Libertatem Magazine

Corporate Espionage and the Information Technology (Amendment) Act, 2008

Contents of this Page

Cyber attacks are not what make the cool war ‘cool.’ As a strategic matter, they do not differ fundamentally from older tools of espionage and sabotage.

-The Hindu.

Corporate espionage is a practice where there is an involvement of impregnation in a corporate system, which is done through spying or with the systems that endorse leaking or copying information, affecting the growth of the organization (victim). The concept of espionage is accompanied not by any straight jacket formula of spying, rather through various means such as trade secrets, data copying, blackmail, surveillance, plans, etc., which result in getting the confidential information of the organization. The thieves, who receive all the information, use intruding methods like recording conversations, acquiring computer data, trapping, etc.

Today’s era is entirely based on the concept of ‘survival of the fittest’, where it gets difficult to realize one’s own competition, notwithstanding whether it is within or outside the organization. Therefore, it becomes important to create a marginal line between “Corporate Espionage” and “Competition Intelligence”. While, on one hand “Competition Intelligence” is completely legal and ethical amounting to form business intelligence; “Corporate Espionage” on the other hand is completely opposite to it. It would be complete injustice if ‘internet’ is not given a due acknowledgment for this ‘highway of information’ for the bundles of data, information, mechanisms or anything related to this. Therefore, with these advancements, spying has also taken a leap further; it no longer needs a physical break into the offices or any working place to acquire any information. The irony is that it involves same mechanisms as are used in competitive intelligence. Public and private sector have witnessed common attacks done through cyber platform. Therefore, it gives an alarming situation to enforce restrictive laws coining to cyber offences.

In the Indian scenario, Information technology Act, 2000 has been enacted which aims to recognize mechanisms stipulating the transactions done by the interchange of electronic data and various ways adopted in an electronic communication. The Act provides with a set of guidelines to the new provisions with regard to privacy of information, protection the data, etc. The safeguards were much needed provisions as there was no specialized statute dealing with cyber crimes as is presently covered by Chapter IX of the IT Act, 2000. It lays down certain guidelines for the provisions pertaining to adjudication, compensation and penalties. Section 43 of the Act covers a huge range of cyber obligations with regard to repudiated accessibility to computer networks, communication, resources, etc. Section 43 also provides for damages of Rupees 1 crore on the defaulter, though, after the amendment the provision says that the defaulter shall be made liable for the damages by compensating the person so affected, when it comes to securing the personal data or any information related thereto, or handled by any company or body corporate through the resource of computers owned or operated by such corporations. Whereas, in the cases where body corporate is found negligent by not instrumenting the reasonable practice of security which may result in wrongful loss or wrongful gain, it shall be held liable to pay damages through the way of compensation to the affected person. The Act has not exclusively explained the term “Sensitive Personal Data”, covering the provisions under Section 43. Further Chapter XI of the Act lays down provisions related to offences and contraventions of Section 43 which have been covered under Section 66 and grant up to three years of imprisonment or fine up to five lacks or both. Furthermore, there have also been some additions to Section 66 of the Act by the inclusions of Sections 66(A) to 66 (F). 66(A) of the Act deals with Communication Service (The provision has now been declared unconstitutional by the virtue of the recent Supreme Court Judgment dated March 24th, 2015 in the case of Shreya Singhal v. Union of India, (2013) 12 SCC 73), 66(B) with Receiving the Computer Resource, 66(C) with Identity Theft, 66(D) with Cheating by the Use of Computer Resource, 66(E) with Privacy Violation and 66(F) deals with Cyber Terrorism.

The IT Act has further come up with punishment of life time imprisonment for Cyber Terrorism. States have been empowered under the Act with right to intercept or monitor any information generated through Computer Resources and issue directions related thereto.

The additions of Section 69(A) and Section 69(B) has also added to the State’s power, exercising which the State can block the websites which are publically accessible, if it is prejudicial to the Security and Integrity of the State. In continuation to this, Section 72 and Section 72(A) stipulate provisions with regard to penalty in the cases of Breach of Any Confidentiality and Privacy of any disclosure of information in a lawful contract.  Endorsing the same, Sections 84(B) and 84(C) of the Act have laid down punishments for the offences regarding abetment and suicide. With the above highlights of the IT (Amendment) Act 2008, Indian laws have taken a great leap towards reducing cyber crimes, theft related to identity or data resources etc. and hence Corporate Espionage.

In order to overcome the malpractices and challenges which the ascending technological advancements may pose, it becomes significant to have in place discrete laws pertaining to cyber security. There is a need to raise harmony in the laws with regard to data protection and cyber crime as it is the incongruity between the laws and regulations between the countries that makes it easier for the spies to breach the computer resources and networks along with other spying practices. Therefore, the only attribute that could hinder the growth of these illegal practices is the ethical code of conduct of business and measures taken by the corporation to ensure that it does not become victim.

With these, I would like to present four major suggestions which should be adopted by the corporations. First, re-evaluate the security principles and take suitable measures to protect themselves from being victimized through Corporate Espionage. Second, establish and identify the sensitive data and information (pricing, trade secrets, R&D process etc.). Third, it is important that the risk assessment should be done and the contingencies along with should be identified and addressed. Fourth, Adequate training should be given to the employees and staffs, workers etc. in order to safeguard the Sensitive and Confidential information.

The more an organization learns about malpractices, the better it gets equipped to address and protect itself.

About the Author