Data is a gold mine in today's world. As civilization advances, crime advances
too, and theft is now committed by educated people. Data is the key to one's
life: if someone steals your data, they not only learn about your personal
life, your financial status, and your political or social views, but they can
also manipulate it.
Online banking fraud and phishing are a few examples of how data theft can
affect your finances. From stealing your credit card details to stealing your
biometrics and cloning your SIM card, data thieves can empty your account in a
fraction of a second. India is the hub of this kind of financial fraud.
By stealing your data, they not only know what you are thinking, they can
manipulate your thinking too. In the Facebook Analytica case, the world became
aware of how your data can be used against you and change not only the social
but also the political course of the country.
So common people must be aware of data theft, the harm it can do, the rights
and remedies available to them if their data is stolen, which law in India
covers the crime of data theft, and how their grievances can be resolved.
I hope this article helps to answer all your queries.
What is Data Theft?
In simple terms, data theft means the illegal copying, removal, or stealing of
confidential or valuable information from a corporate, a business, or an
individual without their knowledge or consent.
In this kind of theft, an individual faces the threat of having their
passwords, personal information, or banking and financial information stolen.
Corporates and businesses face the threat of having sensitive information
stolen, such as client data, software source code, corporate trade secrets, and
confidential information.
The legal definition of data theft is given in Section 43, sub-clause (b), of
the IT Act 2000. It covers any person who, without the permission of the owner
or any other person who is in charge of a computer, computer system or
computer network, downloads, copies, or extracts any data, computer database,
or information from such computer, computer system or computer network. The
term is used when any information in the form of data is illegally copied or
taken from a business or another individual without their knowledge or consent.
Laws governing Data Theft in India:
Data theft in India is mainly governed by the IT Act 2000. Section 43 of the Act
covers the definition and types of data theft, and Sections 65, 70, and 72 of
the Act cover the penalties imposed in case of data theft.
Certain sections of the IPC can also be invoked in the case of a data breach.
Section 403 deals with the imposition of a criminal penalty for dishonest
misappropriation or conversion of movable property for one's own use. Section
378 deals with the theft of immovable property. Data is abstract, but if it is
stored on a hardware drive such as a floppy disk or pen drive and that drive is
stolen, then Section 378 can be invoked.
Section 63B of the Indian Copyright Act provides that any person who knowingly
makes use of a computer or an infringing copy of a computer program shall be
punishable. In cases such as Govindan v. Gopalakrishna[1] and Macmillan v.
Suresh Chunder Deb and others[2], the courts have stated that a compilation
created by devoting capital, time, skill, and energy, even if taken from a
common source, is a literary work and is thus subject to copyright protection.
The courts supported their decisions by stating that even a minor level of
creativity in a compilation was protected and that no individual had the right
to seize the rewards of another's hard work for their own.
The Credit Information Companies Regulation Act, 2005 (CICRA) also deals with
data theft. This Act sets norms for how an entity can collect and maintain the
data of an individual, and if there is any leak or alteration of this data, the
entity will be held liable.
What kind of Data falls within the ambit of the IT Act?
There are two types of data according to the IT Act: Personal Information and
Sensitive Personal Data.
Personal Information means any information which directly, indirectly, or in
combination with other information is capable of identifying any person.
Section 43A of the IT Act deals with sensitive personal data but does not
specifically define it. It says only that sensitive personal information means
any personal information which is prescribed as sensitive by the government.
The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data and Information) Rules 2011 define 'sensitive personal
data' as personal information relating to:
- passwords;
- financial information such as bank account or credit card details;
- physical, physiological, and mental health;
- sexual orientation;
- medical records and history; and
- biometric information.
Liabilities:
On Employer:
- Section 43A of the IT Act says that when any corporate dealing with,
handling, or processing any personal or sensitive data in a computer system
that it owns, controls, or operates is negligent in providing reasonable
security practices and measures, and this causes wrongful gain or wrongful
loss to some person, then the corporate is liable to compensate the affected
person.
- As mentioned in Rule 8 of the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules
2011, any person or corporation that follows the IS/ISO/IEC 27001 code, or any
code for data protection that is verified by the Central Government, is said
to comply with the reasonable security practices and procedures for data
protection.
Section 72A of the IT Act provides that any person, including an intermediary
(defined in section (2)(W) of the IT Act 2000), who is providing a service
under a legal contract through which they had access to the personal
information of another person, and who uses this information for wrongful gain
or wrongful loss without the consent of that person or in breach of the legal
contract, is liable to be punished for this act.
