Prosecution Of Smuggling Of Rare Earth Minerals
1. Introduction: Data Breaches in Private Companies
A data breach occurs when sensitive, protected, or confidential information is accessed, disclosed, or stolen by unauthorized individuals. In private companies, this typically involves:
Customer personal data (emails, phone numbers, addresses)
Financial data (credit card, bank account information)
Intellectual property
Employee data
Why it is a criminal matter:
Unauthorized access violates privacy laws.
Mishandling or negligent storage can constitute criminal negligence.
Intentional misuse can lead to fraud, theft, or corporate espionage charges.
2. Legal Framework in India
Laws addressing data breaches:
Information Technology Act, 2000 (IT Act)
Section 43: Penalty for damage to computer systems or unauthorized access.
Section 66: Hacking with intent to cause damage or theft of data.
Section 72: Breach of confidentiality or privacy.
Indian Penal Code (IPC), 1860
Section 406: Criminal breach of trust (for misuse of data).
Section 420: Cheating (if data is used for fraud).
Sections 463–471: Forgery and falsification of digital records.
Consumer Protection Act, 2019
Compensation claims for loss due to data leaks.
International Frameworks
GDPR (EU) – breaches must be reported and can attract fines.
US HIPAA (for health data), CCPA (California Consumer Privacy Act)
3. Elements of Criminal Liability
To prosecute a private company or its executives for a data breach, the following must be established:
Unauthorized Access – Someone accessed confidential data without permission.
Intent or Negligence – Either deliberate misuse or negligent handling of data.
Causation of Harm – Financial loss, reputational damage, or privacy infringement occurred.
Violation of Law – IT Act, IPC, or other applicable statutes.
Evidence used in prosecution:
Server logs and digital forensic reports
Emails and internal communications
Expert testimony on IT security failures
Customer or employee complaints
4. Case Laws on Data Breaches in Private Companies
Here are five landmark cases with detailed explanations:
Case 1: Sony PlayStation Network Hack (2011, USA)
Facts: Hackers accessed Sony’s network, stealing personal information of over 77 million users.
Key Issue: Failure of security and unauthorized access to private data.
Prosecution:
Class-action lawsuits by users.
Investigation under US federal computer fraud statutes (18 U.S.C. § 1030).
Findings: Sony’s security measures were inadequate, contributing to the breach.
Outcome: Sony paid a $15 million settlement to affected users and invested in enhanced security.
Significance: Demonstrates that companies can be legally liable for failing to protect user data.
Case 2: Yahoo Data Breach (2013–2014, USA)
Facts: Yahoo experienced breaches compromising 3 billion user accounts.
Key Issue: Negligence in safeguarding private data and delayed disclosure.
Prosecution:
Class-action lawsuits; SEC investigation for misleading investors about the breach.
Findings: Yahoo knew about the breaches but did not disclose promptly.
Outcome: $117.5 million settlement; CEO resigned; significant corporate reputational damage.
Significance: Reinforces corporate duty to disclose breaches under securities law.
Case 3: Capital One Data Breach (2019, USA)
Facts: Hacker stole data of 106 million customers including Social Security numbers.
Key Issue: Unauthorized access to financial data due to misconfigured cloud servers.
Prosecution:
Hacker charged under federal computer fraud and identity theft laws.
Capital One faced lawsuits for negligence.
Findings: A misconfigured cloud firewall allowed the breach.
Outcome: Capital One paid an $80 million fine to regulators and strengthened its cybersecurity.
Significance: Private companies are liable for misconfigured security infrastructure leading to breaches.
Case 4: Facebook–Cambridge Analytica Scandal (2018, UK & USA)
Facts: Cambridge Analytica accessed 87 million Facebook profiles without consent for political advertising.
Key Issue: Misuse of private data collected by the company.
Prosecution:
Federal Trade Commission (FTC) investigation in the US.
UK Information Commissioner imposed a £500,000 fine for GDPR violations.
Findings: Facebook failed to enforce consent protocols.
Outcome: Facebook agreed to a $5 billion settlement with the FTC and strengthened its data policies.
Significance: Shows corporate liability for third-party misuse of user data.
Case 5: Indian Medical Data Leak – Practo Case (2019, India)
Facts: Personal and health data of 3.5 million users allegedly leaked online from Practo.
Key Issue: Breach of confidential health information by a private company.
Prosecution:
IT Act Sections 43, 66, 72 invoked.
Findings: Vulnerabilities in data storage exposed sensitive information.
Outcome: Investigation launched by CERT-In and police; company updated security protocols.
Significance: Demonstrates Indian private companies can face criminal liability for data breaches, even without evidence of hacking by outsiders.
Case 6: Airtel User Data Breach (2017, India)
Facts: Personal data of millions of mobile subscribers allegedly exposed due to server vulnerabilities.
Key Issue: Negligence in securing customer data.
Prosecution:
IT Act Sections 43 & 72; potential Section 66 for unauthorized access.
Findings: Audit revealed improper access control mechanisms.
Outcome: Telecom regulator issued notice; company compensated affected users.
Significance: Highlights corporate duty to implement robust data security frameworks.
5. Key Takeaways from Cases
Companies Are Criminally Liable for Negligence – Failure to protect sensitive data can attract IT Act and IPC provisions.
Intentional Misuse Is Heavily Punished – Hackers and insiders face criminal charges; companies face civil and regulatory penalties.
Global Precedent Matters – US, UK, and Indian cases show similar principles on corporate accountability.
Data Breaches Can Lead to Huge Financial Liability – Settlements often run into millions of dollars.
Regulatory Scrutiny Is Increasing – Laws like the GDPR and the IT Act demand proactive protection and breach disclosure.
