Sir – having read the letter to the editor from Simon Janes in the April edition of Security Management Today (‘Information theft must be addressed’), I felt that your readers would be interested to know why it continues not to be a crime to steal sensitive business information in the UK.

In his correspondence, Simon refers to the Government’s proposals to raise the maximum penalties for the most serious hacking offences under the Computer Misuse Act 1990. In welcoming this decision, he rightly states that until some serious moves are made to criminalise the theft of information the threat will continue.

Those who are the victims of business espionage and the leaking of sensitive information – together with those of us who investigate and advise on these problems – share the frustration over the continuing failure to establish suitable legislation that will deal with what is a major problem.

In essence, there are two reasons why it is not a crime to steal sensitive business information. First, information is not regarded as property under the terms of the Theft Act 1968. Case law for this dates back to 1979, when an attempted prosecution concerning the theft of confidential papers failed – even though it had been argued that the information contained therein should be regarded as intangible property.

Second, the more common circumstances of information theft by staff (by way of photocopying, computer printing and copying onto disks and flash drives) do not qualify against the legal definition of theft. The owner is not permanently deprived of the information – only the paper onto which it was copied or printed (or the disk if it has been purloined from the office).

Without associated offences, all that remains are internal disciplinary procedures or a civil action against the culprit for breaking the terms of their Contract of Employment and/or the breach of a confidentiality agreement.

The UK legislature has recognised this problem for some time. In 1997, and having examined all the issues, The Law Commission published a consultation paper. Unable to see how to legislate effectively against the taking of confidential information, the Commission suggested that the best way forward was to follow the practice in other countries and then consider whether there should be criminal liability for the misuse by the recipient of trade secrets belonging to someone else. The snag here is that there’s currently no legal definition of a ‘trade secret’.

Unfortunately, this project has not progressed any further, having been forced to give way to the completion of work on fraud and other higher priority commitments. In principle, the majority of respondents to the consultation supported criminalisation of the unauthorised use or disclosure of a trade secret.

However, a minority were strongly opposed, arguing that the paper had failed to substantiate the Commission’s main justification for proposing a new offence – that civil remedies alone were insufficient to discourage trade secret misuse.

This view misses the point that much of the product of business espionage is used covertly by the recipients as intelligence behind their strategic planning and commercial activities. Without, say, the evidence of a whistleblower, misuse in such circumstances would be difficult to prove.

Few companies have much appetite for attempting to sue an employee for breach of confidence, mainly because of the legal costs, the unwelcome publicity and the kind of tactics which defence lawyers have deployed in the past. These have included a challenge to the confidentiality of the information – the justification of which would require the release of further sensitive material – and the demand for extensive disclosure of other confidential company documents. There is also a defence that the information was taken in order to disclose it in the public interest.

Thus the threat of civil action is hardly a deterrent against the taking or leaking of information from an employer.

The Law Commission should be encouraged to return to its search for a solution. In particular, one which can penalise – legally – the dishonest taker of the information.

Christopher Davy, Director, Risk Analysis (UK)

Source

SMT