Another notable incident was the database leak of a Police Department examination in February 2021, wherein personally identifiable information of over 5 lakh Indian Police personnel was put up for sale. [8]
Another worrisome incident took place in January 2021, when Covid-19 test results of at least 1500 patients were leaked by a government website and were publicly accessible to anyone through Google. In August 2019, healthcare records of over 68 lakh patients and doctors were stolen by hackers from a healthcare website based in India. [9]
On March 29, 2021, the Mobikwik payment app came into the limelight when personal data, including Know Your Customer (KYC) documents, Aadhaar card details, credit card details, and mobile numbers linked to the app, of over 110 million users were reported to be on sale on the dark web. Although the company has denied the data breach, evidence and cyber-security experts claim the leak to be genuine. [10]
3. DATA PROTECTION REGIME IN INDIA
3.1 INFORMATION TECHNOLOGY ACT 2000:
The Information Technology Act, 2000 was enacted with the prime objective to create an enabling environment for commercial use of Information Technology. The Information Technology Act specifies the acts which have been made punishable. [11]
There is no express legislation dealing with data protection in India; however, data protection and data theft have been read into statute through certain provisions of the Information Technology Act. Provisions of the Information Technology Act [12] which deal with data theft are discussed below:
- Section 43: Clause (b) of this section protects against unauthorized downloading and extracting of data from a database or any storage device. Clause (c) penalizes the introduction of computer viruses and contamination of the computer system or network. Clause (g) penalizes assistance in such unauthorized access.
- Section 65 punishes intentional or unintentional tampering with computer source documents with up to three years' imprisonment or with a fine of up to 2 lakh Rupees.
- Section 66 protects against hacking. According to this section, any person who intentionally causes damage to public information residing in computers or commits hacking shall be punished with three years' imprisonment and a fine which may go up to 2 lakh Rupees.
- Section 70 provides protection to data stored in a protected system; any act in breach of this protection would attract imprisonment for 10 years and a fine.
- Section 72 provides protection against breach of confidentiality and privacy of data; any such breach would attract imprisonment of two years and a fine which may go up to 1 lakh Rupees.
3.2 INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011 (SPDI RULES):
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011 cover the principle of privacy and data protection under the Information Technology Act. The Sensitive Personal Data or Information (SPDI) Rules mandate adherence to specified procedures and measures required to be taken by a body corporate which stores, processes, or deals with sensitive personal information or data in a computer source which it owns. [13] Some of the key features of these Rules are highlighted below [14]:
- Body corporates are required to obtain the prior consent of information providers before storing any data. Data shall be stored if it is essential and required for compliance with the law.
- A body corporate needs to ensure that the information provider knows about the collection of information and the purpose for which it is being collected.
- Personal information should not be retained for longer than is necessary for achieving the corresponding purpose.
- Body corporates shall not disclose personal information to any third party without the prior consent of the information provider.
- A body corporate handling sensitive personal data is required to formulate a privacy policy containing the purpose of collection, type of information, security practices and procedures being followed, etc., and to publish the same on their website and make it readily available to the information provider.
3.3 INDIAN PENAL CODE 1860:
The question which often arises for consideration is whether the provisions of the Indian Penal Code 1860 could be applied to the concept of data theft. Section 378 defines the term "theft" as an act of dishonestly taking possession of a person's movable property without his consent. Movable property, as described in Section 22 of the Indian Penal Code, refers to corporeal property except for land and other things permanently attached to the earth. Hence, if data is stored in a tangible medium (disc or floppy), it would be considered movable property and would come under the definition of theft under Section 378. Data stored electronically is intangible and at best can be compared to electricity. The question of whether electricity could be stolen was answered in the negative by the Supreme Court in the case of Avtar Singh v. State of Punjab [15]. The Supreme Court held that it was not movable property and hence could not be stolen and does not come under Section 358 of the Code. However, since Section 39 of the Electricity Act extended to Section 358 of the Code, electricity can be covered under Section 358. Since the Information Technology Act is silent on any such special provision and extension, the provision of theft under the Indian Penal Code does not apply to data theft.
