The vulnerability of data: A look at data breaches and the statutory framework in India

It is desirable that India finalises and enacts the data protection law at the earliest to patch the lacuna in the current statutory framework.

The world has suffered various data breaches over the years. Closer to home, cybersecurity firm Cyble Inc found on May 23 that the data of millions of Indian job seekers was leaked on the dark web for free.

This leak involved sensitive personal data such as home address, qualification, work experience and more. The firm also said that Aadhaar card details of Indians were found to have been leaked and that the source of the leak was being investigated. This data leak is said to have originated from a data aggregator or resume aggregator, which compiles data collected from various sources.

Another report states that the Bhim wallet app website was compromised, along with sensitive personal data such as Aadhaar card number, PAN number, residence proof, bank records etc. This report has been denied by the National Payments Corporation of India (NPCI), which says that there has been no such breach.

Smartphones, tablets and computers have become the sine qua non of existence in the 21st century and are required for everything from ordering groceries to hailing a cab. People also require them to keep track of their schedules and communicate with each other. It is no wonder, then, that bad actors are constantly trying to compromise the data of millions of users which is stored in these devices. It is very easy to download an app and give it the data which it needs to process in order to provide you with the service. However, the fundamental question which needs to be asked is whether they are doing enough to protect your data.

This article seeks to examine the statutory framework prevailing in India for dealing with data breaches and what remedies are provided under the law.

The current law which governs the field is the Information Technology Act of 2000. Chapter IX of the Act specifies the penalties, compensation and adjudication.

Section 43 of the Act lays down the penalty and compensation for damage to a computer, computer system or computer network.

The Section is equipped to deal with the following practical situations:

  1. The accessing or securing of access to a computer, computer system or computer network

  2. The downloading, copying or extracting of any data, computer database or information from a computer, computer system or computer network, including data held or stored in any removable storage medium.

  3. Introducing or causing to be introduced any computer contaminant or computer virus into any computer, computer system or computer network

  4. Damaging or causing damage to any computer, computer system or computer network, data, computer database, or any other programmes residing in the computer, computer system or computer network

  5. Disrupting or causing disruption of any computer, computer system or computer network

  6. Denying or causing the denial of access to any person authorised to access any computer system or computer network by any means.

  7. Providing assistance to any person to facilitate access to a computer, computer system or computer network.

  8. Charging the services availed of by a person to the account of another person by tampering with or manipulating any computer etc.

  9. Destroying, deleting or altering any information residing in a computer resource or diminishing its value or utility or affecting it injuriously by any means

  10. Stealing, concealing, destroying or altering or causing any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.

Thus, it is clear that the Section provides for dealing with most forms of cyber attacks and data breaches. The penalty specified in the Section is compensation to the person who is affected by these acts.

Section 43A is also compensatory in nature and makes a body corporate liable to pay compensation for failure to protect data.

The Section specifies that if a body corporate which possesses, deals with or handles any sensitive personal data or information in a computer resource which it owns, controls and operates, is found to be negligent in implementing and maintaining reasonable security practices and procedures which cause wrongful loss or wrongful gain to any person, it will be liable to pay compensation to the victim.

While Section 43 of the Act provides for compensation, Chapter XI of the Act pertains to offences. Section 66 of the Act specifies the punishment for doing any of the acts which are specified in Section 43 dishonestly or fraudulently and provides for criminal liability.

Proceedings instituted will go before an adjudicating officer (Section 46). Appeals from a decision of the adjudicating officer will go to the Cyber Appellate Tribunal (Section 57). Appeals from the decision of the Cyber Appellate Tribunal will go to the High Court (Section 62).

A Division Bench of the Allahabad High Court had occasion to deal with the statutory framework pertaining to data breaches in a proceeding for quashing of FIR. In Amit Kumar Jaduan v State of UP and others [MANU/UP/3289/2018] the court examined Sections 43, 47 and 66 of the Act. Some of the important observations of the court are summarised hereunder:

  • The act of default must have been committed without the permission of the person who is the owner or person in charge of the computer, computer system or computer network.

  • The act of the defendant must have caused some damage or loss to the person so affected.

  • The difference between Section 43 and 66 is that the pre-requisite of the latter is the existence of mens rea, while under Section 43 of the Act, it is whether the act committed is without the permission of the owner or person who is in charge of the computer, computer network, or computer system.

  • Simultaneous actions can be maintained under Section 43 and 66 as there is no provision which bars the same.

  • While the jurisdiction of civil courts is barred for offences related to Section 43 and there is a special court in the form of an adjudicating authority under the Act to try offences under Chapter IX of the Act, there is no special court created for the offences prescribed under Chapter XI, which consists of Sections 65 to 74. Regular criminal courts will have jurisdiction, with their power to adjudicate depending upon the quantum of punishment prescribed in the Code of Criminal Procedure.

Analysis and conclusion

Section 43 provides for most of the practical ways data is compromised, and 43A makes companies liable for failing to protect user data. Section 43 requires that the act committed was without the consent of the victim and that some actual loss or damage has been caused. In many cases, this loss will not be easily quantifiable. This is why Section 66 provides for criminal penalties for dishonestly or fraudulently committing any of the acts which are committed under Section 43, and it is crystal clear that a victim can pursue both the remedies which are available to her in law.

Practically, the problem in availing of these remedies in law is that in many cases of data breaches, the hacker is not known or is a professional hacker operating remotely out of international territories. Thus, instituting proceedings may not result in any actual gain to the victim of the data breach.

In the instance we have cited, the breach was revealed by a cybersecurity firm and not the data or resume aggregator which suffered the data breach. Many of the job seekers who suffered this breach will not even be aware that their data has been compromised and they are at risk.

However, in many such cases, there will be an entity which failed to protect user data, and in such cases, the company which failed to do so can be taken to task. This is why the reporting of these data breaches is of fundamental importance. There is no Section in the Act which mandates reporting data breaches. This lacuna has been sought to be fixed in the Personal Data Protection Bill of 2019, but that is yet to be finalised and brought into law.

It is, therefore, desirable that India finalises and enacts the data protection law at the earliest to patch the lacuna in the current statutory framework.

The author is a Delhi-based Advocate.

Bar and Bench - Indian Legal news