By Anshima Agarwal
In the rapidly evolving digital landscape, imagine yourself surfing the internet casually when you unknowingly click on a random link, only to discover that your computer has been compromised and your personal data is at the mercy of cybercriminals. Incidents of this kind are referred to as cybersecurity breaches (or, more commonly, cyber-attacks): a person with no authorization gains access to your devices, data, network or applications. This is detrimental to individuals as well as organizations. Such breaches and attacks typically take place when a system’s security mechanisms are ineffective. Even tech giants like Google, Microsoft, Facebook, Apple, Amazon etc. have failed to prevent them. One such example is Unacademy, an edtech start-up, which confirmed a data breach that affected 22 million user accounts. Sensitive data and crucial infrastructure are at risk due to the worrying rise in cyberattacks. Every incident has an impact that is felt across industries, undermining trust, causing disruptions in business, and increasing the need for effective cybersecurity solutions.
This article explores the legal repercussions of unlawful access to confidential information, systems, and networks in an effort to break down the complicated framework of liabilities and remedies in our digital society. The application of tort law to cybersecurity breaches is analysed through case studies, illustrating how traditional torts like trespass have extended into the digital realm. The integration of tort law principles is proposed as a means to hold negligent parties accountable, promoting justice and equitable outcomes. However, challenges such as jurisdictional complexities and establishing causal connections are acknowledged.
Addressing legal culpability in cyber incidents through tort law promotes a more responsible digital environment, as it enables victims to seek compensation and hold negligent parties accountable. The article will begin with an overview of tort law and cybersecurity breaches, discuss several kinds of "cyber torts" and the legal frameworks that address them, and then conclude with some proposals for strengthening tort law in the cyber context. Looking toward the future, the article discusses the evolving nature of tort law to address challenges in the digital world. It anticipates the strengthening of data protection laws globally and emphasizes the role of courts in establishing standards for determining negligence and liability in cybersecurity matters.
In conclusion, it emphasizes the intertwined future of cybersecurity and tort law, where organizations, individuals, and legal authorities collaborate to create a safer and more secure digital environment.
A tort is a category of private/civil wrong, wherein the legal right of an individual is violated by the wrongdoer. In the case of a “cyber tort”, technology becomes the medium of committing this wrong.
Tort law is based on the legal maxim “ubi jus ibi remedium” which means – where there is a right there is a remedy. By enforcing these rights and duties, it is ensured that everyone respects those rights of others. It is a largely uncodified law in India, but has a broad scope, covering aspects including personal injury, property damage, defamation, and economic loss, offering a mechanism for seeking compensation and promoting social justice.
Torts are generally classified into certain categories, such as negligence, intentional torts and strict liability torts. Negligence in simple terms involves four essential elements: duty of care, breach of that duty, causation, and damages. In the context of cybersecurity breaches, duty refers to the legal obligation to exercise reasonable care to protect sensitive information and systems from cyber threats, and a breach can occur when an individual or organization fails to protect such sensitive information, thereby compromising the data and devices of others. Examples include an inexperienced employee who forgoes security precautions in favour of expediency or speed, a technical employee engaging in unethical IT activities, or an external provider leaving a server open with confidential information exposed. Such a breach may cause financial or reputational harm, along with identity theft, causing emotional damage and mental distress. A real-life example is the leading criminal law firm Tuckers, which was fined £98,000 by the Information Commissioner after a ransomware attack that encrypted nearly a million files exploited its “negligent security practices”.[1]
In the case of intentional torts, the wrongdoer knowingly does an act which can harm others.
Cyber fraud (misrepresentation and deception through digital means to gain sensitive information), cyber defamation (publishing false information online) and intrusion upon one’s privacy in the digital sphere fall in this category of torts. While granting an ad interim injunction in one such case, the court held that “reputation is built over the years but it can be demolished quickly on social media, so it calls for urgent measures when the court is satisfied that reputation deserves protection”.[2] In some cases, the effects of online defamation could be exponentially worse than an offline incident due to the global nature of the Internet and the fact that the statements can be accessed by virtually anyone.[3] Furthermore, the problem of internet anonymity poses even greater concerns when it comes to defamation because, depending on the media, it may be exceedingly challenging to identify the source or author of the claims.