3.4 CONSTITUTION OF INDIA:
Privacy is closely connected to data protection. Privacy relates to the ability to control the dissemination and use of one's personal information. An individual's data includes his name, address, telephone numbers, profession, family details, choices, etc., and passing such information to interested parties without the consent of the individual can lead to an intrusion into privacy. [16]
The right to privacy is not enumerated as a fundamental right in our Constitution but has been inferred from Article 21 of the Constitution, which protects life and liberty. The first decision of the Supreme Court in this aspect was in Kharak Singh v. State of U.P. [17]. The Supreme Court took the concept of the right to privacy forward and placed it on the plane of a fundamental right in R. Rajagopal v. State of Tamil Nadu [18]. The Supreme Court held that the right to privacy is implicit in the right to life and liberty guaranteed to the citizens of this country by Article 21. The Court further observed that "A citizen has a right to safeguard the privacy of his own, his family, marriage, motherhood, childbearing and education the most amongst other matters. No one can publish any matter concerning the above rights without his consent. If he does so, he would be violating the right to privacy of the person concerned and would be liable in an action for damages." [19]
In District Registrar and Collector v. Canara Bank [20], the Supreme Court held that disclosure of private documents of customers or copies of such private documents would amount to a breach of confidentiality and would, therefore, be violative of Article 21.
In Unique Identification Authority of India and Another v. Central Bureau of Investigation [21], the Supreme Court restrained the Unique Identification Authority of India from transferring any person's biometric information with an Aadhaar Number to any other agency without such person's consent in writing, as the same would be a violation of his right to privacy. [22]
Therefore, data theft would not only attract provisions of the Information Technology Act but would also be a violation of the right to privacy of an individual under Article 21 of the Constitution.
3.5 OTHER LAWS:
Depending on the type of data that has been stolen, several other acts, apart from the Information Technology Act and the SPDI Rules, also come into the picture. If the data stolen is financial in its essence (credit or debit card details), then the same would attract provisions of the Credit Information Companies (Regulation) Act 2005 along with the circulars of the Reserve Bank of India. Data theft in the telecom sector would attract the Telecom Commercial Communications Customer Preference Regulations of 2010.
4. CONCLUSION
Cybercrimes like data theft are a worldwide phenomenon and transcend jurisdictional borders and can impact several aspects of our daily lives. The consequences of these crimes are often remarkable in their enormity and impact.[23] Whilst we may never be able to eradicate these crimes, it is fundamental that we, as individuals and a community, understand the gravity of the threats posed and take adequate precautions and security measures. Some simple security measures which may be taken to prevent data theft are removing sensitive data from the system, ensuring that systems are password-protected, limiting employee access to reduce unauthorized access to sensitive information, implementing a firewall, two-factor authentication, deploying anti-virus software, and creating a license agreement with customers and users.
The Indian Government, post demonetization, has taken prompt measures to introduce digital payment options to root out black money and corruption. As India transforms into a digital economy, the threat to data and privacy is at an all-time high. Data theft in particular is one area that demands immediate attention. Unlike the UK's Data Protection Regulation and the USA's sector-specific laws, India is yet to have comprehensive data protection legislation. India's Personal Data Protection Bill 2006 is still at a nascent stage and continues to develop while it mimics the provisions of far more advanced legislation such as the General Data Protection Regulations of the United Kingdom. India's present legislation provides little to no protection against data theft. The Information Technology Act deals with data protection and privacy and also has certain provisions loosely linked with data theft, but these provisions have not been dealt with exhaustively. Hence a special and stringent law for protection against data theft is much needed.
[1] Dr. Monika Jain. (2017). Victimization of women beneath cyberspace in Indian upbringing. Bharati Law Review, 5. Manupatra. http://docs.manupatra.in/newsline/articles/Upload/786274E9-B397-4610-8912-28D6D03230F9.monika_jain_pdf_1-1111.pdf.
