Data Breaches And Criminal Liability

What is a Data Breach?

A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals.

This may include personal data, financial information, health records, or trade secrets.

With increased digitalization, data breaches have become a significant threat affecting individuals, organizations, and national security.

Legal Framework in India

The Information Technology Act, 2000 (IT Act), particularly Section 43 and Section 66, addresses unauthorized access, data theft, and hacking.

Section 72A deals with disclosure of personal information in breach of a lawful contract.

Indian Penal Code (IPC) provisions like Section 379 (theft), Section 403 (criminal breach of trust), and Section 420 (cheating) may also apply.

The Personal Data Protection Bill, 2019 (pending legislation) aims to regulate data privacy and breaches more comprehensively.

Courts are increasingly recognizing the seriousness of data breaches and awarding compensation and penalties.

Criminal Liability in Data Breaches

Criminal liability arises when a data breach involves:

Unauthorized access or hacking (Section 66 IT Act).

Data theft or copying without permission (Section 43 IT Act).

Disclosure of confidential information in violation of contract or law (Section 72A IT Act).

Identity theft, fraud, or cheating using stolen data.

Penalties include imprisonment, fines, or both.

Companies or individuals may face prosecution, investigation, and civil liability.

Authorities such as the Cyber Crime Cells and CERT-IN handle investigations.

Important Case Laws on Data Breaches and Criminal Liability

1. Shreya Singhal v. Union of India (2015) 5 SCC 1

Facts: Challenge to Section 66A of the IT Act which dealt with offensive online content.

Holding:

Although Section 66A was struck down, the Supreme Court recognized the importance of balancing free speech and protection against cyber offences.

Highlighted the need for proper safeguards and clarity in IT offences.

Laid down principles applicable to cybercrime and data offences.

Significance: Affirmed judicial vigilance in cyber laws including data breach offences.

2. R. K. Anand v. Registrar, Delhi High Court (2009) 8 SCC 106

Facts: Case dealing with unauthorized disclosure of personal information.

Holding:

The Supreme Court recognized the right to privacy under the right to life (Article 21).

Data breach involving personal information can attract legal consequences.

Unauthorized disclosure is a violation of fundamental rights.

Significance: Foundation for privacy protection against data breaches.

3. Sabu Mathew George v. Union of India (2021) W.P. (C) No. 10329/2021

Facts: Involved unauthorized access and leakage of personal data.

Holding:

The High Court directed an investigation into the cyber breach and penal action.

Emphasized the need for strict enforcement of IT Act and data protection.

Highlighted the role of police cyber cells.

4. People’s Union for Civil Liberties (PUCL) v. Union of India (1997) 1 SCC 301

Facts: Case involving illegal telephone tapping and interception.

Holding:

Court held that interception or breach of private communication without authority is illegal.

Such breaches attract criminal liability.

Set the tone for cyber and data privacy jurisprudence.

5. K.S. Puttaswamy v. Union of India (2017) 10 SCC 1

Facts: Landmark privacy judgment.

Holding:

Recognized the Right to Privacy as a fundamental right.

Data breaches violating privacy rights can have serious legal consequences, including criminal liability.

Emphasized the need for a robust data protection regime.

6. Anvar P.V. v. P.K. Basheer (2014) 10 SCC 473

Facts: Evidence involving electronic records and data integrity.

Holding:

Supreme Court underscored the importance of authenticity and reliability of electronic evidence in cybercrime cases.

Courts must ensure data breach evidence is credible for prosecution.

7. Indian Bank Officers' Association v. Union of India (1998) 8 SCC 889

Facts: Unauthorized disclosure of bank customer data.

Holding:

Court ruled such disclosures violate banking secrecy and data protection norms.

Held liable under IPC and IT Act.

Summary Table of Case Laws

| Case | Court | Key Holding |
| --- | --- | --- |
| Shreya Singhal v. Union of India (2015) | Supreme Court | Cyber offences require clear safeguards and balance with rights |
| R.K. Anand v. Delhi HC (2009) | Supreme Court | Right to privacy includes protection against data breach |
| Sabu Mathew George v. Union of India (2021) | High Court | Enforcement of IT Act and police action against data breach |
| PUCL v. Union of India (1997) | Supreme Court | Illegal interception of communication attracts criminal liability |
| K.S. Puttaswamy v. Union of India (2017) | Supreme Court | Right to privacy fundamental; data breaches have serious consequences |
| Anvar P.V. v. P.K. Basheer (2014) | Supreme Court | Authenticity of electronic evidence critical in cybercrime cases |
| Indian Bank Officers' Association (1998) | Supreme Court | Unauthorized disclosure of data violates legal provisions |

Practical Aspects

Investigation: Cyber Crime Cells investigate data breaches and collect digital evidence.

Reporting: Victims should promptly report data breaches to police and CERT-IN.

Penalties: Offenders can be punished with imprisonment (up to 3 years or more), fines, or both.

Civil liability: Victims can claim damages for breach of privacy or data theft.

Preventive measures: Organizations are encouraged to implement data security policies and comply with IT Act provisions.

Conclusion

Data breaches attract criminal liability under the IT Act and the IPC.

Courts emphasize the right to privacy and impose strict sanctions for unauthorized data access or disclosure.

Effective enforcement requires coordination between police, cyber cells, and courts.

The evolving legal landscape reflects the increasing significance of data protection and cybersecurity.

Robust investigation, proper evidence handling, and awareness of legal provisions are critical in addressing data breaches.
