FINAL SUBMISSION- INFORMATION TECHNOLOGY

By
Achlesh Chandra Mishra
Class- BA LLB, Group A
PRN- 14010223001

Symbiosis Law School, NOIDA

Symbiosis International University, PUNE

In March, 2018

Under the guidance of

Prof. Twinkle Maheshwary

Associate Professor
Symbiosis Law School, NOIDA
Symbiosis International University, Pune
 CERTIFICATE
The Project entitled “DATA THEFT UNDER IT LAW WITH CASE ANALYSIS”
submitted to the Symbiosis Law School, NOIDA for competition law as part of internal
assessment is based on my original work carried out under the guidance of Prof. Twinkle
Maheshwary from December to April. The research work has not been submitted elsewhere
for award of any degree. The material borrowed from other sources and incorporated in the
thesis has been duly acknowledged. I understand that I myself could be held responsible and
accountable for plagiarism, if any, detected later on.

Signature of the candidate

Date: 01.03.2018
 ACKNOWLEDGEMENT

I would like to thank my father and my professor for the constant support while doing the
project. The project has taught me the various cybercrimes that are much prevailing in
INFORMATION TECHNOLOGY LAW. Further I have also done case analysis State Vs
Prabhakar sampath (Hyderabad ) on thus further enhancing my knowledge. I hope to do
more interesting research projects like this in the future.
INTRODUCTION
Cyber Crime is not defined in Information Technology Act 2000 or in the I.T. Amendment
Act 2008 or in any other legislation in India. In fact, it cannot be too. Offence or crime has
been dealt with elaborately listing various acts and the punishments for each, under the Indian
Penal Code, 1860 and quite a few other legislations too. Hence, to define cybercrime, we can
say, it is just a combination of crime and computer. To put it in simple terms ‘any offence or
crime in which a computer is used is a cybercrime’. Interestingly even a petty offence like
stealing or pick-pocket can be brought within the broader purview of cybercrime if the basic
data or aid to such an offence is a computer or information stored in a computer used (or
misused) by the fraudster. The I.T. Act defines a computer, computer network, data,
information and all other necessary ingredients that form part of a cybercrime, about which
we will now be discussing in detail.

In a cyber crime, computer or the data itself the target or the object of offence or a tool in
committing some other offence, providing the necessary inputs for that offence. All such acts
of crime will come under the broader definition of cyber crime. Chapter IX dealing with
Penalties, Compensation and Adjudication is a major significant step in the direction of
combating data theft, claiming compensation, introduction of security practices etc discussed
in Section 43, and which deserve detailed description.

Section 43 deals with penalties and compensation for damage to computer, computer system
etc. This section is the first major and significant legislative step in India to combat the issue
of data theft. The IT industry has for long been clamouring for a legislation in India to
address the crime of data theft, just like physical theft or larceny of goods and commodities.
This Section addresses the civil offence of theft of data. If any person without permission of
the owner or any other person who is in charge of a computer, accesses or downloads, copies
or extracts any data or introduces any computer contaminant like virus or damages or disrupts
any computer or denies access to a computer to an authorised user or tampers etc…he shall
be liable to pay damages to the person so affected. Earlier in the ITA -2000 the maximum
damages under this head was Rs.1 crore, which (the ceiling) was since removed in the ITAA
2008.

The essence of this Section is civil liability. Criminality in the offence of data theft is being
separately dealt with later under Sections 65 and 66. Writing a virus program or spreading a
virus mail, a bot, a Trojan or any other malware in a computer network or causing a Denial of
Service Attack in a server will all come under this Section and attract civil liability by way of
compensation. Under this Section, words like Computer Virus, Compute Contaminant,
Computer database and Source Code are all described and defined. Questions like the
employees’ liability in an organisation which is sued against for data theft or such offences
and the amount of responsibility of the employer or the owner and the concept of due
diligence were all debated in the first few years of ITA -2000 in court litigations like the
bazee.com case and other cases. Subsequently need was felt for defining the corporate
liability for data protection and information security at the corporate level was given a serious
look.1

The new Section 43-A dealing with compensation for failure to protect data was introduced
in the ITAA -2008. This is another watershed in the area of data protection especially at the
corporate level. As per this Section, where a body corporate is negligent in implementing
reasonable security practices and thereby causes wrongful loss or gain to any person, such
body corporate shall be liable to pay damages by way of compensation to the person so
affected. The Section further explains the phrase ‘body corporate’ and quite significantly the
phrases ‘reasonable security practices and procedures’ and ‘sensitive personal data or
information’.

