Email Communication: A Threat To The Corporate Confidential Database
NEERAJ AARORA, AICWA, LLB, PGD (Cyber Law), ACFE (USA)
The internet has now become an essential business communication resource in the corporate world. Email has revolutionized how the corporate world communicates: more than 50% of all business communication now occurs electronically, and email as a corporate communication tool has replaced memos, faxes and couriers. The increasing dependency on email, which is now undoubtedly the most vibrant mode of communication in the corporate world, is also making it the weakest security link in the network, the channel through which the confidential information/data of the organization can be transferred out. Research has shown that a majority of data leaks happen from within, either by accident or for mala fide or illegal purposes, by valid users who have access to the data within the corporate network. A company’s greatest asset, its employees, can also be its greatest security liability, transferring secret data/information via email to the detriment of the organization with impunity. Most efforts of an organization’s IT department focus on addressing external threats like spam, viruses, Trojan horses, spyware etc., and pay little attention to the threat from within. While this “outside in” method of dealing with email security can check cyber security breaches from outside, what about the inside threat, that is, disgruntled employees who send confidential information/data via email? After all, any secret electronic document or other piece of information transmitted via email represents a potentially costly leak of confidential business assets. What makes email so vulnerable is not difficult to gauge: email makes it extremely easy to distribute a company’s most important assets, including:
- Intellectual property
- Trade secrets
- Confidential information/data
- Client information/vendor information
The biggest risk/loss to an organization occurs when this confidential data/information, trade secrets etc. are lost and fall into the hands of competitors, with devastating repercussions which can:
- Undermine competitive advantage, resulting in heavy business loss.
- Breach confidentiality with customers, clients, partners and associates
- Create public relations disasters where front-page news translates to stock price decline
The following case involves email as the mechanism for transporting information out of the hands of the organization, and demonstrates what can happen if such secret data/information falls into the wrong hands:
In New South Communication Corp. v. Universal Telephone Co., 2002 WL 31246558 (E.D. La. Oct. 4, 2002), the plaintiff obtained an injunction after convincing a district court that its former employees had misappropriated trade secret information via the company’s e-mail system. An employee who had signed a non-compete agreement with the plaintiff had given his termination notice. He then e-mailed the company’s proprietary financial information to his home email account. The day after he terminated employment, he was able to log onto the company’s computer system through his home computer and he proceeded to e-mail himself other documents containing proprietary information and financial information. The Court found that the purpose of the e-mails was to misappropriate confidential and trade secret information.
Downloading/copying/extracting any data from a computer and its transmission via email involves contravention u/s 43 IT Act and may entail a heavy penalty:
To prevent copying/downloading/extracting of data/information in the digital medium, Section 43(b) IT Act, 2000 is the legislature’s extension of copyright protection to the digital medium. It protects data, computer databases and information from unauthorized downloading, copying or extraction from any computer, computer system, computer network, server etc., including information or data held or stored in any removable storage medium such as USB drives. Thus, Section 43(b) IT Act makes the act of downloading/copying/extraction a contravention punishable under the Act. When an employee, without authorization, downloads confidential data from the data centre and sends it as an email attachment, it attracts the provisions of Section 43(b) IT Act, 2000. It is well established that any downloading, copying or extraction from a server or computer will generate a log showing the user/computer system that accessed the server, along with the IP address from which it was accessed. Further, both the soft copy and a hard copy of the email, with its headers, should be preserved for evidentiary purposes, to establish the contravening act of the employee before the adjudicating forum. Thus, an employer organization which finds that one of its employees has copied or downloaded confidential data or information from its computer network or server can file an application for adjudication proceedings against the disgruntled employee before the Adjudicating Officer appointed u/s 46 IT Act. The Adjudicating Officers, who are basically the IT Secretaries of the respective states, adjudicate the complaint filed before them within a period of six months and can pass an order imposing a penalty of up to Rs. 1 crore.
Transferring secret data via email: can the act be covered under “hacking” within the meaning of Section 66 IT Act?
Apart from infringement of copyright or a contravention under the IT Act, which is civil in nature, when employees breach secrecy by transmitting this data via email to competitors, or set up a competing business by misusing these works and information for a purpose not authorized by their employer, the value of these works in the hands of the organisation is inevitably diminished and the organisation is injured. Thus, the act is squarely covered by and punishable under Section 66 IT Act: when employees, while accessing the database (whether that access is authorized or unauthorized does not matter), copy the data residing there and secretly transfer it to a competitor as an email attachment, the act becomes one of ‘hacking’, because although the data residing in the “computer resource” has not been destroyed or altered, its value has been lost or reduced, since the secret data which gave the organization its competitive edge has fallen into the hands of a competitor who may use it, causing loss to the organization.
A case of data theft by employees via email
The company M/s Parsec Technologies Ltd. (PTL) is engaged in processing qualified leads for US companies out of raw data purchased by it from the USA. The accused persons, employees of the complainant, were running a parallel firm and sent the same raw data, as if it belonged to their own firm, to call centres for processing, which caused the company losses of over Rs. 3.3 crores. The IP address of the emails carrying the data was analysed and revealed that they had been sent from the office of PTL. The hash value of the embezzled data and that of PTL’s data were found to be the same, which clearly established that the data belonged to PTL and had been misappropriated by the accused. After misappropriating the raw data, the accused had leads developed from it by another company, sold the data to a foreign company and received payment into their own account. An FIR was registered against the accused persons u/s 66 IT Act besides Sections 409/420/120-B IPC.
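The two evidentiary steps mentioned above, preserving the email with its headers (Section 43(b) discussion) and analysing the IP address of the emails and comparing hash values (the PTL case), can be reproduced on a preserved message. The following is an added Python example, not part of this article or the case record: the message, hostnames, IP addresses (documentation ranges) and the data file are all constructed sample values.

```python
"""Checks on a preserved email: which hop the message originated from, and
whether an attachment is byte-for-byte the organisation's own data file.

Added example, not from the original article. Every host, IP address and
data value below is a constructed sample."""
import base64
import hashlib
import re
from email import message_from_bytes, policy
from typing import Dict, List, Optional

# Constructed reference copy of the organisation's own data file (hypothetical).
ORIGINAL_DATA = b"name,phone\nAlice,555-0100\nBob,555-0199\n"

# Matches the bracketed IPv4 address that relays write into Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_email(attachment: bytes) -> bytes:
    """Return a constructed raw email as it would be preserved with full headers.

    Two Received hops are shown; the lower one was added first (the origin)."""
    b64 = base64.b64encode(attachment).decode("ascii")
    return (
        "Received: from relay.example.invalid (relay.example.invalid [203.0.113.10])\n"
        "\tby mx.recipient.invalid with ESMTP id r1; Mon, 1 Jan 2024 10:00:00 +0000\n"
        "Received: from WORKSTATION-07 (unknown [192.0.2.45])\n"
        "\tby relay.example.invalid with ESMTPA id r0; Mon, 1 Jan 2024 09:59:30 +0000\n"
        "From: employee@corp.example\n"
        "To: recipient@other.example\n"
        "Subject: raw data\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="B1"\n'
        "\n"
        "--B1\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attached\n"
        "--B1\n"
        'Content-Type: application/octet-stream; name="leads.csv"\n'
        'Content-Disposition: attachment; filename="leads.csv"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}\n"
        "--B1--\n"
    ).encode("ascii")


def received_chain(raw: bytes) -> List[str]:
    """IP address from each Received header, in header order.

    Each relay prepends its own Received line, so the first entry is the
    last hop and the final entry is the earliest (originating) hop."""
    msg = message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        match = IP_RE.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip(raw: bytes) -> Optional[str]:
    """Address recorded for the first hop, i.e. the submitting machine."""
    ips = received_chain(raw)
    return ips[-1] if ips else None


def attachment_hashes(raw: bytes) -> Dict[str, str]:
    """SHA-256 of every attachment's decoded content, keyed by filename."""
    msg = message_from_bytes(raw, policy=policy.default)
    hashes = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hashes[part.get_filename() or "(unnamed)"] = hashlib.sha256(data).hexdigest()
    return hashes


def matches_original(raw: bytes, original: bytes) -> List[str]:
    """Filenames of attachments whose hash equals that of the organisation's copy."""
    reference = hashlib.sha256(original).hexdigest()
    return [name for name, h in attachment_hashes(raw).items() if h == reference]


if __name__ == "__main__":
    raw = build_sample_email(ORIGINAL_DATA)
    print("hops:", received_chain(raw))
    print("origin:", originating_ip(raw))
    print("attachments matching original data:", matches_original(raw, ORIGINAL_DATA))
```

The hash comparison only proves identity when the attachment is an unmodified copy; a re-saved or re-exported file yields a different hash even if the content is the same, so the originating-hop evidence and the server access logs remain necessary alongside it.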
A comprehensive corporate email policy is the solution: the Indian scenario
IT managers are now beginning to understand that they need to keep closer tabs on outbound email. In order to stop pilferage or leakage of sensitive corporate information/documents, they have to think beyond traditional workplace policies which merely govern employee usage of email. Unfortunately, most of these policies only clarify what is “acceptable use” and what is not, and are geared towards ensuring that email usage does not negatively impact employee productivity. Employees simply understand that they cannot visit websites that promote pornography or download MP3 files during working hours. But these rules do not address whether or not they can attach a source code file or copyrightable proprietary information to an email message and send it outside the organization. Organizations are now formulating comprehensive corporate email policies, setting email security goals and policies and then implementing robust email security solutions. The standard corporate email policy governing employee usage of email should be in clear and unambiguous terms. The following points should be considered and followed in establishing a sound corporate email policy:
- The corporate email policy must address the issue of confidential information. Clearly define what the confidential/valuable information is and where it resides. The policy should clearly state which employees are authorized to access such information and the procedure, conditions, supervision etc. under which they may send it through email, for official purposes only. The policy should also establish punitive measures and conflict resolution procedures.
- Employees at all levels should be required to sign the corporate email policy, which should stipulate in clear terms that employees’ email usage is monitored, that they should not expect privacy in the use of the employer’s communication system, and that any violation on their part will result in strict disciplinary action, including legal action. No employee should be granted access to the official network until they have signed such an agreement.
- Also define clearly what types of information are prohibited in the email system, for example transactional data, customer data, intellectual property documents, internal memos etc.
- Clearly restrict employees from using their personal email during office hours. Alternatively, there should be a separate computer, not connected to the official network or server, which employees can use to access personal email. That computer should not have any USB drives. However, outbound email from this isolated computer is also to be monitored.
Certain types of software filters and dedicated email security appliances can be inserted in line with the outgoing mail server to quickly analyse the integrity of outgoing messages. Use software/hardware that can centrally manage, report on and audit everything that goes through the organization’s server.
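As an added example of the kind of check such an in-line outbound filter performs (not the article’s code and not any product’s), the following Python script enforces a hypothetical version of the policy points above: mail to external recipients is blocked if it carries an attachment of a prohibited type or if the body or an attachment bears a confidentiality marker, and every decision is rendered as an audit line. The internal domain corp.example, the rule sets and the sample messages are constructed.

```python
"""Minimal outbound-mail policy check of the sort an in-line filter applies.

Added example; not from the original article or any product. The domain,
the prohibited types, the marker pattern and the messages are hypothetical."""
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "corp.example"  # hypothetical: mail that stays internal is not policed
# Hypothetical prohibited attachment types: source code, database exports, spreadsheets.
BLOCKED_EXTENSIONS = {".c", ".java", ".py", ".sql", ".csv", ".xls", ".xlsx"}
# Marker the policy requires on confidential documents (hypothetical wording).
CONFIDENTIAL_MARKER = re.compile(r"\b(confidential|internal only|trade secret)\b", re.IGNORECASE)


def external_recipients(msg) -> List[str]:
    """Addresses in To/Cc/Bcc that are outside the internal domain."""
    raw_headers = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(raw_headers)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]


def check_outbound(raw: bytes) -> Tuple[str, List[str]]:
    """Return ("allow" | "block", reasons) for one outgoing message."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not external_recipients(msg):
        return "allow", []          # purely internal delivery: out of scope here
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
        data = part.get_payload(decode=True) or b""
        if CONFIDENTIAL_MARKER.search(data.decode("utf-8", "ignore")):
            reasons.append(f"confidential marker in attachment: {name}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and CONFIDENTIAL_MARKER.search(body.get_content()):
        reasons.append("confidential marker in body")
    return ("block" if reasons else "allow"), reasons


def audit_line(raw: bytes) -> str:
    """One line for the central audit log: sender, external recipients, verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdict, reasons = check_outbound(raw)
    targets = ", ".join(external_recipients(msg)) or "(internal only)"
    return f"{msg['From']} -> {targets}: {verdict} {reasons}"


def make_message(to: str, body: str, attachment: Optional[bytes] = None,
                 filename: Optional[str] = None) -> bytes:
    """Build a constructed outgoing message for testing the filter."""
    msg = EmailMessage()
    msg["From"] = "employee@corp.example"
    msg["To"] = to
    msg["Subject"] = "sample"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        make_message("partner@other.example", "hello"),
        make_message("colleague@corp.example", "CONFIDENTIAL draft", b"x", "leads.csv"),
        make_message("partner@other.example", "please find attached", b"id,phone\n1,555\n", "leads.csv"),
        make_message("partner@other.example", "This is Confidential."),
    ]
    for sample in samples:
        print(audit_line(sample))
```

A real filter would sit behind the submission server so that the audit record exists before delivery is attempted; keyword markers are a floor rather than a ceiling, since a renamed or archived file defeats the extension check, which is why the policy also has to define where confidential information resides and who may send it.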