By Dr. Kalyan C. Kankanala
“Data has the ability to make or break a company.” – Dr. Kalyan C. Kankanala
In today’s information age, data has emerged as a very important business tool. Among other factors, the success of businesses is dependent on possession, management, processing and analysis of data. The relevance of data in business has increased so significantly during the last decade that one report estimates a short supply of close to two hundred thousand (2,00,000) data professionals by the end of 2018 in the United States alone. NASSCOM estimates that India will need about three hundred thousand (3,00,000) data professionals by 2020, even as an MIT report suggests that forty (40) percent of companies are struggling to find data professionals and retain them. This, despite the fact that hundreds of data management, analytics and related programs have been started by Universities across the world to meet the need.
Jurisprudence of data management
The significant increase in the importance of data collection, organisation, management, processing, analysis and utilisation of business, gives rise to several legal issues. Right from the source of data to its purpose, businesses have to confront and comply with a series of laws ranging from privacy to secrecy. While the law with respect to data management, analysis, security and safety is more evolved in certain parts of the world like Europe, the law has not made much progress in countries like India. Although it has been the subject of ongoing discussions and debates over the last two decades, India continues to follow a regime primarily based on common law, for trade secrets and information security. With the exception of largely ineffective statutory provisions under the Information Technology Act, financial laws, and vague references to other Acts, trade secret law in India has not made much progress on the legislative front.
Maintaining the secret
As it stands today, data and information of a business are protectable as confidential information or trade secrets based on judicial precedents. While confidential information broadly covers proprietary data and information to which a legal duty of confidentiality is attached, trade secrets protect data and information that has business/economic value owing to its secrecy, and steps to safeguard secrecy.
At a general level, data will qualify as a trade secret if:
- It has independent business/economic value;
- It is not known to others, or it is not reasonably ascertainable; and
- Reasonable measures have been taken to protect its secrecy.
The reasonable steps must not only give notice or secrecy of data/information but must also legally bind the receiver to maintain the secret. In addition to executing Non-Disclosure Agreements, Confidentiality Clauses and other contractual measures, Courts have over the years held even simple steps as confidentiality notices, email disclaimers, and conditions soliciting secrecy as valid measures for qualifying data/information as a trade secret. Reverse engineering and independent creation are recognised as exceptions to trade secret misappropriation, and inevitable disclosure during the course of employment has been permitted. In other words, if an employee discloses secret data during the course of his employment, and such disclosure is inevitable for his livelihood, he will not be held liable for trade secret misappropriation. However, any conscious or sub-conscious disclosure of trade secrets on social media can give rise to legal liability.
The inadequacy of Indian laws
On its face, the law seems adequate to address any concerns with respect to data security and safety, but when one delves deeper into its contours, it can be noticed that protecting and enforcing trade secrets in India may not be as easy as it sounds. Though both civil and criminal liability can attach to an act of data misappropriation and misuse, the speed at which action can be taken is too long to prevent damage from data disclosure. Though the IT Act affords remedies for the security breach and privacy violations, and the response can be swift at times, the law addresses a very narrow set of actions, and the enforcement mechanism is not uniform. To add to the complexity, most Indian Courts lean in favour of employees unless there is irrefutable evidence supporting the company.
As it stands today, India has a trade secret law in place, but it is not adequate to protect data and trade secrets of all types, under all circumstances. Companies, therefore, rely heavily on contractual instruments, and physical/information security measures to protect their interests. Some measures that have proved to be very effective in the Indian context to protect data and information are:
- Classification of data based on its importance;
- Co-relation of physical/information security measures to the data class;
- Advanced information security measures, data forts, and data exclusions;
- Training, and data protection/secrecy culture;
- Social media policies and practices aimed at data protection and secrecy; and
- Appropriate notices, legal instruments, and related measures.
A business can make the best out of the law in India by adopting a well planned and integrated approach towards data protection, security and safety. A combination of measures, which include legal, physical and people based steps can help the company retain its business advantage from data and trade secret assets.
Dr. Kalyan C. Kankanala is a well known IP Attorney, professor, and writer. He works with BananaIP (BIP) Counsels, a leading IP Firm, and offers courses at IIMB and NLSIU, Bangalore. Dr. Kalyan is also a renowned novelist and storyteller.
Featured Image Credits: Flickr
Stay updated with all the insights.
Navigate news, 1 email day.
Subscribe to Qrius