The tort of strict liability holds someone liable without requiring any proof of fault or negligence. It might not be suitable in the cyberspace context, for indirect claims can be made against system sellers and internet service providers for the harms caused by third-party cyberspace actors.[4] The traditional trespass law should not apply to cyber-invasions of public information resources, like unsolicited emails or information gathering.[5] It can however come under the tort of nuisance.
AN OVERVIEW OF COMMON CYBERSECURITY BREACHES
Cyber attacks can be generally classified in the following few categories: data breaches, phishing, insider threats and malware attacks. Breach of privacy is a kind of cyber tort which affects an ordinary person. Data breaches happen when uninvited individuals access private or sensitive data, which can then be stolen, misused, or exposed. This data includes, and is not limited to, names and family information, personal history and contacts, and financial records. Security errors, negligence, or deliberate cyberattacks can all lead to these breaches. Data breaches can have a significant negative effect, leading to monetary losses, reputational injury, legal responsibilities, and even the possibility of harm to the people whose personal data was compromised.
Deploying malicious software, such as viruses or trojans, to compromise systems is a type of malware attack. Malicious websites and infected email attachments are common mediums for delivering malware. In web jacking, hackers gain access to and control over another party's website. Phishing attacks are emails and messages disguised as legitimate ones that trick users into revealing sensitive information such as one-time passwords, login credentials or card details.
Attacks known as denial of service (DoS) attempt to hinder legitimate users from accessing a target system or network by flooding it with an overwhelming amount of traffic. This causes financial damage to the organization and disruption of services for the user. Insider threats originate from within the organization, where confidential information is misused either intentionally or unknowingly by employees. Other kinds of cyber torts include cyber-stalking, harassment via emails, cyber vandalism, online fraud, email bombing and data tampering.
Addressing all such threats requires a multi-layered approach that combines technical defences and legal safeguards to maintain the integrity of systems and networks.
EXISTING LEGAL FRAMEWORK
Data intruders, hackers and all those involved in a cyber breach are subject to criminal as well as civil liability.[6] Civil sanctions are proposed to protect the impacted party from harm. A criminal sanction is a prosecution which results in a fine or imprisonment.
As the digital landscape continues to change, the legal framework for cybersecurity is essential to dealing with the growing potential risks posed by cyber-attacks. This section examines cybersecurity laws that are currently in place, such as data protection and privacy rules, as well as the difficulties in applying tort law to cyber breaches. It is important to hold someone accountable, especially in cases involving breach of privileged information by government bodies and corporate entities.
To protect people's personal information and control how businesses manage and use data, many nations have passed data protection and privacy laws. In accordance with privacy rules, consent must be obtained, data breaches must be reported, and data security must be maintained. The most notable legislation in this regard in India is the Digital Personal Data Protection Bill, which aims to establish a comprehensive framework for data processing, storage, and transfer. The major liability in cyber tort in India arises through the Information Technology Act, 2000. S. 43 of the Act provides for civil remedies in case of damage to computers, etc. Ss. 65, 66 and 67 deal with similar wrongs, but provide for imprisonment, along with fines.
In order to assist businesses in establishing best practices for safeguarding their systems and data, governments and industry associations frequently formulate cybersecurity standards and guidelines, aiming to reduce the risk of cyber breaches. Before 2013, India did not have a cybersecurity policy. The Department of Electronics and Information Technology (DeitY) drafted the "National Cyber Security Policy" in 2013 to establish a secure and resilient cyberspace ecosystem. It attempts to safeguard both private and public infrastructure from cyber-attacks. As stated in the policy, "information, such as personal information (of web users), financial and banking information, and sovereign data" will be protected. Additionally, the Indian Computer Emergency Response Team (CERT-In) issues advisories and guidelines to prevent and mitigate cyber threats. The Reserve Bank of India (RBI) also sets specific cybersecurity requirements for banks and financial institutions to protect customers' financial data.
APPLYING TORT LAW TO CYBER BREACHES
In one case[7], Cyber Promotions sent unsolicited emails to CompuServe's subscribers using their computer system, causing customer dissatisfaction and system slowdowns. Despite warnings to stop, Cyber Promotions continued sending the emails, leading CompuServe to file a trespass to chattels lawsuit. The Court granted a preliminary injunction in favour of CompuServe, as they demonstrated that the intrusion into their computer system caused harm to their business reputation and goodwill. Thus, trespass is no longer a traditional tort involving only tangible goods but has extended to include wrongs committed through cyber space.
