India: Adequate Protection To Business Confidential Information: Time Stamping Could Be The Magic Recipe

As offices go digital and employees switch to paperless offices, one constant fear haunting the employers is: what if their employees are aiding and abetting snooping and transferring treasured data to their competitors. And their fears are not totally unfounded as not only digital medium facilitates information stealing by a mere mouse click but also there have been umpteen no. of cases where employees have been found sharing the confidential details including customer details, status of pending offers and technical details of their parent company with companies that may be the direct competitors of their business.¹ While it is true that employers can initiate court action against erring employees, after all most of the employees have a Non-Disclosure Agreement (NDA) with their employers, the challenge of proving this subterfuge before the Court is sometimes too difficult to surpass, more so, in case of electronic documents.

An Overview of Current Provisions

In cases where Employers allege misappropriation of confidential information, it is important for them to establish that the employees of the company/organization/firm had access to/or possession of electronic documents at a certain point in time and the electronic transaction that is in question, took place. Further, it also needs to be ascertained that confidential data that is the subject matter of a misappropriation complaint has not been tampered with since the complaint took place or the employees would easily get away. Required thus is simple, secure, independent and portable proof of electronic record integrity.

If we look at the current legislative framework, for proving existence of electronic documents at a certain point in time, Section 16 of the Indian Evidence Act (Act) would come in handy. The Section lays down that that if there is a question whether a particular act was done, the existence of any course of business, according to which it naturally would have been done, is a relevant fact. For establishing, validity and integrity of the confidential data in question section 65B coupled with section 85 B and 88 A is important. Section 65B elucidates the conditions precedent for the admissibility of the electronic evidence and stipulates that any information contained in an electronic records and printed on paper shall be deemed to be a document for the purposes of the Evidence Act and admissible in any proceeding without further proof of the original (soft copy) if the technical conditions, pertaining to the information contained in the electronic record and the computer on which the information is produced, are met as specified in the section. Section 85B and 88 A are presumptive sections and enjoin the Court to draw a positive conclusion once electronic evidence is tendered before it. While Section 85 B mandates the courts to presume a secure electronic record to be secure since the time when it was first secure, section 88 A specifically deals with emails and lays down that Courts shall presume that the e-mail sent by the originator through the electronic mail server to the addresses is the same as that received. However no presumption as to who sent the mail will be made. This section presumes the authenticity of the electronic message but not the authenticity of the sender of the message. As is clearly apparent none of the sections clearly talk about the evidentiary value of time and date on these documents and whether even they would be presumed to be valid. Further, the authenticity of electronic documents can be proved in accordance with the provisions of the Information Technology Act, 2000 (hereinafter also referred to as 'IT Act'). Section 3 of the Evidence Act read with the Information Technology (Certifying Authorities) Rules, 2000 provides the manner in which electronic records may be authenticated by means of digital or electronic signature. However, the procedure provided for authentication of electronic records under the IT Act does not authenticate time or date when the transaction took place.

Time Stamping needed to eliminate gaps in the current Legislative Framework

In as much as the time on computers and severs may be easily tampered, establishing any case on breach/misappropriation of confidential information would require tendering strong legal evidence that the electronic document in question existed at the relevant point in time and has not been altered since then. And this is where the getting the documents time stamped by a Certifying Authority can prove to be crucial. An analogy here can be drawn from the use of digital signatures. Once a Digital Signature Certificate has been issued by a licensed Certifying Authority, it is a conclusive proof of the identity of the person in whose favour it has been issued and once it is affixed on any electronic document, it is also sufficient for authenticating electronic records. In the same manner, licensed Certifying Authorities may also time stamp the digital document with authoritative and reliable time stamp which will certify time ownership and integrity of content related to digital works. In fact time stamp may also be useful to certify priority in case of intellectual property and boost their protection.

India currently has around eight Certifying Authorities who already issue Digital Signature Certificates. It's time to mandate them to provide time stamping services as well. In fact both the Information Technology (Certifying Authority) Regulations, 2001 and Version 2.6 of the Interoperability Guidelines for Digital Signature Certificates issued under the IT Act lay down that licensed Certifying Authorities may issue certificates for the purposes of time-stamping albeit they do not make it mandatory. Also, the Department of Electronics and Telecommunications has issued Version 1.0 of Time Stamping Services Guidelines for Certifying Authorities in October 2012 which lays down standards and practices to be followed by Certifying Authorities in case they provide time stamping services. But since IT Act remains completely silent on the issue, both the Certifying Authorities and the business Organizations have given time stamping a cold shoulder and time has come to change the same.

^{1 Homage India Private Ltd. v. IMA AG Asia Pacific PTE Ltd, M.F.A No. 1682/2010 C/W M.F.A No. 1683/2010}

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.