Employee Confidentiality, Trade Secrets, And Contracts: Responsibility And Importance

29th June, 2022 - 12:20 pm Categories: Intellectual Property 0 Comments

Recently we came across a piece of news in the Times of India mentioning a woman engineer who has been charged with stealing data from the company she was employed. The company based in the MIDC Waluj area of Aurangabad is an ancillary unit of a leading automobile company responsible for manufacturing spare parts. The first information report (FIR) was filed with the cyber-crime police, who revealed that the data taken was connected to the design of spare parts valued at 14.47 crore in rupees.  This raises the question what is data? Why is data considered valuable? Why are the employers or companies filing a police complaint against the employee?

A few decades back, one would not have even known or thought how valuable a resource data would become; in this day and age where the civilization has started to rely on internet usage solely, data has become the fuel. According to Section 2(1)(o) of the IT Act, 2000,  means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and are intended to be processed, are being processed or have been processed in a computer system or computer network, and maybe in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. Data in its most superficial meaning is facts, figures, or information generally stored in or used by a computer. To further understand data, which can be a simple e-mail or a well-written research paper published in a database. Considering the era we live and are entering, data has now become one of the most general critical pieces of an asset for any organization or individual. Essentially data has been termed the oil of the digital era Moreover, economists have given their verdict about its valuation of it. Data can amount to personal information, client database, algorithms, software, trade secrets, business models, blueprints, and research data which is the biggest weapon in an organization’s arsenal. Not only that, consider military data for once, which are primarily blueprints and designs for bombs, bio-weapon and machinery; what happens if a hacker steals the data and sells it to terrorists. Corporate espionage has become common to dominate a market or industry to make and break organizations. It is frightening that a vast quantity of data can be stored in a mere pen drive, CD/ Hard disk, which is easy to copy and easily transported compared to many documents.

Breach and theft of digital data is a massive fear among people at an individual level and an organization level, which we surely can relate to now, considering how Indians panicked when it was reported that their personal information was leaked from the Facebook server in 2019. According to a survey, our country placed third in the world in terms of data breaches, with 86.63 million Indian users compromised between November 2021 and November 2022. In India, the number of impacted accounts increased by 351.6% over the previous year. Around 19.18 million Indian consumers’ data was compromised in 2020 alone. According to CERT-In (Indian Computer Emergency Response Team) statistics, the first two months of 2022 recorded more cybercrime than in 2018. The information technology ministry’s CERT-In is the primary organization for dealing with cyber security concerns.

Unlike the European Union, which recently implemented the ‘General Data Protection Regulation,’ replacing the Data Protection Directive, India lacks a comprehensive data protection law. However, the Information Technology Act 2000 is the primary Indian law that rules and regulates the majority of cybercrime and e-commerce, with data theft being one of the most serious. Although, a recent Supreme court judgement in the case of Jagjeet Singh v. The State of Punjab {Special Leave to Appeal (Crl. No(s). 3583/2021} found that, in addition to being responsible under the IT Act, 2000, a person is also liable under the IPC, 1860, for offences such as hacking, data theft, and so on.

What exactly is Data Theft?

In simple terms, ‘DATA THEFT’ refers to the illegal/unapproved copying, replicating, removal, or theft of secret, valuable, or personal data/data from a firm or business without its knowledge or approval. Stealing or hacking passwords, financial or banking information, personal information of customers/other employees, information of importance to a company such as trade secrets, client database, software, supply codes, confidential information, information that the company is required to protect, hacking into databases, and many more in line with these are examples of information crimes.

Employees are, without a doubt, a company’s most valuable asset. On the other hand, one can become an enormous liability if they fail to follow the security procedures to secure firm information or do something to damage an individual’s privacy or gain sensitive information. Employee data theft most commonly occurs when employees leave the organization due to termination or layoff. Employees have easy access to important data locations, intimate knowledge of how the organization operates, and a potential departure path with critical data, making data theft easy. An employee’s behaviour exposes not just the offending employee but also the legal body that stores or manages such data or sensitive personal information to respond.

In our Indian law, the word ‘Data Theft’ has not been defined. There is no absolute provision or enactment to deal with cybercrimes. Hence, the charges against any alleged person are mainly built on precedents. Although, the most significant provisions which allow governing such cases are contained in a combination of the IPC, 1860 and the IT Act, 2000.

