Significant security threats often come from within: according to a security risk study by the Finnish Central Chamber of Commerce (2012), around 20 % of large Finnish companies reported that a former employee had illegally copied files and confidential information during employment. Some 20 % of the companies did not even know whether such infringements had taken place. Statistics suggest that companies rarely act on their suspicions.
These results are very likely a reflection of strict Finnish privacy laws, which make internal security threats quite difficult to monitor. A company considering acting on its suspicions also faces significant legal barriers, often making it difficult to prove malpractice.
A company must first commence internal investigations to determine whether there is a proven violation of trade secrets to report to the police. To confirm its suspicions, the management would probably need to examine electronic files, particularly employee e-mails and log files, to determine an intention to betray company secrets, such as via regular e-mails to a competitor.
In Finland, the acceptability of investigating electronic files depends on the data category. Companies are usually allowed to access material that does not constitute electronic communications. In the majority of cases however, companies are not allowed to access electronic communications (e.g. e-mails and log files), although it should be noted that to the extent the investigation relates to direct communications between the employer and employee such information may under certain circumstances be used (e.g. information obtained from the company's own passage control system when the employee uses his electronic key).
Right to privacy supersedes right to protection of property
Finnish legislators have prioritized the constitutional right to privacy and confidential communications over companies' rights to protect their property, including trade secrets. Attempts have been made to strengthen companies' mandate to investigate data such as log files in connection with possible trade secret violation cases, but the outcome of the "tailor-made" legislation ("Lex Nokia") has not been workable in practice, since companies have not applied the limited monitoring procedures available.
Overstepping the line during an investigation will result in a reversal of roles, with the company no longer a victim in a suspected data breach case, but rather a criminal in violation of communications secrecy.
If the right to conduct internal investigations is limited, the most practical solution is to commence discussions with the police. However, before the police can take on a case, the company needs some initial evidence to support its suspicions. But how can companies acquire proof of wrongdoing if they do not have the right to investigate? Further, the alleged misconduct must be severe enough for the police to invoke investigative powers.
Investigating suspected trade secret violations in Finland is a balancing act for both the company involved and the police. Both parties must avoid crossing the line of impropriety, but achieving results often requires going closer to that line than companies or police generally feel comfortable with. While it's possible to achieve some results it’s essential to prepare for frustrating moments when it seems that incriminating evidence is within reach but is actually off-limits.
Swedish employers in stronger position than Finnish peers
Although the EU Commission has proposed harmonizing European privacy laws by introducing new data protection regulations, the question of accessing employee e-mails, log files and internet history records is likely to remain subject to national regulations.
Finland’s choice to prioritize employee privacy over effective prevention of industrial espionage and protection of trade secrets remains the exception. For example, Sweden has adopted quite a different approach and is more accommodating of companies' rights to conduct internal investigations in cases of suspected data leaks. Swedish employers therefore are in a stronger position than their Finnish counterparts when it comes to obtaining evidence of employee violations of the Swedish Trade Secrets Act. Under the current regime in Finland companies can maximize their ability to prevent and detect malpractice by validating their legal and technical security measures and policies, and where needed, providing information about such policies in employee-employer co-determination proceedings ("yt-menettely").
It remains to be seen whether companies’ constitutional right to protect their trade secrets and intangible assets such as IPR will be enhanced when Finland implements the directive on the protection of trade secrets proposed by the EU Commission. Although the proposed directive does not regulate internal investigation issues, the implementation phase could be a suitable time for legislators to assess whether the current regime sufficiently guarantees the protection of trade secrets. Without effective rules prescribing acceptable grounds and procedures for internal investigations, Finnish companies will remain largely impotent to fully safeguard their trade secrets.