Data Breaches and the Statutory Framework In India

“ If you torture the data long enough, it will confess to anything.”

~Ronald Coase

A data breach refers to an incident in which information is accessed without authorization. The information may be sensitive, protected or confidential. The foremost common sorts of data breaches involve ransomware, password guessing, recording keystrokes, and phishing.

With data serving as an asset for people and organizations, data breaches are becoming a noteworthy concern across the globe. Cyble Inc, a cybersecurity firm, revealed that personal details of millions of Indian job seekers were leaked and put up on the dark web for free. The firm further claimed that the data leak seemed to have originated from a resume aggregator which accumulates data from various job portals.

According to another report, hackers embezzled patient and doctor records of 6.8 million Indian citizens from a leading healthcare website based in India. It was observed that the data was looted by some Chinese cybercriminals. Moreover, it was found that the records were being sold on an underground forum, sometimes being available under USD 2000.

India does not have a dedicated law governing the field of data protection and privacy.

However, there are certain provisions laid down in the Information Technology Act, 2000 (IT Act) regarding data protection and privacy. The primary objective of the IT Act, 2000 is to deal with cybercrime and electronic commerce. The Act was amended in 2008 and came into force a year later introducing some important sections to handle matters associated with data breaches. Prior to the amendment, the Act did not have any significant reference to data protection.

Section 43 of the Act imposes a penalty and compensation on any person whom without authorization does any of the following acts

1. accesses or secures access to a computer, computer system, computer network or computer resource.

2. downloads, copies or extracts any data or information from such computer, computer system or computer network.

3. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network.

4. damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes in such computer, computer system or computer network.

5. disrupts or causes disruption of any computer, computer system or computer network.

6. denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means.

7. provides any assistance to any person to enable access to a computer, computer system or computer network.

8. charges the services availed of by a person to the account of another person by tampering or manipulating any computer, computer system, or computer network.

9. destroys, deletes or alters any information in a computer resource or reduces its value or utility or affects it injuriously by any means.

10. steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.

Section 43A makes a body corporate liable to pay compensation if it neglects to implement and maintain reasonable security practices and procedures to safeguard data.

Section 65 contains punishment for tampering with computer source document by knowing or intentionally concealing, destroying or altering it or by causing another person to do the same.

Section 66 imposes criminal liability on a person who dishonestly or fraudulently performs any act specified under Section 43 of the Act.

Section 72 talks about the breach of confidentiality and privacy and provides a punishment against accessing and disclosing any electronic records, book, information, document or other material without the approval of the person concerned.

Section 72A specifies the punishment for disclosure of information in breach of lawful contract and elucidates that if any person while rendering services within the terms of a lawful contract makes access to any personal information about another person with an intention to cause wrongful loss or wrongful gain by disclosing or in breach of the contract shall be punished.

The Personal Data Protection Bill, 2019 (PDPB) was introduced in Lok Sabha by Ravi Shankar Prasad, the Minister of Electronics and Information Technology, on December 11, 2019.

Formerly, a draft of the Personal Data Protection Bill was submitted by the Justice (Retd.) BN Srikrishna committee in July 2019. The Bill concentrates to provide protection of personal data and aims at setting up a Data Protection Authority in India to address the issues pertaining to the personal data of an individual.

The Bill is certainly a move in a beneficial direction. Although as of March 2020 the Bill is pending and being analysed by a Joint Parliamentary Committee.

Conclusion

The Information Technology Act, 2000 imposes civil and criminal liability in case of data breach and infringement of confidentiality and privacy.

Presently, the IT Act is the only legislation which covers some vital issues regarding data security.

Advancement in technology has led to more usage of e-commerce websites and online transactions have become a part of day-to-day life. A person has multiple accounts on a single digital platform. People tend to store their data into various electronic devices. This has encouraged hackers and cyber attackers to involve in data breach practices. Many individuals and organisations have experienced a data breach that resulted in the loss or theft of valuable data.

The main concern is that people rely on diverse apps, institutions and organisations assuming that their data is safe with them but in reality, they are not even aware of their data being sold on the underground markets.

The current legal framework appears to be insufficient to handle the challenges of the data breaches. The Personal Data Protection Bill, 2019 is yet to take the shape of legislation.

Therefore, it is preferable that without further ado, India enacts a strict and independent law for dealing with data protection and privacy.

References:

1. http://www.legalserviceindia.com/article/l406-Does-India-have-a-Data-Protection-law.html

2. https://www.mondaq.com/india/data-protection/655034/data-protection-laws-in-india--everything-you-must-know

3. https://www.mondaq.com/india/it-and-internet/13430/cyberlaw-in-india-the-information-technology-act-2000--some-perspectives