In our increasingly digitized business landscape, data reigns supreme. It has become a valuable commodity that pertains to every aspect of a business, from a client’s personal details to business strategies for the next quarter. However, with great value comes even greater vulnerability. The illegal activity of data theft of such proprietary information has multiplied. The vast amounts of data generated every minute are a prize sought after by both hackers and, at times, employees of a company. This unauthorized acquisition and use of data is a widespread and complex problem with serious impacts for organizations. This article explores the issue of data theft by employees, its far-reaching effects, and potential solutions for organizations.

What Is Data Theft, and How Is It Perpetrated?

Data theft, also known as a data breach or data intrusion, involves obtaining, copying, or retrieving confidential or sensitive information from an individual or an organization without their knowledge or consent. This could encompass actions such as stealing or hacking employee passwords, acquiring client details, or obtaining other proprietary information from an organization. Employees employ various techniques to access corporate data. Common methods include taking screenshots, making recordings, and syncing data to personal devices or accounts. For instance, an employee might use screen recording tools to capture internal presentations and subsequently share this data with competitors.

Consider the incident of EduEdge Pro. They are a Bombay-based EdTech institute, whose former senior executive allegedly stole the company’s confidential data, including client details, training material, videos, case studies, and invoices. The executive and her husband then formed their own skills development company and defrauded EduEdge Pro, causing them significant losses.

Another serious example is of Anthony Levandowski, an engineer who worked with Google’s self-driving car division. With the stolen information, he started his organization and ultimately sold it to Uber. After a long-drawn court battle, he was sentenced to 18 months in prison (he was pardoned by ex-president of U.S.A, Donald Trump on the last day of him holding the President’s office) for stealing proprietary information from the Google project.

However, employee defection is not an uncommon incident. Research indicates that there is a 69% increased likelihood of employees extracting data just prior to their resignation. The investigation further revealed that 45% of the stolen data pertained to sensitive data of clients, trailed by source code (14%) and regulated personal data (8%).

What Can You Do About It?

Companies have the legal right to press charges against such employees under a bouquet of laws. Here are some potential avenues:

• Civil Suit for Breach of Contract: A civil suit may be filed against the employee for violating the terms of the employment contract under clauses such as non-disclosure, confidentiality, or any other contract-specific clause.

• Information Technology Act, 2000: Petitions under the following sections of the IT Act may be filed by the employer:

  • Section 43 (Penalty and compensation for damage to computer, computer system, etc);
  • Section 65 (Tampering with computer source documents);
  • Section 66 (Computer related offenses);
  • Section 72 (Penalty for breach of confidentiality and privacy);
  • Section 76 (Confiscation) or any other section as applicable.

• Indian Penal Code: An employer can also choose the route of Section 405 – Criminal Breach of Trust. Employees are entrusted with proprietary information (data) during their employment. If an employee dishonestly uses such information or misappropriates it for his gain, they may be charged under this section and others as applicable.

• Infringement of Intellectual Property: Unauthorized utilization of a firm’s protected content, such as source code, educational resources, videos, or client names, as mentioned in the preceding examples, constitutes not only a violation of the legally enforceable employment contract but also an infringement of intellectual property rights. Legal action can be taken against such instances of misuse, deception, and misappropriation of a company’s esteemed intellectual property, name, goodwill, and reputation, as deemed appropriate.

Your Organisation Has a Liability Too

In data theft situations, the responsibility doesn't rest solely on the errant employee. The legal environment around data protection is multi-dimensional and intricate, expanding the accountability to the employer too. The recently instituted Digital Personal Data Protection (DPDP) Act imposes substantial responsibility on data fiduciaries (organizations). Organizations carry the main responsibility for protecting information from theft, breaches, and unauthorized access. They are obligated to put in place rigorous procedures, encryption strategies, and access controls to protect the data they accumulate and process.

Prevention Is The Best Cure

While legal protection is always available for the aggrieved, it is often a lengthy process until the desired benefits are granted to the party. Therefore, adhering to the strategy of ‘Prevention is the best cure’ is a safer approach. Moreover, the DPDP Act under Section 8(5) mandates organizations to implement reasonable safeguards to prevent data breaches, regardless of their form. Regular training to sensitize employees about reasonable information security practices can be one effective measure in an organization’s compliance arsenal. This approach can serve as a positive aspect for employers, should there be an investigation initiated following a data theft.