Guardians of Secrets: Comparative Governance in Cyber Espionage

The authors are Khushboo Jagasia and Nauman Mir, fourth-year students at Symbiosis Law School, Pune.

In today's corporate world, data reigns supreme as a vital asset. The boards and management are responsible for safeguarding, preserving and actively defending it against any inbound or outbound threat.

Trade secrets are confidential business information not disclosed to the public. The Agreement on Trade-Related Aspects of Intellectual Property (“TRIPS”) sets global standards for secrecy, commercial value and reasonable efforts for protection. However, as evidenced by Google's 2010 disclosure of cyber-attacks from China targeting its proprietary source code, internet expansion has only escalated these risks. Compounding this challenge are detection issues of breaches that often remain undetected for prolonged periods.

Understanding Corporate Espionage as a Growing Concern

As global economies evolve, so do the challenges surrounding corporate espionage and protecting sensitive business information. The critical responsibility of corporate officers and directors in safeguarding trade secrets, essential assets for companies, is under scrutiny. This highlights regulatory changes due to laws like Sarbanes-Oxley, which emphasise the need for compliance plans covering outbound and inbound protection, including trade secret audits to assess risks related to sensitive information.

Economic espionage has become a significant concern for states, especially with the rise of economic supremacy as a key goal for many nations. However, there is a significant gap: the need for comprehensive regulations for cyber-enabled corporate espionage. This gap leads to legal uncertainties and obstructs efforts to counter advanced cyber threats targeting sensitive business information.

In the USA, the aftermath of the Sarbanes-Oxley Act highlights uncertainties in interpreting "reasonable assurance" judgments. It also reveals the broad spectrum of benefits organisations might pursue through internal controls on corporate behaviour, such as rent-seeking activities, increased surveillance, and potentially positive effects on corporate accountability norms.

The persistent problem of fraud in India calls for an urgent overhaul of corporate governance practices. KPMG surveys spanning from 2006 to 2010 reveal ongoing fraud risks in major organisations, including banks. These findings underscore a critical need for transparent and ethical governance practices to address fraud challenges effectively.

A significant aspect often overlooked is corporate espionage. As cyber warfare tactics evolve, corporate espionage has emerged as a sophisticated method for stealing trade secrets. While the USA has responded with a comprehensive array of state and federal laws, India remains inadequately equipped to deal with such threats.

Where does India fall short?

Despite the critical importance of protecting trade secrets, India currently lacks specific legislation addressing cyber espionage. This significant oversight leaves a gap in safeguarding sensitive business information. The introduction of laws similar to those in the USA and EU would provide clear definitions, remedies, and enhance overall trust. Such legislative advancements are crucial for enabling businesses to innovate and expand securely.

Under existing frameworks like the Information Technology Act, 2000, remedies for electronic misappropriation include injunctive relief, damages, and potential criminal actions under Sections 72, 72A, or 84C. However, Indian law currently falls short in addressing theft by unrelated third parties, revealing a pressing need for comprehensive legislation. Without these essential revisions, Indian companies are left vulnerable, unable to fully protect their intellectual assets against evolving cyber threats.

The Impact of Trade Secret Theft on Global Economies

Trade secret theft represents a significant economic drain, with the U.S. Intellectual Property Commission estimating losses between 1-3% of GDP, or $180 billion to $540 billion annually. Similarly, in the U.K., £7.6 billion out of the £27 billion cost of cybercrime is attributed to industrial espionage, impacting sectors like finance, aerospace, defence, and mining. These figures likely underestimate the true impact of espionage, as cyber is just one possible avenue for such activities.

Key Responsibilities in the USA

For private corporations, managing cyber risks and protecting critical infrastructure is a fundamental responsibility. Effective governance plays a key role in this, and directors must be aware of several key duties:

The effective governance of private corporations is crucial, given their responsibility for managing critical infrastructure and cyber risks within the USA. Key responsibilities include:

1. Duty of Loyalty and Care:  Directors must ensure that their decisions do not result in losses due to negligence or lack of consideration. They are also responsible for taking action to prevent foreseeable losses.

2. Duty to Disclose Data Breaches: Publicly traded corporations  disclose data breaches, mandated by Delaware state corporate law and SEC guidance. . Failure to disclose such breaches to shareholders, regulators, and consumers can lead to liability under corporate breach notification and securities regulations. SEC guidance from 2011 underscores the need to assess cybersecurity risks, including past incidents and their severity, and to disclose material risks that could affect the company's financial health.

3. Duty to Monitor: In light of the Caremark ruling, boards must ensure that information and reporting systems provide timely and accurate information to make informed judgments, particularly regarding compliance with laws. This involves exercising good faith judgment in assessing the effectiveness of these systems.

Addressing Gaps in Board Expertise

Corporate directors often lack specialisation in engineering, data, or information technologies, thus limiting their ability to provide insights on cybersecurity during boardroom discussions. Recognising this gap, the SEC amended Item 407 of Regulation S-K on February 28, 2010, requiring companies to disclose the board's role in risk oversight and its leadership structure. Companies must outline how the entire board manages risk oversight, details of a separate risk and audit committee and the reporting structures for individuals handling day-to-day risk management. Additionally, companies must justify their chosen board leadership structure, including disclosure of a lead independent director for companies where the roles of CEO and Chairman are held by the same individual.

The Legislative Mandate

To effectively combat cyber espionage and protect trade secrets, the government must also take decisive action. There is a pressing need to empower the Administration to develop comprehensive policies and frameworks that safeguard private firms and support victims of cyber espionage. In the USA, companies are often hesitant to involve federal authorities like the FBI due to fears of exposing trade secrets and damaging shareholder confidence. Owners of private infrastructure must report any incidents affecting critical information systems, as these reports provide essential data for government analysis and response. This data enables cybersecurity officials to develop tailored strategies based on the specifics of each attack, ensuring more effective protection and mitigation efforts.

Bridging gaps in Trade Secret Protection in India

India's current legal framework is lagging behind global standards, particularly compared to advanced systems in the USA and the UK. Adopting stringent, clear, and effective legislation is essential to close this gap. Such measures will bolster protection for trade secrets, foster business trust, and support ongoing innovation, which are crucial for Indian companies to compete effectively on the global stage.

To tackle the escalating threat of cyber warfare and corporate espionage effectively, organisations in India should integrate both inbound and outbound protection strategies into their cybersecurity practices. This means implementing comprehensive document classification protocols to secure sensitive information and enhancing visitor access control systems to prevent unauthorised data access. Fortifying network security through firewalls, encryption, and intrusion detection/prevention systems is also crucial, along with regularly updating security policies to stay ahead of new cyber threats.

Mitigating insider threats involves conducting thorough background checks on employees and consultants and establishing clear confidentiality agreements with external partners. Secure data exchange protocols are essential for sharing information with external entities.

Furthermore, comprehensive cybersecurity training for employees is vital for raising awareness about protecting corporate secrets. By integrating these measures and advocating for legislative reform, India can strengthen its defences against corporate espionage and safeguard its position in the global market.

Conclusion

The 298th Law Commission Report highlights the need for specialised legislation on Economic Espionage. Such legislation would clarify definitions, outline remedies, and consider exceptions for whistleblowers, governmental use, and compulsory licensing.

In today’s competitive business environment, safeguarding proprietary information is crucial for maintaining market leadership and driving innovation. As data breaches become more common, robust security measures are essential to protect trade secrets and ensure business continuity.