Theft of digital information

By Anthony Liew, member of ADLS’s Technology and Law Committee

In the 21st century, a company’s most valuable asset is its intellectual property. Trademarks, patents and copyright form the usual list of intellectual property assets. However, of increasing importance are a company's trade secrets.

Examples of trade secrets include customer lists and customer requirements, strategic planning, commercial opportunities, market information and budget forecasts. They form the fabric of a company's confidential information and a very important generator of business and wealth for a company. In this digital age, that information is increasingly created and stored electronically. It is therefore portable, easy to copy and highly prone to being stolen by employees.

It is not unusual for employees to have access to commercially sensitive information. Advancements in technology mean that employees will have faster and easier ways to copy, download and secrete that information. Although organisations would usually have security measures in place to prevent or reduce the theft of confidential information, those measures can be woefully inadequate. According to the Global State of Information Security Survey® 2014 undertaken by PwC in collaboration with CIO magazine and CSO magazine, security strategies employed by most organisations are often ineffectual because "organisations rely on yesterday's security strategies to fight against highly skilled adversaries who leverage the threats and technologies of tomorrow".

Employees are often driven by different motivations to steal digital data, varying from the benign and misguided to operating intentionally for the purpose of personal financial gain. The most common excuse given was "everyone did it and there was nothing that the employer could do".

There is some truth in that excuse. It is standard to include non-disclosure and confidentiality covenants in employment contracts in order to prevent employees from disclosing the employer's confidential information to third parties during and after the termination of an employee's employment.

However, enforcement of such covenants, whether by an application to the Employment Relations Authority or by taking proceedings in the courts for injunctive relief, is cumbersome, time-consuming and financially draining. In addition to legal counsel's fees (which can be quite prohibitive), the employer will have to spend a not insignificant amount of time and money preparing the brief for counsel and engaging computer forensic experts to provide the corroborative evidence required for a successful case. Such issues may not be too taxing for an employer who has the necessary financial resources. However, unless the information stolen is significant and crucial to the operation of the business, most enterprises would hesitate to spend money or resources that could otherwise be more profitably applied to growing the business or creating new intellectual property.

Alternative legal remedies
What other possible legal remedies could such employers resort to that would either deter employees from committing theft of digital information or assist the employer to recover the stolen information without being a drain on the employers' financial resources? Given that theft of digital data is rampant and on the increase, a possible alternative is to get the police interested in prosecuting such offences. As such, it is helpful to look at the relevant sections in the Crimes Act 1961 that may possibly assist.

Theft of trade secrets - section 230 Crimes Act 1961
Section 230 reads:
230 Taking, obtaining, or copying trade secrets
(1) Every one is liable to imprisonment for a term not exceeding 5 years who, with intent to obtain any pecuniary advantage or to cause loss to any other person, -
(a) dishonestly and without claim of right, takes, obtains, or copies any document or any model or other depiction of any thing or process containing or embodying any trade secret, knowing that it contains or embodies a trade secret; or
(b) dishonestly and without claim of right, takes or obtains any copy of any document or any model or other depiction of any thing or process containing or embodying any trade secret, knowing that it contains or embodies a trade secret.
(2) For the purpose of this section, trade secret means any information that-
(a) is, or has the potential to be, used industrially or commercially; and
(b) is not generally available in industrial or commercial use; and
(c) has economic value or potential economic value to the possessor of the information; and
(d) is the subject of all reasonable efforts to preserve its secrecy.

This section is most likely to provide an attractive option for employers to pursue employees or ex-employees for theft of trade secrets. Surprisingly, there is no case law on the section as yet.

The definition of trade secrets in sub-section (2) limits the section to information that has industrial or commercial application, has economic value to the owner and is not available in the public domain. Examples of what the civil courts have regarded as trade secrets include customer lists and customers’ preferences, a manufacturing method for making confectionery, strategic planning, product lines, tender prices, market information and budget forecasts. In applying the definition in s 230(2), the court will no doubt be guided by those judicial determinations. It must also be shown that the owner has taken reasonable steps to ensure that that information is kept secret and confidential. This, no doubt, would include measures such as confidentiality clauses in employment agreements, the use of non-disclosure agreements, and such reasonable steps as are required in the circumstances of the particular case to ensure that access and use of the information is properly regulated and enforced.

Accessing computer system for dishonest purpose - section 249 Crimes Act 1961
If the information does not qualify as a trade secret for the purposes of s 230, then one option is to proceed under s 249 of the Crimes Act, which says:
249 Accessing computer system for dishonest purpose
(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,-
(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,-
(a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) to cause loss to any other person.
(3) In this section, deception has the same meaning as in section 249(2).

The elements required to be proved under this section are: (a) unauthorised access to a computer system, (b) for dishonest purposes, and (c) either obtaining any benefit or property or causing loss to another, or intending to obtain any benefit or property or to cause loss to another.
The interesting thing about this section is that it applies to any of the following situations:
(i) a person who, having no authorised access, unlawfully accessed a computer system for a dishonest purpose;
(ii) a person who may have authorised access but used that access with intent to cause loss (financial or otherwise) or to achieve a financial gain; or
(iii) a person (whether with or without authorised access) who initially accessed a computer system without a dishonest purpose, but whilst still accessing the system forms a dishonest purpose.

"Access" is defined in s 248 to mean, in relation to any computer system, instruct, communicate with, store data in, receive data from, or otherwise make use of the resources of the computer system. Remote access via a smart phone to download information for a dishonest purpose would therefore be caught by the section.

Theft of bandwidth – Davies v New Zealand Police
The case of Davies v New Zealand Police [2007] NZHC 376; [2008] 1 NZLR 638 concerned an employee's unauthorised use of an employer's internet connection and computer to download music files and pornography at work. The employee, Mr Davies, was charged with, and convicted in the District Court of, stealing internet usage belonging to his employer, valued at $205. Mr Davies appealed to the High Court to have the conviction set aside. On appeal, his counsel argued (amongst other grounds) that internet usage was not property capable of being stolen, but simply describes an action or activity. The High Court disagreed. In his judgment, Miller J observed at paragraph [33] that internet usage describes data transmitted to and from a customer's internet address using its internet service provider's network. The quantities of data transmitted are measured in megabytes, which are a thing in action capable of being stolen in the same way that units of electricity can be stolen.

In the Davies case, the employer had to nominate in advance with Telecom, its internet service provider, the number of megabytes it wished to purchase for the following month and was then debited the nominated amount. If its usage exceeded the nominated amount, the employer would be charged at a different rate. Counsel for Mr Davies argued that the only megabytes belonging to the employer were the ones that it had prepaid Telecom for. As Mr Davies was charged with usage in respect of the amount that exceeded the employer's monthly limit, counsel argued that Mr Davies did not deprive the employer of anything since it had an unlimited supply of megabytes available to it. Justice Miller rejected the argument and held at paragraph [34] that: "There is nothing in this point; infinite capacity might have been available, but that which was used was nonetheless property which the [Employer] had an interest, having acquired a contractual right to it and having incurred a contractual obligation to pay for it one way or another."

Since civil litigation is expensive, time-consuming and may not achieve the desired outcome, aggrieved employers may resort to criminal prosecutions under the Crimes Act. That approach, however, is dependent on the availability of police resources. It may require repeated complaints to motivate the police to commit a greater level of resources to prosecuting such offending. As a first measure, however, both employers and employees should be made aware that, in addition to civil remedies, such wrongful actions could be prosecuted under the Crimes Act. Such awareness could in itself act as a deterrent.

This article was prepared by Anthony Liew on behalf of ADLS’s Technology and Law Committee
