Breach of confidentiality maintenance covenants amid 'work from home' during COVID-19 lockdown: Concerns and remedies

Confidential information may be understood as information which, either by its nature, or by a specific impression of the provider of the information, has been directed as confidential and has been prohibited to be shared with any unauthorized third person.

Such information must not available in the public domain. The confidential information is generally transferred to a person under a specific contract for a specific purpose only, i.e medical, legal, etc. Confidential information is a superset of various sub-sets of the information like personal data, sensitive personal data, business data or trade secrets.

Pertinently, the term "confidential information" is neither defined in any of the Indian statutes, nor is an exhaustive list possible or desirable. Often, it is the contracts between the parties which define the term “confidential information”.

As a matter of practice and prudence, a provider of information, i.e. an employer or assigner, makes the receiver of the information i.e. employee or assignee, sign a non-disclosure agreement while entering into a contract.

Such agreements are generally widely worded. For example:

The employee agrees that all the confidential information which he/she will gain access to, during his/her service, he/she shall not without prior permission of the provider of information:

(i) use the information provided for his/her benefits (whether be monetary or otherwise) either by himself/herself or through someone else,

(ii) copy the information vide any mode,

(iii) publish or share the information with unauthorized third parties, to the detriment of the provider of information, at or outside the workplace.

As of today, most countries across the world have implemented nationwide lockdowns in the wake of the COVID-19 pandemic. As a consequence of this, workplaces providing non-essential services have been closed.

Individual employers, companies, legal firms, and government departments which maintained strict confidentiality norms and policies - continuous track and blocks on unauthorized movement of shared information, use of office gadgets like phones and computers - have allowed their employees to work from home, mostly through unsecured personal laptops or devices.

A composite look at this situation raises possibilities for either inadvertent or intentional disclosure or misuse of such confidential information, shared by different persons with specific persons for specific purposes.

The use of insufficiently guarded personal gadgets and transmission of confidential information through the e-platforms i.e. emails, which involves intermediaries or data fiduciaries, has increased the possibilities of confidentiality breaches and data theft on the part of the receiver of information on basis of trust or contract. T

The possibilities are further enhanced by the fact that at present, India does not have any dedicated data protection legislation. Though the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha, it is yet to see the light of day.

Remedies

In such circumstances, it becomes pertinent to appreciate the remedies available with the provider of information for breach of confidentiality by the receiver of such information including, the intermediaries. The remedies can be clubbed into two parts, namely, civil remedies and penal remedies.

The parties can seek relief under:

(i) the Specific Relief Act, 1963 read with the Code of Civil Procedure, 1908 (CPC),

(ii) the Indian Contract Act, 1872,

(iii) the Information Technology Act, 2000 (IT Act), and

(iv) the Indian Penal Code (IPC), 1860.

Civil Remedies

Foremost, in the circumstances, where a provider of the information apprehends a breach of the confidentiality agreement by the receiver of the information, the provider may approach the jurisdictional civil court, and apply for a prohibitory injunction against such receiver, under section 38 of the Specific Relief Act, 1963.

Collaterally, a party can also seek for grant of interim prohibitory injunction under Order 39, Rule 1 & 2 of the CPC, until an application for a prohibitory injunction is finally heard and a decree is passed.

However, if the judgment-debtor disobeys the above-mentioned prohibitory decree, and discloses, either fully or partially, the protected confidential information, such a person may be proceeded against under Order 21, Rule 32 of the CPC, wherein a party may be subjected to detention in civil prison, or attachment of the property, or both.

Similarly, a party can be proceeded against under Order 39, Rule 2-A of the CPC for the contravention of interim injunction. Additionally, if such a person contravenes the court’s interim or final prohibitory decree, the court may proceed against such person under the Contempt of the Courts Act, 1971.

Pertinently, it must be noted that where a receiver of the information has already disclosed the confidential information, before the passing of a court decree, the application for prohibitory injunction becomes infructuous, unless, the provider of information fears further disclosure of information by such a party. This is merely a preventive relief which can be sought before the breach of a non-disclosure agreement.

Second, in circumstances where a receiver of the information has already breached the non-disclosure agreement, either before or after the prohibitory injunction of the court, the provider of the confidential information may file a suit for recovery of damages under Section 73 or Section 74 of the Indian Contract Act, 1872.

