The theft of confidential company information has been on the rise since the start of the coronavirus pandemic, where the move to working from home has resulted in less stringent safeguards to protect information than would otherwise exist in the office, says law firm ENSafrica.
A recent report by cybersecurity software company Code42 found that when workers walk away from their jobs, they’re increasingly bringing home sensitive company data, and found that there was a 40% increase in “data exposure events” between the first half of 2020 and the first half of 2021.
What can employers and other affected parties do when their sensitive information is leaked, stolen, or otherwise compromised?
As with all legal questions, the answer depends on the facts and circumstances, say ENSafrica’s Era Gunning (executive: banking and finance department), Nicole Gabryk (executive: dispute resolution department), André Maré (executive: intellectual property department) and candidate attorney Jeremy de Beer.
The potential options include:
Crime of theft
When an employee steals information, the obvious answer may be to lay a charge of theft. However, it is not as simple as this. Theft requires an intention to deprive an owner of their property permanently. If an employee were to steal physical documents, or a hard drive, this would be sufficient to sustain a charge of theft.
Where an employee copies the information and later distributes those copies, the employer has not been permanently deprived of their property.
Although an argument could be made that the copies are also the property of the employer, and as such theft of such copies is still theft, because the employer has been permanently deprived of those specific copies, it is likely more advisable to pursue a copyright claim where there has been unlawful copying of information.
Copyright infringement
A copyright infringement can have civil and, in limited circumstances, criminal consequences. In terms of the Copyright Act, an employer would be able to pursue a civil claim for copyright infringement against an employee who unlawfully copies information protected by copyright where the employer is the owner of such copyright.
This position is protected under the Copyright Act, with ownership generally determined by the type of work involved, while employers are also strongly advised to include terms to this effect in employment agreements, thus removing any doubt regarding ownership in works of copyright. These works would generally include documents, reports and the like created by the employee in the course and scope of their employment, and may also include artistic works or computer programs/software.
A criminal case is also possible. Section 27(1)(f) of the Copyright Act provides that “any person who at a time when copyright subsists in a work, without the authority of the owner of the copyright, distributes for any other purposes to such an extent that the owner of the copyright is prejudicially affected […] shall be guilty of an offence”.
Delict of unlawful competition
Another potential avenue, in parallel to pursuing a copyright infringement, is to rely on the delict of unlawful competition.
This claim can take many forms, including the misappropriation of confidential information or trade secrets – that is, using or disclosing information that is useful, not publicly available and has commercial value which was imparted or received in confidence, often in a fiduciary or employment relationship.
This would require proving all the usual elements of a delictual claim: wrongful conduct of a competitor using or disclosing confidential information, which has caused harm to the owner of that information, and that such conduct was intentional or negligent. In essence, it is much the same as a general civil claim for damages.
Competition Act
The disclosure of competitively sensitive information to a competitor may also constitute a contravention of the Competition Act.
Generally, competitively sensitive information includes information about an entity’s pricing, trading terms, customers, costing, strategy, innovation, profitability and marketing that is not in the public domain and that affects its competitive offerings.
Where an employee of a firm provides competitively sensitive information to that firm’s competitor, this may constitute a contravention of section 4(1)(a) of the Competition Act, which provides that “an agreement between, or concerted practice by, firms or a decision by an association of firms, is prohibited if it is between parties in a horizontal relationship and if it has the effect of substantially preventing or lessening competition in a market, unless a party to the agreement, concerted practice, or decision can prove that any technological, efficiency or other pro-competitive, gain resulting from it outweighs that effect”.
An exchange of competitively sensitive information may contravene this section insofar as it may remove strategic uncertainty from competitive decisions for one or more parties and the removal of the strategic uncertainty may lead to the softening of competition (tacit collusion).
What will become important is whether the employee responsible for leaking the information has actual or ostensible authority to represent the firm concerned and to agree and bind it to participation in the cartel activities.
Where an errant employee is on a frolic of their own, and there is no actual or ostensible authority for their conduct, there will be no basis for imputing liability to the firm. An example is where the wrongdoer’s employment with the firm concerned was terminated before the wrongdoer leaked the information. In such instances, it is unlikely that a contravention of the Competition Act would be sustained.
The Competition Act is generally aimed at preventing collusive conduct between competitors rather than corporate espionage.
Where a firm has its confidential information leaked to a competitor by a disgruntled employee, and that competitor is conferred a competitive advantage to the victim firm’s detriment, this conduct is not truly within the focus of the competition authorities, because it does not involve any collusion. However, this will once again turn on whether the employee had actual or ostensible authority at the time of the disclosure.
Breach of contract
The simplest remedy may take the form of a breach of contract. This could take several forms, depending on whether the party leaking the information is still an employee of the firm at the time of the leak.
Where there is still an employment relationship, the breach of trust occasioned by the employee’s misconduct in leaking the information would likely serve as grounds for dismissal.
Where the employee has already left the employ of the firm, it may still be breach of contract in respect of various clauses which survive the termination of the employment contract, for instance, confidentiality clauses generally drafted to survive the termination of employment and are enforceable even after an employee leaves their role.
Another example would be a restraint of trade clause, which generally remains enforceable against an employee several years after their employment has been terminated, in order to prevent that employee from competing unfairly with their former employer.
In order for such a restraint to be enforceable there must be a protectable interest, which our courts have held include trade secrets. As such, it would be possible to claim damages for breach of contract in these instances. Ultimately, a claim for breach of contract will depend on what was agreed to between the affected firm and the wrongdoer.
Hi Mark
I have always thought of things we ‘know’ or that are ‘knowable’ (I am not going to delve into the dark arts of Epistemology, a branch of philosophy – the Theory of Knowledge’) about the what it means to ‘know’ something. For present purposes the common usage of ‘know’ suffices.
I subjectively place stuff that we know or that is knowable somewhere on the data-information-knowledge-wisdom continuum, depending on a few factors.
So my first thought arising from your article above is whether theft of data is to be treated in the same way as the theft of information? Is data the same thing as information?
The second is about the inconsistency or presence/absence of definitions between different statutes. For example:
– what is ‘confidential’ information? (for example, no definition in financial services conduct regulation)
– what is ‘personal’ information? (defined in POPIA to include “…information relating to… an identifiable, existing juristic person)
– what is ‘sensitive’ information?
Regards,
Quinten
when an employee is working on contract basis and requests an extension thereafter, takes the institution to the ccma and cries fowl play upon contract ending. Also using another person’s personal information as evidence in the case.