VIDEO CONFERENCE DURING COVID 19: SECURITY CHALLENGES AND PROTECTING CONFIDENTIALITY

 21 July 2020   |    Common Post

There is a massive amount of data, information, views, screen sharing information and analysis which is being exchanged through several electronic means particularly video conferencing and audio-visual means due to Covid 19 restrictions.  The information collected are shared between employees, consultants and stored for a duration in the server which is accessed by IT Department and personnel who maintain IT Equipment and servers. Several times there may be tightly worded Non-Disclosure Agreement (NDA) with Research and Development Teams or senior management. The management of a company now may not even think of doing detailed and well-crafted Non-Disclosure Agreement with I-T Team or the Admin team who manage the IT Infrastructure. The problem gets accentuated when this IT operation, storage and maintenance is also outsourced to third parties. The entire concept of disclosing confidential information to specific staff/employees on ‘need to know’ basis has seen transformational changes since the onslaught of the coronavirus pandemic.

In between the term of an agreement it is difficult for companies to execute fresh NDAs or amend prevailing contractual arrangements. The amount of data exchanged which was otherwise happening in one to one physical meetings at offices (pre Covid 19 situaiton) is now not only shared online but stored online. If such data is read, understood and divulged to complete outsiders oraly by members who control the IT Infrastructure, it can lead to massive losses and strategic disadvantage to Companies.

Clearly with the restrictive operation of Indian Courts, firstly approaching Courts and getting an favourable injunction order within 72 hours is a challenge. Further, identifying the point when information accessed is unauthorized and then proving that the disclosure of the information did happen to third parties in the current scenario through such person privy to such data or intercepting such data has necessitated dedicated attention to the subject matter.

This short article will examine the core meaning of Trade Secret and Confidential Information as understood in India, referring to brief understanding from United States of America and United Kingdom. The article will quickly cover the safety nets as per Information Technology Act, 2000 and decisions by Indian Courts protecting confidential information.

THE INFORMATION DISCLOSED IN VIDEO CONFERENCES OR VIRTUAL MEETINGS MAY AMOUNT TO BEING TRADE SECRET OR THEY MAY BE MERELY A PROPRIETARY INFORMATION OF THE ORGANISATION
 

The ambit of proprietary information is wider than Confidential Information. The ambit of trade secret is narrower than confidential information. Almost 80 years back in the American Law Institute's Restatement of Law of Torts (1939), as outlined in Section 757 (b)
‘trade secret was understood to mean any formula, pattern, device or compilation of information which is used in one's business, and which gives him an opportunity to obtain an advantage over competitors who do not know or use it.’

It may be a formula for a chemical compound, a process of manufacturing, treating or preserving materials, a pattern for a machine or other device, or a list of customers ... It differs from other secret information in a business ... in that it is not simply information as to single or ephemeral events ... A trade secret is a process or device for continuous use in the operation of the business. 

Almost 50 years later, the United States of America enacted the Uniform Trade Secrets Act, 1989. Section 1 sub clause (4) defines  ‘A trade-secret means information, including a formula, pattern compilation, program, data, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by other persons who can obtain economic value from its disclosure or use, and ' (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Thus, the "novelty" of the information is not essential, but it should be inaccessible. The information should be crucial to the holder due to its potential value.’

 

IN A VIDEO CONFERENCE – INFORMATION OR SCREEN SHARING IMAGES OR DATA – ARE THEY CONFIDENTIAL?

The data may be pertaining to the Organization. The information may also be an analysis, trend or forecast or trade secret may be a skill or cumulative number of years of experience built up by individual employees in relation to practical implementation of technique or processes and ‘it indicates the way in which a skilled man or woman does his or her job.’ To illustrate the development and research team of an Organization who has developed and fully aware of the technical specification, nuances of coding and development and methods of customizing the same gives a presentation of the same before the marketing team over a video conferencing facility. The product about which the presentation was made is yet to be launched in the market and the data gets leaked. While investigations are going on, since more than 30 members participated in the video conference, company seeks injunctive relief. How do we classify this information?

The data shared about from being confidential, is a an output of cumulative years of experience built up by the research and development team of the Organization as how a feature or idea can be practically implemented by writing a code and integrating the same in a certain way or deploying a technique or process to achieve it. In India, know-how and trademark are mostly understood to belong to the same genre. However renowned expert Francis Gurry way back in 1984 wrote a book name ‘breach of trust’ within which he writes - know how developed ‘technical knowledge of industrial significance developed over a period of time’ may be ‘know how’ but may not be construed as ‘trade secret’.