The corporate responsibility for data protection is greatly emphasized by inserting Section
43A whereby corporates are under an obligation to ensure adoption of reasonable security
practices.

LITERATURE REVIEW ANALYSIS

1. Aishwarya Joshi (2015)2
In this Paper the author tried to emphasise on to what extent are the Indian laws
pertaining to identity theft sufficient to cater to the present requirement and she also
tried to analyse the present condition of law implementation mechanism of the laws is
in synchrony with the legislations. Although, in her project she discussed and
concluded that the data protection laws in India are not very strong at present but the
proposed Personal Data Protection Bill is a positive step towards implementing
stricter data protection laws. The recommendations made by her that can be
implemented in India to make the laws regarding identity theft more effective.
 Making amendment to the present laws for imposing stricter punishment for
aggravated forms of identity theft.
 Different training academy must be established in India which can help the
local police department to investigate the cybercrime.
 Various countries should co-operate using multilateral treaties in order to have
basic uniformity in terms of sharing cybercrime information.
 In order to prevent or minimize threat of identity theft, the biological aspect of
identity verification (biometric) like fingerprint, voiceprint, iris scan and hand
geometry, etc. should be used where ever there is an online financial
transactions or email account login.
 Lastly, the government needs to create awareness amongst consumers with
respect to ways of protecting personal information and safe internet practices.
1
THE EVOLUTIONAL VIEW OF THE TYPES OF IDENTITY TH EFTS AND ONLINE FRAUDS IN THE ERA OF THE
INTERNET, Internet Journal of Criminology © (2011), a
2
Aishwarya Joshi; IDENTITY THEFT- A CRITICAL AND COMPARATIVE ANALYSIS OF VARIOUS LAWS IN INDIA;
(JCIL) Vol. 2 Issue 6 (2015)
 2. M/s TaxMann (2009)3
The author dealt with Information Technology Act 2000 and the I.T. Amendment Act
2008 in detail and other legislations dealing with electronic offences. He believes a
crime-free society is Utopian and exists only in dreamland; it should be constant
endeavour of rules to keep the crimes lowest. Technology is always a double-edged
sword and can be used for both the purposes – good or bad. There should be the
persistent efforts of rulers and law makers to ensure that technology grows in a
healthy manner and is used for legal and ethical business growth and not for
committing crimes. It should be the duty of the three stake holders viz
 the rulers, regulators, law makers and investigators ii)
 Internet or Network Service Providers or banks and other intermediaries and
 The users to take care of information security playing their respective role
within the permitted parameters and ensuring compliance with the law of the
land.
3. Aastha Bhardwaj, Ms Priyanka Gupta(2015)4
The aim of this paper is to find out the limitations of the IT Act and to provide
provisions for further amendments on the basis of International cyber laws.
Information Technology sector has witnessed exponential growth. Technology has
become part and parcel of our daily life and has multiplier effect in every sector of
industry .The major pitfall of this phenomenal growth has given rise to cybercrimes at
an alarming rate. Since Cyber Criminals were found to be a step ahead of technology,
regular amendments became need of the hour. The paper also discuss the legislations
so far introduced and proposed the improvements that can be in corporated on issues
like spamming, phishing, integrity of transactions and pornography in further
amendments of IT Act.
4. Anil Kumar Gupta, Manoj Kumar Gupta(2012)5
In this paper the authors have tried to review the Cyber Laws and its perspectives
from the Indian IT Act 2000 also tried to specifies about the various modes of Cyber
Crimes and discussing about impacts of these cybercrimes, in the end section of this
paper they have discussed about the remedies that has been provided under the Indian
IT Act 2000. As new-new technology come every day, the offences has also increased
therefore the IT Act 2000 need to be amended in order to include those offences
which are now not included in the Act. In India cybercrime is of not of high rate
therefore we have time in order to tighten the cyber laws and include the offences
which are now not included in the IT Act 2000.

