Proprietary Data, Trade Secrets and Information Security in India – An Integrated Approach
“Data has the ability to make or break a company.” – Dr. Kalyan C. Kankanala
In today’s information age, Data has emerged as a very important business tool. Among other factors, success of businesses is dependent on possession, management, processing and analysis of data. The relevance of data in business has increased so significantly during the last decade that one report estimates a short supply of close to two hundred thousand (2,00,000) data professionals by the end of 2018 in the United States alone. NASSCOM estimates that India will need about three hundred thousand (3,00,000) data professionals by 2020. A MIT report suggests that forty (40) percent of companies are struggling to find data professionals, and retain them. This is despite the fact that hundreds of data management, analytics and related programs have been started by Universities across the world to meet the need.
The rise in the importance of data collection, organization, management, processing, analysis and utilization, gives rise to several legal issues. From where data comes from and for what purpose the data is used, businesses have to confront and comply with a series of laws ranging from privacy to secrecy. While the law with respect to data management, analysis, security and safety is more evolved in certain parts of the world like Europe, the law has not made much progress in countries like India. Though it has been the subject of ongoing discussions and debates over the last two decades, India continues to follow a primarily common law based regime for trade secrets and information security. With the exception of largely ineffective statutory provisions under the Information Technology Act, Financial laws, and vague references under other Acts, trade secret law in India has not made much progress on the legislative front.
As it stands today, data and information of a business is protectable as confidential information or trade secrets based on judicial precedents. While confidential information broadly covers proprietary data and information to which a legal duty of confidentiality is attached, trade secrets protect data and information that has business/economic value owing to its secrecy, and steps to safeguard secrecy.
At a general level, data will qualify as a trade secret if:
It has independent business/economic value;
It is not known to others, or it is not reasonably ascertainable; and
Reasonable measures have been taken to protect its secrecy.
The reasonable steps must not only give notice or secrecy of data/information, but must also legally bind the receiver to maintain the data/information secret. In addition to executing Non-Disclosure Agreements, Confidentiality Clauses and other contractual measures, Courts have over the years held even simple steps as confidentiality notices, email disclaimers, and conditions soliciting secrecy as valid measures for qualifying data/information as a trade secret. Reverse engineering and independent creation are recognized as exceptions to trade secret misappropriation, and inevitable disclosure during the course of employment has been permitted. In other words, if an employee discloses secret data during the course of his employment, and such disclosure is inevitable for his livelihood, he will not be held liable for trade secret misappropriation. However, any conscious or sub-conscious disclosure of trade secrets on social media can give rise to legal liability.
On its face, the law seems adequate to address any concerns with respect to data security and safety, but when one delves deeper into its contours, one will notice that protecting and enforcing trade secrets in India may not be as easy as it sounds. Though both civil and criminal liability can attach to an act of data misappropriation and misuse, the speed at which action can be taken is too long to prevent damage from data disclosure. Though the IT Act affords remedies for security breach and privacy violations, and the response can be swift at times, the law addresses a very narrow set of actions, and the enforcement mechanism is not uniform. To add to the complexity, most Indian Courts lean in favour of employees unless there is irrefutable evidence in favour of a company.
As it stands today, India has a trade secret law in place, but the law is not adequate to protect data and trade secrets of all types, under all circumstances. Companies therefore rely heavily on contractual instruments, and physical/information security measures to protect their interests. Some measures that have proved to be very effective in the Indian context to protect data and information are:
Classification of data based on its importance;
Co-relation of physical/information security measures to the data classification;
Advanced information security measures, data forts, and data exclusions;
Training, and data protection/secrecy culture;
Social media policies and practices aimed at data protection and secrecy;
Appropriate notices, legal instruments, and related measures; and so on.
A business can make the best out of the law in India by adopting a well planned and integrated approach towards data protection, security and safety. A combination of measures, which include legal, physical and people based steps can help the company retain its business advantage from data and trade secrets.
Authored by Dr. Kalyan C. Kankanala