The term ‘theft’ is defined under Section 378 of the Indian Penal Code of 1860. It states that any person whosoever intends to take possession of any movable property, dishonestly and without the person’s consent to whom it belongs, shall be convicted. Movable property has been explained under Section 22 of the IPC, 1860 as any material property of any description, except land and things attached to the earth or permanently fastened to anything attached to the earth. Therefore, as per the Indian law, if theft is committed concerning the movable property in this regard information or data, Supreme Court has stated in the case of  Jagjeet Singh v. State of Punjab & Anr. [Special Leave Petition (Criminal) No. 3583 of 2021] provisions of IPC and IT Act would be applicable in the matters of Data Theft.

Accusations brought against employees turned into Data Thieves like the woman Engineer in this instant:

The provisions contained in IPC, 1860 and IT Act, 2000 can be conjured against the culprit, which is mainly-

• Section 405 & 408 of IPC defines criminal breach of trust as dishonest or misappropriate dominion over property or disposes of that property entrusted to them based on trust or any legal contract.
• Section 381 of IPC states theft by clerk or servant of property in possession of master, which means whoever being employed in any capacity, commits theft in respect to any property in possession of master or employer shall be punished and convicted.
• Section 43(b) of the IT Act states that unauthorized downloading, copying or extraction of information, data, or databases is punishable by fines and compensation.
• Section 66 of the IT Act deals with data theft, whereas information disclosure in violation of a legitimate contract is punished under Section 72(A).

Similarly, on February 26, 2020, in the matter of Devendra Rameshchandra Jain v The State Of MaharashtraThe petitioner Awadhesh Kumar Paras Nath Pathak, who worked for Cosmo Films Limited Company, filed a petition. The applicant’s resignation was approved, and he went on to work for Jindal Polyfilms Ltd. The applicant had made one Sachin Gore copy of data without his awareness; it was discovered later. The duplicated files contained information on film manufacturing, product rates, commission value, manufacturing line, and production line, among other things. Many crucial documents connected to Cosmo Films’ production and commercial strategies were housed in this folder. The lawsuit was filed against the applicant under Sections 408, 420 of the IPC, Sections 43(b), 66 C, and 72 of the IC Act, 2000.

“PREVENTION IS BETTER THAN CURE”

It is always better to be safe than sorry; now, in this instant, the woman engineer who was an employee of the company has allegedly stolen a bunch of design-based data of spare parts while she was working on them with the R&D team, but if the woman wanted to take the information and data which she had worked on while moving on from the company, is she at fault? There can be a question raised that she was unaware that taking the data along with her would result in data theft and police FIRs. Though a very imaginary scenario concerning our case in hand, this is plausible until evidence shows otherwise. Therefore, considering this very imaginary and lack of awareness scenario, one might genuinely nod a yes, to the question; How speedily and not so thoroughly did one go through their employment agreement? We want to ascertain that it is of utmost importance from the employer to the employee to be aware and made be aware continuously and comprehensively, which is confidential; which is a trade secret; mark them exclusively.

It is both the employee and employer’s utmost responsibility that policies are clarified, contractual obligations are well reminded, and anything of significance such as trade secrets should be marked confidential. The employer should set up contingencies and secure a workspace to make sure they can monitor any employer’s e-mail traffic and access for any unusual activity, which would also help in terminating access and accounts as soon as the employee departs.

CONCLUSION:

We have seen plenty of doctors amputating a body part to prevent infestation and avoid harm to the main body; similarly, protocols should be placed in an organization to do the same when an employee is a liability to safeguard the main body. As we see how vital data has become in this digital era, it is imperative to ensure we do right by what is ours. The fact will always remain that an employee should always adhere to the policies of his/her employer. However, digital technology and motives unknown have made these white-collar crimes the most significant threat. The fact remains that organizations are pretty vulnerable to the lack of legislation and provisions available in India.

Earlier, we have seen convicts escape the charges because their intelligent lawyers somehow would bring up a precedent case which would allow them to be only charged under the IT Act and not IPC, howsoever with the recent verdict of SC in  Jagjeet Singh v. State of Punjab & Anr. dated 18-05-2021 it has been stated that a person shall be held liable under provisions of both IPC and IT Act for offences such as data theft & hacking.

This gives us hope and probably will establish confidentiality as the unspoken norm which will be ingrained in the mind of employees as business and corporate etiquette.

Author: Anirban Panja – a student of Rajiv Gandhi School Of Intellectual Property, (IIT Kharagpur)  currently an intern at Khurana & Khurana, Advocates and IP Attorney, in case of any queries please contact/write back to us via email chhavi@khuranaandkhurana.com.