Data Theft - Issues And Laws

Shaurya Gupta, Development Associate Consultant, SAP India, Author
Vaibhav Gupta, Advocate (Co-Author)
Email Id :

Date : 28/08/2020
Punjab & Haryana High Court, Chandigarh
📱 +91 9876929372

Data Theft - Issues And Laws


With the rapid growth of the Information Technology, serious threats and challenges are being posed by different jurisdictions. Such challenges are not confined to single legal category but are spread out under different heads of law, be it Criminal Law, Intellectual Property Law, Contract or even Torts. One such challenge, which would cover the above stated laws is `Data Theft'. Data theft is the term used when any information in the form of data is illegally copied or taken from anywhere be it from a business or other individual without his knowledge or consent. The biggest threat in case of `Data Theft' is that the said stolen data can be used in any form to cause economic and other forms of losses to the owner of the data or even can be used against the security of a particular country.

Due to the increasing importance of the data in the modern world, its usage and its security have become a major issue. The concern is so serious that a theft of data in one country can be manipulated in a different jurisdiction and the consequences of which can be felt in another jurisdiction altogether. The result of which would be that different jurisdictional laws would come into play in such a scenario and it would be difficult to grab the real thief and thus making it vulnerable to serious security multinational issues.


In India, the issues of Data Theft has not been specifically dealt by way of special legislation but are part and parcel of number of legislations clubbed together. Section 43 of the Information Technology Act, 2000 provides for protection against destruction and unauthorized access of the computer system by imposing heavy penalty up to one crore. The unauthorized downloading, extraction and copying of the data are also covered under this Section. The section further imposes penalty for unauthorized introduction of computer viruses of contaminants. Section 65 of the said Act further provides for computer source code. If any one knowingly or intentionally conceals, destroys, alters or causes another to do as such shall have to suffer imprisonment of up to 3 years or fine up to 2 lakh rupees. Section 66 further provides protection against hacking. As per this section, hacking is defined as any act with an intention to cause wrongful loss of damage to any person or with the knowledge that wrongful loss or damage will be caused to any person and information residing in a computer resource must be either destroyed, deleted, altered or its value and utility get diminished. This section imposes the penalty of imprisonment of up to three years or fine up to two lakh rupees or both on the hacker. Section 70 of the IT Act, 2000 also provides for protection to the data stored in the protected system. As per the said section, protected systems are those computers, computer system or computer network to which the appropriate government, by issuing gazette information in the official gazette, declared it as protected system. Any access or attempt to secure access of that system in contravention of the provision of this section will make the person accessed liable to punishment of imprisonment which may extend to ten year and shall also be liable to fine.

Even though, as enumerated above, there are provisions in the Indian law system qua the Data theft but still there being number of loop holes and non effective implementation of the same, data theft cases have hit India on multiple occasions. Recently, India's largest Bank, the State Bank of India (SBI), left one of its servers unprotected which exposed the data of its 422 million customers. The server, situated in Mumbai, contained partial bank account numbers, bank balances and phones of individual using the bank's SBI Quick Service. TechCrunch's investigation revealed that the back-end text message system was left unprotected allowing anyone to tract text message coming in and going out in real time. On a single day, SBI Quick sends out nearly three million text messages- and database archive has messages dating back to December, 2018. Another case that shook the entire nation was that when more than 1.3 million credit and debit card details from Indian Banks were spotted for sale in October. Group-IB, a Singapore based cybersecurity based company, found that the information was being sold for $100 apiece- which means the total database was valued at over #130 million. The information was not stolen off servers or payment accounts but obtained via skimming devices installed at ATMs or on PoS Systems. The card details varied with respect to their issuing banks. According to Group-IB, data dumps from India are rare, yet this set was one of the single largest and most valuable data uploads on the dark web.


The international initiatives are perhaps more developed and mature as regards the Data theft is concerned. The European Economic Area (EEA) which has 31 members and accounts for a significant proportion of the world's population and global trade has framed European Union Data Protection Directive in 1995. As per the said Directive, data protection is a fundamental right for European Union citizens. However, the extent of protection once any personal data leaves Europe has been a longstanding concern. The key provision i.e. Article 25 (1), which prohibits EU Member States from allowing the transfer of personal information to countries that do not have adequate protections in place. Further the Directive also sets out requirements for the transfer of data outside the European Union. The European Commission has been vested with the power to draft standard contractual clauses in order to provide guidance to companies and other data controllers in their interactions with customers in the European Union, and to facilitate adequate safeguards that would allow them to transfer data to other countries and processors located outside the European Union.

The Asia-Pacific Economic Cooperation (APEC) has also focused on the development of Cross Border Privacy Rules System (CBPRs). This system is an innovative self regulatory mechanism for allowing the transfer of data between APEC members where a company has voluntarily joined the scheme. The said system provides standard data privacy policies that businesses can use in order to comply with the APEC privacy framework. The system is meant to facilitate cross border data flows by providing a voluntary framework to ensure certainty and minimum privacy protections.

The African Union has also adopted African Union Convention of Cyber-security and Personal Data Protection in the year 2014. The said convention specifies the required content of data privacy laws and requires its member states to establish a data protection authority.

The Commonwealth countries has contributed to the development of data protection regimes through the influence of Commonwealth model laws on national legislation of member countries. The two relevant model laws are the Privacy Bill and the Protection of Personal Information Bill. Both address the key issues relating to the information privacy. It also provides technical assistance and capacity building assistance to its members, particularly less developed countries like Africa, Caribbean and the Pacific.

Although, the International Community is taking every possible step to curb the menace of data theft, yet the same is not prone to such crime. In May 2019 Australian graphic design tool website Canva suffered an attack that exposed email addresses, usernames, names, cities of residence, and salted and hashed with bcrypt passwords (for users not using social logins - around 61 million) of 137 million users. Canva says the hackers managed to view, but not steal, files with partial credit card and payment data. The suspected culprit(s) - known as Gnosticplayers - contacted ZDNet to boast about the incident, saying that Canva had detected their attack and closed their data breach server. The attacker also claimed to have gained OAuth login tokens for users who signed in via Google. The company confirmed the incident and subsequently notified users, prompted them to change passwords, and reset OAuth tokens. However, according to a later post by Canva, a list of approximately 4 million Canva accounts containing stolen user passwords was later decrypted and shared online, leading the company to invalidate unchanged passwords and notify users with unencrypted passwords in the list.

In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web market the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app Coffee Meets Bagel. Dubsmash acknowledged the breach and sale of information had occurred - and provided advice around password changing - but failed to say how the attackers got in or confirm how many users were affected.


As data theft risk becomes increasingly problematic, companies and organization need to take steps to protect their sensitive data. Some of the duties, which the Information Technology Industry must ensure are enumerated as under:-

• Secure sensitive customer, employee and patient data by keeping storage devices containing sensitive information in a locked, secure area and restricting its access.

• Proper disposal of sensitive data and removal of all data from computers and devices before disposing the same.

• Use password protection for all business computers and devices and require employees to have unique user names and strong passwords

• Encrypt sensitive data and use encryption on all laptops, devices and emails

• Protect against viruses and malware by installing appropriate antivirus and antispyware software

• Secure access to the network with firewalls, remote access through properly configured virtual private networks and wi-fi networks that are secure and encrypted

• Train employees to ensure they understand data protection practices and its importance.

© Chawla Publications (P) Ltd.