In today's world, data has become the property of every person.
Data[1] includes personal data (name, age, date of birth etc.) and sensitive
personal data[2] (passwords, financial information, health parameters etc.). In
this era of online surfing, shopping, trading etc., numerous companies collect
and process data for purposes such as analyzing and determining the cause of
problems and decision making. Companies handling such data need to be cautious
and prevent any breach. A breach can be caused by the negligent release of data
into the public domain or by not having proper measures in place to prevent
computer and/or data hacking.
Unauthorized third parties can use data for unlawful activities like
cyber-squatting, phishing and misusing personal information (identity theft).
Therefore, it is vital to protect data. Before we delve into the consequences
of a data breach, we shall look at a few points on how to protect data and the
obligations under law.
Secured IT Infrastructure:
This means using systems with a secured network connection and strong anti-virus
software. It is also extremely important that the systems and software are
regularly updated and periodically tested, and that an audit trail of all
changes is maintained.
Compliance with Laws/Rules & Regulations:
Data protection is governed by the Information Technology Act, 2000 and the
Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011. The law requires that,
before collecting and processing data, a company or person must take the consent
of the data owner and inform them of the purpose of collection. The law also
requires that a company provide a privacy policy to its customers.
It is the obligation of a company to provide terms and conditions and a privacy
policy in which it is expressly mentioned that the company shall collect, handle
and process data. Further, if the company transfers the data to any third party,
this should be expressly captured in the policy.
Companies should enter into a Non-Disclosure Agreement (NDA) where any personal
or sensitive personal information is disclosed. The company receiving the
information shall not disclose it unless it is under a statutory obligation to
do so. Further, after termination, the company receiving the information should
provide a certificate confirming destruction of the personal data and ensure
that the data is not in use.
Companies handling such personal and sensitive personal information should also
have an agreement with their employees. The agreement must expressly mention
that employees have to maintain privacy and confidentiality. Additionally, the
data must be safeguarded at the time of termination of the employment agreement.
Consequences of Data Breach:
The Information Technology Act, 2000 prescribes punishments for breach of data
and unauthorized use of data.[3]
Companies possessing, handling, dealing with and processing data have a
statutory duty to protect data from breach. Where the company is negligent in
doing so by not maintaining proper security measures and causing gain to any
person, such company shall be liable to pay compensation to the affected
individual/customer.
Section 72 of the Information Technology Act, 2000 prescribes a maximum
punishment of 2 years and a penalty of Rs. 1,00,000/- for breach of data or
unauthorized use of data by any third party.
It is unlawful for a service provider performing under a contract to disclose
any private and confidential information without the consent of the other party.
The punishment prescribed for such an act is imprisonment of 3 years or a fine
of Rs. 5,00,000, or both.[4]
The Act also applies to persons outside India operating through a computer
system or network in India.
Companies that protect their customers' data and have secured network
connections gain customer trust, increase finances and revenues, and build
brand value and a good reputation in the market.
End-Notes:
- [1] Section 2(1)(o) of Information Technology Act, 2000.
- [2] Rule 3 of Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- [3] Section 43A of Information Technology Act, 2000.
- [4] Section 72A of Information Technology Act, 2000.
Award Winning Article Is Written By: Ms. Jyotsna Jain
Authentication No: SP26210533397-18-920