3
M/s TaxMann; Cyber Laws in India;Book- “IT” Security of IIBF Published; chapter 7 (2009)
4
Aastha Bhardwaj, Ms Priyanka Gupta; IT ACT 2000: Scope, Impacts and Amendments; International Journal of
Electrical Electronics & Computer Science Engineering Special Issue - TeLMISR , ISSN : 2348-2273(2015).
5
Anil Kumar Gupta, Manoj Kumar Gupta, “EGovernance Initiative in Cyber Law Making”, International Archive
of Applied Sciences and Technology Volume 3 [2] June 2012: 97 – 101.
 5. J. Vanathi, S. Jayaprasanna(2014)6
-This paper puts forward the collective knowledge of Cybercrimes prevalent in
Digital world to create awareness in our younger generation, this paper focuses on the
various crimes that take place in Cyberspace and the Laws pertaining to it. The
cybercrimes rate in India and also the prevention measures to be implemented are
discussed so that the young generation will protect themselves from being a victim of
cybercrime. The inevitable uses of Internet in day to day life have increased the
Cybercrimes. .The Current and upcoming generation have become addicts to social
networking sites and are prone to be victims of cybercrimes. Our Indian Universities
and Schools should introduce a subject on Cyber Crime awareness to our students to
educate them .The parents and teachers should instil moral values in our children to
be away from evil deeds . The awareness about cybercrimes should mainly be focused
on rural children as they have less exposure than urban children. This would be an eye
opener to the students to protect themselves from being a victim of cybercrimes.
6. Aryan Chandrapal Singh, Kiran P. Somase and Keshav G. Tambre(2013)7
This articles deal on the various types of the cybercrimes whereas I have only gone
through the Data theft. In the field of computer security, Data theft is the criminally
fraudulent process of attempting to acquire sensitive information such as usernames,
passwords and credit card details, by masquerading as a trustworthy entity in an
electronic attempting to acquire sensitive information such as usernames, passwords
and credit card details, by masquerading as a trustworthy entity in an electronic
communication. Also Phishing is a fraudulent e-mail that attempts to get you to
divulge personal data that can then be used for illegitimate purposes. No single
technology will completely stop Data theft. However, a combination of good
organization and practice, proper application of current technologies, and
improvements in security technology has the potential to drastically reduce the
prevalence of data theft and the losses suffered from it. Data theft attacks can be
detected rapidly through a combination of customer reportage, bounce monitoring,
image use monitoring, honeypots and other techniques.
7. Hindu editor(2018)8
This reports discussed the loophole in the government programme which by the
government is tried to make aadhar a permanent identity card for availing all
government incentive. A bulk data relating to the aadhar (identification) can be
hacked. The suggestion that the entire Aadhaar project has been compromised is
therefore richly embroidered. In this digital age, a growing pool of personal
information that can be easily shared has become available to government and private

6
J. Vanathi, S. Jayaprasanna, “A Study on Cyber Crimes in Digital World”, International Journal on Recent and
Innovation Trends in Computing and Communication; International Journal on Recent and Innovation Trends in
Computing and Communication ISSN: 2321-8169 Volume: 2 Issue: 9(2014)
7
Aryan Chandrapal Singh, Kiran P. Somase and Keshav G. Tambre, “Data Theft: A Computer Security Threat”,
International Journal of Advance Research in Computer Science and Management Studies, Volume 1, Issue 7,
December 2013.

8
Hindu editor; Data theft: on UIDAI exposé JANUARY 09, 2018 00:02 IST (available at
http://www.thehindu.com/opinion/editorial/data-theft/article22399180.ece
 entities. India does not have a legal definition of what constitutes personal
information and lacks a robust and comprehensive data protection law. We need to
have both quickly in place if the Supreme Court’s judgment according privacy the
status of a fundamental right is to have any meaning.

