Work from home has become a need of the hour during the global pandemic to cure the draconian spread of incurable coronavirus. Businesses are facing major financial crisis and to top that they too are facing novel challenges of safeguarding confidential information, risk of infringement of trade secrets amid work from home.
The possibilities are further enhanced by the fact that at present, India does not have any dedicated data protection legislation. Though the Personal Data Protection Bill, 2019 was introduced in the Lok Sabha, it is yet to see the light of day.
Confidentiality and Data Privacy Risks in Work from Home Arrangements
- Professionals and workers working from home inevitably rely on their home networks which are often less secure, making them more vulnerable to hacking and leakage than that of an institutional setup with sophisticated Virtual Private Network (VPNs), firewalls and antivirus.
- Cloud-based service used by work from home professionals for data storage and access to client’s information increasing the risk of data leakage and accidental loss of data in one’s own personal computer cannot be overlooked.
- The use of insufficiently guarded personal gadgets and transmission of confidential information through the e-platforms i.e. emails has increased the possibilities of confidentiality breaches and data theft.
- Remote workers can also jeopardize companies trade secret exposure from the comfort and convenience of their own homes, via voice assistance systems, smart speakers and home surveillance systems such as Google Assistant, Amazon Alexa, Echo.
- Corporates are at high risk when remote worker takes a physical file or documents from office.
- Despite large number of organizations using VPN for business continuity for communicating through emails, video conferencing and other chat tools, cyber-attacks are being witnessed globally amid work from home.
All these situations could pose great risks to the workers, for which the company may be liable by reason of vicarious liability.
Remedies under Indian law
Following are various enactments under Indian law that protects and provide remedies for breach of confidentiality. These can be categorized into two:
- ‘Civil Remedies’ under the Specific Relief Act, 1963 read with the Code of Civil Procedure, 1908 (‘CPC’), and (ii) the Indian Contract Act, 1872 (‘ICA’);
- ‘Penal Remedies’ under (i) the Information Technology Act, 2000 (‘IT Act’) read with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and (ii) the Indian Penal Code (‘IPC’), 1860.
Let’s understand the abovementioned civil and penal remedies in more details. Civil Remedies can further be classified into prohibitory injunction and damages. Prohibitory injunction orders can be passed for preventing the dissemination of any confidential information against the receiver of information for breach of such information under Section 38 of the Specific Relief Act, 1963 or under the CPC. Such injunctive relief shall be in addition to any other remedies available. In relation to the other form of civil remedies, if a receiver of information has already breached the non-disclosure agreement, either before or after the prohibitory injunction of the court,damages can be sought in favour of provider of information under Section 73 or Section 74 of the ICA.
Further in terms of penal remedies Section 72A of the IT Act is relevant. It provides that where a person discloses personal information to any third party without the consent of such party, ‘with an intent to cause or knowing that it will cause wrongful loss or wrongful gain’, such a person, including intermediary shall be punished with imprisonment or fine or with both. Section 43A of the IT Act obliges a body corporate to pay damages by way of compensation wherein it has negligently implemented security practices or procedures to safeguard “sensitive personal data or information”. Section 72 of the IT Act provides if an officer unwarrantedly discloses any material like “any electronic record, book, register, correspondence, information, document” without the consent of the provider of information, he shall be liable to imprisonment or fine or with both. This provision is a remedy against a government official who breaches the confidential information received while enrolling for the Aarogya Setu app.In case of data theft under Section 43 of the IT Act, person may be mandated to pay damages by way of compensation. Further, Section 66 prescribes penal consequences in the nature of imprisonment or fine or both.
Apart from the penal provision under the IT Act as stated above, IPC provides for criminal misappropriation of confidential information[1]. Similarly, a person can also be prosecuted for the criminal breach of trust for sharing the confidential information with an unauthorized third person.[2]
Prevention Better than Cure
In light of the danger of confidential information and private data loss that may arise from work from home arrangements, stringent safety measures are advised to be implemented to mitigate losses which shall include:
(i) Development of a comprehensive data privacy and remote work from home policies, (ii) Contractual protection by making employees sign water tight clauses under confidentiality agreement or non-disclosure agreement and non-compete agreements; (iii) businesses should consider patent protection that are in transition into new areas of operation to address the Covid-19 pitfalls; (iv) Enhancing IT securities by updating technology with the use of a firewall, anti-virus software; (v) use of encrypted computers and devices; (vi) Ensuring confidential documents are password protected;(vii) prohibition on discussing confidential information in the presence of third parties, including family members, friends, or smart devices (i.e. Google Assistant, Alexa, etc.); (viii) trade secret preservation policy should be analyzed and revised to address Covid-19 specific threats.
Conclusion
Without proper safety measures against the risk of loss of confidential information, the issue can be ‘epidemic’ for the company. While businesses navigate through these unprecedented times, they must prioritize the preservation of confidential information. Further, during these times of novel challenges, business entrepreneurs should consider protecting emerging intellectual property, especially businesses that are venturing a transition into new areas of operation to address the Covid-19 emergency.
Considering that Indian law on this issue, as it stands today is not clear, remedies are scattered and pending enactment of the Personal Data Protection Bill, 2019, it becomes utmost important for the companies to work with legal counsel to craft remote working policies, water tight non-disclosure agreements including legal advice to ensure robust security systems that minimizes the risk of infringement of confidential information.
– Tanushree Pande & Tanvi Pande
tanushree@aplawchambers.in
[1] Section 403 of IPC
[2] Section 405 & 408 of IPC