- Rule 4 of the IT Rules 2011 says that a corporate, or any person on its
behalf, that collects, receives, possesses, stores, deals with or handles
information or sensitive information shall disclose its privacy policy to the
persons from whom it is collecting information.
- The information thus taken should be visible to the information
provider.
- The privacy policy should be published on the website of the corporate or
any person on its behalf and should mention the following points:
- Clear and easily accessible statements of its practices and policies.
- type of personal or sensitive personal data or information collected
under rule 3 of the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules 2011.
- purpose of collection and usage of such information.
- disclosure of information including sensitive personal data or
information as provided in rule 6 of the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or
Information) Rules 2011.
- reasonable security practices and procedures as provided under rule 8 of
the Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules 2011.
- Rule 5 of the IT Rules 2011 says that before collecting any information, the
corporate or the person representing it should take written consent from the
information provider.
- The corporate or any person on its behalf should not collect the information
unless it is for a lawful purpose and collecting the information is
necessary for that purpose.
- The corporate or any person on its behalf collecting the information
directly from the information provider shall make sure that the information
provider is aware of the following:
- the fact that the information is being collected.
- the purpose for which the information is being collected.
- the intended recipients of the information.
- the name and address of:
- the agency that is collecting the information.
- the agency that will retain the information.
- Information providers should be able to review the information they have
provided any time they want.
- Information provided should be used only for the purpose it was provided
for and should be removed after the purpose is over.
- Provider of the Information should have the option of not providing the
information in the first place and they also have the freedom to withdraw
the consent at any point of time after providing the consent to the
corporate or any person representing the corporate.
- Corporate should appoint a Grievance Officer and publish his name and
contact details on its website.
- The Grievance Officer shall redress the grievances of the provider of
information expeditiously, but within one month from the date of receipt of
the grievance.
- Prior permission of the information provider is needed if the corporate
wants to share the information given by the information provider with a third
party, and sharing is allowed only if the third party has the data protection
code required by the IT Rules 2011.
- Where the third party is a government organization authorized under the law
to obtain sensitive data, no prior permission of the information provider is
needed.
- No third party, not even a government organization, shall disclose or
publish the information it thus gains.
- If the third party is situated outside India, then the transfer
may be allowed only if it is necessary for the performance of the lawful
contract between the body corporate or any person on its behalf and provider
of information or where such person has consented to data transfer.
On Employee:
Section 72A of the IT Act 2000 makes an employee liable for breaching data and
disclosing it, where this is likely to cause wrongful gain or wrongful loss,
without the consent of the person concerned.
Rule 6(3) of the IT Rules 2011 states that employees can also be held liable if
the sensitive information of the data provider is published. But the word
'consent' is not used in this rule, so it is not clear whether liability will
arise even if the sensitive information is published with consent.
Grievance Redressal Mechanism:
There are two ways to file a complaint in case of data theft. You can file a
complaint either with the:
- Adjudicating Officer, or
- Cyber Cell.
Adjudicating Officer
- Sections 46 to 64 of the IT Act 2000 deal with the Adjudicating Officer:
their appointment, powers, jurisdiction, etc. The secretary of the
department of information technology of each state is appointed as the
Adjudicating Officer for that state by default by the central government.
- The Adjudicating Officer can only handle cases in which the claim does not
exceed 5 crore rupees. Cases in which the claim exceeds the said amount will
be handled by the competent court.
- The Adjudicating Officer has two functions: first, to conduct or order an
investigation into a violation of the IT Act, and second, to decide the degree
of compensation to be granted to the petitioner in case of violation of the
Act.
- There is a particular procedure to follow to file a complaint with the
Adjudicating Officer. The proforma for filing a complaint can be found at this
link: https://www.chips.gov.in/sites/default/files/proforma.pdf
- Prepare an application of complaint and affix a demand draft of fifty
rupees court fee and a fee towards damages claimed by way of compensation
from the accused, payable by a bank draft along with it.
- Chart for the fee toward the damage claimed can be found here- https://www.chips.gov.in/sites/default/files/proforma.pdf
- Send an additional copy of the complaint with the legitimate photocopies
of the documents submitted to the adjudicating officer's office.
- The order passed by the Adjudicating Officer can be challenged in the
Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within forty-five
days of passing the order.
- If the order is passed with the consent of the parties, then they can't
challenge the order.
- The order passed by the Tribunal can be challenged in the High Court
within sixty days of passing such an order.[3]
Cyber Cell:
There are two modes of registering a complaint in cyber cell:
- Offline Mode:
- Register a written complaint at the nearest police station cyber cell.
