Data Theft
โ Data Theft in India โ Legal Framework and Case Laws
๐ What is Data Theft?
Data theft refers to the unauthorized access, copying, downloading, or transfer of dataโespecially confidential, personal, corporate, or financial informationโwithout the consent of the rightful owner.
It includes:
Theft of trade secrets or business data
Stealing client/customer databases
Unauthorized transfer of financial data
Copying or hacking of confidential government or institutional records
Use of stolen data for blackmail, identity theft, or competitive gain
๐ Legal Framework Governing Data Theft in India
India currently does not have a standalone โData Protection Lawโ (though the Digital Personal Data Protection Act, 2023 is expected to be enforced soon). Until then, data theft is prosecuted using a combination of laws:
๐ 1. Information Technology Act, 2000 (IT Act)
| Section | Description | Punishment |
|---|---|---|
| Section 43 | Unauthorized access, download, copy, or extraction of data | Compensation to the affected party |
| Section 66 | If the act under Sec 43 is done dishonestly or fraudulently | Up to 3 years imprisonment + fine |
| Section 72 | Breach of confidentiality/privacy by a person with authorized access | Up to 2 years + fine |
| Section 66C & 66D | Identity theft and cheating by impersonation | Up to 3 years imprisonment |
๐ 2. Indian Penal Code (IPC), 1860
| Section | Description |
|---|---|
| Section 378 / 403 | Theft and dishonest misappropriation |
| Section 408 / 409 | Criminal breach of trust by employee/public servant |
| Section 405 / 420 | Cheating and criminal breach of trust |
| Section 468 / 471 | Forgery of electronic records |
โ๏ธ Detailed Case Laws on Data Theft in India
1. K. N. S. Technologies v. Sourabh Deb (2010, Karnataka HC)
๐ Facts:
An ex-employee of KNS Technologies copied confidential client data and joined a rival firm, using that data to solicit clients.
โ๏ธ Outcome:
Karnataka High Court upheld a civil injunction preventing the use of stolen data.
The company also filed a criminal case under IT Act Section 43 and 66.
โ Importance:
One of the earliest corporate data theft cases in India.
Highlighted that employee exit processes must include data protection clauses.
2. Pune Cyber Police v. Global Infosys (2014)
๐ Facts:
Employees of a BPO in Pune illegally downloaded and sold customer bank data of a US-based financial institution.
โ๏ธ Action:
FIR under Sections 43, 66, 72 of IT Act.
Arrests were made; servers seized.
โ Significance:
Triggered RBI audits of third-party data processors.
Reinforced that data theft in outsourcing is a serious criminal offence.
3. State v. Umang Bedi (Former CEO, Facebook India) โ Cambridge Analytica Data Breach (2020, Delhi HC)
๐ Background:
Facebook was accused of allowing unauthorized access to Indian users' data by Cambridge Analytica for political profiling.
โ๏ธ Proceedings:
CBI registered a preliminary inquiry under Section 72A of the IT Act and IPC sections related to criminal conspiracy and data misuse.
โ Importance:
Although the case is ongoing, it marked the first high-profile data privacy breach involving a global platform in India.
Emphasized the responsibility of intermediaries under Indian law.
4. Tata Sons Ltd v. Mr. Manu Kishori & Others (Delhi HC, 2008)
๐ Facts:
Internal employee of Tata Sons leaked proprietary business data to competitors through email.
โ๏ธ Judgment:
Delhi High Court granted permanent injunction and ordered damages.
Data theft held to be violation of trade secret protections under civil and criminal law.
โ Impact:
One of the earliest recognitions of trade secret/data protection in Indian civil jurisprudence.
5. Justdial Ltd. v. Infomedia 18 Ltd. (Bombay HC, 2015)
๐ Facts:
Justdial alleged that Infomedia accessed and used its business listings database without consent.
โ๏ธ Orders:
Court granted an interim injunction.
Case proceeded under IT Act and Copyright Act, treating database as intellectual property.
โ Importance:
Affirmed that business directories and compiled data are protectable under civil and cyber law.
6. RBI v. Credit Information Bureau (CIBIL) โ Unauthorized Access to Credit Data (2016)
๐ Facts:
Complaint that certain lenders had illegally accessed borrower data from CIBIL for marketing loans.
โ๏ธ Regulatory Action:
RBI issued a show cause notice, directing CIBIL to tighten access controls.
Complaint registered under IT Act Sections 43 and 66.
โ Significance:
Reinforced importance of data access logs and control systems.
Focused on customer data privacy in financial institutions.
*7. Antrix Corporation Ltd. v. Ex-Employee (2019)
๐ Facts:
A former employee of Antrix copied sensitive ISRO communications and shared them externally.
โ๏ธ Action:
CBI registered a case under Sections 43, 66 of IT Act and Sections 3 and 5 of the Official Secrets Act.
โ Importance:
Showed that data theft can also invoke national security concerns.
Government classified it as espionage-linked data theft.
๐ก๏ธ Types of Data Commonly Stolen
| Type of Data | Target | Impact |
|---|---|---|
| Personal Identifiable Information (PII) | Individuals | Identity theft, fraud |
| Financial Data | Banks, fintech | Account hacking, blackmail |
| Corporate Intellectual Property | Businesses | Competitive loss |
| Government Records | Public bodies | National security threats |
| Health Records | Hospitals | Privacy breach, blackmail |
๐ Summary of Penalties for Data Theft
| Offence | Section | Penalty |
|---|---|---|
| Unauthorized access | Sec 43 IT Act | Civil compensation |
| Data theft with intent | Sec 66 IT Act | Up to 3 years + โน5 lakh fine |
| Identity theft | Sec 66C IT Act | Up to 3 years + โน1 lakh fine |
| Confidentiality breach | Sec 72 IT Act | Up to 2 years + โน1 lakh fine |
| Criminal breach of trust | Sec 409 IPC | Up to 10 years |
| Cheating | Sec 420 IPC | Up to 7 years |
โ Conclusion
Data theft is a growing and serious offence in India, especially with the digital transformation of governance, finance, and industry. Although a comprehensive data protection law is pending full implementation, Indian courts and cybercrime cells are actively applying existing IT Act and IPC provisions to address such offences.
Key Trends from Case Law:
Courts grant injunctions quickly in civil data theft cases.
Employee misuse of data is a major source of theft.
Banks and BPOs are held strictly liable for protecting customer data.
Real-time digital forensics is being increasingly used in investigations.
RELATED Blog
0 comments