Data is a gold mine in today's world with the advancement of the civilization
crimes also advances now theft is done by the educated peoples. Data is the key
to one's life if someone stole your data they don't only know about your
personal life, your financial status, your views politically or socially but
they can also manipulate it.
Online banking frauds, and Phishing is a few examples of how this data theft can
affect your finances. From stealing your credit card details to stealing your
biometric and cloning your sim card data thieves can nil your account in a
fraction of seconds. India is the hub of this kind of financial fraud.
By stealing your data, they don't only know what you are thinking they can
manipulate your thinking too. In the case of Facebook, Analytica world has
become aware of how your data can be used against you and change not only the
social but the political course of the country.
So, the common people must be aware of data theft what harm it can do and the
rights and remedies available to them in case their data is stolen which law in
India covers the crime of data theft and how can their grievances be solved.
I hope this article helps to solve all your queries.
What is Data Theft?
In simple terms, Data Theft means illegal copying, removal, or stealing
confidential or valuable information from a corporate or a business, or an
individual without their knowledge or consent.
In this theft, an individual has a threat to get their password, personal
information, banking, or financial information getting stolen. Corporates and
businesses have the threat of getting their sensitive information like client
data, software source code, corporate trade secrets, confidential information
The legal definition of Data Theft is given in IT Act 2000 in section 43
sub-clause (b) which defines it as If any person without the permission of the
owner or any other person who is in charge of a computer, the computer system of
computer network, downloads, copies, or extracts any data, computer database, or
information from such as computer, computer system or computer network. It is
the term used when any information in the form of data is illegally copied or
taken from a business or another individual without his knowledge or consent.
Laws govern the Data Theft in India:
Data Theft in India is mainly governed by the IT Act 2000. Section 43 of the act
talks about the definition and types of Data Theft and sections 65, 70, and 72
of the acts talk about penalties imposed in case of Data Theft.
Certain sections of IPC can also be invoked in the case of Data Breach Sections
like 403 which deals with the imposition of the criminal penalty for dishonest
misappropriation or conversion of movable property for one's use. Section 378
which deals with the theft of immovable property now data is abstract but if it
is stored in some hardware drive like floppy, pen drive, etc and it gets stolen
then section 378 can be invoked.
Section 63B of the Indian Copyright Act provides that any person who knowingly
makes use of a computer or an infringing copy of a computer program shall be
punishable. In cases such as Govindan v. Gopalakrishna
 and McMillan v. Suresh Chunder Deb and others
, the courts have stated that:
a compilation created by
devoting capital, time, skill, and energy, even if being taken from a common
source, is a literary work and is thus subject to copyright protection.
courts supported their decisions by stating that:
Even a minor level of
creativity in a compilation was protected and that no individual had the right
to seize the rewards of another's hard work for their own.
Credit Information Companies Regulation Act, 2005 (CICRA) also deals with data
theft. In this act norms are made that how can an entity can collect and
maintain a data of an individual and if there is any leak or alteration of this
data then the entities will be held liable.
What kind of Data fall within the ambit of the IT Act?
There are two types of data according to the IT Act Personal Information and
Sensitive Personal Data.
Personal Information means any information which directly, indirectly, or in
combination with other information is capable of identifying any person.
Section 43A of the IT Act deals with sensitive personal data but it does not
specifically define it but says that it means any personal information which is
prescribed as sensitive by the government is sensitive to personal information.
The Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data and Information) Rules 2011 define 'sensitive personal
data as personal information relating to:
- financial information such as bank account or credit card details;
- physical, physiological, and mental health;
- sexual orientation;
- medical records and history; and
- biometric information.
- Section 43A of the IT Act says that when any corporate dealing,
handling, or processing any personal or sensitive data in a computer system
that is owned, controlled, or operated by them and they are negligent in
providing reasonable security and measures because of which it causes a
wrongful gain or wrongful loss to some the person then such corporate is
liable to compensate the affected person.
- As it is mentioned in the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules
2011 Rule (8). If any person or corporation which follows the IS/ISO/IEC 27001 code
or any code for data protection which is verified by the Central Government is
said to comply with the reasonable security and procedure for data protection.
Section 72A of the IT Act provides that any person including an intermediatory
(definition is in section (2)(W) of IT Act 2000) if providing a service under
any legal contract in:
- which they had an access to the personal information of another person
and they use this information for wrongful gain or wrongful loss without the
consent of that the person or in breach of legal contract then they are
liable to get punished for this act.
