Protecting IP from external theft

From proprietary information accessed by hackers to more conventional forms of piracy, the theft of IP is on the rise. In Canada, the onus is on companies to put their own protections in place.
Written by Shannon Kari

At the annual Uniform Law Conference of Canada in 1989, draft legislation called the Uniform Trade Secrets Act was proposed.

It provided for potential civil remedies against anyone who acquired a trade secret improperly, including through commercial espionage or electronic means. Courts could grant injunctions, award damages and determine who could make future use of the trade secret.

The proposed legislation was put forward one year after the Supreme Court of Canada issued its ruling in R. v. Stewart on the issue of whether “confidential information” can be the subject of theft under the Criminal Code. The court, in a unanimous decision, concluded that it could not, since confidential information on its own is not property.

“Criminal law is designed to prevent wrongs against society as a whole. From a social point of view, whether confidential information should be protected requires a weighing of interests much broader than those of the parties involved,” wrote Justice Antonio Lamer for the court.

The ruling suggested this was a matter for civil litigation, although Parliament might want to consider some criminal protection given recent “technological developments” in society, the court said in its 1988 ruling.

Three decades later, there are still no criminal offences specific to this area and the Uniform Trade Secrets Act was never enacted into law by any province. In fact, the current website of the federal Canadian Intellectual Property Office states flatly that there is “no formal process” for protecting a trade secret.

The risk of having either trade secrets or intellectual property obtained improperly, however, is higher than ever in the current digital world. A government commission in the United States estimated in 2013 that the scale of international theft of American intellectual property was US$300 billion annually. The U.S. government considered sanctions against China for economic espionage before an agreement was reached by then-president Barack Obama and his Chinese counterpart in 2015.

Attempts to obtain IP data or confidential business information through duplicitous tactics are nothing new. As well, the attacks can come from hackers motivated purely by monetary reasons or state-sponsored actors, notes Sunny Handa, a partner at Blake Cassels & Graydon LLP in Montreal and co-practice group leader of the firm’s technology and India groups. “The difference now is if your secret gets out it will get out quickly,” says Handa.

In a climate where the potential risks are increasing, what are some of the basic principles that should be followed to try to minimize the chance that outside parties will obtain key information — the equivalent to the Coca Cola formula — for any corporation?

“For most companies, the biggest risk is the employees, either through a mistake or deliberate theft,” says James Kosa, a partner at WeirFoulds LLP in Toronto. “Corporate espionage, more often than not, occurs internally,” he says. He agrees that this puts companies in a difficult position: they must protect proprietary information such as trade secrets without creating a work environment in which employees feel they are not trusted.

“From a risk management perspective, it is about managing the people, especially people who are leaving. You need to track data they have accessed. You can use mobile device management software that tracks large data transfers. If it is more than 50 MB, it is not an email,” says Kosa, whose practice focuses on information technology and IP law and who has a computer science background. Companies should also have software that permits the remote disabling or wiping of information from an employee’s phone, he adds. “What happens if a phone is lost?” he notes.

Imran Ahmad, a partner at Miller Thomson LLP in Toronto, agrees that employees might put crucial data at risk, even if they do not have any bad intentions. “Taking files home on a USB stick or laptop” or using online-based external software may increase the chance of being hacked, he says. 

“You need to map out the data flow” for key information, says Ahmad, who heads the firm’s cybersecurity practice. “In-house counsel should have a flow map, knowing where the data is.” 

The other key issue for companies when looking at measures to ensure the security of their intellectual property or trade secrets is the impact of these protections on the operation of the business, says Kosa.

“A perfectly secure data set is useless if no one can access it. You are balancing security with accessibility to the data,” he says. For data that is of importance on par with the Coca Cola formula, parts of it can be digitally stored separately. “You can break it up. Not everything needs to be accessible all of the time,” says Kosa.

Online security is much more than “firewalls” to try to prevent hacking, says Handa. “You need to understand where your data is and identify what is most important to your company. If it is a trade secret, then break it up. A key piece can be in an encrypted (online) vault,” he suggests.

Another area with the potential for an information breach is the use of third-party contractors. If production is going to take place in another country, then ensure that you have a senior employee oversee those operations, Handa says. “Select an employee you trust. You have to trust someone. If you just ship out production, with blueprints, you are asking for trouble,” he says.

A merger and acquisition situation should also be approached carefully in terms of the confidential information that is disclosed to potential bidders, says Handa.

“If it is an auction situation, you do not reveal your trade secret until the very end. Or you can have a reputable third party conduct a [source] code audit,” to satisfy potential buyers, he explains.

Regular audits or “cyber diligence” are a good practice for companies, even if not in an M&A situation, Ahmad suggests. “You should have someone go on the darknet to see if any of your IP has been compromised. What is the state of your network and are you leaking data?” he says.