The increasing level of communication and exchange of insights and perspectives over video conferencing or calls have exposed organizational knowhow to technological vagaries of interception, unauthorized storage and open to be used later (may be quite a few months later).

‘BREACH OF TRUST’ – COMMON LAW PRINCIPLES - INDIA AND UNITED KINGDOM

Both countries India and UK have looked at principles of ‘breach of trust’ clearly outlined in tort and common law to protect unauthorized disclosure of confidential information and proprietary information.

IN UNITED KINGDOM

One of the first expositions and application of breach of trust principle was in year 1948 before English Court of Appeal in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd

The Saltman Engineering case is important because, prior to this, there was contention and discourse surrounding the fact that a contract between the parties must exist before liability for breach of confidence could be invoked. Saltman Engineering Case made it clear that breach of confidence is a distinct cause of action and liability exists quite separately from any other legal action. As per the main ratio or decision - for an idea or information to be confidential, it should meet the following requirements: (a) The idea or information should be something which is not in public domain or is public knowledge; (b) From the idea or information, it should be clear that the maker of the confidential information has used his brain (implying the creative process) and thus produced a result (being the idea or information) which can only be produced by somebody who goes through the same process. Thus, on the fulfilment of the aforesaid requirements, any idea or information will qualify as confidential, for Courts, in a case of breach of confidence. The idea or information can be a confidential document, a formula, a plan, a sketch, or any particular falling within the parameter set out above.

IN INDIA

The Bombay High Court during 2003 distinguished the law of breach of confidence from the law of copyright. “The law of breach of confidence is a breach of trust or confidence – "is a broader right" than the proprietary right of copyright. In other words, the Bombay High Court has held that the right to maintain the secrecy of confidential information or an idea is a wider spectrum of rights, which may also include intellectual property rights, recognized by the statues. To constitute a breach, it has to be established that the unauthorized use of confidential information or an idea provided a spring-board because of which the infringer obtained an unfair advantage over its competitors or against the maker/owner of the confidential information or idea., as to what the maker/owner, in a breach of confidence action must address:

 

The information or idea relied on by the infringer, in order to obtain an unfair advantage, must be clearly identified

 

The information or idea was handed over to the infringer, in the circumstance of confidence

 

The information or idea can be classified as confidential

 

The information or idea was used, or threatened to be used without authorization

 

Read Zee Telefilms Ltd. and Anr. Vs Sundial Communication Pvt Ltd. (2003 (5) Bom CR 404) reiterated the principles set out in CMI Centre for Medical Innovation GMBH and Anr. Vs Phytopharm PLC (1999) FSR 235

Hear the full Article

INDIAN COURT’S EXPOSITION ON TRADE SECRETS

A trade secret has an element of uniqueness or excl


usivity with sufficiently developed technical intricacies, not in the realm of public knowledge. A trade secret may be based on a single factor or on an idea, or combination of many factors or ideas, and thus a trade secret cannot be defined or restricted to a set of activities or ideas. It was further observed that a trade secret can exist independent of and without protection available under the Copyright Act, Trade Mark Act, Designs Act and Patent Act. In other words, a set of activities, ideas or information, not in public knowledge, which are unique and exclusive to a business, developed for the purpose of the business, will qualify as a trade secret. [[][[]]Trivitron Healthcare Pvt Ltd Vs Shivram Iyer and Ors (2018) 1 CTC 430]

In the case of Fairfest Media Ltd. v. ITE Group, the Calcutta High Court ordered for return of all confidential and proprietary information and compensation for any losses suffered due to disclosure of trade secrets (using this term interchangeably with confidential information). Similarly, the Delhi High Court held, in the case of John Brady v Chemical Process Equipment P. Ltd, irrespective of whether there is a contract in place or not, no one is allowed to benefit and unfairly gain from using the information received in confidence. 

On the breach of confidence, the Organization may seek injunctive relief either before regular civil court, commercial court. In the event there is an arbitration clause in the contract or employment agreement / business arrangement such Organization can approach the Court by way of an interim application for an injunction under Section 9 of the Arbitration & Conciliation Act, 1996. There is a need for Organizations to evaluate an internal redressal team to continuance conduct surveillance audits and track the actual usage of such content and outcomes shared in video conference.