- Rule 4 of IT Rules 2011 says that a corporate or any person on behalf of
corporate collects, receives, possesses, stores, deals or handles
the persons from whom they are collecting information.
- The information thus taken should be visible to the information
corporate or any the person on its behalf and should mention the following
- Clear and easily accessible statements of its practices and policies.
- type of personal or sensitive personal data or information collected
under rule 3 of the Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules 2011.
- purpose of collection and usage of such information.
- disclosure of information including sensitive personal data or
information as provided in rule 6 of the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or
Information) Rules 2011.
- reasonable security practices and procedures as provided under rule 8 of
the Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules 2011.
- Rule 5 of the IT Rule 2011 says that before collecting any information
Corporate or the person representing a corporate should take written consent
from the information provider.
- Corporate or any person on his behalf should not collect the information
unless it is for a lawful purpose and collecting the information is
necessary for that purpose.
- Corporate or anyone person on their behalf collecting the information
directly from the information provider shall make sure that the information
provider is aware of the following:
- the fact that the information is being collected.
- the purpose for which the information is being collected.
- the intended recipients of the information.
- the name and address of:
- the agency that is collecting the information.
- the agency that will retain the information.
- Information providers should be able to review the information they have
provided any time they want.
- Information provided should be used only for the purpose it was provided
for and should be removed after the purpose is over.
- Provider of the Information should have the option of not providing the
information in the first place and they also have the freedom to withdraw
the consent at any point of time after providing the consent to the
corporate or any person representing the corporate.
- Corporate should appoint a Grievance Officer and publish his name and
contact details on its website.
- The Grievance Officer shall redress the grievances or provider
information expeditiously but within one month ' from the date of receipt of
- Prior permission of the information provider is needed if corporate want
to share the information given by the information provider with a third
party. Only if the third party has the data protection code as required by
the IT Rules 2011.
- And in the case of a third party is the government-authorized
organization under the law to obtain sensitive data no prior permission of
the information the provider is needed.
- No, the third party shall disclose or publish the information they thus
gain not even the government organization.
- If the third party is situated outside India, then the transfer
may be allowed only if it is necessary for the performance of the lawful
contract between the body corporate or any person on its behalf and provider
of information or where such person has consented to data transfer.
Section 72A of the IT Act 2000 made the employee liable for the breach of data
and disclose it which is likely to cause wrongful gain or wrongful loss without
the consent of the person concerned.
Rule 6(3) of the IT Rules 2011 states that employees can also be held liable if
the sensitive information of the data provider is published. But in this rule
word, 'Consent' is not used so it is not clear that liability will be there even
if the sensitive information is published with consent.
Grievance Redressal Mechanism:
There are two ways to file a complaint in case of data theft. You can file a
complaint either with the:
- Adjudicating officer. or
- Cyber Cell.
There are two modes of registering a complaint in cyber cell:
- Section 46 to Section 64 of the IT Act 2000 talks about the Adjudicating
Officer their appointment, power, jurisdiction, etc. The secretary of the
department of information technology of each state is appointed as the
Adjudicating Officer for that state by default by the central government.
- The adjudicating officer can only handle the cases in which the claim
does not exceed 5 crore rupees. Cases in which the claim exceeded the said
amount will handle by the competent court.
- Adjudicating Officer has two functions first to conduct an investigation
or order an investigation into the violation of an IT Act and second is to
decide the degree of compensation to be granted to the petitioner in case of
violation of the act.
- There is a particular mode to follow to file a complaint with the
Adjudicating Officer. Performa of filing a complaint can be found on this
- Prepare an application of complaint and affix a demand draft of fifty
rupees court fee and a fee towards damages claimed by way of compensation
from the accused, payable by a bank draft along with it.
- Chart for the fee toward the damage claimed can be found here- https://www.chips.gov.in/sites/default/files/proforma.pdf
- Send an additional copy of the complaint with the legitimate photocopies
of the documents submitted to the adjudicating officer's office.
- The the order passed by the Adjudicating Officer can be challenged in
the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within forty-five
days of passing the order.
- If the order is passed by the consent of the parties, then they can't
challenge the order.
- The the order passed by the Tribunal can be challenged in the High Court
within sixty days of passing such an order.
