The Situation: Protecting intangible property can be extremely challenging, but significant and effective tools are available under English law to minimize significant harm to entities that have been victimized by a data breach in the UK.
The Result: The Trade Secrets Directive has harmonised the treatment of confidential business information in the EU so as to ensure that the scope of protection is uniform across member states, including the UK. This is likely to continue post-Brexit.
Looking Ahead: Reacting promptly and effectively to a data breach is key to containing it and limiting its damage. Businesses should develop a strategy to respond to future breaches so as to maximize the recovery of the confidential information and ensure no wider dissemination or leakage.
What are Trade Secrets and the Trade Secrets Directive?
Trade secrets relate to valuable know-how and business information, that is undisclosed and intended to remain confidential. Recent developments—such as globalisation, increased outsourcing, longer supply chains and the increased use of information, data and communication technology—contribute to increasing the risk of dishonest practices targeting the misappropriation and misuse of trade secrets. This has made it even easier for disgruntled employees to more easily transfer significant quantities of data and intellectual property through ever more sophisticated means, and walk away with extracts of key databases and other commercially sensitive material held in electronic form. Whereas previously, businesses may have principally reviewed CCTV records for evidence of large data storage devices being attached to IT infrastructure, it is just as likely today that businesses will utilize lawyers and forensic IT investigators to examine remote uploads to the cloud. Unlawful data transfers arise in sectors as diverse as automotive engineering to biopharmaceutical research.
The Trade Secrets Directive (2016/244/EU) ("the Directive"), which came into force in July 2018, is designed to tackle some of these challenges and also to harmonise the minimum standards of protection of trade secrets and confidential business information across the EU. The implementation of the Directive to date has been patchy across the various EU member states (a reflection of the fact that existing legal protections for trade secrets vary considerably across the EU), though there are a number of ways it has changed the underlying legal landscape.
Three-Tier Effect of the Trade Secrets Directive
The Directive has created a minimum level of protection by:
(i) Creating a unified definition of trade secrets across member states.
Under the Directive's definition of a trade secret, information is required to: (i) be secret; that is, not generally known or readily accessible to persons within the circles that normally deal with that kind of information; (ii) have commercial value because it is secret; (iii) have been subject to reasonable steps to keep it secret (Article 2(1)). This closely aligns to the common law test adopted previously under English law in Faccenda Chicken v Fowler ( Ch 117.
(ii) Codifying the remedies for the unauthorised use of trade secrets.
The Directive envisages that both interim and final injunctions may be ordered to prohibit the misuse of trade secrets and prescribes specific circumstances that courts should take account of, where appropriate, in deciding on the grant of an injunction and in assessing its proportionality. These circumstances are very similar to those which are already taken into account by the English courts under common law.
(iii) Preserving confidentiality, through adopting measures to ensure the details of the trade secret are kept confidential during litigation.
English courts already acknowledge the importance of preserving confidentiality during trade secret litigation and have adopted measures including:
limiting the disclosure of sensitive material to members of confidentiality clubs;
holding hearings in private; and
giving redacted public judgments to remove confidential references.
Effect of the Directive in the UK
The recent implementation of the Directive in the UK took the form of the Trade Secrets (Enforcement, etc.) Regulations 2018 (SI 2018/597) ("the Regulation"). As most of the substantive provisions of the Directive already existed in UK law, the regulations are concerned primarily with limitation and prescription periods, procedural issues and remedies. (The Directive is also important insofar as it offers certain protections to employees, namely: (i) employees' rights to bring any knowledge gained through experience in the course of normal employment is preserved and (ii) reverse engineering is generally allowed. This could be particularly relevant in certain EU countries, such as Germany, which did not previously recognize a general right for reverse engineering.) It has also introduced a new definition of "trade secret" as including information that is (i) secret, in the sense that it is not generally available or known among persons that deal with such information; (ii) has commercial value because of its secrecy; and (iii) reasonable steps have been taken to keep the information secret. The third requirement is particularly important because it goes beyond what has been traditionally required under common law and because many companies may not have adequate systems in place to protect confidentiality of it electronic infrastructure.
What the Directive ensures, through the harmonisation of the treatment of trade secrets across the EU, is that UK-based businesses with European offices or other business being conducted in the EU, can rely on there being equivalent protection to their trade secrets in local jurisdictions across the EU. To this end, the Directive clarifies the circumstances in which interim and final relief will be available. UK entities will continue to be able to rely on and enforce the Directive's terms as implemented in EU member states post-Brexit since the Directive applies regardless of where the secret holder is domiciled, provided the damage took place in a member state.
Remedial Solutions in the UK
The form of civil relief obtained to protect IP rights will depend on the circumstances of the case but can include some of the most invasive orders available to the English judiciary, which in many jurisdictions would fall within the preserve of the state and law enforcement rather than civil litigation. These include (amongst other bespoke remedies):
(i) Search and Seizure Orders; obtained without notice permitting an unannounced search led by the claimant's lawyers of a defendant's property and/or systems for misappropriated IP/confidential information. They may also enable a claimant to preserve property which is the subject of an action. Such orders have been described by the Court of Appeal as "a Draconian power which should be used in only exceptional cases" (Donaldson LJ in Yousif v Salama and Another  1 WLR 1540 at 1543) and "one of the law's two nuclear weapons" (Donaldson LJ in Bank Mellat v Nikpour  FSR 87 at 92).
(ii) Preservation Orders; requiring a defendant to preserve evidence pending a trial.
(iii)Delivery Up Orders; requiring a defendant to deliver up to the claimant categories of information—such as a forensically sound copy of their electronic files—for later review in civil proceedings. Such an order can, where the circumstances justify it, be a "Door Step" Delivery Up Order, requiring the immediate production of such material on an unannounced basis to minimize the risk of deletion of evidence.
These orders carry what is known as a "penal notice" requiring strict compliance by a defendant. Breach of the orders is a quasi-criminal offence and can result in imprisonment of up to two years, an unlimited fine or sequestration of assets. Which remedy will be available will depend on the circumstances, but the court is often willing to impose custodial sentences on those flouting its orders.
Where a person knowingly or recklessly obtains confidential information that the claimant is seeking to protect, and this confidential information contains personal data, there may also be criminal liability under section 170 of the Data Protection Act 2018. A person is also guilty of an offence under provision 1 of the Computer Misuse Act 1990 if he intends to secure access to unauthorized computer material, knowing at the time that the program or data is unauthorized.
Whichever business area a victim of a data breach operates in, where the situation calls for it, they should consider seeking appropriate interim orders to help protect IP or confidential information. In extreme cases, such orders can be obtained within a matter of days. The speed of obtaining these protective orders can be of crucial importance; timely action may be necessary to secure valuable data and prevent irremediable harm.
Three Key Takeaways
- The Trade Secrets Directive ensures commonality across the EU in protecting trade secrets, including in the UK.
- If there has been a data breach, prompt action should be taken to avoid significant financial harm.
- Appropriate urgent interim relief can be obtained without notice to the respondent on an urgent basis. If the situation calls for it, the English courts have the power to impose draconian orders on the wrongdoer without notice, including under threat of imprisonment.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus.
Adam R. Brown
Gregory J. Barden
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.