 

THE THREE STAGE TEST OF ‘CONFIDENTIAL INFORMATION’ IN UNITED KINGDOM

A three-stage test under law of United Kingdom for determining whether information is 'confidential information'. The High Court in the case of Kerry Ingredients (UK) Ltd v Bakkavor Group Ltd [[][[]]2016] considered the application of this test.

(1) There must be a 'quality of confidence' to the information.

The information must be objectively confidential, and not just treated or labelled as confidential by the holder. A court is more likely to be satisfied that the information has the necessary quality of confidence if the holder of the information can show the steps taken to maintain its secrecy; marking it as 'confidential' could evidence these steps. Some forms of information may be easily recognisable as confidential. For example, a business strategy, secret formula, algorithm or industrial process that is important to the business and known only to a select few individuals. In contrast, information which is based on data that is already publicly known or is widely shared will almost certainly not be confidential.

(2) The information must be provided in circumstances giving rise to an obligation of confidence.

This test requires an assessment of whether the receiver of the information knew, or ought to have known, that the information imparted is confidential, and that they were under a duty to keep it secret. This may be proved by reference to a contractual obligation which has been imposed on a party receiving confidential information, typically via a non-disclosure agreement.  However, an obligation of confidence can sometimes arise automatically from the circumstances of the disclosure or the relationship between the parties. For example, an obligation of confidence is implied where confidential information is disclosed by an employer to an employee.

(3) There must be unauthorised use or disclosure (actual or threatened) of the confidential information which has or will cause a detriment to the information owner.The use of the confidential information will be unauthorised where no permission has been provided to the recipient to use or disclose the information, or if the information was disclosed for a particular purpose and has been used for another unauthorised purpose.

Importantly, the confidential information must also have been used in a manner which may cause a detriment to the information holder. Where the information is not widely known, mere disclosure of the information may be considered sufficient. However, where the information is based on reverse engineering or constructed from publicly available data, it may be necessary to show that the information has provided a 'springboard' competitive advantage to the recipient over others.

In this case the Court notably touched upon reference to Confidential Information within the purview of solely injunctive relief or also substitution of the said relief by way of computing appropriate damages.

Justice Arnold J’s decision in Vestergaard Frandsen A/S v Bestnet Europe Ltd [[][[]]2009] EWHC 1456 (Ch)[[][[]]2010] FSR 2 in paragraph 41 of his judgment states:

"in the absence of specific discretionary reasons for the refusal of an injunction, where the claimant has established that the defendant has acted in breach of an equitable obligation of confidence and that there is a sufficient risk of repetition, the claimant is generally entitled to an injunction save in exceptional circumstances. In deciding whether there are exceptional circumstances which justify the refusal of an injunction, the approach laid down in Shelfer is applicable, if not directly then by analogy."

In Shelfer v City of London Electric Lighting Co [[][[]]1895] 1 Ch 287. There, A. L. Smith LJ said (at 322-323):"Many Judges have stated, and I emphatically agree with them, that a person by committing a wrongful act (whether it be a public company for public purposes or a private individual) is not thereby entitled to ask the Court to sanction his doing so by purchasing his neighbour's rights, by assessing damages in that behalf, leaving his neighbour with the nuisance, or his lights dimmed, as the case may be. In such cases the well-known rule is not to accede to the application, but to grant the injunction sought, for the plaintiff's legal right has been invaded, and he is prima facie entitled to an injunction. There are, however, cases in which this rule may be relaxed, and in which damages may be awarded in substitution for an injunction as authorized by this section. (Emphasis Applied)

In any instance in which a case for an injunction has been made out, if the plaintiff by his acts or laches has disentitled himself to an injunction the Court may award damages in its place. So again, whether the case be for a mandatory injunction or to restrain a continuing nuisance, the appropriate remedy may be damages in lieu of an injunction, assuming a case for an injunction to be made out.

In my opinion, it may be stated as a good working rule that —

(1.) If the injury to the plaintiff's legal rights is small,

(2.) And is one which is capable of being estimated in money,

(3.) And is one which can be adequately compensated by a small money payment,

(4.) And the case is one in which it would be oppressive to the defendant to grant an injunction: then damages in substitution for an injunction may be given.

