Question

Do any types of security actions regarding employee theft infringe on an employee's right to privacy?

Answer 1

MEANING OF RIGHT TO PRIVACY

Employee privacy rights are the rules that limit how extensively an employer can search an employee’s possessions or person; monitor their actions, speech, or correspondence; and know about their personal lives, especially but not exclusively in the workplace. The nature and extent of these protections have become a greater concern in recent years, especially with the rise of the internet and social media. Many of these means of communication may seem private, but in truth, there is hardly any real privacy to be had with them. Employers can usually search through anything that appears on company computers, and they can conduct searches of social media and the internet, as well.

Employment law covers all the obligations and rights concerning the employer-employee relationship, regardless if one is a current employee, former employee, or job applicant. This type of law involves legal issues including wrongfully termination discrimination, workplace safety taxation, and wages. Many of these issues are governed by applicable federal and state law. Where the employment relationship is based on a valid contract made between the employer and employee, state contract law alone may dictate the rights and duties of the parties involved. The rights of public employees, on the other hand, may differ from the rights of private employees.

PREVENTION IS ALWAYS BETTER THAN CURE”

Some of the preventive measures than an organization can take, not with standing the size of an organization, are as follows:

Data Protection Policy for Employees:

A detailed and well drafted data protection policy is very important for any organization. Especially the corporate bodies who ‘possess, deal or handle’ any ‘sensitive personal data’, as leak of such personal data gives a cause of action in favour of the concerned person which could land the organization into a legal battle. Such policy should clearly define the types of data like ‘personal data’, ‘confidential data’, ‘trade secrets’, etc. It should also identify all data that an employee is permitted to access, and that data created by the employee in the scope of their employment is property of the company.

Non-disclosure and confidentially clauses in the Employment contract:

It is very important that the non-disclosure and confidentiality clauses in an employment contract are clearly defined and drafted in such a manner which could be enforced in a court of law and not hit by Section 27 of the Indian Contract Act as void. Such clear clauses binds an employee not to disclose data and other confidential information of the companies to third parties outside the course of business.

Use of Better technology:

Companies should encrypt or protect all computers, devices, and systems so as to prevent the employees from installing any software or hardware. Proper firewalls should be enabled so as to prevent outsiders from entering into the company network. Companies should not allow employees to create CDs/DVDs or copy data to USB drives unless there is a business need. Use of good anti-virus software and anti-spyware.

Exit formalities:

Upon termination of an employee, secure all electronic devices the employee had access to like computers, phones, etc. Get the devices verified by the IT team of the company for any leak of data or illegal activity and immediately change passwords, access, authorization and/or delete usernames.

CORRECTIVE MEASURES

Once theft occurs, the employer can take following legal actions against the culprit employees:

Civil suit for breach of contract:

A civil suit may be filed against the culprit employees for violating the data protection policy and breaching the terms of the employment contract like non-disclosure, confidentiality.

Information Technology Act, 2000:

In India, Cyber laws are majorly governed by the IT Act and Rules framed there under. Provisions of IT Act such as Section 43 (Penalty and compensation for damage to computer, computer system, etc); Section 65 (Tampering with computer source documents); Section 66 (Computer related offences); Section 72 (Penalty for breach of confidentiality and privacy); Section 76 (Confiscation) can be taken recourse to depending upon the nature of theft.

Indian Penal Code:

Section 405 and 408 – Criminal Breach of Trust: As the employees are entrusted with the data/ information by the employer during the course of their employment and if an employee dishonestly misappropriates or converts to his own use or dishonestly uses or disposes of that that data/ information, he/she may be charged under this section.;

Section 378 – Theft: Although this section deals with the theft of movable properties and the law at present is not clear whether ‘data/ information’ in its virtual form can be termed as movable property or not, but if the data/ information is stored in a hard disk, pendrive, computer, CD/ DVD, floppy, etc so such things act like a medium and medium is a movable property and if that medium is stolen, the person can be made liable for such act under this section.

Copyright infringement under the provisions of the Copyright Act.

In addition to the above, if the stolen data is shared with other parties (such as competitors), the victim can bring an action of criminal conspiracy, collusion, and furtherance of common intention, which makes such other parties an accomplice in the commission of the stealing of data.

CONCLUSION:

Considering the value, quantum and at the same time vulnerability of the data, it is imperative for any organization/ corporate body to take abovementioned preventive measures. Since Indian Law on this issue as it stands today is not clear and remedies are scattered, the best strategies to prevent or minimize loss includes: (1) Development of a comprehensive set of policies and procedure,

(2) Deployment and verification of IT security controls and if necessary,

(3) seek legal redress.