[2] Joris Toonders, Yonego. (2014, July 23). Data Is the New Oil of the Digital Economy. WIRED. https://www.wired.com/insights/2014/07/data-new-oil-digital-economy/
[3] Information Technology Act, § 43(b) (2000).
[4] 8 Most Common Causes of Data Breach - Sutcliffe Insurance. (2018, October 8). Sutcliffe Insurance. https://www.sutcliffeinsurance.co.uk/news/8-most-common-causes-of-data-breach/.
[5] Sandhya Keelery. (2021, February 24). India: number of cyber crimes related to data theft. Statista. https://www.statista.com/statistics/875925/india-number-of-cyber-crimes-related-to-data-theft/.
[6] Harikumar, N. (2021, March 31). India Struggles To Safeguard Data: Recurring Cases Of Data Breach. BW Businessworld. http://www.businessworld.in/article/India-Struggles-To-Safeguard-Data-Recurring-Cases-Of-Data-Breach/31-03-2021-385235/.
[7] Pranav Mukul. (2020, November 12). Explained: How big is the Bigbasket data breach? The Indian Express. https://indianexpress.com/article/explained/explained-how-big-is-the-bigbasket-data-breach-7026688/.
[8] Pierluigi Paganini. (2021, February 2). Police Exam Database Exposes 500K Indian Citizens PII. Security Affairs. https://securityaffairs.co/wordpress/114148/data-breach/police-exam-database-exposes-500k-indian-citizens-pii.html.
[9] Ghosh, S. (2021, April 28). The biggest data breaches in India. CSO Online. https://www.csoonline.com/article/3541148/the-biggest-data-breaches-in-india.html.
[10] Tech Desk. (2021, April 1). MobiKwik database of 10 crore users leaked on dark web; company denies data breach. The Indian Express. https://indianexpress.com/article/technology/tech-news-technology/mobikwik-database-leaked-on-dark-web-company-denies-any-data-breach-7251448/.
[11] Pariyal Gupta. (2020, June 21). CYBER LAWS- A BRIEF ANALYSIS. Www.legalshala.com. https://www.legalshala.com/post/98.
[12] MINISTRY OF LAW, JUSTICE AND COMPANY AFFAIRS (Legislative Department). (2000). https://www.meity.gov.in/writereaddata/files/itbill2000.pdf.
[13] Advocate Prashant Mali. (2019). Data Protection Laws and Compliance Requirements- Analysis of Laws from Europe, Singapore, and India. Journal of Emerging Technologies and Innovative Research, 6(6).
[14] Data Privacy Regime in India: IT Act and SPDI Rules. (2021, February 15). Preview Tech News. https://previewtech.net/data-privacy-it-act-spdi-rules-2021/.
[15] AIR 1965 SC 666.
[16] Shankar Shiv Singh. (2012). Privacy and Data Protection in India. http://www.supremecourtcases.com/index2.php?option=com_content&itemid=5&do_pdf=1&id=23269.
[17] AIR 1963 SC 1295.
[18] AIR 1995 SC 264.
[19] Justice B. Sudershan Reddy. (2018a). The Constitution of India (4th ed., Vol. 1, pp.1080). Asia Law House.
[20] AIR 2005 SCC 496.
[21] Petition for Special Leave to Appeal (Crl) No(s).2524/2014 in the Supreme Court, Order dated March 24, 2014.
[22] Shalaka Patil, & Vyapak Desai. (2014, April 4). NishithDesai. Www.nishithdesai.com. http://www.nishithdesai.com/information/news-storage/news-details/newsid/2327/html/1.html.
[23] Peter Grabosky, Russell G Smith, & Gillian Dempsy. (2001). Electronic Theft: Unlawful Acquisition in Cyberspace. Cambridge University Press.