[This post has been authored by Dhruti Lunker and Isiri S.D., students at Tamil Nadu National Law University.]
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history.” –Gen. Keith Alexander
With ‘survival of the fittest’ being the motto of existing global markets, there is cut-throat competition as it is every company’s objective to reach the top of the ladder of success first. Healthy competition is always encouraged, but when the means to achieve victory is unethical and illegal, the same can distort the spirit of others in the field. Physical theft of confidential documents and information to obtain the competitors’ secrets has become obsolete in the present era of ‘Go Virtual’. The advent of technology has made ‘cyberspace’ the most frequently used medium for theft of confidential information such as trade secrets, business plans, technological surveillance, etc. Our increased reliance on IT systems and cyberspace has paved way for corporate espionage through the exploitation of cyberspace (for the purpose of this post, all references to corporate espionage shall be limited to cyber-espionage). This makes it extremely difficult to trace as cyber thieves use ultra-modern technology that consists of spear-phishing, ransomware, and zero-day malware attacks, etc.
About Corporate Espionage
Corporate Espionage is the practice of obtaining confidential information from other companies through illicit and unethical means to gain a competitive advantage. In the context of corporate espionage, it is equally relevant and important to talk about ‘competitive intelligence’. The objective of both corporate espionage and competitive intelligence is to gain a competitive advantage over other players in the market. Notably, the former is ‘negative’, while the latter is the ‘positive’ side of the same coin. In developing competitive intelligence, companies gather and analyse information about the industry and its competitors through various sources. These include the competitor’s websites, analyst reports, etc., to formulate their business strategy. Evidently, the differences between the two are as blurry as can be. Competitive intelligence, if efficiently utilised, can act as a real game-changer as it promotes innovation and helps in formulating long term strategies.
With companies placing complete reliance on the technology, corporate espionage has become even more enticing in today’s day and age owing to its ‘low cost – high yield’ and convenience. In this regard, the most prone to corporate espionage are ‘trade secrets’, thanks to their significant role in market competition. The European Commission, in its report, has stated that secrecy for a business is as important as patents or other IP for any scale of business organization. Moreover, a study conducted by the European Commission in 2016 revealed that in the last decade, twenty percent of businesses had experienced at least one act, or attempt, of theft of ‘secret information’. Therefore, the exposure of ‘trade secrets’ to theft is quite explicit.
What is a Trade Secret?
The phrase ‘Trade Secret’ has not been defined under any Indian statute or even the TRIPS Agreement. In common parlance, ‘trade secret’ refers to a secret process, technique or formula used for the manufacturing or processing of a product. However, Indian Courts, based on the principles of equity, have observed that the concept includes ‘not only secret formulae for the manufacture of products but also, in an appropriate case, the names of customers and the goods which they buy or method of business adopted by an employer which is unknown to others.’ Thus, any information that is confidential, undisclosed, and has extraordinary value may fall within the ambit of a trade secret. In India, trade secrets are regarded as a soft intellectual property as they are not protected by registration or any specific IP legislation.
Need for Legislation
It can be said with certainty that a major cause for rampant corporate espionage in India is the absence of specific legislation for the protection of trade secrets. In cases relating to the protection of trade secrets, Indian courts have relied on principles of equity and the law of contracts to provide relief. However, the lack of clear policy comes to centre stage with alarming instances of espionage that have stunned the corporate sector and government alike. For instance, not too long ago, the Nuclear Power Corporation of India Limited, a government-owned company that operates twenty-two commercial nuclear reactors, verified that a cyber-attack was initiated on its system through malware designed for data extraction. An assessment by the cybersecurity group revealed that critical information was accessible to hackers. It is hugely contemplated that the attack could have happened for two plausible reasons – firstly, to steal technical data relating to reactors’ design, coolant system, fuel handling, etc.; secondly, to gauge the security mechanism of the Kudankulam Power plant.
When confidential information is shared by an insider, there is no iota of doubt as to its authenticity. This hypothesis is best illustrated by the case of espionage against Tata-owned, VSNL by its employee. It was alleged that the Managing Director’s Secretary had shared the agendas of the Company’s board meetings with its competitor. The police had charged the suspect under Section 408 of the Indian Penal Code that punishes a clerk or servant for criminal breach of trust, as it was believed that he had siphoned INR 8.7 lakhs from the company’s accounts in addition to sharing confidential information. Before the server and gateway equipment could be traced, the suspects discarded them, leaving the investigation at a dead-end. The illustrations of espionage do not even scratch the surface and further, it is pertinent to note that such instances are not often reported voluntarily due to the fear of staining the company’s reputation.
The Information Technology Act, 2000 (‘IT Act’) is the only law regulating cyberspace in India. The Act punishes offences like data theft, damage to a computer source, unauthorised access, etc. Prima facie, the provisions of the IT Act seem instrumental in controlling the acts of cyber-espionage, they are toothless in practice. The IT Act does not have specific provisions dealing with and penalizing corporate espionages. Application of analogous provisions of the IT Act may be inadequate to control such acts of corporate espionage. For instance, sub-section (a) and (b) of Section 43 of the IT Act read with Section 66 penalises unauthorised access to a computer system and extraction of data from a computer without authorisation from the owner with fine, imprisonment or both. Even when the case falls squarely within the contours of this provision, the criminal would be subjected to a meagre fine of a maximum five lakh rupees or imprisonment of up to three years, while the theft of such sensitive data would be worth millions to the right buyer. This penalty-to-effect disproportionality is a major inadequacy of the IT Act in controlling acts of corporate espionage. Another significant issue in the application of IT Act for regulating such acts is the lack of harmonisation of laws relating to data protection, cyber-security and intellectual property. In this regard, the need for a trade secret legislation can be emphasised along with the introduction of tailor-made provisions in the IT Act specifically dealing with the acts of corporate espionage (possible changes in this regard are discussed in a later section of this post).