 

Trade Secrets (Enforcement, etc.) Regulations 2018

Trade Secrets (Enforcement, etc.) Regulations 2018 was enacted implementing the European Union Trade Secrets Directive. The Trade Secret (Enforcement, etc) Regulation 2018 is applicable for England and Wales, Scotland and Northern Ireland. Any Entity / Organization from India or South Asia intending to do business in these countries have to adhere to the prescribed standards.

There is considerable overlapping of principles while applying law of tort (common law) and specific statutes protecting confidential information.

 

An Act specifically to address the issue of protecting confidential information, trade secret and innovation conceived in India during 2008

The Department of Science and Technology introduced the Draft National Innovation Act, 2008 with the objective to 'codify and consolidate the law of confidentiality in aid of protecting Confidential Information, trade secrets and Innovation'. Provisions in connection with trade secrets are found in Chapter VI of the Innovation Bill, titled "Confidentiality and Confidential Information and Remedies and Offences". Section 8 of the Draft Act recognizes the contractual right of parties to set out terms and conditions in respect of confidentiality. In India as well as globally, it is already common practice to enter into confidentiality and non-disclosure contracts with employees to prevent them from disclosing trade secrets or confidential information

The Draft Act however, significantly also provides for confidentiality arising from non-contractual relationships; arising in equity or as a result of circumstances imparting an obligation of confidence [[][[]]Section 8(3)]. Section 10 provides remedies to protect and preserve confidentiality and orders to prevent threatened or apprehended misappropriation.

Section 11 lays down three exceptions to misappropration of Confidential Information: (a) availability of the information in the public domain, (b) the information has been independently derived, and (c) disclosure of the information is held to be in public interest by a court of law.

The above exceptions are also extracted by contract lawyers regularly while reviewing and vetting non-disclosure agreements.

Significantly, Section 12 is an extensive section providing for preventive or mandatory injunctions restraining the misappropriation of confidential information. An injunction, being an equitable remedy, is generally only issued when other remedy at law (such as damages) is inadequate.

However, the above Act is still not passed and the entire reasoning of granting an injunction for breach of confidentiality obligation is drawn from the Court decisions in India.

FRAMEWORK TO RESTRICT UNAUTHORISED ACCESS OF INFORMATION UNDER INFORMATION TECHNOLOGY ACT, 2000
 

In a video conference wherein more than 30 participants are engaged in the conference and people are speaking to each other sharing screens how can we trace who is an ‘originator’ as understood under 2 (za) of the Information Technology Act, 2000. The access to all other members is voluntarily granted by the Company or the client and after gaining lawful access there is a wide dissemination of confidential and proprietary information within the virtual meeting room. The conjoint reading of the sections from Section 41 to 72 of the IT Act will not directly answer and provide a direct remedy under the IT Act.

The IT Act’s specific provision will only apply to a person who through powers granted under the same act or rules has secured access to electronic records, information, documents, correspondence and then proceeds to disclose such electronic record, information, document or other material to any other person shall be punished for a period of two years and fine extending to one lakhs INR. The same clearly does not contemplate a situation of extensive sharing of information within a virtual meeting room as access to these 60 employees/consultants are given by in an unauthorized manner. Additionally, if the information so disclosed in such meeting is orally disseminated to third parties particularly competing companies or businesses within similar business verticals it may create irreparable damage and long term road block for launch of products and services for the disclosing company.  

Section 72A of the IT Act is more relevant as it covers instances and situations wherein parties who are bound by contract with each other secures access to confidential information and knowingly discloses such information to third parties completely aware that such disclosure will lead to wrongful loss to the company / entity pertaining to whom such confidential information is disclosed.

The amount of damage is computed at Rupees 5,00,000/- (may around 7800 USD) and an imprisonment of maximum 3 years.

Since the onset of video conferencing fresh issues and dissection of each legal relation created while business communication and information are exchanged over a video conference needs an assessment. The available statutory framework does not directly include situations like this. Thus, the only option available is to trigger laws pertaining to breach of trust and revisit tests laid down Courts in United Kingdom and India to protect trade secret and confidential information.

 


Few of the above issues formed a part of representations and arguments made by Common Law Chambers to secure injunctions to prevent unauthorized disclosure of confidential information under various circumstances by ex-employees or business partners in India.
 

Copyright © All rights reserved

Cookies and Privacy

We use cookies to improve your experience on our website. To find out more, read our updated Cookie policy, Privacy policy and Terms & Conditions