Introduction
Protection of trade secrets
Protection of digital information
Punishment under the Penal Code
Need for new legislation
Comment
Introduction
A company's foundations are built on its confidential information. An involuntary leak of such sensitive information could:
- damage the company;
- give its competitors an unfair advantage; or
- result in financial crisis, damage to goodwill and even bankruptcy.
Therefore, protection of such information is of utmost importance.
The damage that the leakage of sensitive information can do to a company is often underestimated. Therefore, it is essential - especially in light of the growing number of blatant security breaches - to keep confidential information confined within the company.
'Confidential company information' can be broadly classified as a company's trade secrets. Trade secrets include formulae, devices or other manufacturing or business patterns that are kept confidential in order to give the company an advantage over its business competitors. In order for information to be classified as a trade secret, it must meet the following three requirements:
- It must be a secret;
- It must have a commercial value; and
- The holder must have taken reasonable steps to keep it secret.
The novelty of the information is irrelevant, provided that it is inaccessible. The disadvantage of such trade secrets is that once they are leaked or competitors obtain access to them, they can be used at will, as they are not protected or exclusive to the company. Thus, such trade secrets are deemed not to exist until their purported holder takes steps to protect them and maintain their secrecy.
To avoid such unwarranted events, companies take varied steps to protect their confidential information and trade secrets. Such steps include:
- non-disclosure agreements that prohibit employees from the dissemination of company-specific vital information and include a duty of confidence and restraint of trade clauses; and
- third-party contracts with suppliers and distributors that secure the dissemination of trade secrets and include individual confidentiality agreements.
The use of non-disclosure agreements is the most effective and standard method of protecting such information. They are proprietary information agreements executed between two parties that outline the information to be shared between the parties and restrict such information from being divulged to third parties. Parties agree not to disclose information revealed to them under such arrangement. However, non-disclosure agreements seek to protect information only when it is directly received from the discloser. If the other party obtains it by lawful means from other sources and not by any breach of confidentiality, that party is not obliged to keep such information secret.
A breach of a non-disclosure agreement would result in a breach of contract, which could result in the award of damages, special damages or injunctive relief under the Contract Act.
Protection of digital information
A company's digital documents containing vital confidential information also need to be protected from misuse. However, protection of such information is a challenge, as most information and documents are sent and exchanged electronically via the Internet. To ensure protection, certain precautions must be taken, such as:
- creating and instituting password or passcode entry to computer files containing sensitive information;
- tracking user access to confidential data and creating rules for the transfer or copying of data from the network; and
- securing wireless networks and implementing firewalls and intrusion detection systems to keep external intruders out.
Information that is communicated via the Internet is regulated by the Information Technology Act 2000. This act received presidential assent on June 9 2000 and has been effective since October 17 2000. The act is based on the United Nations Commission on International Trade Law Model Law on Electronic Commerce. The act was enacted to secure and protect information exchanged and delivered via the Internet. It aims to facilitate the development of a secure regulatory environment for electronic commerce by providing a legal infrastructure that governs electronic contracting and the security and integrity of electronic transactions.
Civil liabilities under the act
Sections 43(a) to (h) of Chapter IX of the act cover a wide range of cyber-contraventions related to unauthorised access to computers, computer systems, computer networks and resources. Section 43 of the act covers instances such as:
- computer trespass and violation of privacy;
- unauthorised digital copying, downloading and extraction of data, computer databases or information and theft of data held or stored in any media; and
- unauthorised transmission of data or programmes residing within a computer, a computer system or a computer network (cookies, spyware, globally unique identifiers and digital profiling are not legally permissible).
Any person found guilty of contravention of any of these provisions shall be liable to pay the affected person damages of up to Rs10 million.
Criminal liabilities under the act
Sections 65 to 74 of Chapter XI of the act cover a wide range of cyber-offences, including offences related to unauthorised alteration, deletion, addition, modification, destruction, duplication or transmission of data and computer databases. The commission of any such offence is punishable by imprisonment, a fine or both.
Penalties for any act that constitutes a breach of confidentiality or privacy under the act are covered by Section 72, which states that any person conferred with powers under the act who discloses confidential information without authorisation shall be punished by up to two years' imprisonment, a fine of Rs100,000 or both. However, this section has limited application, as it confines itself to the acts and omissions of those persons who have been conferred with powers under the act.
Punishment under the Penal Code
Any act of mishandling, misappropriation or misuse of confidential information is also punishable under the Penal Code. When a person, without authorisation, misappropriates confidential information that has been entrusted to him or her, such act amounts to a criminal breach of trust under Section 405 of the Penal Code. In a criminal breach of trust, entrustment of property (in this case, confidential company information) is the essential element. The accused is entrusted with property and with dominion or control over that property. In addition, any person who dishonestly misappropriates or converts for his or her own use any moveable property (in this case, confidential information) shall be liable for dishonest misappropriation under Section 403 of the Penal Code. Such an offence shall be punishable by up to two years' imprisonment, a fine or both.
Cases relating to the unauthorised use and disclosure of confidential information have resulted in the award of significant amounts in damages. In a recent case an employee of a business process outsourcing company in Gurgaon was accused of providing unauthorised confidential personal information about 1,000 UK customers from the company database to the UK newspaper The Sun. His employment has been terminated while the investigation is ongoing. If he is found guilty, he could be charged under Section 66 of the Information Technology Act, which covers 'hacking' in its widest definition, and face three years in prison and a Rs200,000 fine. He could also be charged under six provisions of the Penal Code.
A similar case involved five employees from a Pune, Maharashtra-based business process outsourcing company who were accused of misappropriating money from the bank accounts of four New York-based account holders.
Despite the growing number of confidentiality breaches and the imminent dangers posed to businesses, the Information Technology Act is the first piece of legislation to contain provisions on data protection. This act essentially deals with contingencies and obligations relating to the extraction and destruction of data. However, its provisions are not sufficiently exhaustive, which means that companies must enter into separate contracts to ensure complete and satisfactory protection of their confidential information. Such contracts are governed by and have the same enforceability as a general contract. Data protection is also not a subject covered by any of the three lists in Schedule VII of the Indian Constitution, although Entry 97 of List 1 does include "any other matter not enumerated in List II and List III." Thus, only Parliament is competent to legislate on data protection, since it can be interpreted as any other matter not enumerated in Lists II and III.
To cover such matters, on December 8 2006 the Data Protection Bill was introduced in Parliament. The provisions in the bill relate to the nature of data being obtained for a specific purpose and the quantum of data being obtained for that purpose. The purpose of the bill is to:
- provide protection for personal data and individual information collected for a particular purpose by one organisation;
- prevent the use of such information by other organisations for commercial or other purposes; and
- entitle the individual to claim compensation or damages for disclosure of such personal data or information without consent and for matters that are connected or incidental.
However, the bill is yet to be given effect - the delay being put down to a lack of information on the subject to frame the act.
Many western countries have already established provisions on data protection. Hence, it is essential that swift action is taken to bring the Data Protection Act into force and implement stringent and comprehensive data protection laws.
As methods for exchanging, disseminating and receiving information continue to develop, it is vital that India establishes legislation supporting data protection. Employment laws need to be amended, advertising and marketing practices need to be changed and employer-employee contracts need to be more stringent in order to secure the exchange of confidential information.
For further information on this topic please contact Rohit Jaiswal or Sandeep Mohanty at Singhania & Partners LLP by telephone (+91 11 4153 1000) or fax (+91 11 4153 1001).