Stop! Thief..? Confidential information, theft and the protection of trade secrets
When is theft not theft?
While this might sound like the sort of bad joke a lawyer would tell round the Christmas dinner table, it is a question that an increasing number of companies find they need to address – often as a result of some very unfortunate circumstances.
The answer is surprising and, depending on your perspective, can be disappointing. This is because under English law a person does not commit theft when the property they take from another is information (confidential or otherwise).
Many companies rely on highly confidential information or sensitive data for the successful operation of their business. This legal position can therefore be particularly unhelpful for companies with disgruntled employees who take improper advantage of access they have to important information. If the civil remedies open to a companies are not sufficient, it may leave them wondering what their options are to seek redress by criminal justice.
The Law – Theft Act 1968
The basic definition of theft is set out in the Theft Act 1968 (the TA 68). Section 1(1) TA 68 states that:
A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it; and “thief” and “steal” shall be construed accordingly.
This definition is supported by section 4(1), which states that:
“Property” includes money and all other property, real or personal, including things in action and other intangible property.
On its face, therefore, an individual who accesses information on a computer (for example) and takes that information for their own gain might well be accused of theft. After all, information sounds like exactly the sort of thing the phrase “intangible property” may have been intended to capture when it was included in the wording of s4(1) TA 68.
Oxford v Moss (1979) 68 Cr App R 183
However, the case of Oxford v Moss makes clear that for the purpose of section 4(1) TA 68, confidential information does not fall within the definition of “intangible property”. In this case, a civil engineering undergraduate dishonestly obtained a copy of his upcoming exam paper, read its contents, and returned the paper to where he had found it. He was charged with theft of confidential information but was not convicted.
Despite being heard over 40 years ago, Oxford v Moss remains good authority for the proposition that information is not “property” and it creates the issue described above, whereby an individual can take information without committing theft. There are various other interesting aspects to the judgment, which was an appeal of a magistrate’s decision. For example, Mr Justice Smith, who gave the leading judgment (with the Lord Chief Justice agreeing), was of the opinion that if a person obtains information given to them in confidence and then seeks to take unfair advantage of it, it is open to the courts to restrain that person by way of an injunction or to punish them with a damages order, rather than by a conviction for theft.
In the modern day, with the proliferation of information that is readily accessible on a wide range of devices, the ruling in Oxford v Moss and the relevant legislation feels increasingly out of date.
To be clear – if an individual were to download copies of documents onto a USB stick or external hard drive, or forward themselves copies of documents via email, it could well be argued that the copies of those documents had been stolen, because the computer files themselves will have been transferred. However, in circumstances where an individual simply reads and learns information or even takes notes of it, but does not remove the original document itself (whether that document is on a computer or in hard copy) it cannot be said that they have committed theft.
As noted above, this is a somewhat counterintuitive conclusion and one that is a surprise to many. We observe an increasing number of situations in which rogue employees leave companies and take with them valuable information before trying to sell it or leverage it to gain favour with other businesses. Understandably, this is a practice that companies wish to deter against and in many cases will seek to punish harshly when they are the victims of it. However, the approach of the police (even when actual documents and client lists have been printed off and taken) is often to respond that this is a civil matter, further narrowing the potential for criminal sanctions against the dishonest individual.
Computer Misuse Act 1990
Ironically, one of the best solutions to this outdated legislative position and case law is another piece of outdated and often overlooked legislation: The Computer Misuse Act 1990 (the CMA). Described as “An Act to make provision for securing computer material against unauthorised access or modification; and for connected purposes”. The CMA states in section 1(1) that:
(1) A person is guilty of an offence if –
- he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
- the access he intends to secure, or to enable to be secured, is unauthorised; and
- he knows at the time when he causes the computer to perform the function that that is the case.
A person guilty of an offence under section 1 CMA can be sentenced to imprisonment for a term not exceeding 12 months on summary conviction, or imprisonment for a term not exceeding two years or to a fine or to both, if convicted on indictment.
The CMA therefore offers a possible route of redress for companies with employees who abuse their computer access rights and take unauthorised actions in respect of confidential information. Of course, the circumstances must be right for the CMA to be of use. If an individual were to take notes of a discussion of confidential information and take that information away, the individual would not have committed theft and the CMA could not be used to pursue them either. However, in the increasingly typical scenario of an employee accessing various files on a computer in order to gather sensitive information, the CMA can offer a welcome – and little known – route for criminal redress.
Civil remedies – recent developments
Notwithstanding the potential criminal offence under the CMA there are, of course, civil remedies that a company may wish to consider as a starting point in circumstances such as those considered above. Interestingly, things have not been stagnant in this area in the way they have under criminal law.
If the information stolen constitutes “trade secrets”, then the victim may have a civil claim under the English common law of confidence. This was bolstered on 8 June 2016, when the European Union introduced Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (the Directive).
The Directive was implemented into English law by The Trade Secrets (Enforcement, etc.) Regulations 2018 (the Trade Secrets Regulations), which came into force on 9 June 2018. The Trade Secrets Regulations explicitly acknowledge that most of the provisions of the Directive already existed in England under common law principles. However, the Trade Secrets Regulations were intended to close any gaps between the two. The statutory and common law regimes now operate in parallel.
Specifically, regulation 3(1) of the Trade Secrets Regulations states that:
The acquisition, use or disclosure of a trade secret is unlawful where the acquisition, use or disclosure constitutes a breach of confidence in confidential information.
Here, then, is another potential route of redress available to companies that are the victim of the sort of activity considered in this article. However, both the common law and statutory regime only offer civil remedies such as injunctions or damages and do not offer a positive answer to the question of whether it is possible to establish criminality.
There are also complications when relying on this civil route. For example, it is necessary to overcome all the various definition hurdles (such as the meaning of “trade secrets”) in order to engage the statutory regime. The common law regime is equitable and therefore subject to the discretion of the court. Even this updated legal framework may therefore not provide a great deal of comfort.
At best, it seems, the law of confidence and the Trade Secrets Regulations provide an avenue that companies may consider when “trade secrets” are taken from them but it may not be applicable or useful in many circumstances. It is particularly interesting, as noted above, that in the Oxford v Moss judgment it was acknowledged that courts can order an injunction or damages and a criminal sanction for theft of confidential information is not necessary. The Trade Secrets Regulations may therefore be a reason to have less hope that in the future there will be opportunities for criminal redress when confidential information is taken.
Data protection laws have also recently been strengthened and in the right circumstances they may be another tool for companies to consider. We do not propose to consider data protection laws in detail here or how they may apply to these sort of scenarios, but it should by now be clear that individuals can interfere with confidential or sensitive information in a range of ways and there is a wide array of possible remedies that victim companies may be able to rely on to deal with those situations, all of which have subtle nuances that must be carefully considered.
In our experience, companies often wish to highlight potential criminal liability to individuals in order to bring home the seriousness of their situation and to try to bring those individuals to the table. The lack of criminal offences applicable to circumstances such as the ones we have suggested – even taking into account the CMA – represents a legal lacuna about which many companies should be aware.
As we approach 2020, it is arguably increasingly important for legislation to be introduced to protect companies against the easy abuses that the proliferation of information and documents on computers, and their ready accessibility, allows for. However, such change is not immediately in prospect and neither does it seem likely that the decision in Oxford v Moss will be overturned.
Until such time as either of those positions change, companies that wish to seek criminal justice for the unauthorised access and abuse of information stored on computers may be better served by considering the CMA, rather than allegations of theft – however counterintuitive that may be – as part of the arsenal they might bring to bear on a wrongdoer.