Introduction 

Recently we came across an issue faced by one of our clients, an incorporated company in India. We were told that there had been an unauthorised data leak from the client’s system and that the leaked digital files contained confidential financial transaction data of our client. These files came to be shared with a third party (one of the lenders of our client) with the allegation that our client was utilizing the loan taken from this lender for extraneous purposes, including manipulation of the stock price. Our client wished to take action but was unsure what its remedies were.

There have been multiple instances of corporate data being shared by disgruntled employees, as well as by persons having access to such data in some other capacity. The Digital Personal Data Protection Act of 2023 (“DPDP Act”) introduced in India does little or nothing to protect the data of corporations or to address breaches of it, as it focuses mainly on the protection of digital personal data, defined as “personal data in digital form”, with personal data having been defined as “any data about an individual identifiable by or in relation to such data”.

It further deals with the obligations of the data fiduciary, consent, purpose, storage of the data, data retention and the obligations of a significant data fiduciary.

The DPDP Act focuses on protection of personal data, obligations of the data fiduciary, data storage, data retention and obligations of a significant data fiduciary. As this Act does not provide remedies to a corporate entity for breach of its data, we seek to explore the possible remedies for incidents of data breach against a corporation by its employees or by third parties.

Remedies against breach of data of an incorporated entity by the employees or any other third persons

The remedies for data breach and confidentiality breach against a corporation are not to be found in any single statute dealing with the issue, which makes it difficult to obtain efficient remedies. We, however, seek to take into consideration possible violations of contracts and of different statutes and to explore the landscape of possible remedies.

Data breach by physical sharing of data

It is possible that the person committing a breach of data belonging to a corporation might share such data unauthorizedly in physical form rather than send it via email. Assuming that the incorporated entity has a well drafted confidentiality agreement as well as a privacy policy and data protection policy in place and the same is duly signed by the person having access to such data belonging to the corporate entity, sharing of the physical data will give rise to the breach of contractual obligation and the same will entitle the corporate entity to take action in terms of the Indian Contract Act.

It is normally difficult to establish the sharing of data in physical form, and our recommendation is to have a system in place that disables the option to print documents. We also recommend having a suitable confidentiality agreement and data protection policies in place providing for payment of a genuine pre-estimate of damages in case of breach of data.

Breach of data through unauthorized access to the computer or computer system of the corporate entity

Establishing a breach of data committed by means of a computer or by sharing over email is comparatively easier. An entity that has come to know of a breach of its data could begin by obtaining a digital forensic analysis report from a provider of such services and collecting the necessary evidence.

In case the report points to a breach of data by any individual, remedies could be pursued under the Indian Contract Act as already described above. Additionally, Chapter IX of the Information Technology Act, 2000 (“IT Act”) contains relevant provisions for penalties, compensation and adjudication regarding breach of data. Section 43 of the IT Act provides that:

“43. [Penalty and compensation] for damage to computer, computer system, etc.–If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,–

(a) accesses or secures access to such computer, computer system or computer network [or computer resource];

(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(d) damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network;

(e) disrupts or causes disruption of any computer, computer system or computer network;

(f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;

[(i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

(j) steal, conceal, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;]

[he shall be liable to pay damages by way of compensation to the person so affected.]

Explanation.–For the purposes of this section,–

(i) “computer contaminant” means any set of computer instructions that are designed–

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network;

(ii) “computer data-base” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network;

(iii) “computer virus” means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource;

(iv) “damage” means to destroy, alter, delete, add, modify or rearrange any computer resource by any means.

 [(v) “computer source code” means the listing of programme, computer commands, design and layout and programme analysis of computer resource in any form.]”

Section 46 of the IT Act provides that any person who has committed a contravention of any provisions of the IT Act of 2000 or any rule or regulation will be subject to the jurisdiction of the adjudicating officer appointed under the IT Act of 2000 and he may be liable for the damages not exceeding the amount of INR 5 crores.

Section 66 of the IT Act provides that if any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term extending up to three years or with a fine which may extend to five lakh rupees or with both.

Possible actions for breach of data in physical or digital form

If the breach of data is accompanied by any defamatory allegations, then the same will give rise to the offence punishable under Section 356 of the Bharatiya Nyaya Sanhita of 2023 (“BNS of 2023”) which is punishable by simple imprisonment extending up to 2 years or with a fine, or with both, or with community service.

If the data can be argued to be property, such a data breach will further give rise to the offences of criminal breach of trust and theft, which are punishable under the BNS of 2023 with imprisonment of up to 7 years.

Whether or not data can be considered property within the meaning of the provisions pertaining to criminal breach of trust and theft is a highly debatable issue, and is required to be considered vis-à-vis the definitions contained in the Transfer of Property Act of 1882 and the Indian Penal Code and the concept of intangible property. As on date, there appears to be no binding precedent holding that data amounts to property.

Conclusion 

While there is a need for data protection law for the protection of the data of the corporations, the current framework of law provides a right to the corporation in case of breach of data to take the following actions:

  • Civil or commercial suit for damages for breach of contractual obligations.
  • Proceedings under Section 46 of the IT Act of 2000 for violation of the provisions of Section 43 of the IT Act of 2000 claiming damages up to an amount of INR 5 crores.
  • Criminal proceedings u/s. 66 of IT Act before the competent court for the punishment for violation of the provisions of the IT Act arising out of data breach. 
  • Possible action for Criminal Defamation based on facts
  • Possible criminal action for criminal breach of trust and theft

*The content of this article is intended to provide general information. No reader or user should act or refrain from acting on the basis of the information written above without first seeking legal advice from a qualified law practitioner.