John Simpson, a lawyer at Shift Law in Toronto, says regular internal auditing of data is something that newer companies, such as those that are technology based, may not be prioritizing. “For innovative companies, that may sound like a buzz kill. You want to be out bragging about your product. But, in reality, to sufficiently protect confidential information in an innovative business, you need to be doing an audit of what is protectable,” says Simpson, who specializes in intellectual property law. 

The audits are essential tools in the event that civil litigation is ever initiated. As well, “trade secrets” are not just the equivalent of unique formulas, he says. “It can seem amorphous. But it can also be business processes. The way to protect that is through internal processes and specific agreements with contractors and third parties,” he adds.

While online attacks either from individuals or state-sponsored entities are legitimate issues, Simpson notes that, sometimes, confidential business information can be disclosed in a much more low-tech setting. “For startup businesses, a chief executive may go to a conference and talk about the company’s product. Even if it is a friendly audience, it is no longer confidential. It may be valuable, but it is no longer protectable,” says Simpson.

If there is a specific wrongdoing that resulted in the disclosure of IP or a trade secret, that could lead to a strong civil suit if the misconduct all occurred in Canada. If the attack originated elsewhere, a company’s legal options may be limited.

“You have no meaningful remedies,” says Barry Sookman, a senior partner at McCarthy Tétrault LLP in Toronto and an intellectual property lawyer. “China and Russia are huge culprits. But it is very hard to prove. It is also a very expensive process,” he adds.

Ahmad agrees that legal action is an uphill battle. “Your remedies are almost non-existent. The company with the information is usually not the one who steals it. You can start litigation, but there will be jurisdiction and timeline issues,” he says.

Even if it is from a position of self-interest, there have been positive developments recently in that countries such as India and China are taking more active steps to try to crack down on the theft of IP and trade secrets, says Kosa. “They used to make more money from counterfeiting. But now they are developing their own IP,” he explains.

However, in cases where a company has been attacked online and is subject to a demand for money to ensure that its proprietary information is not widely disseminated, Kosa says, it is actually a better strategy to pay the ransom.

“They don’t have any use for it to hold it hostage. They may not even really know what it is. You can pay or you can decide the secret is no longer worth having. But paying actually works. They want to create an incentive to pay so they will return what has been stolen,” he says.

Rights & jurisdiction

The main page of the website for FairPlay Canada features a slide show of various individuals who work in the film and television production industry in roles such as hairdresser, carpenter and program assistant. It is these people who will be most harmed, the site suggests, if the Canadian Radio-television and Telecommunications Commission does not approve the creation of a new agency tasked with requiring internet service providers to block access to torrent-based websites that facilitate the downloading of movies, television shows and other content without permission.

Despite the focus on the everyday workers within the industry, FairPlay is a coalition led by media and communications giants including Bell, Rogers, Quebecor and the CBC. It is arguing that there is a significant economic risk to the Canadian film and television industries from sites such as The Pirate Bay and others.

The application filed in late January has been met with a widespread and spirited reaction. From the industry perspective, it is a legitimate modern tool to crack down on “illegal online piracy.” For open-media advocates, it is censorship and could lead to other measures to restrict online access of legitimate content.

Barry Sookman was among those who wrote to the regulator in support of the coalition’s application. “The whole slippery slope argument is a false narrative,” suggests the McCarthy Tétrault LLP lawyer and former head of the firm’s intellectual property group. “We are talking about a particular class of site” that exists expressly for the purpose of illegal downloading, he says. “If you can regulate this content offline, then you should be able to regulate it online.” 

Most people would not publicly proclaim, “I have a right to shoplift,” says Sookman. Yet, he says this kind of belief seems to apply to those opposed to the application when it comes to accessing online content.

Ariel Katz, an intellectual property professor at the University of Toronto law school, prepared an expert report for the Public Interest Advocacy Centre, which opposes the application.

Far from the gloomy scenario presented by the coalition, he says the data shows that there is not a current revenue crisis for Canadian television and film producers. “The most effective way to reduce piracy is to make content available, easily and conveniently accessible and reasonably priced,” says Katz. 

He also questions the use of the term “piracy” by the coalition. “Piracy is not a legal term,” he notes. “Copyright law does not give a copyright owner exclusive rights to control every use of their work and every aspect of its distribution. Therefore, not every unauthorized use is an infringing use and not every unauthorized use deserves the colloquial title of piracy.” 

The law professor also questions whether the CRTC has jurisdiction to implement these measures. “Copyright in this country is a creature of statute. The CRTC cannot create copyright-like rights and cannot create new remedies,” says Katz.

A reply submission was filed by the coalition last month and the CRTC is expected to issue a decision on what has been a very high-profile application later this summer.