A comparative analysis of how trade secrets are regulated across different countries also provides a compelling justification for enacting a separate law on trade secrets. For instance – United States & India were in the same boat before the US enacted legislation on trade secrets. In light of a steady rise in cases of trade secrets theft, the US Congress realised that the protection of intellectual property and trade secrets was crucial for a healthy and secure economy. Consequently, the United States introduced the Economic Espionage Act in 1996, federal legislation that governs foreign economic espionage and criminalises the commercial theft of trade secrets. In addition, there is the Uniform Trade Secrets Act (‘USTA’) that governs the protection of trade secrets in individual states based on their adoption. As of now, 47 states in the US have adopted UTSA. The former provides for criminal actions against perpetrators, while the latter focuses on the protection and enforcement of trade secrets. Both legislations complement each other to a great extent and thereby, provide for both criminal and civil actions respectively. It was revealed that the administration became more efficient due to the adoption of these legislations and had begun pursuing more investigations. Consequently, the number of prosecutions rose by 30%. The Federal Bureau of Investigation established a Counter-Intelligence Division (CD) that works with private organisations, to combat economic espionage and prosecutes trade secret thefts. Between 2009 and 2013, the department saw a 60% rise in the number of prosecutions. The FBI is also actively engaged in raising public awareness about the same using Counter-Intelligence Strategic Partnership Program (CISPP).
The UK enacted the Trade Secrets Regulations 2018, for ensuring uniformity on the subject matter across the European Union. Its objective was to reconcile the definitions of ‘trade secret’ with internationally binding standards and provide for different forms of misappropriations. This was merely an addition to the well-established legal structure for the ‘protection of trade secrets’ through common law and contract law. The enumeration of the prevalence of trade secret laws in India’s counterparts is extremely relevant since it unveils a success story.
It is pertinent to note that ‘undisclosed information’, including trade secrets, is given recognition and enforceability in the international law regime as well, under the Trade-Related Aspects of Intellectual Property Rights (TRIPS) Agreement. Article 39 of the agreement provides for the protection of ‘undisclosed information’ against use in an unauthorised manner contrary to honest commercial practices. The aforesaid provision mainly focuses on the protection of trade secrets and know-how from commercial exploitation and unfair competition. Articles 42-49 of the TRIPS Agreement make provisions relating to the enforcement of intellectual property, i.e. initiating judicial proceedings to enforce intellectual property in case of infringement, and also protecting confidential information from being disclosed.
One reason for opposing the need for having a law on trade secrets is the prevalence of common law remedies and principles of equity that the Indian Courts have relied on so far. On the contrary, however, it is important to understand the ease and convenience of applying a statute over other sources of law. A statistical survey was conducted in the US on the evaluation of trade secret litigation which revealed that the courts preferred applying statutes (i.e. Uniform Trade Secrets Act) over resorting to the principles of equity or common law remedies. In India, statutes are one of the primary sources of law. Any court, while adjudicating a dispute, would refer to the legislation governing the subject matter and only in its absence, refer to the common law remedies and principles of equity. Therefore, India must consider resolving the conflicts of trade secret theft, or misappropriation, with a specific statute suiting the Indian scenario enacted in that regard.
The need for specific legislation on trade secrets has contemporary relevance in our pandemic struck the world. Most global powers (including India) are in the race to discover a vaccine against the deadly coronavirus. In this regard, it is crucial to mention that the US, UK, and Canada had accused Russia of targeting British Labs, conducting COVID-19 vaccine research through a hacking group called APT29 to steal valuable intellectual property. The UK’s National Cyber Security Centre has expressed its certainty that the APT29 was a part of the Russian Intelligence Services. The race for the vaccine is progressing at a great pace and various pharmaceutical companies are undertaking expensive R&D to develop the formula for the vaccine. At this juncture, any theft of confidential information would prove detrimental for the companies possessing the vaccine formula to the extent it would deteriorate the commercial value of their product formula. In the absence of a trade secret law and strong cyber laws, the Indian Pharmaceutical Industry cannot afford to be exposed to the wrath of the growing corporate espionage. This is just an example to throw light on the importance of a statute for the protection of trade secrets as owing to cut-throat competition globally; the world will witness many such instances of espionage.
Recommendations And Conclusion
The world is witnessing a shift from conventional systems to highly equipped technology. This has pushed the cyberspace to become the most frequent and convenient mode for exchanging information and storing data. Of late, the cyberspace is being exploited for the exchange of secret information constituting trade secrets and other coveted information. In light of the aforesaid, the enactment of a separate statute on the protection of trade secrets can prevent the rising trend of corporate espionage.
Further, to cope with the technological advancements and multifarious challenges that it poses, amendments are required to the Information Technology Act, 2000 to include provisions dealing directly with cyber-espionage and its harmonization with data protection and intellectual property. For the protection of trade secrets, it may be recommended that a separate chapter dedicated to corporate espionage be introduced in the IT Act and which should be read with legislation dealing specifically with the protection of trade secrets. The Economic Espionage Act of the US could be a helpful reference in this regard. Together, the two can act as a wholesome deterrent against acts of theft of confidential information and especially, cyber-espionage. Lastly, strengthening the monitoring systems in companies to track any attempt of corporate espionage and mandating compulsory non-disclosure agreements with all its employees and other relevant persons would also be highly beneficial in curbing the growing trend in corporate espionage