Protecting business know-how: Criminal and employment consequences of employee data theft

This article has been also published on the EACCNY website on March 22, 2021.

Protecting business know-how in the context of the employment relationship is also about preventing and managing data theft. As businesses increasingly rely on digital information storage, the risk of data exfiltration of financial records, customer information, and intellectual property/trade secrets is also increasing.

Data theft often occurs when an employee leaves an organization to work for a competitor and transfers data from the company’s electronic archives to a personal device or email account.

Banning employees from sending business emails to their personal accounts and restricting the opportunity for them to copy data on non-company-owned devices are some of the preventive measures that help to prevent data theft.

It is also beneficial to warn employees of the consequences of data extrusion, which include criminal liability.

EMPLOYEE DATA THEFT IS A CRIME

Data exfiltration may be considered a crime under the Italian Criminal Code and, depending on the case, it may also constitute i) embezzlement (Art. 646) and/or ii) revelation of trade secrets (Art. 623).

The Italian Supreme Court stated for the first time in 2020 that embezzlement pursuant to Article 646 of the Criminal Code applies in the case of company files copied by an employee who, before resigning, had returned a company laptop with the hard drive formatted (Decision No. 11959/2020).

Before this decision, prevailing case law held that the immaterial nature of the files meant that no offense could be committed in such a case. However the Court noted that files can be transferred from one device to another and can be stored in virtual archives and thus concluded that they should be considered movable goods pursuant to Article 646 of the Criminal Code and therefore may be subject to appropriation or removal.

A recent Supreme Court decision in January 2021 confirmed the possibility that employee data exfiltration may constitute embezzlement and added that if the stolen information concerns company know-how the criminal offense of revealing trade secrets (Article 623 of the Criminal Code) may apply (Decision No. 3000/2021).

The Supreme Court stressed that trade secrets concern all technical and commercial information that is essential for the company on the level of competition, in the sense that knowledge of said information by competitors could strengthen their position to the detriment of the company.

Article 623 does not protect the assets of a businessperson but rather his/her personal right to organize an economic activity, a right that corresponds to the obligation of employee loyalty and fairness under Article 2105 of the Italian Civil Code. In other words, the freedom of the businessperson not to see the organizational structure of the company disrupted by lack of employee loyalty is protected from a criminal law vantage point.

WHAT HAPPENS FROM AN EMPLOYMENT STANDPOINT

Pursuant to Article 2105 of the Italian Civil Code, all employees are bound by a duty of loyalty toward their employers and have a duty to maintain confidentiality as well: “An employee cannot engage in business, either on their own behalf or on behalf of third persons, in competition with their employer nor divulge information pertaining to the organization and methods of production of the enterprise, nor use it in such a manner as may be prejudicial to the enterprise.

This duty does not cease to be valid after termination of employment and no specific covenants need to be executed between the parties in this regard, because trade secrets and all business-related information are generally considered the property of the employer. However, the parties may sign a non-disclosure agreement during the employment period in order to provide a penalty clause effective in case of a breach of confidentiality.

This obligation does not mean that an employee is not entitled to benefit from the skills developed on the job, but it should be clear that the unauthorized disclosure of employer confidential information is a breach of the employee’s obligations and may lead to disciplinary action (following the proper disciplinary processes as regulated by Section 7 of the Workers’ Statute) as well as the seeking of damages from the employee.

RECENT RULINGS IN EMPLOYMENT CASE-LAW

The Supreme Court (employment division) recently had the opportunity to rule in this area and in doing so stated some important principles.

First of all, a worker’s possession of corporate documents of a confidential nature (including information relating to a certain product, raw materials and their costs, the identity of suppliers and customers, and methods of production and transport) implies violation of the worker’s loyalty obligation even in the event that disclosure does not occur (Decision No. 3739/2017). Indeed, the employee’s loyalty obligation takes the form of a duty to refrain from any activity contradictory to the interests of the employer, which must be understood to include those that may not currently be producing damage but are endowed with the potential to cause harm (Decision No. 25147/2017).

Employers and employees also must be aware that it is not only the possession or the disclosure of data that is considered unlawful conduct, but also the destruction of data: indeed, the Supreme Court has declared that it is lawful to dismiss an employee for just cause based on the destruction of all the company documents contained on their computer, including electronic correspondence (Decision No. 9990/2015).

In addition, even third-party data in the employer’s possession must be safeguarded; with reference to this matter the Court affirmed that the dismissal of a call-center employee assigned to the company credit department who illegally accessed customer call data was lawful, as the behavior exposed the employer to the risk of violating customers’ rights to confidentiality and secrecy (Decision No. 14319/2017).

To conclude, as a general principle, the Court stressed that a company’s interest in avoiding the disclosure of news and technical data concerning production methods or know-how is legally protected by Article 2105 of the Italian Civil Code, and the conduct of an employee who creates copies of documents and keeps them without any justifiable reason constitutes an undeniable and objective breach to be sanctioned (Decision No. 1136/2012).

CONCLUSIONS

Companies should pay more attention to managing their know-how and confidential information, possibly through the use of non-disclosure agreements and penalty clauses; however, in light of the recent case law, employees themselves should also be aware of the consequences that data theft or unauthorized use of company information could have on their employment relationships, as well as on their criminal records.

 

Indietro
Seguici su