CASE ANALYSIS
Nature of case
In the following case, The Crime of data theft under Section 43(a) is dealt as If any person
without permission of the owner or any other person who is incharge of a computer,
computer system of computer network, downloads, copies or extracts any data, computer data
base or information from such computer, computer system or computer network.

Plaintiff
Arcot K. Balraj, Chief Manager, Administrative affairs of M/s. SIS Infotech Private Limited
situated in Lakshmi Cyber Centre, Road No.12, Banjara Hills, Hyderabad lodged Ex.P1
complaint on 23-12-2008 in Cyber Crimes P.S. CID, Hyderabad stating that the complainant
company by name M/s. SIS Infotech Pvt. Ltd.

Fact
M/s. SIS Infotech Pvt. Ltd., is one of the largest market research firms head quartered in USA
with substantial operations at Hyderabad having 300 employees in the office has been
carrying in the business of research station and support to its parent company in the USA viz.,
M/s. Global Industry Analysts Inc. In the process of their day to day operations, the company
did research for its various clients of GIA and in the process, the company created substantial
huge data and content which is hosted on its Adobe Content Server of M/s. Global Industry
Analysts Inc., (GIA) and can be accessed only by registered users who have access with
permissions. It is alleged that the content, i.e. Research reports was hacked by somebody
successfully by hacking their server www.strategyR.com and downloaded several e-Reports
through some free public sites. PW.1 furnished possible information of the hacker having
worked out from their server as Prabhakar.sampath@gmail.com and IP address is
61.95.152.145 and requested the police to take necessary action.

Issues
The charge against accused is that, he hacked their content server and downloaded following
six e-Reports viz., 1. Anticoagulants.pdf, 2. Bulk_Paclitaxel.pdf, 3. CNS_therapeutics.pdf, 4.
Human_Vaccines.pdf,5..Microplate_Instrumentation_Supplies.pdf,6.Therapeutic_Apheresis.
pdf and it came to the knowledge of PW.2 who is working as Chief Manager-IT and
compliance for M/s. SIS Infotech Pvt. Ltd., and who is incharge and responsible person to
manage the servers and the content security websites including www.strategyR.com

Judgement
In the result, the accused is found guilty for the offence u/Sec.66 of Information Technology
Act 2000 and accordingly he is convicted u/Sec.248(2) Cr.P.C. and sentenced to suffer R.I.
for a period of two years and shall pay a fine of Rs.10,000/- in default of payment of fine the
accused shall undergo S.I. for a period of six months. Remand period undergone by the
accused if any, shall be set off u/Sec.428 Cr.P.C. MO.1 and MO.2 shall be destroyed after
appeal time is over. The investigation conducted in this case has to be appreciated for placing
entire material before the court to arrive at a just and conclusion, hence, false implication of
the accused that carried the illegal activity at a far off distance i.e. from Chennai with whom
the complainant had no any disputes, cannot be believed. Accused is also not an ex-employee
of complainant’s company; hence, they have no necessity to implicate the accused.

The convictions are increasing in Indian Courts recently in Hyderabad a case called as
State Vs. Prabhakar sampath was decided, The accused was sentenced to suffer Rigorous
Imprisonment for a period of two years and to pay a fine of Rs. 10,000/- .
CONCLUSION
In a country where you can create multiple accounts on social networking which is not barred
by the law means that there need more strict law and many of us not even bothered about this.
The society is at dilemma of taking the initiative. He/she can live a life of multiple identities
through e-mail ids and passwords, which do not require physical verification of the details of
the actual person. Although such conduct is illegal under Section 464 of the IPC (making a
false electronic document) and punishable under Section 465 of the same code.

Considering the data theft it would be very hard to identify small data theft whereas the Data
Theft which is identified by cyber cell is big theft. But as there are talks going on for
implementing the proposed Personal Data Protection Bill is a positive step towards
implementing stricter data protection laws. It is based on the European Union Data Privacy
Directive of 1996 and applies to both the government as well as the private companies9.

9
Data Protection Act in India with Compared to the European Union Countries, 11 International Journal of
Electrical & Computer Sciences