Complaints from an employer against an employee for data theft is a common occurrence in the corporate world particularly when the employee has exited the company and also started a competing business.
In the current business environment where the corporate work is carried on with the use of e-mails and from home computers, it is natural that in most cases, employees will have corporate data in their personal custody and in personal computers.
Most companies will also have employee contracts which typically has an NDA clause in which the employee is supposed to return corporate data in his hands in the event of his leaving the company etc. However, some of the provisions of the employee NDA contract are impractical and is ignored in practice.
Hence disputes do arise in every resignation of an employee and quite often when a critical employee leaves the organization, the organization may also be unreasonable in pursuing criminal cases against the employee using the business practice to which both were parties during the employment including sharing of the corporate data in the personal domain of the employee.
In resolving such cases, the Courts need to appreciate corporate practices, the “Data Protection/Information Security policies” of the Company, the intention of the parties etc besides the provisions under law such as ITA2000/8.
One such interesting case was recently decided at TDSAT in the case of Dr Rishi Dixit & Ors Vs PreventiNe Life Care Pvt Ltd. PreventiNe Life Care is a genetics laboratory based in Mumbai (India), offering genetic screening and predictive testing services in association with various Hospitals. It obviously handles “Sensitive Personal Data” which is the subject of data protection obligations under ITA 2000/8 and the upcoming PDPA and industry standards such as HIPAA etc. Dr Dixit is a medical professional employed in the organization and delivering his professional services as head of diagnostic services. He appears to have resigned in 2012 along with some of his research colleagues and later set up a rival company.
The Company had alleged that the accused had stolen software and also corporate data in the form of confidential algorithm, formulas, process, client/customer list, project, research paper,diagnostic procedure and other important information, which were the properties of the Company, through emails sent from the company network to the personal e-mails. Using the said information the accused are alleged to have started a rival company Navigene Genetic Science Pvt Ltd and adopted a similar business model.
The Adjudicator had therefore granted a compensation of Rs 30 lakhs to be paid by the accused to the Complainant (PreventiNe Life Care) which was challenged in an appeal to TDSAT and was disposed off recently on 31st May 2019.
This case has implications for study under ITA 2000/8, Data Protection regulations, and also Copyright laws. There are similar cases that may be under litigation in many courts including the civil and criminal courts outside the Adjudication/TDSAT system and the judgement could have its indirect influence in such cases.
Some observations on the judgement are recorded here for academic discussion.
- The rival company was opened while the accused were still in the service of the earlier company and therefore violated one of the clauses of the employment contract. This was however a matter for the civil courts to adjudicate as regards the compensation and was rightly noted as not falling under Section 46 of ITA 2000/8.
- The Adjudicator also noted that he is not considering the IPR issues involved in the dispute. However the possibility of some of the information being “Copied” from e-mails sent by the Company to the accused has been taken note of and hence Copyright violations have been recognized.
- The defense that the information was sent by the company to the personal e-mails of the employees and thereby the company relinquished its right on the confidentiality of the information has been rejected.
- The use of such information for purposes other than for which they were shared by the Company has been held as a contravention of Section 43 of ITA 2000. Accordingly contravention of Section 43(b), 43(i) and 43(j) along with Section 66 of ITA 2000/8 was taken into account by the Adjudicating Officer.
- TDSAT has made a specific comment that the complainant is free to pursue the matters of employment contract and copyright which have not been taken into account in this adjudication in a separate action and proceeded to look at the appeal in the context of the application of ITA 2000/8 both for the misuse of data in the form of software on which the company had rights as well as the business data.
- TDSAT has after comparing the reports generated by the systems used by the two parties come to the conclusions that there are significant differences between the two which may not indicate that the software was stolen. (This is relevant for the copyright issue also).
- It was recognized that if the software was stolen and modified, the person responsible was a person who was not a party to the dispute and hence some of the charges regarding conspiracy to steal, modify and misuse the software cannot be validated.
- As a result of the observations recorded by TDSAT, the charge that the appellants had stolen, copied or misused the proprietary software developed by the respondent for generating the diagnostic reports is held not sustainable against the appellants. This substantially eliminates the “Copy Right” aspect and any remedies under the copyright law might have been seriously dented by the observations.
- As regards the other allegation, some data has been provided as proof from the hard disk of the computer system used by the accused. It is not clear if the electronic evidence produced in this respect was appropriately certified under Section 65B. The defense appears to have failed to challenge the evidence and therefore the evidence might have been admitted by deemed mutual consent. Considering that the final outcome of the case was very much dependent on this evidence, the omission could be considered catastrophic. (Ed: This observation of Naavi is not to dispute whether the accused deserved to be punished but to flag a common mistake that many litigants do which enables the accused to escape liability on technical grounds)
- It has been held by TDSAT that one of the accused who was also the promoter of the rival company cannot be held liable under Section 43 since there is no evidence against him of the data being stolen from the victim company and has only used his domain knowledge to interpret whatever data was made available to him by the other co-accused.
- Since one of the two allegations (Software theft) failed and one of the accused was also held not liable, the damage of Rs 30 lakhs granted by the Adjudicator was reduced to rs 15 lakhs.
It is also noted that the judgement appears to have been written by honourable Sri A.K. Bhargava, member of the TDSAT since it involved significant technical issues besides the legality of the applicability of Section 43(b), 43(i) and 43(j) of ITA 2000/8 to the dispute.
The advantage of a two member TDSAT with a technical member has been highlighted in this case. Cyber Appellate Tribunal when first formed was a single Judicial member body and though subsequently a technical member was appointed, no hearing could be held by the two member body until it was merged with TDSAT.
Naavi has also for a long time advocated that the Adjudication body under ITA2000 should be fortified by adding the Law Secretary of the State to the panel. Hopefully, this suggestion will be considered by the Government and I request the IT Minister to consider this amendment to ITA 2008 when the next opportunity arises.
It must be noted that this case was a complicated Techno Legal Issue involving ITA 2000/8 as well as Copyright issues and TDSAT has shown dexterity and finesse in arriving at the final judgement. The judgement makes a good case study for academicians.