With new dimensions of this new medium, possible violations like cyber porn or cyber obscenity torts, misrepresentation on internet, passing off, copyright violations and cyber defamation increase the significance of the law of torts.[8] By integrating tort law principles into cyber cases, victims have a means to hold negligent parties accountable for their actions, promoting justice and equitable outcomes. It offers them a way to seek compensation and redress for the harm caused. By establishing cybersecurity standards under tort law, organizations are compelled to take reasonable measures to protect sensitive data and systems from cyber threats. Knowing the potential legal consequences of negligence, businesses are more likely to prioritize cybersecurity to safeguard their assets and reputation.
While tort law presents a legal mechanism for seeking damages and determining liability in the event of cyber incidents, doing so effectively in a digital environment poses a number of concerns. Cyberattacks may originate from a wide range of sources, such as independent hackers or criminal organizations operating across borders. It is difficult to establish legal jurisdiction and hold the guilty party accountable because it is not easy to ascertain the perpetrator's legitimate name and location. Even if these are found, the question remains as to which jurisdiction the case will fall under, since the breach took place online. Moreover, due to the complex nature of cyber incidents, proving a direct causal connection between the defendant's activities and the harm that resulted from them tends to be challenging. Cyberattacks occasionally involve a number of steps and an array of events, making it hard to narrow down the damage to a specific action or act of negligence. Also, unlike physical property damage, the impact of cyber breaches might not be immediately apparent. For instance, the long-term consequences of stolen data, such as identity theft, may unfold over time. Additionally, the intangible nature of data and the difficulty in assessing its value complicate the calculation of damages.
FUTURE IMPLICATIONS AND CONCLUSION
Tort law continues to grow and expand to address challenges related to attribution, causation, and damages in the digital world as cyber occurrences increase in frequency. More nations may establish or strengthen data protection laws, imposing harsher fines for non-compliance and data breaches as data privacy becomes a significant concern.
Courts and other legal authorities need to strive to establish strict standards for determining negligence and liability in cybersecurity matters. This can entail defining norms for reasonable security measures that commercial enterprises must adhere to. Further, to ensure that they adequately protect victims of cyber breaches and consider the constantly developing nature of cyber risks, governments should regularly review and update tort laws. Organizations, on their part, must comply with relevant data protection laws and regulations, ensuring proper data handling, storage, and breach notification procedures are in place. They must maintain regular backups of critical data to mitigate the impact of ransomware attacks or data loss incidents. And lastly, individuals should exercise caution while sharing personal information online, be wary of suspicious emails or messages, and enable multi-factor authentication whenever possible.
Cyber interests of the netizen are also required to be protected by extending the principles of liability under torts and adding new pigeon holes (of cyber tort) to the expanding tree of the law of torts.[9] In conclusion, the future of cybersecurity and tort law is intertwined, with both domains continuously evolving to meet the challenges posed by cyber threats. By implementing stronger tort law principles and adopting proactive cybersecurity measures, organizations and individuals can minimize liability and contribute to a safer and more secure digital landscape.
The author of this article is Anshima Agarwal, a second-year BALLB student at National Law University, Delhi.
[1] Neil Rose, ‘Top Criminal Law Firm Fined £98,000 for Cyber Security Negligence’ (Legal Futures, 10 March 2022) <https://www.legalfutures.co.uk/latest-news/top-criminal-law-firm-fined-98000-for-cyber-security-negligence> accessed 26 July 2023.
[2] Vinai Kumar Saxena v Aam Aadmi Party [2022] 5 HCC (Del) 662.
[3] Cyber Crimes and Cyber Torts: A Comparative and Analytical Perspective (2016-17) 24 ALJ 93.
[4] N. Stephan Kinsella, 'Against Intellectual Property' (2007) 87(1) Boston University Law Review 77, 89.
[5] ibid.
[6] Yash Tiwari, ‘Cyber Torts: A Dark Shade of Information Technology in India’ (2019) 13 NJA Law Journal 171.
[7] CompuServe Inc v Cyber Promotions [1997] US Dist LEXIS 4549.
[8] Cyber Crimes and Cyber Torts: A Comparative and Analytical Perspective (2016-17) 24 ALJ 93.
[9] ibid.
This article contains the views of the author, and the publisher in no way associates with the views or ideologies of the author. All moral rights vest with the Author(s).