Data Protection and Theft

DATA PROTECTION AND THEFT

Forms of Data in Law Firms

The (Indian) Information Technology Act, 2000 (hereinafter referred to as the Act) deals with the issues relating to payment of compensation (Civil) and punishment (Criminal) in case of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data. Data is defined under Section 2(o) of the information Technology Act, 2000 as: “data means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer; “ Law firms have an immense pool of critical and private data and its usage in any other manner, other than the instruction of the client raises an ethical and legal question. In order to obtain legal advice a client often confide with the law firm with embarrassing details, classified information, future plans. Therefore it is of utmost importance that such data be protected. Additionally, it is to be noted that the obligations of law firms to protect confidential data begins only after the creation of a relationship of an attorney and client.[1] Furthermore, The Indian Evidence Act, 1872 under sections 126 to 129 deals with the privileged communication that is attached to professional communication between a legal adviser and the client. It prohibits attorneys from disclosing any communications exchanged with the client and stating the contents or conditions of documents in possession of the legal advisor in course of and for the latter's employment with the client. The responsibility which is carried by the attorney while discussing with the client, is also to be maintained within a law firm which engages the services of various attorneys.

Effect and obstacles to data theft

The electronic nature of data leaves a gaping hole for exploitation and therefore theft largely goes unnoticed until the revelation by the perpetrators of such theft. Further the effect of data theft in a law firm shall result in concealing such a fact from the client and the public in general to avoid any embarrassment, reputational damage and reduced client confidence for inability to take any action to curtail such theft. Section 72A of the Act provides that disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract has been also made punishable with imprisonment for a term extending to three years and fine extending to INR 5,00,000 (Approx. US$ 10750). Further Section 72 of the Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the Act, Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to INR 100,000, or with both.

Method of data protection

Many of the vulnerabilities that exist in protection of data from theft exists due to the inadequacies present in the computer system administrators. Further, even if such loopholes are adequately covered by the programmers and administrators, the trust, freedom to work, enjoyed by the employees and advocates working with a law firm enable them to exploit such a position to their own advantage. Further by virtue of Section 43A of the Act, any body corporate including a firm may be held responsible for leak of sensitive information or data in case it is negligent in implementing and maintaining a reasonable security standards and procedure. Further in case any wrongful loss is caused in consequence of such leak, the firm shall be responsible to pay compensation as well as damages to such a person affected. In order to curb such misuse of data usage various firms employ various tactics. Titus & Co., a law firm based out of New Delhi, does not allow temporary employees, or interns to carry any mobile devices into their office premises. Reasonable security practices and procedures is defined under Explanation (ii) of Section 43A of the Act as security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment as may be specified in an agreement between the parties or as may be specified in any law for the time. Moreover the Government of India in conference of the powers granted under Section 87 read with Section 43A of the Act, framed the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as the Rules). Rule 3 of the Rules defines sensitive personal data or information as any information involving the financial information, passwords, physical, psychological condition, sexual orientation, biometric information or any clause of a contract. Further, Rule 4 and 5 of the Rules prescribes that sensitive data and information held by a body corporate or any person on its behalf, then a privacy policy for handling of or dealing in personal information including sensitive personal data or information shall be prepared by the body corporate and it shall ensure that the same is available for view by such providers of information who has provided such information under lawful contract. Additionally, Rule 4 of the Rules states that disclosure of any personal data or information requires the prior permission of the provider of the information. It is pertinent to note that the Ministry of Communication and Information Technology, vide Press note dated 24.11.2011 has clarified that the Rules were applicable on law firms.[2] Moreover, the Bar Council of India, the statutory authority which regulates and represents the Indian bar mandates that an advocate shall not breach the obligations imposed upon him/her under Section 126 of the Indian Evidence Act. [3]

Conclusion

Undoubtedly, the concept of data theft and protection is at a nascent stage in India. Whoever there are reasons for jubilation with the Data Privacy Protection Bill, 2013 pending in the parliament. Further the framers of the Rules have attempted to adopt ideas from jurisdictions which have long standing and mature data protection regulations. These Rules are only therefore a first step. Moreover, stringent implementation of the law and healthy development of the data privacy and protection jurisprudence in the long run is what one needs to watch out for.

---

[1] Kalikumar Pal v. RajkumarPal 1931 (58) Cal 1379, Para 5 [2] Ministry of Communication and Information technology, Press Note No. 11-7/2010-S-I(Pt. 1) [3] Bar Council of India Rules, Part VI, Chapter II, Section II, Rule 17.

Cite this page