It can be registered in any city or area where you are present at that time,
irrespective of the jurisdiction. Section 154 of the CrPC makes it mandatory to
register a complaint irrespective of the jurisdiction.
- Address the complaint to the head of cybercrime where you are filing the
complaint, and write your full contact details in the application.
- If it is not possible to file a complaint in the cyber cell you can
register an FIR in the nearest police station.
- If the police station refuses to write the FIR, you can give a written
complaint to the Commissioner or the Magistrate who has jurisdiction over that
police station.
- Section 80 of the IT Act 2000 gives the police officer the power to search
and arrest the suspect without a warrant.
- Many cybercrimes are made cognizable offenses under the IPC so the police
must register an FIR and send it back to the police station that has
jurisdiction in the case.[4]
- Online Mode:
Every state has its own cybercrime cell with its own online portal, where the
residents of the state can file their grievances irrespective of the place to
which the person who committed the crime belongs.
Apart from this, the Central Government has its own cybercrime cell online
portal where a person from any part of India can register a complaint. It comes
under the Ministry of Home Affairs. A person who wants to file a complaint can
visit the online portal, https://cybercrime.gov.in/Accept.aspx, and register
their complaint.
You can also file a complaint anonymously.[5]
Documents required to file a Complaint:
- A copy of the stolen data and brief,
- The copyright certificate of the allegedly stolen data,
- Details of the suspected employee/(s),
- The following documents are required about the suspected employee(s):
- Letter of Appointment,
- Non-disclosure Agreement,
- Assigned list of duty and gadgets,
- List of clients that the suspect handles,
- The proof of breach of your copyright data,
- Devices used by the accused during his/her term of service (only if
available) with the company.[6]
Penalties:
- Under Sections 405 and 408 of the IPC, which deal with criminal breach of
trust, the accused can be imprisoned for up to 3 years, fined, or both. If the
crime is committed by a servant, then the accused can be imprisoned for up to
seven years, fined, or both.
- Under Section 43 of the IT Act, which deals with penalty and compensation
for damage to a computer or computer system, the accused can be penalized up
to one crore rupees.
- Under Section 66 of the IT Act, which deals with computer-related offenses,
the accused can be imprisoned for up to 3 years, fined up to 5 lakh rupees, or
both.
- Under Section 2(o) and Section 63 of the Copyright Act, which deal with
infringement of copyright, a monetary fine will be imposed on the accused
which is commensurate with the magnitude of the offense. Further,
infringement of copyright is a criminal offense.
- Section 65 of the IT Act deals with tampering with computer source
documents, for which the accused can be imprisoned for up to 3 years, fined
2 lakh rupees, or both.
- Section 70 of the IT Act deals with the protection of data in a protected
system, for which the accused can be imprisoned for up to ten years, fined,
or both.
- Under Section 72 of the IT Act, which deals with breach of confidentiality
and privacy of data, the accused can be punished with imprisonment which may
extend to two years, with a fine which may extend to one lakh rupees, or both.
Conclusion
Despite being one of the largest countries in the world in terms of internet
users, India lacks the legal framework to secure the data of its citizens.
India's IT laws are a decade old and can't tackle the problems which the
current generation is facing.
IT laws are not properly implemented by either the executive or the
legislature. Adjudicating Officers, who were supposed to be appointed to
resolve conflicts, have not been appointed in many states.
The legislature has not even notified common guidelines or penalty formats for
the Adjudicating Officers to follow. This creates havoc because different
officers follow different procedures and pass judgment according to their own
sense.
Currently, we need a strong technical law which can provide a strong data
protection mechanism to the citizens of the country. Laws must be framed not
only to tackle present problems but to counter future issues too.
End-Notes:
1. V. Govindan vs E.M. Gopalakrishna Kone and Anr., (1954) AIR 1955 Mad 391
(India).
2. Macmillan And Anr. vs Suresh Chunder Deb, (1890) ILR 17 Cal 951.
3. The Information Technology Act, 2000, No. 21, Act of Parliament, 2000
(India).
4. Cyber Crime Unit, Delhi Police, http://www.cybercelldelhi.in/Report.html
5. Citizen Manual For National Cybercrime Reporting Portal, Indian
Cybercrime Coordination Centre (I4C), Ministry of Home
Affairs, https://cybercrime.gov.in/UploadMedia/MHA-CitizenManualReportCPRGRcomplaints-v10.pdf
6. Citizen Manual For National Cybercrime Reporting Portal, Indian
Cybercrime Coordination Centre (I4C), Ministry of Home
Affairs, https://cybercrime.gov.in/UploadMedia/MHA-CitizenManualReportOtherCyberCrime-v10.pdf