- Offline Mode:
- Register a written complaint in the nearest police station cyber cell.
It can be registered in any city or any area you are present at that time
irrespective of the jurisdiction. Section 154 of CrPC makes it mandatory to
register a complaint irrespective of the jurisdiction.
- Address the complaint to the head of cybercrime where you are filing a
complaint. And write your full contact details in the application
- If it is not possible to file a complaint in the cyber cell you can
register an FIR in the nearest police station.
- If in Police Station they refused to write the FIR you can give a
written complaint to the Commissioner or the Magistrate who has jurisdiction
on that police station.
- Section 80 of the IT Act 2000, gives the power to the police officer to
search and arrest the suspect without a warrant.
- Many cybercrimes are made cognizable offenses under the IPC so the police
must register an FIR and send it back to the police station that has
jurisdiction in the case.
- Online Mode:
Every state has its cybercrime cell with its online portal where the residence
of the state can file their grievances irrespective of which place the person
committed the crime to belong.
Apart from this Central Government has its cybercrime cell online portal where a
person from any part of India can register a complaint. It comes under the
Ministry of Home Affairs. A person who wants to file a complaint can visit the
online portal- https://cybercrime.gov.in/Accept.aspx
and can register their complaint.
You can also file a complaint anonymously.
Documents required to file a Complaint:
- A copy of the stolen data and brief,
- The copyright certificate of the allegedly stolen data,
- Details of the suspected employee/(s),
- The following documents are required about the suspected employee(s):
- Letter of Appointment,
- Non-disclosure Agreement,
- Assigned list of duty and gadgets,
- List of clients that the suspect handles,
- The proof of breach of your copyright data,
- Devices used by the accused during his/her term of service (only if
available) with the company.
- In Sections 405 and 408 of IPC which attract criminal breach of trust
accused can be imprisoned for up to 3years or can be fined or both. If the crime
is committed by the servant, then the accused can be imprisoned for up to seven
years or fined, or both.
- In Section 43 of the IT Act attracts the Penalty and compensation for
damage to the computer, the computer system accused can be penalized for up
to one crore rupees.
- In Section 66 of the IT Act which attracts the computer-related offense
accused can be imprisoned for up to 3years or can be fined up to 5lakh
rupees or both.
- In Section 2(o) and Section 63 of the Copyright Act which attracts
Infringement of Copyright, a monetary fine will be imposed on the accused
which is commensurate with the magnitude of the offense. Further,
infringement of copyright is a criminal offense.
- Section 65 of the IT Act attracts the tampering of computer source
documents in which the accused can be imprisoned for up to 3years or can be
fined 2 lakh rupees or both.
- Section 70 of the IT Act attracts the protection of data in a protected
system in which the accused can be imprisoned for up to ten years or fined
- In Section 72 of the IT Act which attracts the breach of confidentiality
and privacy of the data accused can be punished with imprisonment which may
extend to two years or with a fine which may extend to one lakh rupees or both.
Despite being one of the largest countries in the world in a term of internet
users India lacks the legal framework to secure the data of its citizen. India's
IT Laws are decade-old they can't tackle the problems which the current
generation is facing.
IT laws are not properly implemented neither by the executive nor the
legislature. Adjudicating officers which were supposed to be appointed to
resolve the conflicts their appointment is not done in many states.
There are not even common guidelines or penalty formats is notified by the
legislature which should be followed by the Adjudicating Officers. This creates
havoc because different officers follow different procedures and pass judgment
according to their senses.
Currently, we need a strong Technical Law which can provide a strong data
protection mechanism to the citizen of the country. Laws must be the frame to
not only tackle the present problem but to counter the future issues too.
- V. Govindan vs E.M. Gopalakrishna Kone and Anr., (1954) AIR 1955 Mad
- Macmillan And Anr. vs Suresh Chunder Deb, (1890) (1890) ILR 17 Cal 951
- The Information Technology Act, 2000, No. 21, Act of Parliament, 2000
- Cyber Crime Unit, Delhi Police, http://www.cybercelldelhi.in/Report.html
- Citizen Manual For National Cybercrime Reporting Portal, Indian
Cybercrime Coordination Centre (I4C), Ministry of Home
- Citizen Manual For National Cybercrime Reporting Portal, Indian
Cybercrime Coordination Centre (I4C), Ministry of Home