Data theft and legal penalties

What is Data Theft

Data theft, in simple terms, is the unauthorized copying or removal of confidential information from a business house or enterprise. It takes various forms, such as identity theft, theft of customer records, and theft of a company's proprietary information or intellectual property. It can also be described as illegally copying or taking information from a company or from an individual.

Generally, data theft targets credit card numbers, passwords, social security numbers and other personal or corporate confidential information. Since this information is obtained illegally, the persons stealing it will be prosecuted as per law.

The damage caused by data theft is considerable, since technology enables the transmission of very large files via email and storage media such as USB drives and external hard disks. The illegal download of data from a network or computer onto USB flash drives is called thumb sucking. The same act using portable music players such as iPods is called pod slurping.

Data theft is a growing problem, perpetrated primarily by persons with access to technologies such as desktops, laptops and removable devices capable of storage, including digital cameras.

Illustration of data theft

A visits his friend B's house and finds that B's laptop is switched on. A browses the hard disk, finds some files of interest to him, and copies them onto a USB flash drive without B's permission. In this case, A's act constitutes the crime of data theft.

Data theft can take place anywhere if your data or data device is not protected or not secure.

Provisions under Information Technology Act 2008

In India, the crime of data theft is explained under Section 43(b) of the Information Technology Amended Act 2008 which states that if any person without the permission of the owner or any other person who is in charge of a computer or computer system or computer network – downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network or data held or stored in any removable storage medium.

Laws on Legal Data Protection in USA

In the US, data is classified into groups on the basis of utility and importance, and each class of data is given a corresponding degree of protection. Data breach notification statutes have been enacted and vary from state to state. They generally require businesses handling personal information about residents of a state to notify those residents if there is an unauthorized acquisition of such information. Data protection legislation in the US is often industry, process or state specific. The data protection laws for financial services are the most advanced, since the US has the largest economy in the world and its financial institutions hold millions of records of personal and sensitive data.

The laws are getting more stringent with the evolution of state breach legislation protecting PII (Personally Identifiable Information). Business houses must therefore comply with these laws, especially businesses engaging in interstate commerce, e-commerce or transactions.

Significance of Data Protection Laws in USA

The HIPAA (Health Information Portability and Accountability Act) guidelines protect health information such as medical records and other protected health information of individuals.

The Identity Theft Penalty Enhancement Act of 2004 was enacted to prevent identity theft and related issues, and sets out the penalties for identity theft and allied acts leading to serious cyber crimes.

The GLBA (Gramm Leach Bliley Act), also known as the Financial Services Modernization Act 1999, concerns the sale of private financial data or information. Financial institutions are required to make their privacy policy available to customers at the beginning of their relationship and every year thereafter. The privacy policy must specifically state the organization's position on revealing personal data or information to third parties and affiliates.

SOX (the Sarbanes Oxley Act) is relevant to data protection, since the CEO and CFO must attest to the quality control mechanisms used to protect sensitive data from unauthorized access.

The other laws are SB 1386, OPPA, FCRA and various State Breach Laws.

Section 43(b) of the Information Technology Amended Act 2008, read with Section 66, is applicable to data theft. The provisions of the Indian Penal Code 1860 under Sections 379, 405 and 420 are also applicable to the same crime.

The victim can file a criminal complaint at the police station where the above cyber crime was committed or where he comes to know about the said crime. Compensation of up to Rs. 5 crores can also be claimed before the adjudicating officer (generally the IT Secretary of the state), and above Rs. 5 crores before the civil court of competent jurisdiction.

Hacktivism Accounts for Considerable Data Theft in USA

The Verizon Data Breach Investigations Report 2012 found 855 data breaches totaling nearly 174 million stolen data records. The study by Verizon shows that hacktivism accounts for 58% of the total stolen data in 2011. The hacktivist steals data for political purposes. Verizon states that although these groups claim to have other motives, most members are professional cyber criminals deliberately trying to steal data or information they can turn into cash. The breaches were reported by corporate and government websites.

Data theft has become a mechanism for political protest. Hacktivism has been around for some time, but it is mainly the website defacements that are prominent. Strong transatlantic cooperation in the field of data protection enhances consumer trust and can promote the growth of the global Internet economy and the evolving digital transatlantic market.

UCLA Data Breach Case – A Legal Case study on Data Theft

The UCLA data breach case indicates that data theft does not always mean being hacked. In a recent announcement, UCLA stated that 16,000 patients were potential victims of identity theft after a doctor's home office was burglarized. This is an example of an employee taking a laptop or storage device home from the office, resulting in a serious data breach.

UCLA sent letters to all 16,000 patients warning of the possibility of identity theft. They had to hire a top identity theft protection firm in the hope of mitigating the loss. Data breaches cost big bucks in the US. The online theft of intellectual property takes on national security significance because of its impact on the competitiveness of major American companies.

Data Theft Punishment

If the crime of data theft is proved under the Information Technology Act, the accused shall be punished with a fine which may extend up to five lakh rupees, or imprisonment which may extend to three years, or both. If the offence of data theft falls under Section 379 along with Section 420 of the Indian Penal Code 1860, the offence is cognizable, compoundable and non-bailable, while if the offence falls under the Information Technology Amended Act 2008 (Section 77-B), it is cognizable and bailable.

SAI SUSHANTH,
FINAL YR MS IN CYBER LAW AND SECURITY,
NATIONAL LAW UNIVERSITY, JODHPUR