Generally, non-disclosure agreements do not provide for liquidated damages as until the actual breach occurs, it is difficult and undesirable to assess the damages, as the amount of actual damages varies depending on nature and the extent to which confidential information has been divulged.

Penal Remedies

The penal remedies for breach of non-disclosure agreements are primarily, at present, provided under the IT Act and the IPC.

It is pertinent to note at the outset that the IT Act primarily safeguards the “personal information” and "sensitive personal data or information” of natural persons, as defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 against a breach by a body corporate, or any person under a contract.

First, Section 72(A) of the Act, punishes a person for breach of a lawful contract, by disclosing personal information of a person received under a contract for providing particular services. The provision provides that where a person discloses personal information to any third party without the consent of such party, “with an intent to cause or knowing that it will cause wrongful loss or wrongful gain”, such a person, including intermediary shall be punished with imprisonment of maximum three years or fine of maximum five lakh rupees, or with both.

Second, Section 43A of the Act obliges a body corporate to compensate a party wherein it has negligently implemented security practices or procedures to safeguard “sensitive personal data or information”. Where such negligence causes disclosure of such provided confidential information and wrongful loss or wrongful gain to any person, the body corporate shall be liable to pay damages by way of compensation to the person so affected.

Third, Section 72 of the Act safeguards a disclosure by an officer acting under the power provided under the Act or rules or regulation made thereunder, i.e. public officer. When such an officer unwarrantedly discloses any material like “any electronic record, book, register, correspondence, information, document” without the consent of the provider of information, he shall be liable to imprisonment extending to two years or fine extending to one lakh rupees, or with both.

Thus, this provision is a remedy against a government official who breaches the confidential information received while enrolling for the Aarogya Setu app.

Fourth, Section 43 of the Act enlists acts which constitute data theft. Where such a breach has been unintentional or inadvertent, such person may be mandated to pay damages by way of compensation. On the other hand, where the acts provided under Section 43 have been dishonestly and fraudulently done, Section 66 prescribes penal consequences in the nature of imprisonment extending to three years or fine extending to five lakh rupees, or both.

Additionally, the Act prescribes punishment for abetting and attempting to commit the aforesaid offences. Pertinently, the compensation or penalties awarded under this Act do not prevent the award of compensation, the imposition of penalty, or punishment under the other Acts at the time in force.

Lastly, a party in breach of a confidentiality agreement can be prosecuted under several provisions of the Indian Penal Code, 1860. For example, a party in breach can be prosecuted under Section 403 of the Code for criminal misappropriation of confidential information shared to his use. Similarly, such a person can also be prosecuted under Section 405 or Section 408 of the Code for the criminal breach of trust, for sharing the confidential information with an unauthorized third person and/or for a purpose other than for which it was entrusted under the contract. Such information shall be deemed as moveable property.

It is pertinent to note herein that to proceed under the Code, intention is an essential pre-requisite. However, it is not a pre-requisite while availing relief of civil nature under the Contract Act and several provisions of the IT Act.

Conclusion

Besides the above-discussed penal and monetary repercussions, termination from the office and the tarnishing of reputation often deters a disclosure of information to any unauthorized person. A breach by the receiver of such information has a domino effect on all the persons involved, i.e. data provider, employer, and the employee.

It must also be noted that the above-discussed remedies, except for prohibitory injunction, are corrective remedies and not preventive in nature. To prevent such hassles and risks, the provider of information must always have well-drafted non-disclosure agreements, updated technology with the use of a firewall, anti-virus software, and anti-spyware. Computers and devices should be encrypted.

Thus, before allowing employees or assignees to work from home on personal devices during the COVID-19 lockdown, the employer must ensure prior due diligence to safeguard any intentional or inadvertent breach of the confidentiality agreement.

The enactment of the Personal Data Protection Bill, 2019 would have helped secure confidentiality and privacy of the information shared by a person, with the government or any other person including corporate entities. The Bill proposes special legislation with defined rights and duties of the data principal and data fiduciaries to safeguard against the breach or misuse of the data collected.

The author is an advocate practicing at the High Court of Delhi and the Supreme Court of India.